Rewterz Threat Alert – China-linked Group APT41 Targets Mobile Devices With New WyrmSpy and DragonEgg Spyware – Active IOCs

Severity

High

Analysis Summary

A cybersecurity firm has identified a China-linked cyberespionage group APT41, also known as Winnti, Axiom, Barium, Blackfly, and HOODOO, which has been using two previously unknown Android spyware named WyrmSpy and DragonEgg. APT41 has been active since at least 2007 and has not slowed down despite recent indictments by the U.S. government. The group is now targeting mobile devices, considering them high-value targets for their cyber espionage operations.

The researchers linked WyrmSpy and DragonEgg by identifying overlapping Android signing certificates. Some versions of WyrmSpy were found to use unique signing certificates later used by the author of DragonEgg. Additionally, they discovered a connection between the malware’s Command and Control (C2) infrastructure and Chengdu 404, as evidenced by the use of an IP address associated with APT41’s hacking infrastructure between May 2014 and August 2020.



Researchers first detected WyrmSpy in 2017 and DragonEgg in early 2021, with the most recent samples of DragonEgg dating back to April 2023. WyrmSpy initially masquerades as a default Android system app for displaying notifications, but later variants disguise themselves as adult video content, the “Baidu Waimai” food delivery platform, and Adobe Flash. On the other hand, DragonEgg pretends to be third-party Android keyboards and messaging apps like Telegram.

After installation, both spyware requests extensive device permissions and rely on downloaded modules to exfiltrate data from infected devices. WyrmSpy can collect log files, photos, device location, SMS messages (read and write), and audio recordings. It gains escalated privileges on the device using known rooting tools and follows commands from its C2 servers to carry out surveillance activities. DragonEgg also utilizes additional payloads to implement sophisticated surveillance capabilities, collecting device contacts, SMS messages, external device storage files, device location, audio recordings, and camera photos.

WyrmSpy uses popular rooting tools like KingRoot11 and IovyRoot/IvyRoot12, and it can disable SELinux on compatible Android versions. If the packaged rooting tool fails or doesn’t exist, and if the device isn’t already rooted, the malware queries the C2 infrastructure with the device’s model and kernel version to receive a response containing a file name, which the malware uses to download additional rooting binaries from the C2 infrastructure if available. Notably, Google confirmed that the malicious apps were not detected on Google Play based on their current detection capabilities.

“If the packaged rooting tool does not work or does not exist, and if the device is not already rooted, the malware queries the C2 infrastructure with the model and kernel version of the infected device. It then receives a response containing a file name which the malware uses to download additional rooting binaries from C2 infrastructure if one exists for the specified device.” they conclude.

Impact

• Espionage and Data Theft
• Financial Loss

Indicators of Compromise

IP

• 118.193.39.165
• 121.201.109.98
• 103.43.17.99

MD5

• 015f01cacca56bb4c8b1978a29194491
• c77842c3bb14316476d220685441276a
• 0424b9dca148e291178acae85797b9e3
• 06b682d3ffd19785745ce7d53f3ff454
• 1e3b46c0d30c4bad4cce8adec2af1154
• 427d75d2b1d398b91b5b090c6cc844ec
• fffc97a8c116cd72aed5d75b6d806311

SHA-256

• 38e18d79b83e7c0afbe1ac246a7a5fe6b2783adc085e9aeb2ec610e76f5ccaad
• 92ce9de120ebd88f0126644697e9840489b2c2497e5c99acfa7dd680d98cf075
• c45a82123c985f2fd18e6763b76443ba6c49d12df3d7fe445a19c8fcdc6de846
• 4fd5f3c3e4bc4c354d0e4de0bebfdb85e1bab5e5f1ea24ce18b947377a7e2423
• 68494cde4ee344cba80e8651c579418f2ce534018d88745797f030a3115ed19b
• 9ef830205b7cf0d59d495f722fc61cc3a9f938972e24bae05fa8620b43ed264a
• ee90d36b384d92a0c9609eab0a3fe0f2af245c281473b4ff0cdd8caeed34fe97

SHA-1

• d02f548d354adff645318de6edc45dff23170241
• 2438069c43771f0011da2f22b57b8336aaa7562c
• 5c2fc57609ee28753b78a0f33ba7519fc9fbb6f8
• 53c745956c3501d1daf232aeea5edfb52168c6b4
• cab70e99516a36ab0f0d3851375adf0740f4bd5e
• 81762cfae0bd5585e8c0c86e4fdbbe47d2dd614a
• fbda76a2c2834f89d642a72c24b1988a1f56e4b8

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable MFA wherever possible to add an extra layer of security to online accounts and prevent unauthorized access.
• Download apps only from official app stores like Google Play Store or Apple App Store. Avoid sideloading apps from untrusted sources, as this can increase the risk of malware infections.
• Be cautious when granting permissions to apps. Review the permissions requested by apps and avoid giving unnecessary access to sensitive data or functions.
• Conduct security audits and vulnerability assessments to identify and address potential weaknesses in the network and infrastructure.
• Restrict access to sensitive data and critical systems. Employ the principle of least privilege to ensure that users only have access to the resources necessary for their roles.
• Maintain regular backups of critical data and verify their integrity. In case of a ransomware attack or data breach, having backups can help in recovery without paying a ransom.
• Develop and practice an incident response plan to handle security incidents effectively. This plan should include procedures for identifying, containing, and eradicating malware.