New types of computer malware target military and nuclear entities
Military, Nuclear Entities Under Target By Novel Android Malware, Threatpost, Lindsey O’Donnell, February 11, 2021

The two malware families have sophisticated capabilities to exfiltrate SMS messages, WhatsApp messaging content and geolocation.

Researchers have uncovered two novel Android surveillanceware families being used by an advanced persistent threat (APT) group to target military, nuclear and election entities in Pakistan and Kashmir. The two malware families, which researchers call “Hornbill” and “SunBird,” have sophisticated capabilities to exfiltrate SMS messages, encrypted messaging app content and geolocation, as well as other types of sensitive information. Researchers first saw Hornbill as early as May 2018, with newer samples of the malware emerging in December 2020. They said the first SunBird sample dates back to 2017 and that it was last seen active in December 2019.

“Hornbill and SunBird have both similarities and differences in the way they operate on an infected device,” said Apurva Kumar, staff security intelligence engineer, and Kristin Del Rosso, senior security intelligence researcher, with Lookout, on Thursday. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”

Malware Attack Targeting Military, Nuclear, Election Entities

The malware strains were seen in attacks targeting personnel linked to Pakistan’s military and various nuclear authorities, and Indian election officials in Kashmir. Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley (and a previous target for other Android malware threat actors). “While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for SunBird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan,” Kumar told Threatpost. “According to the publicly exposed exfiltrated data we were able to find, individuals in at least 14 different countries were targeted.” …

SunBird has been disguised as applications such as security services (including a fictional “Google Security Framework”), apps tied to specific locations (like “Kashmir News”) or activities (like “Falconry Connect” or “Mania Soccer”). Researchers said the majority of these applications appear to target Muslim individuals. Meanwhile, Hornbill applications impersonate various chat (such as Fruit Chat, Cucu Chat and Kako Chat) and system applications.

“Considering many of these malware samples are trojanized – as in they contain complete user functionality – social engineering may also play a part in convincing targets to install the malware,” said Kumar and Del Rosso. “No use of exploits was observed directly by Lookout researchers.”

Malware Cybersecurity Surveillance Capabilities

Both malware families have a wide range of data exfiltration capabilities. They are able to collect call logs, contacts, device metadata (such as phone numbers, models, manufacturers and Android operating system version), geolocation, images stored on external storage and WhatsApp voice notes. In addition, both families can request device administrator privileges, take screenshots of whatever victims are currently viewing on their devices, take photos with the device camera, record environment and call audio, and scrape WhatsApp messages, contacts and notifications (via the Android accessibility service feature).

SunBird has a more extensive set of malicious functionalities than Hornbill, with the ability to upload all data at regular intervals to its C2 servers. For instance, SunBird can also collect a list of installed applications on the victims’ devices, browser history, calendar information, WhatsApp audio files, documents, databases, images and more. And it can run arbitrary commands as root or download attacker-specified content from FTP shares.

“In contrast, Hornbill is more of a passive reconnaissance tool than SunBird,” said Kumar and Del Rosso. “Not only does it target a limited set of data, the malware only uploads data when it initially runs and not at regular intervals like SunBird. After that, it only uploads changes in data to keep mobile data and battery usage low.” …

State-Sponsored APT Behind The Cyberattack

The malware families have been linked “with high confidence” to the APT Confucius. This APT has been on the cybercrime scene since 2013 as a state-sponsored, pro-India actor. The APT has previously targeted victims in Pakistan and South Asia. “We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes,” said Kumar and Del Rosso.

https://threatpost.com/military-nuclear-entities-under-target-by-novel-android-malware/163830/
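The capabilities described above (device administrator privileges, an accessibility service used to scrape messaging content, and broad SMS, call-log, contacts, location, audio and camera access) all leave traces in an app's manifest, which is where a practitioner would start triaging a suspect APK. The script below is an added example, not Lookout's tooling and not code from either malware family: it parses a decoded AndroidManifest.xml (the text form that apktool writes out) and scores the combination of collection permissions and privileged components the article attributes to Hornbill and SunBird. The two sample manifests, their package names and the scoring threshold are constructed for illustration.

```python
"""Manifest triage for the surveillanceware traits described in the article.

Added example, not Lookout's tooling and not code from Hornbill or SunBird.
Sample manifests, package names and the threshold are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission -> data category the article says both families collect.
COLLECTION_PERMS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.RECORD_AUDIO": "environment and call audio",
    "android.permission.CAMERA": "camera photos",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage images",
}

# Constructed threshold: several data categories plus a privileged component.
SUSPICIOUS_SCORE = 6


def triage_manifest(manifest_xml: str) -> dict:
    """Return collection categories, privileged components, score and verdict."""
    root = ET.fromstring(manifest_xml)
    categories = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ATTR_NAME)
        if name in COLLECTION_PERMS:
            categories.add(COLLECTION_PERMS[name])

    device_admin = False
    accessibility_service = False
    app = root.find("application")
    if app is not None:
        # A device-admin receiver is declared with the BIND_DEVICE_ADMIN permission.
        for receiver in app.iter("receiver"):
            if receiver.get(ATTR_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN":
                device_admin = True
        # An accessibility service is declared with BIND_ACCESSIBILITY_SERVICE;
        # the article says this hook is used to scrape WhatsApp content.
        for service in app.iter("service"):
            if service.get(ATTR_PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                accessibility_service = True

    # Each data category scores 1; each privileged component scores 2.
    score = len(categories) + 2 * device_admin + 2 * accessibility_service
    return {
        "package": root.get("package"),
        "categories": sorted(categories),
        "device_admin": device_admin,
        "accessibility_service": accessibility_service,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "unremarkable",
    }


# Constructed manifest resembling a trojanized chat app (hypothetical package).
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Chat">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest for an ordinary camera app, for contrast.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Camera">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The scoring is deliberately coarse: a legitimate messaging app can hold several of these permissions, so the verdict is a triage signal that points an analyst at the device-admin receiver and accessibility service for manual review, not a detection on its own. The article notes that these samples were trojanized copies of working apps installed through social engineering rather than exploits, which is exactly why the manifest, rather than any exploit artefact, is the first thing to look at.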