As reported inward our previous article, before this calendar month researchers at Talos threat word unit of measurement discovered a grouping of Indian hackers abusing mobile device management (MDM) service to hijack together with spy on a few targeted iPhone users inward India.
Operating since August 2015, the attackers convey been institute abusing MDM service to remotely install malicious versions of legitimate apps, including Telegram, WhatsApp, together with PrayTime, onto targeted iPhones.
These modified apps convey been designed to secretly spy on iOS users, together with bag their real-time location, SMS, contacts, photos together with private messages from third-party chatting applications.
During their ongoing investigation, Talos researchers identified a novel MDM infrastructure together with several malicious binaries – designed to target victims running Microsoft Windows operating systems – hosted on the same infrastructure used inward previous campaigns.
- Ios-update-whatsapp[.]com (new)
- Wpitcher[.]com
- Ios-certificate-update.com
"We know that the MDM together with the Windows services were upward together with running on the same C2 server inward May 2018," researchers said inward a blog post published today.
"Some of the C2 servers are notwithstanding upward together with running at this time. The Apache setup is really specific, together with perfectly matched the Apache setup of the malicious IPA apps."
Possible Connections with "Bahamut Hacking Group"
The newly identified MDM infrastructure, which was created inward Jan 2018, together with used from Jan to March of this year, targeted 2 Indian devices together with ane located inward Qatar with a British telephone number.
According to the researchers, Bahamut likewise targeted similar Qatar-based individuals during their Android malware campaign, every bit detailed past times Bellingcat inward a blog post.
"Bahamut shared a domain holler with ane of the malicious iOS applications mentioned inward our previous post," researchers said.Apart from distributing modified Telegram together with WhatsApp apps with malicious functionalities, the newly-identified server likewise distributes modified versions of Safari browser together with IMO video chatting app to bag to a greater extent than personal information on victims.
"The novel MDM platform nosotros identified has similar victimology with Middle Eastern targets, namely Qatar, using a United Kingdom mobile number issued from LycaMobile. Bahamut targeted similar Qatar-based individuals during their campaign."
Attackers Using Malicious Safari Browser to Steal Login Credentials
"The malware continuously monitors a spider web page, seeking out the HTML cast fields that concur the username together with password every bit the user types them inward to bag credentials. The names of the inspected HTML fields are embedded into the app amongst the domain names," the researchers said.The malicious browser contains iii malicious plugins—Add Bookmark, Add To Favourites, together with Add to Reading List—that only similar the other apps, ship stolen information to a remote attacker-controlled server.
At this time, it's unclear who is behind the campaign, who was targeted inward the campaign, together with what were the motives behind the attack, but the technical elements propose the attackers are operating from India, together with are well-funded.
Researchers said that those infected with this sort of malware ask to enroll their devices, which agency "they should hold upward on the lookout adult man at all times to avoid accidental enrollment."
The best way to avoid beingness a victim to such attacks is to e'er download apps from official app store.
