Spyware targeting Italy and Kazakhstan

Google has came up with details about a spyware vendor called RCS Labs that has been caught targeting people in Italy and Kazakhstan.

TAG says that RCS Labs targeted iOS and Android devices alike with its spyware. All campaigns TAG observed originated with a unique link sent to the target, Once clicked, the page attempted to get the user to download and install a malicious application on either Android or iOS.

Those malicious links appear to have arrived in two different flavors. One masqueraded as an app that could be used to restore the victim’s mobile data connection more on that in a moment while the other pretended to be some kind of messaging app.

The former only works if someone has actually lost internet access on their phone, of course, and it seems RCS Labs had some assistance in that regard. It is believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity.

The attacks then progressed based on what kind of smartphone a target uses. On iPhone, the spyware exploited six different vulnerabilities, two of which TAG says were zero-days.

• CVE-2018-4344 internally referred to and publicly known as LightSpeed.
• CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
• CVE-2020-3837 internally referred to and publicly known as TimeWaste.
• CVE-2020-9907 internally referred to as AveCesare.
• CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
• CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.

RCS Labs took a different approach on Android. TAG says the malicious app, which was designed to look like a legitimate Samsung app, does not contain any exploits. Instead the group believes RCS Labs used command-and-control infrastructure to remotely download and execute exploits.

TAG says that RCS Labs used features built into iOS and Android that allow users to sideload software, which means the applications weren’t subject to the same scrutiny as officially distributed software.

Indicators of Compromise

• e38d7ba21a48ad32963bfe6cb0203afe0839eca9a73268a67422109da282eae3
• fe95855691cada4493641bc4f01eb00c670c002166d6591fe38073dd0ea1d001
• 243ea96b2f8f70abc127c8bc1759929e3ad9efc1dec5b51f5788e9896b6d516e
• a98a224b644d3d88eed27aa05548a41e0178dba93ed9145250f61912e924b3e9
• c26220c9177c146d6ce21e2f964de47b3dbbab85824e93908d66fa080e13286f
• 0759a60e09710321dfc42b09518516398785f60e150012d15be88bbb2ea788db
• 8ef40f13c6192bd8defa7ac0b54ce2454e71b55867bdafc51ecb714d02abfd1a
• 9146e0ede1c0e9014341ef0859ca62d230bea5d6535d800591a796e8dfe1dff9
• 6eeb683ee4674fd5553fdc2ca32d77ee733de0e654c6f230f881abf5752696ba

Drive-by download domains

• fb-techsupport[.]com
• 119-tim[.]info
• 133-tre[.]info
• 146-fastweb[.]info
• 155-wind[.]info
• 159-windtre[.]info
• iliad[.]info
• kena-mobile[.]info
• mobilepays[.]info
• my190[.]info
• poste-it[.]info
• ho-mobile[.]online

C2 domains

• project1-c094e[.]appspot[.]com
• fintur-a111a[.]appspot[.]com
• safekeyservice-972cd[.]appspot[.]com
• comxdjajxclient[.]appspot[.]com
• comtencentmobileqq-6ffb5[.]appspot[.]com

C2 IPs

• 93[.]39[.]197[.]234
• 45[.]148[.]30[.]122
• 2[.]229[.]68[.]182
• 2[.]228[.]150[.]86