APT spies used malware made for jealous spouses

Trend Micro has dissected the malware used in the Operation C-Major attack on officers of the Indian army and traced it back to malware that originated in Pakistan.

Operation C-Major traced back to Pakistan malware

The inspiration behind a high-level cyber-espionage attack on army officers and foreign embassy officials in India was the notorious StealthGenie spyware, designed for jealous spouses.

The spies behind ‘Operation C-Major’ were admirers of StealthGenie, says Trend Micro, and copied its features to steal over 16 gigabytes of data – including passport scans and other ID, army strategy documents and personal photos – from 160 Indian military officers, foreign military attaches, consultants and resellers.

The “unsophisticated” attackers successfully targeted their victims' mobiles with malware that could steal SMS and files, make videos, record calls and steal emails, contacts and calendar data. And they managed to keep their spyware on official stores like Google Play for months before it was removed, and advertised their apps on Facebook pages that received thousands of likes from high-profile targets.

This is in contrast to the fate of StealthGenie's Pakistani owner, who was arrested by the FBI and fined $500,000 for selling spyware.

In an 18 April blog, Trend's Shawn Xing, David Sancho and Feike Hacquebord detail the cyber-spies' link to StealthGenie, an Android, BlackBerry and iPhone app sold as a tool to monitor employees, spouses and children.

Trend said one of the ‘threat actors’ had promoted the app, and that in 2013, “Operation C-Major used spying apps for BlackBerry phones with similar functions to that of StealthGenie's. The sample we found has capabilities similar to StealthGenie's – it can exfiltrate GPS location, email address, emails, contacts, calendar data, device identifiers, and user's stored photos. The application also has the ability to intercept email, phone calls, MMS and SMS messages.”

Trend added: “It is no surprise that the actors behind C-Major used BlackBerry malware in their operation. BlackBerry in general has been used a lot by government agencies, probably including the Indian military.”

Commenting on C-Major's mimicking of StealthGenie, UK APT expert, author and cyber-security researcher David Lacey said it was a natural link.

“Military intelligence and jealous spouses are the main markets for spying and surveillance devices, so it's no surprise to see the same techniques used for both purposes,” he told SCMagazineUK.com via email.

Mark James, security specialist at ESET, told us: “One of the biggest problems with software is the fine line between using it for what it is intended and using it for something else. StealthGenie is a classic case in point. Although it has some ‘justifiable’ uses, it could be and was used for malware purposes. If you tie this with the all too easy techniques used for social engineering, you could have a high success rate operation capable of reaping some nice rewards. Sadly, social engineering still works.”

Trend said the Android and BlackBerry apps used by the C-Major attackers also included SmeshApp spyware, which can steal SMS messages, record videos and calls, and send screenshots. This stayed on Google Play for 10 months until last month, and was downloaded hundreds of times before it was pulled.

The spies also used Ringster, which collects victims' contact lists and takes screenshots. This too was available on Google Play in the first half of 2015 before being removed.

And they used three fake news apps that could steal SMS and files, make videos and record calls. They promoted these apps on Facebook, with one fake page collecting over 1,200 likes from Facebook members with a connection to the Indian army before it was closed. Another got 3,300 page likes.

“Operation C-Major used relatively basic malware that remained unnoticed on the Google Play store for a large time window,” Trend said. “These apps were downloaded by the hundreds.”

David Lacey said the attack highlighted the need to tighten up mobile security: “Mobile phones, apps and personal email accounts are the Achilles' heel of government officials; they often give away useful secrets that corporate systems can't. The future of information is in the Cloud and on mobiles. Unfortunately, our security hasn't yet caught up. The users have left the building, the apps are following. It's time for security to join them.”

Mark James added: “Google and other app stores will do their best to protect the end-user against malicious apps but when those apps incorporate simple processes that may be used in other apps or even just re-use those apps, it's quite difficult to identify the good from the bad ones. Mobile devices are usually overlooked but need protection just as much as desktops. Making sure you have a good regular updating internet security product installed and keep your mobile OS up-to-date will help in keeping you safe.”

In an initial exposé of the C-Major campaign last month, Trend traced it back to Pakistan: “There is no evidence this attack is tied to the Pakistani government,” it said. “However Indian military officers were targeted, with the acquisition of classified information a key goal of the attack.”

Trend concluded: “Compared to its contemporaries, in terms of technique this targeted attack campaign is amateur at best, sloppy at worst. Despite this, it was able to get at least 16 gigabytes' worth of data from 160 targets.

“This shows targeted attacks don't need to be well-planned operations backed by a big budget and sufficient resources. What attackers may lack in technical sophistication, they can make up for through tenacity, persistence and clever social engineering.

“For those in charge of defending a corporate or organisation network, this attack reinforces the fact that any user, regardless of rank or position, is susceptible to becoming the organisation's weakest security link.”

Trend Micro's full report is available here.