ATK80 (aka APT-C-27, GoldMouse or Golden Rat) is a threat actor active since at least November 2014. It has run long-term targeted attacks against organizations in the Syrian region using Android and Windows malware, with the objective of stealing sensitive information. Its malware is mainly disguised as common chat software such as ChatSecure, WhatsApp or Telegram. It also uses njRAT, a Remote Access Trojan publicly available since 2012 and often used against targets in the Middle East.
The group is thought to be a branch of the Syrian Electronic Army. Its initial access techniques include building fake websites, helped by typosquatting, that lead the user to download the malicious messaging app. The group has also used social media such as Facebook to induce users to download the malicious software from a specified link. 360 NetLab researchers assess that lure documents could also be used to deliver the payload through spear-phishing.
Its Android spyware can record audio, take photographs, obtain the GPS position, upload contacts, call records, SMS and files, and execute commands received from the C2. These capabilities allow the attacker to track a person efficiently. Over a four-year period the group moved from open-source malware such as njRAT or Downloader to its own custom Android RAT, Windows RAT and JavaScript backdoor. This development indicates that the group has resources, yet it used a small C2 infrastructure, with only 9 known C2 domains over the same period. The group also relies heavily on advanced phishing techniques rather than on exploiting sophisticated vulnerabilities.
This group attacks in waves:
In March 2019, the group started to use the WinRAR vulnerability CVE-2018-20250 (a path traversal in the handling of ACE archives that lets a crafted archive write a file into an arbitrary directory, such as the Startup folder) to install an embedded njRAT on a vulnerable computer. The language used in the malware and in the lure documents is Arabic. The lure documents deal with terrorist attacks, a sensitive subject in the Middle East, and other themes that easily arouse the user's curiosity.
The Android RAT is an application pretending to be "ChatSecure", "WordActivation", "whatsappupdate_2017", "?????_??_??" and other common chat or office software. It urges the user to activate it as a device administrator (through Android Device Manager) so that it cannot be easily uninstalled, then hides its icon and runs in the background. After establishing a connection with the C2 it waits for commands and steals data from WhatsApp, Viber and other applications. It can record audio, take photographs, obtain the GPS position, upload contacts, call records, SMS and files, execute cloud commands in XML format, etc.
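The two persistence tricks described above (a device-administrator receiver that blocks uninstall, and disabling the launcher component to hide the icon) both leave static traces that can be checked before installation. The following triage script is an added example, not code from the original page or from any vendor analysis: it parses a decoded AndroidManifest.xml and a list of strings extracted from the app's DEX (as produced by apktool or dexdump) and scores the combination of spyware permissions, device-admin receiver, icon-hiding API strings and a chat-app lure name. The manifest, the string list, the permission set and the scoring thresholds are all constructed assumptions for illustration.

```python
"""
Static triage heuristic for Android spyware that abuses the device
administrator API and hides its launcher icon. Added example: the sample
manifest and DEX strings below are constructed, and the thresholds are
assumptions, not indicators published for this family.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark-notation prefix for android: attributes

# Permissions that together give the record / photograph / locate /
# upload contacts, call logs and SMS capability set.
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# DEX strings that show the app disabling its own launcher component
# (icon hiding). Heuristic only: legitimate apps occasionally use this API.
HIDE_ICON_STRINGS = {"setComponentEnabledSetting", "COMPONENT_ENABLED_STATE_DISABLED"}

# Chat-app names imitated by the lures (assumed list).
LURE_NAMES = ("chatsecure", "whatsapp", "telegram", "viber")


def triage_manifest(manifest_xml: str, dex_strings):
    """Return a dict of findings plus an integer score and a verdict."""
    root = ET.fromstring(manifest_xml)
    findings = {}

    perms = {u.get(A + "name") for u in root.iter("uses-permission")}
    findings["spy_permissions"] = sorted(perms & SPY_PERMISSIONS)

    # A receiver protected by BIND_DEVICE_ADMIN that listens for
    # DEVICE_ADMIN_ENABLED is what the "activate device administrator"
    # prompt wires up; once active, a plain uninstall is refused.
    findings["device_admin"] = False
    for recv in root.iter("receiver"):
        if recv.get(A + "permission") != "android.permission.BIND_DEVICE_ADMIN":
            continue
        actions = {act.get(A + "name") for act in recv.iter("action")}
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            findings["device_admin"] = True

    findings["hides_icon"] = HIDE_ICON_STRINGS <= set(dex_strings)

    app = root.find("application")
    label = (app.get(A + "label") if app is not None else "") or ""
    pkg = root.get("package") or ""
    findings["lure_name"] = any(n in (label + pkg).lower() for n in LURE_NAMES)

    score = ((len(findings["spy_permissions"]) >= 4) + findings["device_admin"]
             + findings["hides_icon"] + findings["lure_name"])
    findings["score"] = int(score)
    findings["verdict"] = "suspicious" if score >= 3 else "review"
    return findings


# Constructed sample: a fake "ChatSecure" update with a device-admin receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.chatsecure.update">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="ChatSecure">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample of strings pulled from the DEX of the same app.
SAMPLE_DEX_STRINGS = [
    "Landroid/content/pm/PackageManager;",
    "setComponentEnabledSetting",
    "COMPONENT_ENABLED_STATE_DISABLED",
    "Landroid/app/admin/DevicePolicyManager;",
]

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS).items():
        print(f"{key}: {value}")
```

The score is deliberately additive rather than a single rule, because each trace on its own is also found in legitimate software (MDM agents register device-admin receivers, launchers disable components); it is the combination with a chat-app lure name and a full spyware permission set that matches this family's behaviour.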
The Windows RAT pretends to be the Telegram chat application, relying on careful social engineering (well-chosen icons and names, well-made interfaces) and a fake installation interface to lead the user to install the malware and, when needed, malicious updates. It is written in .NET and has common backdoor capabilities: upload, download, create, move, delete, rename, run, zip and unzip files; list processes and kill a process; take and upload a screenshot; execute a command.
The group has also used a large number of obfuscated VBS scripts with backdoor functionality.
A JavaScript backdoor can create a file or script in the temp directory and run it, read a specified environment variable, execute a command and update itself.
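The VBS and JavaScript backdoors above share one observable pattern on the endpoint: a Windows script host (wscript.exe or cscript.exe) running a script from a temp or user-profile directory and then spawning a shell to execute commands. The following detection logic is an added example, not code from the original page: it runs three rules over process-creation events. The events are constructed in a Sysmon Event ID 1-like shape, and the field names (Image, ParentImage, CommandLine), the directory list and the rule names are assumptions for illustration.

```python
"""
Detection of script-host backdoors (VBS/JS stagers run from user-writable
directories, then spawning a shell). Added example; the events below are
constructed and the field names assume a Sysmon EID 1-style record.
"""
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SHELLS = ("cmd.exe", "powershell.exe")
OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b", re.IGNORECASE)
# User-writable locations where a dropped stager is written; the JS
# backdoor described on the page creates and runs its scripts in the temp dir.
WRITABLE_DIRS = re.compile(r"\\(temp|tmp|appdata|downloads|public)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule_name, event) tuples for every matching event."""
    alerts = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")

        # Rule 1: script host executing a script that lives in a writable dir.
        if image in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and WRITABLE_DIRS.search(cmd):
            alerts.append(("script_host_from_writable_dir", ev))

        # Rule 2: shell spawned by a script host (the "execute a command" capability).
        if image in SHELLS and parent in SCRIPT_HOSTS:
            alerts.append(("shell_spawned_by_script_host", ev))

        # Rule 3: script host launched by an Office process (lure document delivery).
        if image in SCRIPT_HOSTS and parent in OFFICE:
            alerts.append(("script_host_from_office", ev))
    return alerts


# Constructed sample events: two benign, two from a simulated infection chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",            # benign domain logon script
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r'wscript.exe "\\dc01\netlogon\logon.vbs"'},
    {"Image": r"C:\Windows\System32\wscript.exe",            # stager dropped in %TEMP%
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\update.js"'},
    {"Image": r"C:\Windows\System32\cmd.exe",                # backdoor running a command
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'cmd.exe /c whoami > "C:\Users\u\AppData\Local\Temp\out.txt"'},
    {"Image": r"C:\Windows\System32\cmd.exe",                # benign interactive shell
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]


def rule_names(events):
    """Convenience: the ordered list of rule names that fired."""
    return [name for name, _ in detect(events)]


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(name, "->", ev["CommandLine"])
```

Rule 1 is the noisiest of the three in practice, since software installers also run scripts from AppData; the parent-child rules (2 and 3) are what turn a single event into the backdoor chain the page describes, so in a SIEM they should be correlated on the process GUID rather than alerted on independently.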