SpyMax RAT Attacking Android Users Via Telegram to Evade Detection


Researchers discovered a new Android RAT (Remote Administration Tool) called SpyMax targeting Telegram users. This RAT is particularly dangerous because it doesn’t require a rooted device, making it easier to infect victims. 

SpyMax steals personal data from the device and sends it to a remote server under the attacker’s control, where the attackers use phishing techniques to trick users into downloading a malicious app posing as a legitimate Telegram app, and once installed, it hides as a regular Telegram app to avoid detection. 

Telegram app Phishing page

The analyzed APK exploits granted permissions to function as a keylogging Trojan, creating a directory on external storage to store logs with filename timestamps.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

The malware gathers comprehensive location data, including altitude, latitude, longitude, precision, and device speed, which is compressed before transmission to the Command and Control (C2) server using the gZIPOutputStream API. 

Collects the device location information

The Remote Access Trojan (RAT) analyzed establishes communication with a Command and Control (C2) server at IP 154.213.65.28 on port 7771, where the port number is obfuscated within the malware. 

After a successful connection, the RAT transmits gzip-compressed data to the C2 server. Decompressing this data reveals the device’s IP address, potentially allowing the attacker to identify and further exploit the infected system. 

Decompressed gzip data showing IP address

In a Command and Control (C2) attack, the attacker’s server (C2) sends compressed data to the compromised device, containing system commands and a malicious APK payload. 

Security researchers at K7 Security Labs were able to decompress the data and extract the APK using a tool called Cyberchef.

The C2 server can send various commands to the victim’s device, including stealing files, taking screenshots, and recording audio.  

Using a mobile security product, keeping software updated, patching vulnerabilities, and only downloading applications from reliable sources can stop these attacks. 

 Commands sent by the C&C

An analysis of indicators of compromise (IoCs) suggests a potential Trojan infection (005a5d9c1) spread through a malicious Android package (reputation.printer.garmin, hash: 9C42A99693A2D68D7A19D7F090BD2977) disguised as an application download from https://telegroms[.]icu/assets/download/ready.apk. 

The malware may attempt to evade detection by obfuscating files or information and avoiding sandboxes, which could also discover and collect data from the infected system, potentially including email content, through unknown techniques.

The communication with the command and control server (C2) might utilize an encrypted channel on a non-standard port (154.213.65.28:7771).

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files



Source link