Connect with us

A connection has been detected between the cybersecurity company and the spyware for Android

Published

on

Innefu Labs ‘IP address has been used repeatedly to deliver malicious payloads to victims’ devices.

Specialists of the international non-governmental human rights organization Amnesty International discovered a link between an information security company and spyware for Android devices used to spy on activists in Togo and parts of Asia.

Experts traced the spyware back to the Indian company Innefu Labs after it was discovered that its IP address had been repeatedly used to deliver malicious payloads to victims’ systems. However, the spyware developer itself could be the Donot Team (APT-C-35), an Indian hacker group that has been attacking the governments of Southeast Asia since at least 2018.

According to experts, it is likely that Innefu Labs has no idea how its customers or other third parties are using its tools. However, now that all the technical details are known, an external audit will help to reveal everything.

In a letter to Amnesty International, the company denies any connection to the Donot Team and the hacker attacks on activists.

The attack begins with the victim receiving a WhatsApp message asking him to install the supposedly secure chat application ChatLite. If the victim does not fall for the bait, the attackers send him an email from his Gmail mailbox with a malicious MS Word file that delivers spyware to the system by exploiting an old vulnerability.

ChatLite is a custom Android spyware application that allows attackers to steal sensitive data stored on the device and install additional malicious tools.

A variant of malware that spreads through a Word document is capable of recording keyboard keystrokes, regularly taking screenshots, stealing files from local and external storages, and loading additional malicious modules.

After analyzing a sample of spyware for Android, experts found several similarities with Kashmir_Voice_v4.8.apk and SafeShareV67.apk – malicious tools associated with past Donot Team operations.

This opsec error allowed experts to identify a “test” server in the United States where cybercriminals stored screenshots and keystrokes stolen from infected Android devices. This is where the experts first discovered the real IP address of Innefu Labs, hiding with a VPN.

This is the first time that the Donot Team has attacked victims in Africa. This suggests that the group has begun offering its hacking services to foreign governments.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Security

Europol detains 150 merchants on the darknet

Published

on

26.7 million euros in cash, 230 kilograms of drugs and 45 weapons were seized from the detainees.

Europol conducted an international special operation against sellers and buyers in underground markets on the darknet, informs Deutsche Welle portal.

On suspicion of trafficking in illegal goods on the darknet, 150 people were arrested around the world, 26.7 million euros in cash, 230 kilograms of drugs and 45 weapons were seized from them. Among the confiscated drugs were 152 kg of amphetamines, 27 kg of opiates and more than 25 thousand tablets of the synthetic drug “Ecstasy”.

Most of the detainees are citizens of the United States (65 people), Germany (47) and the United Kingdom (24). Also on the list are Dutch nationals (4), French citizens (3), two people from Switzerland and one Bulgarian. Almost all were big sellers on DarkMarket, which Europol disclosed earlier this year.

At the moment, investigative measures are underway in a number of European countries. In which ones, the representative of Europol did not say.

Continue Reading

Security

Zuckerberg: Facebook fell victim to defamation

Published

on

American businessman Mark Zuckerberg has denounced a series of investigations called “The Facebook Dossier”

Facebook CEO Mark Zuckerberg responded to accusations against his company from the world’s leading media. According to him, the social network is doing everything it can to get better. The company has a massive renovation plan worth tens of billions of dollars.

What is happening is slander and a distorted picture. So the head of Facebook, Mark Zuckerberg, commented on the published archive of the social network. In October, 17 US media outlets published internal company documents – the so-called Facebook Papers – which may indicate the spread of fakes and that the company is neglecting the principles of free speech and equality. The documents were submitted to the press by a former employee of the company, Frances Haugen. She has previously testified publicly in the US Congress and the British Parliament about Facebook’s internal corporate rules.

Mark Zuckerberg noted that conscientious criticism helps you improve. However, what is happening now is a coordinated effort to selectively use current documentation to present a distorted picture of Facebook.

Zuckerberg is confident that organizations should not independently decide all questions about their media policy. Sometimes government regulation is needed. When making decisions, he said, it is important to balance between free speech, social justice, reducing harmful content, or between helping law enforcement and enforcing encryption for privacy.

Zuckerberg also made a few more statements. In particular, he said that the social network Facebook has invested more than $ 5 billion this year in user security and called the tools developed by the company to combat malicious content the best in the industry. In addition, he pointed out that Facebook will invest tens of billions of dollars in virtual reality technologies in the coming years.

Continue Reading

Security

Hackers Cry Too: BlackMatter Closed Its Portal Due to Inflow of Insults

Published

on

Authorization data on the BlackMatter negotiation portal has leaked to the public.

Online-persecution of cybercriminal groups could lead to toughening of their policies for publishing data stolen from victims, experts from the information security company Emsisoft say.

Earlier this month, ransomware operators Conti threatened to disrupt the ransom negotiations if someone who is not a “respected journalist or researcher” posts a screenshot of the negotiations.

As a rule, screenshots of negotiations are uploaded to the public by unauthorized users who, out of curiosity, log in to the portals where negotiations are taking place.

This is exactly what happened with the portal of the BlackMatter grouping (presumably being reborn under the new name DarkSide). Credentials for authorization on the portal (usually indicated in a ransom note) were made publicly available, as a result of which a wave of violent insults fell on the criminals. As a result, BlackMatter was forced to shut down its portal.

How noted Emsisoft CTO Fabian Wosar, while actions like these help victims and sympathizers let off steam and seemingly take revenge, shutting down the platform also means that security researchers are deprived of one of the most valuable tools of communication with victims of ransomware.

Ransomware groups rely on the media and social media to put pressure on victims, and public opinion is very important to them. However, experts are concerned about such publicity of the ransomware. In particular, decryptors are of great concern to Emsisoft experts. When it becomes known that ransomware contains a vulnerability that allows victims to decrypt their files without paying a ransom, its operators fix the vulnerability. This vulnerability was present in DarkSide, allowing Emsisoft to secretly decrypt victims’ files.

The vulnerability was discovered in December 2020, and was fixed on January 12, the day after the publication of a free decryptor from the information security company Bitdefender, which also discovered this vulnerability.

As it turned out, having revived under the name BlackMatter, the DarkSide group made the same technical mistake again.

“We were surprised when BlackMatter made changes to its ransomware that again allowed victims to recover their data without falling ransom,” said Vosar. Now that the BlackMatter portal is down, Emsisoft can no longer help victims of the ransomware recover their files without paying the ransom.

Continue Reading

Most Popular