The email's RAR attachment contains an EXE file: the first malware, which downloads the second. The stolen data is exfiltrated via SMTP.
ESET, APT-C-23 spreads a new Android spyware with extended functionality: SpyC23.A
APT-C-23 (aka Two-tailed Scorpion) cyber espionage hackers are spreading a new Android spyware: SpyC23.A. It has been discovered by ESET cybersecurity experts. The group, known to target mainly the Middle East, has used both Windows and Android components in its operations, with the latter first described in 2017. In the same year, multiple analyses of APT-C-23’s mobile malware were published. Compared to the versions documented in 2017, the new malware has extended spying functionality, including reading notifications from messaging apps, call recording and screen recording, and new stealth features, such as dismissing notifications from built-in Android security apps. One of the ways the spyware is distributed is via a fake Android app store, using well-known apps as a lure.
The cybersecurity experts: The cyber espionage group exploits a fake app store to distribute it
Thanks to Malware Hunter Team, the cybersecurity researchers identified a fake Android app store used to distribute APT-C-23’s SpyC23.A. At the time of analysis, the “DigitalApps” store contained both malicious and clean items. The non-malicious items would redirect users to another unofficial Android app store, serving legitimate apps. The malware was hidden in apps posing as AndroidUpdate, Threema and Telegram. The latter two of these lures also downloaded the impersonated apps with full functionality along with the malicious code.