A prominent Togolese human rights defender has been targeted with spyware by a threat actor known for striking victims in South Asia. Amnesty International tied the covert attack campaign to a collective tracked as “Donot Team”, which has been linked to cyber offensives in India and Pakistan, while also identifying apparent evidence linking the group’s infrastructure to an Indian company called Innefu Labs.
The persistent attacks over WhatsApp and email tried to trick the victim into installing a malicious application that masqueraded as a secure chat application. The application was in fact a piece of custom Android spyware designed to extract some of the most sensitive and personal information stored on the activist’s phone.
The messages originated from a WhatsApp account associated with an Indian phone number that’s registered in the state of Jammu and Kashmir. Once installed, the malicious software, which takes the form of an app named “ChatLite”, grants the adversary permissions to access the camera and microphone, gather photos and files stored on the device, and even grab WhatsApp messages as they are being sent and received.
But when the aforementioned attempt failed, the attackers switched to an alternate infection chain in which an email sent from a Gmail account contained a malware-laced Microsoft Word document that leveraged a now-patched remote code execution vulnerability (CVE-2017-0199) to drop a full-fledged Windows spying tool known as the YTY framework that grants complete access to the victim’s machine.
The spyware can be used to steal files from the infected computer and any connected USB drives, record keystrokes, take regular screenshots of the computer, and download additional spyware components.
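The Word-document stage of that second chain is the part a defender can screen for before the file is opened. The following Python is added here as an illustration and is not code from Amnesty’s report or from any tool it names: it inspects a DOCX package for the remote OLE-object relationship that CVE-2017-0199 lures rely on. The sample package and the URL inside it are constructed placeholders.

```python
# Added example (not from the Amnesty report): flag DOCX packages whose OLE
# relationships point at a remote URL, the delivery trait of CVE-2017-0199.
# The sample package and the URL inside it are constructed placeholders.
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Return remote OLE-object targets from a DOCX's relationship parts.

    Benign documents keep embedded objects inside the package; a CVE-2017-0199
    lure declares TargetMode="External" with an http(s) URL that Word fetches
    and executes when the file is opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_TYPE
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append(target)
    return hits


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal DOCX: a stub main part plus its relationships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


REL_TEMPLATE = ('<Relationships xmlns="{ns}"><Relationship Id="rId1" '
                'Type="{type}" Target="{target}"{mode}/></Relationships>')
# Remote object fetched on open (CVE-2017-0199 pattern) versus an embedded one.
MALICIOUS_RELS = REL_TEMPLATE.format(ns=RELS_NS, type=OLE_TYPE,
                                     target="http://placeholder.invalid/lure.doc",
                                     mode=' TargetMode="External"')
BENIGN_RELS = REL_TEMPLATE.format(ns=RELS_NS, type=OLE_TYPE,
                                  target="embeddings/oleObject1.bin", mode="")
```

This covers only the OOXML form of the lure; the RTF variant, which carries the OLE2Link object inline rather than as a package relationship, needs a separate check.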
Amnesty International said it discovered a domain (“server.authshieldserver.com”) that pointed to an IP address (122.160.158[.]3) used by a Delhi-based company named Innefu Labs. In a statement shared with the non-governmental organization, Innefu Labs denied any connection to the Donot Team APT, adding “they are not aware of any use of their IP address for the alleged activities.”
The worrying trend of private companies actively performing unlawful digital surveillance increases the scope for abuse while reducing avenues for domestic legal redress, regulation, and judicial control. The nature of cross-border commercial cyber surveillance, where the surveillance targets, the operators, the end customer, and the attack infrastructure can all be located in different jurisdictions, creates significant impediments to achieving remediation and redress for human rights abuses.