Source |
RiskIQ |
Identifier |
8624570 |
Publication date |
2024-12-13 12:29:31 (viewed: 2024-12-13 13:08:40) |
Title |
Russian APT Gamaredon Deploys New Mobile Spyware Targeting Former Soviet States |
Text |
#### Targeted Geolocations
- Uzbekistan
- Kazakhstan
- Tajikistan
- Kyrgyzstan
## Snapshot
Researchers at Lookout Threat Lab have uncovered two Android surveillance tools, BoneSpy and PlainGnome, linked to the Russian APT group Gamaredon (tracked by Microsoft as Aqua Blizzard). These tools have been targeting Russian-speaking individuals in former Soviet states, with BoneSpy active since at least 2021 and PlainGnome emerging in 2024.
## Description
BoneSpy and PlainGnome both collect sensitive mobile data such as SMS messages, call logs, photos, device location, and contact lists from Android devices. BoneSpy is derived from the Russian open-source DroidWatcher project, while PlainGnome does not share that code base and instead acts as a dropper for a surveillance payload. Of note, BoneSpy can be controlled via SMS messages.
The attribution to Gamaredon is based on shared IP addresses, domain naming conventions, and the use of dynamic DNS providers, all of which are consistent with the group's operations. According to Lookout Threat Lab, these are the first mobile malware families to be publicly attributed to Gamaredon.
The malware likely spreads through targeted social engineering, with BoneSpy evolving to use trojanized Telegram apps as lures, indicating possible enterprise targeting. PlainGnome's deployment involves a minimal first stage that drops a malicious APK, followed by a second stage that carries out the surveillance activities.
The command and control infrastructure for both families uses the No-IP dynamic DNS service and is linked to the Russian ISP Global Internet Solutions LLC, owned by Yevgeniy Valentinovich Marinko, who has a history of involvement in hacker forums and stolen-credential trading.
## Microsoft Analysis and Additional OSINT Context
The actor that Microsoft tracks as [Aqua Blizzard](https://sip.security.microsoft.com/intel-profiles/9b01de37bf66d1760954a16dc2b52fed2a7bd4e093dfc8a4905e108e4843da80) (aka Gamaredon) is a nation-state activity group based out of Russia. The [Ukrainian government has publicly attributed](https://ssu.gov.ua/en/novyny/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy) this group to the Russian Federal Security Service (FSB). Aqua Blizzard is known to primarily target organizations in Ukraine including government entities, military, non-governmental organizations, judiciary, law enforcement, and non-profit, as well as entities related to Ukrainian affairs. Aqua Blizzard focuses on espionage and exfiltration of sensitive information.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Only install apps from trusted sources and official stores, like the Google Play Store and Apple App Store.
- Never click on unknown links received through ads, SMS messages, emails, or similar untrusted sources.
- Use mobile solutions such as [Microsoft Defender for Endpoint](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) on Android to detect malicious applications.
- Always keep the "Install unknown apps" setting disabled on the Android device to prevent apps from being installed from unknown sources.
- Avoid granting SMS permissions, notification listener access, or accessibility access to any applications without a strong understanding of why the application needs it. These are powerful permissions that are not commonly needed.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
*Microsoft Defender Antivirus detects the threat components as the following malware.*
- *[Trojan:AndroidOS/Multiverze](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:AndroidOS/Multiverze)*
## References
[Russian APT Gamaredon Deploys New Mobile Spyware Targeting Former Soviet States](https:// |
Notes |
★★★
|
Sent |
Yes |
Digest |
|
Tags |
Malware
Tool
Threat
Legislation
Mobile
|
Stories |
|
Move |
|