September 22, 2023

Researchers have discovered a android spyware family dubbed RatMilad that is been involved in infecting devices in the Middle East.

The original variant of the previously unknown RatMilad spyware hide behind a VPN and phone number spoofing app called Text Me. Also, they uncovered a live sample of the malware family distributed through NumRent, a graphically updated version of Text Me.

Since RatMilad is not available on the Google Play Store or the third-party stores, the attackers use Telegram as their primary distribution channel. The threat actors also developed a dedicated website for distributing the spyware.

Advertisements

The spyware is installed by sideloading after a user enables the app to access multiple services. This allows the malicious actors to collect and control aspects of the mobile endpoint.

Once after the installation, the user is asked to allow access to contacts, phone call logs, device location, media, and files, alongside the ability to send and view SMS messages and phone calls.

A successful attack will result in threat actors accessing the camera to take pictures, record video and audio, get precise GPS locations. The group behind this spyware attack has potentially gathered critical and private data from mobile devices, leaving individuals and enterprises at risk.

Awareness

  • Beware of malicious links distributed online. 
  • Avoid downloading applications from untrusted sources. 
  • Check for application reviews and concerns on the internet.
Advertisements

Indicators of Compromise

Application Names:

  • com.example.confirmcode
  • com.example.confirmcodf
  • com.example.confirmcodg

C&C Servers:

  • hxxp://textme[.]network
  • api[.]numrent[.]shop

Hashes

  • 31dace8ecb943daa77d71f9a6719cb8008dd4f3026706fb44fab67815546e032
  • 3da3d632d5d5dde62b8ca3f6665ab05aadbb4d752a3e6ef8e9fc29e280c5eb07
  • 0d0dcc0e2eebf07b902a58665155bd9b035d6b91584bd3cc435f11beca264b1e
  • 12f723a19b490d079bea75b72add2a39bb1da07d0f4a24bc30313fc53d6c6e42
  • bae6312b00de73eb7a314fc33410a4d59515d56640842c0114bd1a2d2519e387
  • 30e5a03da52feff4500c8676776258b98e24b6253bc13fd402f9289ccef27aa8
  • c195a9d3e42246242a80250b21beb7aa68c270f7b2c97a9c93b17fbb90fd8194
  • 73d04d7906706f90fb81676d4f023fbac75b0047897b289f2eb34f7640ed1e7
Tags:

Leave a Reply

You may have missed

Apple fixes trio of Zeroday Exploits

September 22, 2023

T-Mobile and Data Breach tightly coupled

September 21, 2023

Cisco Acquires Splunk in a blockbuster deal

September 21, 2023

Atlassian BitBucket and Confluence Vulnerabilities

September 21, 2023

Snatch ransomware Dissection

September 21, 2023

Fortinet Fixes Vulnerabilities in FortiOS

September 20, 2023
%d bloggers like this: