SpaceCobra Uses Android GravityRAT Malware to Target WhatsApp Backups
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Researchers at ESET have discovered a new version of the Android GravityRAT spyware. Targeting WhatsApp users, it is a trojanized version of the legitimate OMEMO IM app, distributed under the names BingeChat and Chatico.
Active since 2015, GravityRAT is a remote access tool that has been used against specific targets based in India. It is a cross-platform tool whose origin remains unknown, but ESET researchers internally associate it with the group SpaceCobra.
The malware, which is capable of compromising Windows, macOS and Android, is believed to have been active in this form since August 2022. It can not only access all files stored in WhatsApp backups but also exfiltrate sensitive information from the user's device.
The messaging apps BingeChat and Chatico are not available on the Google Play store; instead they are distributed through bingechat[.]net and chatico[.]co[.]uk, dubious websites that promote free file-sharing and chat services.
The malware has been designed to extract all data from WhatsApp backups and receive remote instructions to delete information including call logs, contacts, and specific files. “These are very specific commands that are not typically seen in Android malware,” noted ESET’s research.
Without the victim's knowledge, GravityRAT also extracts sensitive data such as SMS messages, location data, files including photos, videos and audio recordings, and call logs, all of which are transferred to an attacker-controlled C2 server. It obtains this information through the legitimate functionality of an Android app: it requests the standard permissions covering access to the relevant functions and files, and the user grants them.
According to ESET researchers, Chatico is no longer active, but BingeChat is still operational. Both apps are used against specific targets. For instance, the documented SpaceCobra attack that deployed Chatico was aimed at an India-based user. BingeChat can only be downloaded after registration, which is not open to everyone.
"The BingeChat app is distributed through a website that requires registration, likely open only when the attackers expect specific victims to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. In any case, the campaign is very likely highly targeted," noted the research.
Since GravityRAT keeps appearing in new and updated versions, it is essential that Android users follow strict security practices, including using antivirus software, to mitigate such threats.
New Golang-Based Malware Skuld Targets Discord and Web Browsers to Steal Sensitive Data
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
A new malware strain written in the popular Golang programming language has been compromising Windows-based systems worldwide. Dubbed Skuld by researchers at Trellix, the malware exfiltrates sensitive user information: by targeting the victim's system and Discord account, the threat actor steals information stored in browsers, system files and folders.
Skuld's modus operandi is quite similar to that of other stealers found in public open-source repositories, such as Creal Stealer, Luna Grabber and BlackCap Grabber.
When executed, the malware first checks whether it is running in a virtual environment by comparing the list of running processes against a predefined blocklist. If a match is found, Skuld terminates the matched process instead of removing itself. This is done to avoid detection during analysis.
Through this method of attack, the malware not only gathers system metadata but also extracts information stored in the browser and the system, such as login credentials, history, and cookies. It also collects system configuration data and information stored in Windows user profile folders like Music, OneDrive, Downloads, Documents, Videos, and Desktop.
The malware is able to bypass the protections of Better Discord and Discord Token Protector. By injecting JavaScript code into Discord, Skuld attempts to extract backup codes from the application, noted Trellix's report. The extracted information is sent to the actor via a Discord webhook or the Gofile upload service.
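The two exfiltration channels described above give defenders a concrete egress signal to look for. The following is an added detection example, not code from Trellix or the original article: it scans constructed proxy log lines for POSTs to Discord webhook URLs and to the Gofile upload endpoint. The log format and the Gofile host/path patterns are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines in an assumed "METHOD URL BYTES_SENT" format.
# The webhook id/token and sizes are made up; this is not real traffic.
SAMPLE_LOG = """\
POST https://discord.com/api/webhooks/1234567890/AbCdEfGhIjKlMnOpQrStUvWx 4096
GET https://discord.com/api/v9/users/@me 512
POST https://store1.gofile.io/uploadFile 2097152
POST https://api.gofile.io/getServer 128
GET https://example.org/index.html 2048
"""

# Discord webhooks live under /api/webhooks/<id>/<token>.
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+")
# Assumed Gofile upload path; adjust to what your proxy actually records.
GOFILE_UPLOAD_RE = re.compile(r"^/uploadFile$")


def classify(method, url):
    """Return a finding label for one request, or None if it looks benign."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if (method == "POST" and host in ("discord.com", "discordapp.com")
            and WEBHOOK_RE.match(parsed.path)):
        return "discord-webhook-post"
    if (method == "POST" and host.endswith(".gofile.io")
            and GOFILE_UPLOAD_RE.match(parsed.path)):
        return "gofile-upload"
    return None


def scan(log_text):
    """Return (label, host, bytes_sent) for every suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        method, url, size = parts
        label = classify(method, url)
        if label:
            findings.append((label, urlparse(url).hostname, int(size)))
    return findings


if __name__ == "__main__":
    for label, host, size in scan(SAMPLE_LOG):
        print(f"{label}: {host} ({size} bytes)")
```

Ordinary Discord API calls (the GET to /api/v9) are deliberately not flagged, so the rule fires on the webhook pattern rather than on Discord traffic in general.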
The report went on to say that the malware's developer is also working on a module to steal cryptocurrency assets. Researchers at Trellix have associated the threat actor known as Deathined with this malware; the actor holds accounts on various social media platforms such as GitHub, Telegram, Reddit, and Tumblr. It is believed that in future these accounts could be used to market the malware as a service to other hackers.
With the increasing use of Golang to develop this type of malware, and the growing targeting of social media platforms like Discord, it is important to have strong security measures in place. Use one of the best password managers to generate and store your passwords, and use an antivirus or a VPN to mitigate threats such as phishing and identity theft and stay safe in the ever-changing cybersecurity landscape.