New SandStrike spyware targets Android users with a booby-trapped VPN app

In the third quarter of 2022, Kaspersky researchers unveiled a previously unknown Android spying campaign dubbed SandStrike.

The actor is targeting the Persian-speaking religious minority, the Baha'i, by distributing a VPN app containing highly sophisticated spyware. Kaspersky experts also discovered an advanced upgrade of the DeathNote suite and, along with SentinelOne, investigated the never-before-seen Metatron malware.

This and other findings are revealed in Kaspersky’s latest Quarterly Threat Intelligence Summary.

To lure victims into downloading the implanted spyware, the adversaries created accounts on Facebook and Instagram with more than 1,000 followers and designed attractive graphic material of a religious nature, effectively forming a trap for adherents of this belief.

Most of these social media accounts contain a link to a Telegram channel that the attacker also created.

In this channel, the actor behind SandStrike has distributed a seemingly harmless VPN application for accessing sites that are restricted in certain regions, for example religious material. To make this application fully functional, the adversaries have also built their own virtual private network infrastructure.

However, the VPN client contains fully functional spyware whose capabilities allow the threat actors to collect and steal sensitive data, including call logs and contact lists, and to track any other activities of the persecuted individuals.

Throughout the third quarter of 2022, APT actors were constantly changing their tactics, sharpening their tools and developing new techniques. The most important findings include:

  • New advanced malware platform targeting telecom companies, ISPs and universities

    Kaspersky researchers, together with SentinelOne, analyzed a never-before-seen complex malware platform called Metatron. Metatron mainly targets telecoms, ISPs and universities in Middle Eastern and African countries. Metatron is designed to bypass native security solutions while deploying its malware platform directly into memory.

  • Upgraded advanced tools

    Kaspersky experts note that Lazarus is using the DeathNote cluster against victims in South Korea. The actor may have used a strategic web compromise, with an infection chain similar to the one previously reported by Kaspersky researchers, to attack endpoint security software. However, the experts found that the malware and infection schemes had also been updated. The actor used never-before-seen malware with minimal functionality to execute commands from the C2 server. Using this implanted backdoor, the operator hid in the victim's environment for a month and collected system information.

  • Cyber espionage remains a major goal of APT campaigns

    In the third quarter of 2022, Kaspersky researchers discovered several APT campaigns whose main targets are government institutions. Our recent investigations show that this year HotCousin, from February onwards, attempted to compromise foreign ministries in Europe, Asia, Africa and South America.

"As we can see from the analysis of the past three months, APT actors are now aggressively creating new attack tools and improving old ones to launch new malicious campaigns. In their attacks, they use cunning and unexpected tactics: SandStrike, attacking users via a VPN service in which the victims try to find protection and security, is an excellent example. Today it is easy to distribute malware through social networks and remain undetected for months or more. This is why it is so important to be more alert than ever and to make sure that you are armed with threat intelligence and the appropriate tools to protect against existing and emerging threats."

To read the full APT Q3 2022 Trends Report, please visit

To avoid becoming a victim of a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend the following actions:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access to the company's TI, providing cyber-attack data and insights that Kaspersky has collected over the past 20 years. To help businesses enable effective defenses in these uncertain times, Kaspersky has announced free access to independent, constantly updated, globally sourced information about cyberattacks and persistent threats. Request online access.
  • Upskill your cybersecurity team so they can tackle the latest targeted threats, with Kaspersky online training developed by GReAT experts.
  • Use an enterprise-level EDR solution such as Kaspersky EDR Expert. It is essential to detect threats among a sea of scattered alerts, thanks to the automatic grouping of alerts into incidents, and to analyze and respond to the incident in the most effective manner.
  • In addition to adopting basic endpoint protection, implement an enterprise-grade security solution that detects advanced network-level threats at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • Since many targeted attacks start with social engineering tactics such as phishing, provide security awareness training and practical skills to your team, using tools like Kaspersky Automatic Security Awareness Platform.
