Cybersecurity researchers at K7 Labs have uncovered a new threat targeting Telegram users.
The malicious software, SpyMax, is a Remote Administration Tool (RAT) designed to steal sensitive datafrom Android devices.
Unlike many other threats, SpyMax does not require the targeted device to be rooted, making it easier for threat actors to inflict damage.
SpyMax is a sophisticated malware that can gather personal and private information from infected devices without the user’s consent.
This data is then sent to a remote threat actor, allowing them to control the victim’s device and compromise the confidentiality and integrity of their data.
Phishing Campaign Targeting Telegram Users
Researchers at K7 Labs discovered a phishing campaign explicitly targeting Telegram users.
The campaign uses a fake Telegram app to lure victims into downloading the malicious software.
Below is the phishing image used in the campaign, pretending to be the Telegram app.
Telegram app Phishing page
Once the user clicks on the “click to download” button, a malware application named “ready.apk” is downloaded from the link: https://telegroms[.]icu/assets/download/ready.apk.
Scan Your Business Email Inbox to Find Advanced Email Threats - [Try AI-Powered Free Threat Scan](https://trustifi.com/real-time-threat-scan?utm_source=cybersecuritynews&utm_medium=link&utm_campaign=CyberSecuritynews&utm_id=cybersecuritynews)
How SpyMax Works
After installing the malicious “ready.apk”, it pretends to be the Telegram app. The icon is similar to the legitimate Telegram app, as shown below.
Fake Telegram app icon created by the malware
Once installed, the RAT frequently prompts the user to enable the Accessibility Service for the app.
This continues until the user grants the necessary permissions.
Request for accessibility service
Technical Analysis
With the required permissions, the APK acts as a Trojan with keylogger capabilities.
It creates a directory “Config/sys/apps/log” in the device’s external storage and saves logs in files named “log-yyyy-mm-dd.log,” where yyyy-mm-dd represents the date the keystrokes were captured.
Creating Log files
The malware also collects location information, including altitude, latitude, longitude, precision, and even the speed at which the device moves.
SpyMax combines all the collected data and compresses it using the gZIPOutputStream API before sending it to the Command and Control (C2) server.
The RAT contacts the C2 server at IP 154.213.65[.]28 via port 7771, which is obfuscated.
C2 URL
The connection with the C2 server is established, as shown below.
TCP connection with the C2 server
After the connection is established, the malware sends the gzip compressed data to the C2 server, as evident from the network packet’s header.
Decompressed Data
The decompressed gzip content of the data reveals the IP address and other sensitive information.
The C2 server responds by sending a series of compressed data containing system commands and an APK payload when decompressed. In this case, the APK was extracted using Cyberchef.
The structure of the commands sent from the C2 to the victim’s device is shown below.
Commands sent by the C&C
Additionally, patch your devices for all known vulnerabilities. Users are also advised to exercise caution and download software only from reputable platforms like Google Play and the App Store.
Stay vigilant and protect your data from malicious actors like those behind SpyMax.
Ioc
Package Name Hash Detection Name reputation.printer.garmin9C42A99693A2D68D7A19D7F090BD2977Trojan ( 005a5d9c1 )
URL
https://telegroms[.]icu/assets/download/ready.apk
C2
154.213.65[.]28:7771
**Free** **Webinar! 3 Security Trends to Maximize MSP Growth -> [Register For Free](https://go.cynet.com/3-security-trends-to-maximize-msp-growth?utm_source=cyber_security_news&utm_medium=sponsored_article&utm_campaign=Q2-sponsored-webinars)**
