Kaspersky shares new details about watering-hole attacks targeting mobile users in Southeast Asia


Earlier in March, Trend Micro published a watering hole campaign targeting users in Southeast Asia with powerful spyware called LightSpy. As a result of that investigation, Kaspersky’s Global Research and Analysis Team shared some important additional details about this attack on mobile users through links on various forums and communication channels. In their research, published on Securelist.com, Kaspersky provides an analysis of:

– The implementation of the monitoring framework from January 2020
– Previously unknown samples of the LightSpy Android implants
– Traces of implants targeting Windows, Mac and Linux computers, along with Linux routers
– New indicators of compromise and other details about the attack

What is known about the LightSpy attacks?

Actors behind the campaign spread links to malicious websites that mimic the legitimate sites their potential victims are likely to visit. Once a target visits the weaponized website, a custom exploit chain attempts to execute shellcode, leading to the deployment of the full malware on the victim’s phone.

[Figure: Landing page of the watering hole]

The malware successfully targets iPhones running iOS versions up to 12.2. Users with the latest version of iOS, 13.4, should be safe from these exploits. Android OS-based device users are also in the crosshairs: researchers found several versions of the implant targeting this platform. In addition, Kaspersky researchers discovered some indicators of the existence of malware targeting Mac, Linux and Windows computers, along with Linux-based routers. The study also found that the malware is spread through forum posts and replies, as well as on popular communication platforms, by posting links to the deployed landing pages. Once the website is visited, the malware jailbreaks the victim’s device, giving attackers the ability to record calls and audio, read messages from certain messenger apps, and more.

Currently available information does not allow the operation to be attributed to a known advanced persistent threat (APT) actor, so Kaspersky has provisionally named the attackers “TwoSail Junk”. “We’ve been following this particular framework and infrastructure since January this year. It’s an interesting example of a flexible approach to developing and implementing a supervisory framework in Southeast Asia. This innovative strategy is something we’ve seen from SpringDragon and LightSpy’s focused geolocation declines within the previous regional targeting of the SpringDragon / LotusBlossom / Billbug APT, as well as infrastructure and utilization of “evora” back doors. Although the campaign peaked in February, when we saw the highest growth from the left to the malicious site, it is still active and we will continue to monitor it,” said Alexey Firsh, a security researcher at Kaspersky’s Global Research and Analysis Team.

To avoid falling victim to watering-hole and other targeted attacks like this, Kaspersky recommends:

– Avoid suspicious links that promise exclusive content, especially when shared on social media. Consult official sources for reliable and legitimate information.
– Check the authenticity of the website. Do not visit websites until you are sure they are legitimate and that their address starts with 'https'. Confirm that the website is genuine by double-checking the URL and the spelling of the company name, reading reviews about it, and checking the domain registration information.
– Choose a reliable security solution such as Kaspersky Security Cloud for effective personal protection against known and unknown threats.

(ANI)

(This story has not been edited by staff and is automatically generated from a syndicated feed.)

