March 23, 2023

Researchers have discovered a android spyware family dubbed RatMilad that is been involved in infecting devices in the Middle East.

The original variant of the previously unknown RatMilad spyware hide behind a VPN and phone number spoofing app called Text Me. Also, they uncovered a live sample of the malware family distributed through NumRent, a graphically updated version of Text Me.

Since RatMilad is not available on the Google Play Store or the third-party stores, the attackers use Telegram as their primary distribution channel. The threat actors also developed a dedicated website for distributing the spyware.

Advertisements

The spyware is installed by sideloading after a user enables the app to access multiple services. This allows the malicious actors to collect and control aspects of the mobile endpoint.

Once after the installation, the user is asked to allow access to contacts, phone call logs, device location, media, and files, alongside the ability to send and view SMS messages and phone calls.

A successful attack will result in threat actors accessing the camera to take pictures, record video and audio, get precise GPS locations. The group behind this spyware attack has potentially gathered critical and private data from mobile devices, leaving individuals and enterprises at risk.

Awareness

  • Beware of malicious links distributed online. 
  • Avoid downloading applications from untrusted sources. 
  • Check for application reviews and concerns on the internet.
Advertisements

Indicators of Compromise

Application Names:

  • com.example.confirmcode
  • com.example.confirmcodf
  • com.example.confirmcodg

C&C Servers:

  • hxxp://textme[.]network
  • api[.]numrent[.]shop

Hashes

  • 31dace8ecb943daa77d71f9a6719cb8008dd4f3026706fb44fab67815546e032
  • 3da3d632d5d5dde62b8ca3f6665ab05aadbb4d752a3e6ef8e9fc29e280c5eb07
  • 0d0dcc0e2eebf07b902a58665155bd9b035d6b91584bd3cc435f11beca264b1e
  • 12f723a19b490d079bea75b72add2a39bb1da07d0f4a24bc30313fc53d6c6e42
  • bae6312b00de73eb7a314fc33410a4d59515d56640842c0114bd1a2d2519e387
  • 30e5a03da52feff4500c8676776258b98e24b6253bc13fd402f9289ccef27aa8
  • c195a9d3e42246242a80250b21beb7aa68c270f7b2c97a9c93b17fbb90fd8194
  • 73d04d7906706f90fb81676d4f023fbac75b0047897b289f2eb34f7640ed1e7
Tags:

Leave a Reply

You may have missed

Microsoft Snipping Tool Vulnerability

Microsoft Snipping Tool Vulnerability

March 23, 2023
Google Cloud Armor Advanced DDoS Protection

Google Cloud Armor Advanced DDoS Protection

March 22, 2023
BreachForums Curtains Down

BreachForums Curtains Down

March 22, 2023
Google blocks Pinduoduo App amid Security Concerns

Google blocks Pinduoduo App amid Security Concerns

March 22, 2023
Mandiant Report – Nation State Zero Day Exploits in 2022

Mandiant Report – Nation State Zero Day Exploits in 2022

March 22, 2023
Mispadu Banking Trojan

Mispadu Banking Trojan

March 22, 2023
%d bloggers like this: