India-linked highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including windows devices and possibly Android as well.
As reported in our previous article, earlier this month researchers at Talos threat intelligence unit discovered a group of Indian hackers abusing mobile device management (MDM) service to hijack and spy on a few targeted iPhone users in India.
Operating since August 2015, the attackers have been found abusing MDM service to remotely install malicious versions of legitimate apps, including Telegram, WhatsApp, and PrayTime, onto targeted iPhones.
These modified apps have been designed to secretly spy on iOS users, and steal their real-time location, SMS, contacts, photos and private messages from third-party chatting applications.
During their ongoing investigation, Talos researchers identified a new MDM infrastructure and several malicious binaries – designed to target victims running Microsoft Windows operating systems – hosted on the same infrastructure used in previous campaigns.
- Ios-update-whatsapp[.]com (new)
“We know that the MDM and the Windows services were up and running on the same C2 server in May 2018,” researchers said in a blog post published today.
“Some of the C2 servers are still up and running at this time. The Apache setup is very specific, and perfectly matched the Apache setup of the malicious IPA apps.”