Telegram Users Beware! SpyMax RAT Attacking to Steal Sensitive Data

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Cybersecurity researchers at K7 Labs have uncovered a new threat targeting Telegram users.

The malicious software, SpyMax, is a Remote Administration Tool (RAT) designed to steal sensitive data from Android devices.

Unlike many other threats, SpyMax does not require the targeted device to be rooted, making it easier for threat actors to inflict damage.

SpyMax is a sophisticated malware that can gather personal and private information from infected devices without the user’s consent.

This data is then sent to a remote threat actor, allowing them to control the victim’s device and compromise the confidentiality and integrity of their data.

Phishing Campaign Targeting Telegram Users

Researchers at K7 Labs discovered a phishing campaign explicitly targeting Telegram users.

The campaign uses a fake Telegram app to lure victims into downloading the malicious software.

Below is the phishing image used in the campaign, pretending to be the Telegram app.

Telegram app Phishing page

Once the user clicks on the “click to download” button, a malware application named “ready.apk” is downloaded from the link: https://telegroms[.]icu/assets/download/ready.apk.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

How SpyMax Works

After installing the malicious “ready.apk”, it pretends to be the Telegram app. The icon is similar to the legitimate Telegram app, as shown below.

Fake Telegram app icon created by the malware

Once installed, the RAT frequently prompts the user to enable the Accessibility Service for the app.

This continues until the user grants the necessary permissions.

Request for accessibility service

Technical Analysis

With the required permissions, the APK acts as a Trojan with keylogger capabilities.

It creates a directory “Config/sys/apps/log” in the device’s external storage and saves logs in files named “log-yyyy-mm-dd.log,” where yyyy-mm-dd represents the date the keystrokes were captured.

Creating Log files

The malware also collects location information, including altitude, latitude, longitude, precision, and even the speed at which the device moves.

SpyMax combines all the collected data and compresses it using the gZIPOutputStream API before sending it to the Command and Control (C2) server.

The RAT contacts the C2 server at IP 154.213.65[.]28 via port 7771, which is obfuscated.

C2 URL

The connection with the C2 server is established, as shown below.

TCP connection with the C2 server

After the connection is established, the malware sends the gzip compressed data to the C2 server, as evident from the network packet’s header.

Decompressed Data

The decompressed gzip content of the data reveals the IP address and other sensitive information.

The C2 server responds by sending a series of compressed data containing system commands and an APK payload when decompressed. In this case, the APK was extracted using Cyberchef.

The structure of the commands sent from the C2 to the victim’s device is shown below.

Commands sent by the C&C

At K7, we protect all our customers from such threats. To safeguard your mobile devices, ensure you scan them with a reputable security product like K7 Mobile Security and keep the product active and updated.

Additionally, patch your devices for all known vulnerabilities. Users are also advised to exercise caution and download software only from reputable platforms like Google Play and the App Store.

Stay vigilant and protect your data from malicious actors like those behind SpyMax.

Ioc

Package Name Hash Detection Name
reputation.printer.garmin 9C42A99693A2D68D7A19D7F090BD2977 Trojan ( 005a5d9c1 )

URL

https://telegroms[.]icu/assets/download/ready.apk

C2

154.213.65[.]28:7771

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free