Malware ready for Android, iOS and BlackBerry, over 60 mobile operators included in the preparations

Dec 10, 2014 15:40 GMT
Mobile carriers targeted in MMS phishing through Inception espionage campaign

A sophisticated cyber-espionage campaign, believed to be a continuation of the Red October operation, has been found targeting specific users of Android, iOS and BlackBerry mobile devices through spear-phishing attacks.

Researchers at Blue Coat, a provider of security and network solutions, uncovered the operation, which leverages a complex infrastructure relying on “a convoluted network of router proxies and rented hosts, most likely compromised because of poor configurations or default credentials,” to deliver targeted malicious emails.

Kaspersky analyzed the campaign as well

Because of this layered infrastructure, the researchers named the campaign “The Inception Framework,” a reference to Christopher Nolan’s Inception movie starring Leonardo DiCaprio.

An analysis of the malware used in this operation has also been conducted by researchers at Kaspersky, who dubbed the malware Cloud Atlas and identified plenty of similarities to the toolset used in the Red October campaign.

“The interests of CloudAtlas attackers match those of RedOctober, taking into account the geopolitical changes from the last 2 years,” Costin Raiu, Director of Global Research and Analysis Team (GReAT) at Kaspersky Lab, tweeted on Wednesday.

Attackers took servers offline, preventing full analysis

In an extensive report on Inception/Cloud Atlas, Blue Coat revealed that the threat actor planned attacks on the mobile devices of high-profile targets in different sectors, from the finance and oil industries to the military, engineering and politics, in different parts of the world.

The researchers found that the Bit.ly URL shortening service was used to create links pointing to machines serving malicious payloads for the mobile devices.

From one account alone, about 10,000 such links were created, all leading to only three IP addresses, with a URL pattern that included a target identifier and an action code for serving malware disguised as an app update (WhatsApp or Viber) or for MMS phishing.

In the case of phishing, the action code also identified the mobile carrier for the device in order to deliver the appropriate telecom company logo.

Blue Coat says it was not able to obtain all the data on the targeted mobile operators because the attackers took the servers offline.

“We managed to get 66 of a total of 190,” which accounts for 35%, after going through 3152 of 4781 phishing links, the report says. According to the intelligence they collected, it appears that the top three operators were Vodafone, T-Mobile, and Proximus (Belgacom).
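The fan-in pattern described above (thousands of distinct shortened links collapsing onto a handful of servers) is something a defender can look for in proxy or resolver logs without knowing the attacker's URL format. The following is an added example, not code from Blue Coat or Kaspersky; it assumes the logs have already been enriched with the IP each shortened link ultimately resolved to (the expansion step is out of scope here), and the shortener domain list, thresholds and all sample records are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records: (device, short_url, resolved_ip). The IPs are
# RFC 5737 documentation addresses, not real infrastructure. Twelve distinct
# bit.ly links funnel into two destinations; the rest are one-off links.
SAMPLE_LOG = (
    [("phone-%02d" % i, "http://bit.ly/camp%03d" % i, "203.0.113.10") for i in range(8)]
    + [("phone-%02d" % i, "http://bit.ly/camp%03d" % i, "203.0.113.11") for i in range(8, 12)]
    + [("phone-20", "http://bit.ly/news1", "198.51.100.5"),
       ("phone-21", "http://bit.ly/news2", "198.51.100.6"),
       ("phone-22", "https://example.org/update", "198.51.100.7")]
)

# Assumed list of link-shortener domains; extend it for your environment.
SHORTENER_DOMAINS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def is_shortened(url):
    """True if the URL's host is a known link-shortener domain."""
    return urlparse(url).netloc.lower() in SHORTENER_DOMAINS


def cluster_by_destination(records):
    """Map each resolved IP to the set of distinct shortened URLs that led to it."""
    clusters = defaultdict(set)
    for _device, url, ip in records:
        if is_shortened(url):
            clusters[ip].add(url)
    return clusters


def flag_funnels(records, min_links=4):
    """Return {ip: link_count} for destinations fed by many distinct short links.

    Ordinary shortener use shows roughly one short link per destination; a
    campaign that mints a per-target link for every recipient but points them
    all at a few servers shows the opposite fan-in and stands out here.
    """
    clusters = cluster_by_destination(records)
    return {ip: len(urls) for ip, urls in clusters.items() if len(urls) >= min_links}


def funnel_ratio(records):
    """Distinct shortened links divided by distinct destinations (higher is more suspicious)."""
    clusters = cluster_by_destination(records)
    if not clusters:
        return 0.0
    total_links = sum(len(urls) for urls in clusters.values())
    return total_links / len(clusters)


if __name__ == "__main__":
    for ip, count in sorted(flag_funnels(SAMPLE_LOG).items()):
        print(f"{ip}: {count} distinct shortened links")
    print(f"overall funnel ratio: {funnel_ratio(SAMPLE_LOG):.2f}")
```

The per-destination count is the useful alert key: a single flagged IP with dozens of distinct short links behind it is worth pulling the resolved pages for, whereas the overall ratio is only a coarse triage score for the whole log window.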

Functionality of the malware, info exfiltration

Analyzing the malicious updates, Blue Coat found that the main feature of the Android version of the malware was recording phone calls, but it can also track location, read the contact list, and monitor incoming and outgoing calls and text messages.

The attackers used LiveJournal accounts to store the collected information and to communicate with the compromised device.

On iOS, the fake update was found to impersonate a Cydia installer, which can only be installed on jailbroken devices.

The data was exfiltrated to an FTP account on a hosting service in the UK and included device and system information, the address book, phone number, carrier name, WiFi status, MAC address, battery level, total and free space, time zone (default and local), Apple ID, the list of downloaded apps, and the computer used to create a backup.

On the BlackBerry platform, a similar set of details as in the case of iOS was retrieved and delivered to a DynDNS domain in a US-based webhosting service.

It is important to note that the command and control servers are different for each platform. In the case of desktop computers, the attackers relied on the Swedish cloud storage service CloudMe to store the stolen data and to deliver new modules to the compromised system.

In a Twitter conversation with Costin Raiu, CloudMe said that it would delete all accounts involved in the Inception / Cloud Atlas campaign.

Image gallery (Inception Framework, 7 images): Mobile carriers targeted in MMS phishing through Inception espionage campaign; Targeted phishing using WhatsApp lure, with link to malicious update; Bit.ly account used to create shortened phishing links.