A Syrian government-backed hacking campaign has begun to distribute coronavirus-themed applications that are actually spyware, according to new research from mobile security firm Lookout.
While some of the malware samples appear to have been created in March, the campaign is part of an espionage effort that has been in operation since at least January of 2018, according to Lookout. The campaign appears to target Arabic-speakers, Syrians, and those who may be critical of the Syrian government, Lookout Senior Security Intelligence Engineer Kristin Del Rosso told CyberScoop.
“This is an ongoing campaign that has used a variety of application titles,” Del Rosso said. “But as with any major political event, economic event, health event — a new crisis gives actors something new to talk about to infect people [with malware].”
In the last month alone, hackers tied to the Syrian government have leveraged at least 71 new malicious Android applications using coronavirus lures that are capable of capturing victim geolocation, contacts, pictures, audio, video, and more, according to Lookout.
“If your device is infected and someone is monitoring you because you’re a dissident, a rebel, a journalist, they now then know who you’re talking to, where you’re going, who you might meet up with,” Del Rosso said.
For anyone affected by the civil war in Syria, these capabilities pose a particular threat. Although the civil war has been ongoing for nine years, recent violence in northwest Syria has forced hundreds of thousands to flee their homes, where they are targeted in bombings, according to the United Nations.
The surveillance campaign is the latest evidence that nation-state hacking outfits are jumping at the chance to re-tool long-running espionage operations to exploit the pandemic to surreptitiously surveil citizens. Iran’s Ministry of Health encouraged its citizens in March to download an application disguised as a COVID-19 symptom tracker that was actually a delivery mechanism for spyware, for instance. Lookout researchers also recently uncovered a mobile malware campaign that leveraged a lookalike Johns Hopkins coronavirus tracking map to target people in Libya.
And while some governments have explicitly announced they are using smartphones to track the spread of the pandemic, the Syrian campaign does not appear to be as overt, nor targeted at stemming the virus’s spread.
For instance, one of the applications used in the Syrian campaign, which is disguised as an application that can take users’ body temperatures, asks users for permissions to capture pictures, videos, and to modify to delete contents of the SD card. But the application, which deploys AndoServer malware, has other capabilities it can run in the background without users’ awareness, according to Lookout. The malware may also track users’ geolocation, launch other applications, and record audio. It may also exfiltrate call logs, text messages, and contact lists. It may also call and send texts to certain contacts.
Some of the spyware applications the hackers are using don’t offer any legitimate uses to the victims at all, Del Rosso said.
Links to the Syrian government
Lookout researchers link this set of targeting with the Syrian government in part because the command-and-control server is located in a block of addresses that is owned by Tarassul, an internet service provider owned by Syrian Telecommunications Establishment (STE). In the past, STE has provided infrastructure for the Syrian state-backed hacking group, the Syrian Electronic Army (SEA).
Likewise, one of the aliases the SEA has used to create software in the past, “Allosh,” was used by the hackers in nearly two-dozen of this campaign’s APKs. This has led the researchers to believe that the group has gotten a little bit sloppy in covering their tracks, Del Rosso told CyberScoop.
The majority of the malicious applications in the Syrian surveillance campaign employ a customized version of commercially-available malware called SpyNote, which aligns with historical activity from the SEA. Syrian hackers are no stranger to repurposing commercially available malware — in a previous campaign, the SEA used AndroRat — an Android-focused RAT — but customized it into its own surveillance malware family dubbed SilverHawk.
Two puzzling questions
It’s not entirely clear how victims might be downloading the malware-laced applications, but the evidence point to victims downloading them from non-traditional sources. The apps are not offered on Google’s Play Store, according to Lookout.
As in past Syrian campaigns, it’s possible people are downloading them through watering hole sites that are designed to look like popular sites Syrians might typically visit, but actually serve to deliver the malicious app, Del Rosso suggested.
“We haven’t actually seen how it’s spread yet. But based on what we’ve seen in the past with this group, a watering hole would be a good assumption. It’s an efficient way of doing it,” Del Rosso said.
Lookout is also examining two lesser-known malware strains it found in the campaign, Del Rosso told CyberScoop. The strains, known as AndoServer and SLRat, do not appear to have been previously sold or mentioned on public forums.
“The group we think is behind this has a history of using publicly available mobile malware and then taking that mobile malware and customizing it to create their own tooling,” Del Rosso said. “But the other two, AndoServer and SLRat, those are much smaller…We’re still trying to figure out how they’re being used in a targeted sense.”
Del Rosso told CyberScoop that Lookout researchers are continuing to examine whether a specific individual or a small group are behind these two malware samples.