Schedule a demo

Syrian nation-state actor uses COVID lures to spread malware

Summary

A campaign that has been active since January 2018, recently released 71 apps that carried malware, takes advantage of the panic caused by the pandemic.

The Carrier

  • Lookout has identified 71 malware spreading Android apps, connected to the same command-and-control (C2) server.
  • The long-running surveillance campaign, which appears to have been active since January 2018, has recently started using COVID-19 lures to take advantage of the panic caused by the pandemic.

The Malware

  • 64 apps carry SpyNote, a family of commercial surveillanceware.
  • The other apps carry SandroRat, AndoServer, and SLRat.
  • The downloaded app serves as a distraction, while the malware runs in the background.
  • While some AndoServer samples are only surveillanceware, others contain legitimate apps inside the malware, with benign APK hidden in the res/raw folder.

The Risk

  • Once the malware is installed, hackers can:
    • Take screenshots
    • Record location (latitude and longitude)
    • Choose and access the device camera
    • Launch other malicious apps
    • Exfiltrate contacts, SMS, and call logs
    • Make calls and send SMS

The Threat Actor

  • The IP of the C2 server belongs to an ISP owned by Syrian Telecommunications Establishment, which is known for hosting infrastructure for SEA (Syrian Electronic Army), a Syrian state-backed hacking group.
  • 22 APKs, in strings.xml files of the apps, refer to “Allosh”, a name associated with an SEA persona.
  • The SEA recently claimed responsibility for DDoS attacks on Belgian media, and for defacing PayPal and eBay websites.
These apps have titles such as “Covid19”, “Telegram Covid_19”, “Android Telegram”, and “Threema Arabic”
These apps have titles such as “Covid19”, “Telegram Covid_19”, “Android Telegram”, and “Threema Arabic”

Indicators of Compromise (SHA1 hashes of the malicious apps)

  • 1aefc2ebaf1a78f23473ce6275b0b514bbcdfb08
  • 213b7f8c3f26a87b116927143289886742b979a1
  • 321682c8395216b6f71ac1f4a1188040bbddfeb4
  • 8cae26c899440f890a8faca2e63ba42c0195cd3b
  • ccb143b25cedf043a8be46a1f3c3f8a0a3e4c2b2
  • 61ecf4d82246a22dc2d390eca1e20abd6b961083
  • 1e30cc843a32db0296502795781f8064adbceee6
  • a07370617fa695b047359ac345375d05a7135da0
  • 915e3470e5ab85cb1fe565484b15004a19e88da6
  • 3bfa1b4d98c02c43e7b3af9e536dbcd79e0b9197
  • d14bb8de94e6f6a733b0962c6d0847376286874f
  • 3c5fd8b163b32cde47dd50c4b61ab087c0cad8d4
  • 4dcc2d9ef4921b3eb4e4dc72dd3716520d558102
  • 07c1edf35c60ea6f2ff02df6e0bfa24abb3029c1
  • 50c607a138e33c8cbdcf2f617f61095b7efa06da
  • b1a9bc32ece469d7e2d43e894e68cb3bec17ac82
  • 34cb80d4e5d19fcaf724b73aacfebbb19c79337e
  • c21919c6064c739533878da39d0feaf83e99f586
  • a62250430da13436b80a62f6a1fee67ed0050e37
  • 246a17230dbe8a5c533231fa1da80d977985b111
  • 358653280acdfd84b6ca326c9b06d12878af69c8
  • 4ec39acfc6f3f9715d0d0e2b0a2f7121d617b605
  • 9f09a4868f61d174ad075e5acaa8d849294dbf69
  • 8952bdf2e3d777d01011e6f8619fca8835e8c434
  • b9dffff37efbfb8e577ee242c8807db967704a0d
  • 5f6019eae4a16abd11d981b2da5d4ef05115a5c4
  • 0b7cf990bb0dc62dd44d9fa6410ca591dfe47a5d
  • 08162ad39a6237e4eebacf764a5ca6158816a86e
  • f2fb9826da43f92ff69686f999f205502a33342c
  • c2e5287433a0e3c7d059494e65b87c3c36f74a47
  • c7405d85a78a62003494f398084cff8f1794e2ab
  • 16c9ef6ed5af0855a3e6b963ff9c2d65d70de11e
  • bae5c56d3cd888ec19c42bf5d782de327d012a37
  • 34cc91ad64f52420b6e1531c097ac1602af1f089
  • 00455a4652faf751753b5ebfbb0656bee530f4ef
  • b263eec151b11d0a6ebcfcf37b3b98458d2d530c
  • 18cc448d71437e7a72558f6680ff10fb234fc64f
  • 6a68f8d962adae7d767b6dfeb2d5b90be412b1f1
  • 0fdc50226a7eb9aee6e6422907425d4531290374
  • aa43f78a2667909546c3cd993a2940b076634379
  • 5b2e709dfc95e9fc4e4343b92c76cc2193acd49a
  • e6962b122e14e59c7c88a25d405d6c653b31590e
  • 9c83fdecc8429bc278d03116ca9e2cff5013987e
  • 53653984310845988103051e7acf4ed336150b99
  • 18451fc0e8fbe878f242e7ee1834091c455f8fc1
  • 0f7bf07352b4d1852f651dda350fd446b3477740
  • 615863ce030f3de3e377352637d6ecc55dfd185a
  • b46b241620a4d5682e9083ce726827fdbf4a96e5
  • ab259f11163ea51767a6b17855bc0e79a8ae96e4
  • 447165f88f951f8d26bc721f3047533a54f59ce0
  • 29e04da270da0a6bedfcaee3f6fe8251d6cdef31
  • 6cebf3c27fb348272b72041451b232f78190f83d
  • e99ebc998ab63026b9b40fff55037c1b69a80369
  • ddf2b474a0ed1b47278d00872a84d2a2405cc33c
  • 01963c9c70102961cb8b424f623e9be32d7b255b
  • 8d664c9753f7bf65a8cce69dca5486971d1f06ca
  • 2d01b7691ce5647e60c566eda33166bf2e9bcc53
  • 44d8bc4406227aeec9711b74f771c05ddfd3d173
  • 0c04da70ba0771734f99eba05a5676713675d0e8
  • 37e11e1a45f166b16170e8d649c3b75ee93e90a8
  • dbfbfe43f04c58bcf5daa71df61dcc354bbf2d27
  • dc3778ffb7399e009a287983f0113e15fd8b227e
  • 1a0a65e6b4a2c42e5dc3d7db2179c04952a03948
  • 69f475024e006b51f7ec6a1990bad460fe9805f0
  • a32900a79d459da90e49ee8acf23dcfd03bfcb4b
  • 5c8bf130f8e5c7756674a6d376dd7f25fbded4e4

Table of Contents

Try XVigil for free

Request an easy and customized demo for free

Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Subscribe now
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.
Discuss Now