Rewterz Threat Alert – Patchwork Utilizes Romance Scams to Spread VajraSpy Malware on Android Devices – Active IOCs

Severity

High

Analysis Summary

The threat actor Patchwork employed romance scam tactics to target victims in Pakistan and India, infecting their Android devices with the VajraSpy remote access trojan. A cybersecurity cybersecurity firm identified 12 espionage apps, with six available on the official Google Play Store, collectively amassing over 1,400 downloads from April 2021 to March 2023. VajraSpy, described by security researcher Lukáš Štefanko, possesses various espionage functionalities, stealing contacts, files, call logs, SMS messages, and extracting WhatsApp and Signal messages, recording calls, and capturing images with the camera.

Approximately 148 devices in Pakistan and India were compromised by malicious apps masquerading as messaging applications, the latest propagated as recently as September 2023. Noteworthy among them is Rafaqat رفاق, a non-messaging app advertised as a news platform, which gained 1,000 downloads on Google Play before removal on October 26, 2022, by a developer named Mohammad Rizwan.

“The first group comprises all the trojanized messaging applications that used to be available on Google Play, i.e., MeetMe, Privee Talk, Let’s Chat, Quick Chat, GlowChat, and Chit Chat. It also includes Hello Chat, which wasn’t available on Google Play,” researchers mentioned.

– timeline

The distribution vector for the malware remains unclear, but it is suspected that targets were deceived into downloading the apps through a honey-trap romance scam, convincing them to install the malicious apps for more secure conversations. This is not the first time Patchwork has utilized such techniques, as evidenced by a March 2023 revelation by Meta about fictitious personas on Facebook and Instagram sharing rogue app links, targeting victims in various countries.

The attackers have previously deployed VajraRAT, documented by QiAnXin in early 2022 in a campaign targeting Pakistani government and military entities. Qihoo 360 linked VajraSpy to a threat actor it tracks as Fire Demon Snake (APT-C-52). Outside Pakistan and India, Nepalese government entities were likely targeted through a phishing campaign delivering a Nim-based backdoor, attributed to the SideWinder group with Indian interests.

Financially motivated threat actors from Pakistan and India targeted Indian Android users with a fake loan app (Moneyfine or “com.moneyfine.fine”) as part of an extortion scam manipulating selfies uploaded during the know your customer (KYC) process. These actors promised quick loans, delivered malware to compromise devices, and threatened victims with doctored photos distributed to contacts.

A broader trend involves people falling prey to predatory loan apps harvesting sensitive information and using blackmail and harassment tactics. The Network Contagion Research Institute reported an increase in financial sextortion attacks on teenagers from Australia, Canada, and the U.S. by Nigeria-based cybercriminal group Yahoo Boys. The Wizz app, implicated in the report, denied awareness of successful extortion attempts and had its Android and iOS apps removed from app stores.

Impact

• Unauthorized Remote Access
• Cyber Espionage

Indicators of Compromise

MD5

• e95c7b7d33ffa747dc9dea6701fc1159
• 21e996e74ed60a618413c4d703906f74
• 259035caab78d2f18fb022dc30552470
• b62e21c2a7091da95bd8c345b4e963bf
• 195a6f2c703375a90a614f7a25c962d4
• 84504c2f077b1c73ec3a64bfa4429cf4
• 666ca68e8a21ae09ed20722d06a06a0b

SHA-256

• c06f8c3fd23ae7124cc06eb63c0411418715bf99d3c9fa66525790b2b4c61858
• 1f744fcc5b503328e8707c93f36904d17d2a71db3aa948803c98a5d54160b878
• 35f52cb5085cc58e8d005d249bfcaa17244f1be3147780e1ac64990006db2ccc
• c547fc04afad7538be1c638019867145dabf630afc2eba1ece7f972892598a65
• 0757de1fd165f72a084f955dc3fe45480a92b18b6153e116d1992586ca8ccd02
• 2fdb7c4430660cb49547ac2828a631810d4e3d245a6501ce00825faa169cb7d0
• 1e2c03876cb0a4dfb588be0de5bffd11aff57d556dbfb8a92793470ab3c66038

SHA-1

• baf6583c54fc680aa6f71f3b694e71657a7a99d0
• 846b83b7324dfe2b98264bafac24f15fd83c4115
• 5cfb6cf074ff729e544a65f2bcfe50814e4e1bd8
• 1b61dc3c2d2c222f92b84242f6fcb917d4bc5a61
• 5f860d5201f9330291f25501505ebab18f55f8da
• 3b27a62d77c5b82e7e6902632da3a3e5ef98e743
• 44e8f9d0cd935d0411b85409e146acd10c80bf09

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise IOCs in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Encourage users to regularly update their Android devices and install security patches to mitigate vulnerabilities that threat actors may exploit.
• Advocate for the implementation of multi-factor authentication wherever possible to add an extra layer of security, especially for sensitive applications like messaging and financial apps.
• Organizations should conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in their systems and networks.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.