In the shadowy corners of the digital world, cyber threats lurk, ever-evolving and increasingly cunning. Today, we shine a spotlight on a recent campaign that has seen the notorious APT41 hacking group turn their attention to Android devices, deploying two newly discovered spyware strains, WyrmSpy and DragonEgg. This revelation, brought to light by Lookout security researchers, underscores the relentless innovation of threat actors and the persistent danger they pose.
APT41: A Brief Overview
APT41, a Chinese state-backed hacking group, is one of the oldest and most persistent cyber threat actors. Known for their extensive targeting of various industries in the USA, Asia, and Europe, they have a history of conducting cyber-espionage operations against entities across various industry sectors, including software development, hardware manufacturing, think tanks, telcos, universities, and foreign governments.
APT41 operates under various aliases, including Winnti, BARIUM, Blackfly, GREF, Group 72, Red Kelpie, Grayfly, LEAD, WICKED SPIDER, WICKED PANDA, BRONZE ATLAS, BRONZE EXPORT, and most recently, Earth Baku. In September 2020, the U.S. Department of Justice charged five Chinese nationals linked to APT41 for their involvement in cyberattacks on more than 100 companies.
The Threat
In this latest campaign, APT41 is targeting Android devices with the WyrmSpy and DragonEgg spyware strains. Lookout first identified WyrmSpy in 2017 and DragonEgg in early 2021, with the most recent example dating back to April 2023.
Both Android malware strains come with extensive data collection and exfiltration capabilities activated on compromised Android devices after deploying secondary payloads. While WyrmSpy disguises itself as a default operating system app, DragonEgg is camouflaged as third-party keyboard or messaging apps, using these guises to evade detection.
MITRE ATT&CK TTPs
The threat actors used a variety of tactics and techniques that align with the MITRE ATT&CK framework. These include:
- Masquerading (T1036): The threat actors used the guise of default operating system apps and third-party keyboard or messaging apps to disguise the malware’s true identity.
- Command and Control Infrastructure (T1583): The malware establishes a command-and-control server (C2) for communication and control.
Indicators of Compromise (IOCs)
At this time, specific IOCs related to WyrmSpy and DragonEgg have not been provided. However, the presence of unexpected network traffic related to Android devices or unusual data collection activities could be potential signs of compromise.
Conclusion
This activity serves as a reminder of the importance of maintaining up-to-date systems and being aware of the latest threats. It also highlights the lengths to which threat actors will go to disguise their malicious activities, including impersonating reputable apps.
Further Reading
For more information on this topic, please refer to the original article by BleepingComputer. For more information on APT41 and their aliases, you can refer to the following resources:
- Secureworks Threat Profiles
- Malpedia APT41 Overview
- Mandiant APT41 Report
- Trend Micro APT41 Resurgence
- Crowdstrike Adversaries