News Heading - 1

SafeChat Spyware Compromises Android Libraries to Exfiltrate Sensitive User Data

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

An Android spyware known as SafeChat, designed specifically to target users in South Asia, was recently discovered by security researchers at CYFIRMA.

The Singapore-based cybersecurity company revealed in an advisory that the malicious Android chat app is the work of the Indian Advanced Persistent Threat (APT) group "Bahamut". Active since 2017, the group is known for espionage and phishing campaigns that use malicious Android and iOS applications.

Initially named Coverlm, the spyware can interact with and steal data from messenger applications already installed on the device, such as Telegram, Signal and Facebook Messenger. It can also abuse Android libraries to steal contacts, call logs, device details, keystrokes and GPS location, and to intercept text messages on victims' devices.

CYFIRMA did not disclose the details of the social engineering used; however, the advisory notes that the spear-phishing campaign typically begins with the spyware being delivered directly to the unsuspecting victim via WhatsApp.

The SafeChat payload, disguised as a genuine chat application, deceives the target into installing it under the pretext of moving to a more secure messaging platform. To add credibility, the carefully designed interface walks the victim through an apparently legitimate registration process.

It also requires the user to grant various permissions, which the attacker later abuses to extract sensitive information and transfer it to a command and control (C2) server. The spyware also asks the victim to exempt it from battery optimization, which lets the app communicate with the C2 server without interruption.
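The permission set described above is the kind of thing an analyst checks first when triaging a suspicious APK. The script below is an added example for this digest, not CYFIRMA's tooling or SafeChat's real manifest: it parses a constructed AndroidManifest.xml, maps each requested permission to the data category it exposes (contacts, call logs, location, SMS, keystrokes via an accessibility service, and the battery-optimization exemption that keeps background C2 traffic alive), and flags a "chat app" that asks for all of them at once. The permission names are real Android identifiers; the manifest content and the review threshold are assumptions.

```python
"""Triage an Android manifest for a spyware-style permission profile.

Added example, not CYFIRMA's code or SafeChat's manifest. The manifest
below is constructed to illustrate the permission set the advisory
describes; the threshold for flagging is an assumption to tune.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names, mapped to the data each one exposes.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_PHONE_STATE": "device details",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "unrestricted background C2 traffic",
}

# An accessibility service can read keystrokes and other apps' screen content.
# It is declared on a <service>, not as a <uses-permission>, so check it separately.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application>
        <service android:name=".KeyService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky data categories a manifest requests and a review verdict."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NAME, "")
        if name in RISKY_PERMISSIONS:
            findings[name] = RISKY_PERMISSIONS[name]
    for svc in root.iter("service"):
        if svc.get(ANDROID_PERMISSION) == ACCESSIBILITY_PERMISSION:
            findings[ACCESSIBILITY_PERMISSION] = "keystrokes / screen content of other apps"
    # Heuristic (assumption): a battery-optimization exemption combined with
    # three or more distinct data categories is the profile the advisory
    # describes, so send it for manual review.
    categories = set(findings.values())
    suspicious = (
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in findings
        and len(categories) >= 3
    )
    return {"findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for perm, exposed in sorted(result["findings"].items()):
        print(f"{perm:<62} -> {exposed}")
    print("verdict:", "REVIEW" if result["suspicious"] else "ok")
```

Run it against a manifest pulled from a decoded APK; a legitimate messenger may well ask for contacts, but contacts plus call logs plus location plus a battery exemption plus an accessibility service is the combination worth a closer look.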

The stolen data is encrypted and stored by the attacker using modules that support RSA, ECB and OAEPPadding. In addition, a Let's Encrypt certificate is used to encrypt the traffic and evade network interception.

CYFIRMA's analysis also indicates that the threat actors behind this campaign operate from Indian territory and have links to a particular nation-state government. The researchers also found an association between Bahamut and the notorious APT group DoNot: both employ similar attack techniques and tactics, use Android malware, and target the same region.

News Heading - 2

WormGPT: New AI Tool Helps Hackers Generate Credible Emails for BEC Attacks

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A new generative AI tool named WormGPT recently surfaced on a prominent forum used by threat actors. The model, built specifically for malicious use, could become a powerful tool for cybercriminals looking to launch phishing and business email compromise (BEC) campaigns.

The tool, based on the open-source GPT-J language model, comes with various features including "unlimited character support, chat memory retention, and code formatting capabilities," SlashNext reported. It is also suspected to have been trained on a variety of data sources, particularly malware-related data sets.

WormGPT, presented as a blackhat alternative to GPT models, is being touted as the biggest enemy of ChatGPT, capable of helping even novice cybercriminals launch sophisticated attacks. In an experiment conducted by SlashNext researchers, it helped create fake, persuasive and personalized emails with impeccable grammar, reducing the chances of them being flagged as suspicious.

"WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks."

Alongside these generative AI tools, cybersecurity researchers have also noticed the promotion of "jailbreaks" for ChatGPT: specially crafted inputs designed to manipulate such tools into producing output that could include disclosing sensitive information, generating inappropriate content, or executing harmful code.

According to SlashNext, the adoption of AI and of such practices by determined cybercriminals underlines the growing challenges organizations face in ensuring AI security.

To guard against such BEC attacks, companies should follow a multi-faceted approach. This includes developing extensive BEC-specific training programs that educate employees about AI-augmented threats and the tactics threat actors use; enforcing stringent email verification processes; and deploying measures that help detect potentially malicious emails, especially those containing keywords linked to BEC attacks.
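Keyword screening alone is weak against AI-written mail with impeccable grammar, so a practical filter combines it with the header checks that a language model cannot fake: Reply-To pointing away from the sender's domain, a lookalike sender domain, a display name that impersonates an internal executive, and failed SPF/DKIM results. The script below is an added example for this digest, not SlashNext's or any vendor's detection logic. The two messages, the organisation domain `example.com`, the executive roster, the keyword list and the scoring thresholds are all constructed assumptions to be tuned to a real mail flow.

```python
"""Heuristic BEC screening of an inbound message: header anomalies plus vocabulary.

Added example, not SlashNext's or any vendor's detector. Samples, domain,
roster, keyword list and thresholds are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                 # assumed organisation domain
EXECUTIVES = {"jane doe", "raj patel"}          # assumed roster of impersonation targets
BEC_KEYWORDS = [                                # assumed vocabulary, tune per organisation
    "wire transfer", "urgent", "payment", "invoice", "bank details",
    "confidential", "gift card", "change of account",
]
HEADER_WEIGHT, KEYWORD_CAP, FLAG_THRESHOLD = 2, 3, 3


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg) -> str:
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def score_message(raw: str) -> dict:
    """Return a score, the reasons behind it, and whether the message should be held."""
    msg = message_from_string(raw)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower()

    # 1. Reply-To that redirects the conversation to a different domain.
    if msg.get("Reply-To"):
        reply_dom = parseaddr(msg["Reply-To"])[1].rsplit("@", 1)[-1].lower()
        if reply_dom != from_dom:
            reasons.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    # 2. Sender domain within two edits of ours, but not ours.
    if from_dom != INTERNAL_DOMAIN and 0 < _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {from_dom}")
    # 3. Display name of an internal executive on an external address.
    if from_name.lower() in EXECUTIVES and from_dom != INTERNAL_DOMAIN:
        reasons.append(f"executive name '{from_name}' on external address")
    # 4. Authentication results already say the sender is not who it claims.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("spf/dkim failure")

    score = HEADER_WEIGHT * len(reasons)
    # 5. BEC vocabulary in subject and body, capped so keywords alone cannot hold mail.
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    hits = [k for k in BEC_KEYWORDS if k in text]
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
        score += min(len(hits), KEYWORD_CAP)
    return {"score": score, "reasons": reasons, "flagged": score >= FLAG_THRESHOLD}


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <ceo-office@mail-relay.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Subject: Urgent: wire transfer needed today
Content-Type: text/plain

Please process a payment of 48,500 to the new vendor before noon.
Bank details are attached. Keep this confidential until the deal closes.
"""

BENIGN_SAMPLE = """\
From: "Bob Smith" <bob.smith@example.com>
Subject: Lunch on Thursday
Content-Type: text/plain

Are you free Thursday? The usual place works for me.
"""

if __name__ == "__main__":
    for name, raw in (("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = score_message(raw)
        print(name, verdict["score"], "HOLD" if verdict["flagged"] else "deliver")
        for r in verdict["reasons"]:
            print("   -", r)
```

The weighting is deliberate: each header anomaly is worth two points and keyword hits are capped at three, so a routine invoice reminder from a verified internal sender stays below the threshold, while one spoofing signal plus finance vocabulary is enough to hold the message for review.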