The notorious nation-state actor APT41, also known as Axiom or Blackfly, has been associated with two previously undisclosed strains of Android spyware called WyrmSpy and DragonEgg, indicating the group’s increasing focus on mobile endpoints.
WyrmSpy and DragonEgg
APT41, a long-standing cyber threat group known for targeting various industries for intellectual property theft, has expanded its capabilities to include mobile devices, introducing advanced surveillance tools such as WyrmSpy and DragonEgg.
Intricate Connections: APT41’s Mobile Espionage Tactics
The recent deployment of WyrmSpy and DragonEgg by APT41 has raised concerns about the increasing sophistication of Android malware and its potential implications for corporate and personal data security.
The prolific Chinese hacker collective APT41, also referred to as Axiom, Blackfly, Brass Typhoon, and several other aliases, has recently been linked to two previously undiscovered strains of Android spyware: WyrmSpy and DragonEgg.
According to a report from mobile security firm Lookout, APT41 is well known for exploiting web-facing applications and compromising traditional endpoints. The addition of mobile malware to its arsenal reflects the growing value of mobile endpoints, which hold both corporate and personal data.
Since at least 2007, APT41 has been actively targeting a wide range of industries to conduct intellectual property theft, using a variety of tactics and tools to achieve their objectives.
Recently, the group has been observed utilizing an open-source red teaming tool known as Google Command and Control (GC2) in attacks aimed at media and job platforms in Taiwan and Italy.
The initial method of intrusion for the mobile surveillanceware campaign remains unclear, although it is suspected that social engineering played a significant role. Lookout reported first detecting WyrmSpy as early as 2017, while DragonEgg came to light at the beginning of 2021, with new samples of the latter detected as recently as April 2023.
WyrmSpy adopts various disguises, initially appearing as a default system app used to display notifications. However, later variants masquerade as adult video content, Baidu Waimai, and Adobe Flash to deceive users. On the other hand, DragonEgg has been distributed through third-party Android keyboards and messaging apps like Telegram.
There is no evidence to suggest that these rogue apps were ever propagated through the official Google Play Store. The number of victims targeted by WyrmSpy and DragonEgg remains undetermined.
WyrmSpy and DragonEgg’s connection to APT41 rests on their use of a command-and-control (C2) server at the IP address 121.42.149[.]52, which resolved for the domain “vpn2.umisen[.]com”, previously linked to the group’s infrastructure. Infrastructure overlap of this kind is a useful pivot, but on its own it is a weaker attribution signal than shared code or signing material, since hosting addresses can be reused.
Once installed on a device, both strains of malware request intrusive permissions and come equipped with sophisticated data collection and exfiltration capabilities. This includes harvesting users’ photos, locations, SMS messages, and audio recordings.
Both families rely on additional modules fetched from a C2 server (now offline) after the app is installed; keeping the collection code out of the initial package limits what static analysis of the APK alone reveals.
WyrmSpy can disable Security-Enhanced Linux (SELinux), the mandatory access control layer Android uses to confine apps, and can use rooting tools such as KingRoot11 to gain elevated privileges on compromised devices. DragonEgg, for its part, contacts the C2 server to fetch an unknown third-stage module disguised as a forensics program.
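The behaviours described above (an intrusive permission set, contact with the published C2 indicators, and SELinux no longer enforcing) are the kind of thing a responder checks on a suspect device. The following triage helper is an added example, not Lookout's code or anything from the samples: it scores a decoded AndroidManifest.xml by how many of the reported collection categories its permissions cover, matches observed destinations against the two indicators quoted in this article, and interprets the output of `getenforce`. The manifest, destination list and `getenforce` output are constructed sample inputs, and the permission-to-category mapping and the three-category threshold are assumptions chosen for illustration.

```python
"""Triage helper for the WyrmSpy/DragonEgg behaviours described above.

Added example, not code from Lookout or from the malware. Inputs below are
constructed; the permission mapping and threshold are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from manifest permissions to the collection categories the
# report names: photos, location, SMS and audio.
COLLECTION_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "photos",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/files",
}

# Network indicators quoted in the article (defanged form is normalised below).
IOC_IPS = {"121.42.149.52"}
IOC_DOMAINS = {"vpn2.umisen.com"}


def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)
    return names


def collection_categories(perms: set) -> set:
    """Map requested permissions onto the collection categories they enable."""
    return {cat for perm, cat in COLLECTION_PERMISSIONS.items() if perm in perms}


def refang(indicator: str) -> str:
    """Turn a defanged indicator like vpn2.umisen[.]com back into a real name."""
    return indicator.strip().lower().replace("[.]", ".")


def matching_iocs(destinations) -> list:
    """Destinations (hostnames or IPs, defanged or not) that hit a known IOC."""
    known = IOC_IPS | IOC_DOMAINS
    return sorted({d for d in map(refang, destinations) if d in known})


def selinux_not_enforcing(getenforce_output: str) -> bool:
    """True unless `getenforce` reported Enforcing (Permissive/Disabled flag)."""
    return getenforce_output.strip() != "Enforcing"


def triage(manifest_xml: str, destinations, getenforce_output: str,
           min_categories: int = 3) -> list:
    """Collect human-readable findings; an empty list means nothing flagged."""
    findings = []
    cats = collection_categories(manifest_permissions(manifest_xml))
    if len(cats) >= min_categories:
        findings.append("broad collection permissions: " + ", ".join(sorted(cats)))
    iocs = matching_iocs(destinations)
    if iocs:
        findings.append("contacted known C2 indicator: " + ", ".join(iocs))
    if selinux_not_enforcing(getenforce_output):
        findings.append("SELinux is not enforcing")
    return findings


# Constructed sample inputs: a manifest for an app posing as a notifier,
# destinations seen in device traffic, and the output of `adb shell getenforce`.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notifier">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""
SAMPLE_DESTINATIONS = ["vpn2.umisen[.]com", "121.42.149.52", "8.8.8.8"]
SAMPLE_GETENFORCE = "Permissive\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_DESTINATIONS, SAMPLE_GETENFORCE):
        print("-", finding)
```

On a live device the manifest comes from `apktool d` or `aapt dump xmltree` on the pulled APK, the destinations from a packet capture or proxy log, and the SELinux status from `adb shell getenforce`; the script deliberately takes those as plain inputs so it runs offline against evidence already collected.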
Kristina Balaam, senior threat researcher at Lookout, said the discovery of WyrmSpy and DragonEgg underscores the growing threat from advanced Android malware, noting that both packages are highly sophisticated and able to extract a wide range of data from infected devices.
As Chinese espionage crews keep refining their tradecraft to evade detection, organizations and individuals need to stay vigilant. Recently observed tactics include weaponizing networking devices and virtualization software, using botnets to obscure C2 infrastructure and victim environments, and tunneling malicious traffic within victim networks through compromised systems.