The Wolf Strikes Back

What's all the hullabaloo?

• Recently, Cisco Talos discovered a new malware variant, WolfRAT, based on a previously leaked DenDroid malware.
• The research has found infrastructure overlaps and string references to an infamous organization, Wolf Research, that developed interception and espionage-based malware. The organization was highlighted by CSIS researchers during a presentation at VB2018.
• Though Wolf Research has been shut down, its threat actors are still active. In its research, Cisco Talos has identified some of the C2 servers located in Thailand, panels containing Thai JavaScript comments, and domain names containing references to Thai food.

How does the wolf hunt?

• The WolfRAT malware mimics genuine services such as GooglePlay Google service, or Flash update.
• When a victim is tricked, the RAT is installed on the target Android device to collect device data, steal photos or videos, compromise SMS messaging, and transfer files to a C2 server.
• The actor has not advanced and performs amateur actions, including open-source project copy/paste, code overlaps, the use of unstable packages, and unsecured panels.

Malware have always had a thing for messaging apps

• In 2019, researchers at Symantec found a malicious app named MobonoGram 2019. Detected as Android.Fakeyouwon malware, the app secretly loaded and browsed several ill-natured websites in the background.
• In December 2019, a trojan malware, dubbed CallerSpy, was found targeting Android users by tricking them into downloading a fake chat application. The mobile malware was designed to pry on calls, texts, and other communication methods.
• In 2018, an Android trojan horse malware was discovered by Trustlook Labs that used code obfuscation to steal data from Skype, Facebook Messenger, and many other messaging apps.

Wrapping up