Security researchers have discovered an Asian-based APT group hiding information-stealing malware inside Santa and other Christmas-themed mobile apps.
CloudSek CTO Rahul Sasi claimed in a blog post that the “Santa-APT” group appears to be engaged in both economically motivated IP theft and gathering intelligence which could be useful for governments.
It was first spotted selling desktop malware on underground forums designed specifically to jump air-gapped systems.
“Given the type of documents the attackers are seeking, it was collecting classified data from software companies and government organisations,” Sasi explained.
That malware grabs files and screenshots before sending it back to a C&C server in Germany.
A separate USB module allows attackers to copy data from an infected machine to a plugged-in thumb drive and then send it back to the hacker when it reaches an internet connected machine, Sasi said.
CloudSek also discovered unused folders for keylogs and voice recordings, hinting that the trojan may still be in development.
The security firm tracked the APT group to South Asia, revealing that it claims to provide “software development consultation” and spyware to monitor employees.
The group is actively recruiting mobile app developers, and has been pushing out Christmas-themed mobile games loaded with malware, which connect back to the same IP address in Germany as the desktop trojan.
It’s designed to steal a range of data from the victim’s device including contacts, SMS, call records, location info, calendar, photos, and browser history.
Even though users have to grant the Android app permissions before it can start nabbing info, it’s already infected around 8,000 devices, Sasi claimed.
“This Christmas make sure you think about security before installing an app,” he warned.
“Verify the permissions you are granting an application before accepting them. Ensure that an application has enough legitimate reviews. And last but not the least, do not let someone else install any application on your official/personal devices.”
SOURCE: Phil Muncaster