Syrian nation-state actor uses COVID lures to spread malware

A campaign that has been active since January 2018, recently released 71 apps that carried malware, takes advantage of the panic caused by the pandemic.

Share this Intel:

The Carrier

  • Lookout has identified 71 malware spreading Android apps, connected to the same command-and-control (C2) server.
  • The long-running surveillance campaign, which appears to have been active since January 2018, has recently started using COVID-19 lures to take advantage of the panic caused by the pandemic.

The Malware

  • 64 apps carry SpyNote, a family of commercial surveillanceware. 
  • The other apps carry SandroRat, AndoServer, and SLRat. 
  • The downloaded app serves as a distraction, while the malware runs in the background.
  • While some AndoServer samples are only surveillanceware, others contain legitimate apps inside the malware, with benign APK hidden in the res/raw folder.

The Risk

  • Once the malware is installed, hackers can:
    • Take screenshots
    • Record location (latitude and longitude)
    • Choose and access the device camera
    • Launch other malicious apps
    • Exfiltrate contacts, SMS, and call logs
    • Make calls and send SMS 

The Threat Actor

  • The IP of the C2 server belongs to an ISP owned by Syrian Telecommunications Establishment, which is known for hosting infrastructure for SEA (Syrian Electronic Army), a Syrian state-backed hacking group.
  • 22 APKs, in strings.xml files of the apps, refer to “Allosh”, a name associated with an SEA persona. 
  • The SEA recently claimed responsibility for DDoS attacks on Belgian media, and for defacing PayPal and eBay websites.
These apps have titles such as “Covid19”, “Telegram Covid_19”, “Android Telegram”, and “Threema Arabic”
These apps have titles such as “Covid19”, “Telegram Covid_19”, “Android Telegram”, and “Threema Arabic”

Indicators of Compromise (SHA1 hashes of the malicious apps)

  • 1aefc2ebaf1a78f23473ce6275b0b514bbcdfb08
  • 213b7f8c3f26a87b116927143289886742b979a1
  • 321682c8395216b6f71ac1f4a1188040bbddfeb4
  • 8cae26c899440f890a8faca2e63ba42c0195cd3b
  • ccb143b25cedf043a8be46a1f3c3f8a0a3e4c2b2
  • 61ecf4d82246a22dc2d390eca1e20abd6b961083
  • 1e30cc843a32db0296502795781f8064adbceee6
  • a07370617fa695b047359ac345375d05a7135da0
  • 915e3470e5ab85cb1fe565484b15004a19e88da6
  • 3bfa1b4d98c02c43e7b3af9e536dbcd79e0b9197
  • d14bb8de94e6f6a733b0962c6d0847376286874f
  • 3c5fd8b163b32cde47dd50c4b61ab087c0cad8d4
  • 4dcc2d9ef4921b3eb4e4dc72dd3716520d558102
  • 07c1edf35c60ea6f2ff02df6e0bfa24abb3029c1
  • 50c607a138e33c8cbdcf2f617f61095b7efa06da
  • b1a9bc32ece469d7e2d43e894e68cb3bec17ac82
  • 34cb80d4e5d19fcaf724b73aacfebbb19c79337e
  • c21919c6064c739533878da39d0feaf83e99f586
  • a62250430da13436b80a62f6a1fee67ed0050e37
  • 246a17230dbe8a5c533231fa1da80d977985b111
  • 358653280acdfd84b6ca326c9b06d12878af69c8
  • 4ec39acfc6f3f9715d0d0e2b0a2f7121d617b605
  • 9f09a4868f61d174ad075e5acaa8d849294dbf69
  • 8952bdf2e3d777d01011e6f8619fca8835e8c434
  • b9dffff37efbfb8e577ee242c8807db967704a0d
  • 5f6019eae4a16abd11d981b2da5d4ef05115a5c4
  • 0b7cf990bb0dc62dd44d9fa6410ca591dfe47a5d
  • 08162ad39a6237e4eebacf764a5ca6158816a86e
  • f2fb9826da43f92ff69686f999f205502a33342c
  • c2e5287433a0e3c7d059494e65b87c3c36f74a47
  • c7405d85a78a62003494f398084cff8f1794e2ab
  • 16c9ef6ed5af0855a3e6b963ff9c2d65d70de11e
  • bae5c56d3cd888ec19c42bf5d782de327d012a37

  • 34cc91ad64f52420b6e1531c097ac1602af1f089
  • 00455a4652faf751753b5ebfbb0656bee530f4ef
  • b263eec151b11d0a6ebcfcf37b3b98458d2d530c
  • 18cc448d71437e7a72558f6680ff10fb234fc64f
  • 6a68f8d962adae7d767b6dfeb2d5b90be412b1f1
  • 0fdc50226a7eb9aee6e6422907425d4531290374
  • aa43f78a2667909546c3cd993a2940b076634379
  • 5b2e709dfc95e9fc4e4343b92c76cc2193acd49a
  • e6962b122e14e59c7c88a25d405d6c653b31590e
  • 9c83fdecc8429bc278d03116ca9e2cff5013987e
  • 53653984310845988103051e7acf4ed336150b99
  • 18451fc0e8fbe878f242e7ee1834091c455f8fc1
  • 0f7bf07352b4d1852f651dda350fd446b3477740
  • 615863ce030f3de3e377352637d6ecc55dfd185a
  • b46b241620a4d5682e9083ce726827fdbf4a96e5
  • ab259f11163ea51767a6b17855bc0e79a8ae96e4
  • 447165f88f951f8d26bc721f3047533a54f59ce0
  • 29e04da270da0a6bedfcaee3f6fe8251d6cdef31
  • 6cebf3c27fb348272b72041451b232f78190f83d
  • e99ebc998ab63026b9b40fff55037c1b69a80369
  • ddf2b474a0ed1b47278d00872a84d2a2405cc33c
  • 01963c9c70102961cb8b424f623e9be32d7b255b
  • 8d664c9753f7bf65a8cce69dca5486971d1f06ca
  • 2d01b7691ce5647e60c566eda33166bf2e9bcc53
  • 44d8bc4406227aeec9711b74f771c05ddfd3d173
  • 0c04da70ba0771734f99eba05a5676713675d0e8
  • 37e11e1a45f166b16170e8d649c3b75ee93e90a8
  • dbfbfe43f04c58bcf5daa71df61dcc354bbf2d27
  • dc3778ffb7399e009a287983f0113e15fd8b227e
  • 1a0a65e6b4a2c42e5dc3d7db2179c04952a03948
  • 69f475024e006b51f7ec6a1990bad460fe9805f0
  • a32900a79d459da90e49ee8acf23dcfd03bfcb4b
  • 5c8bf130f8e5c7756674a6d376dd7f25fbded4e4

Be informed about these Threats in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about these threats first in your inbox.

Subscribe now