This dangerous new malware is after your WhatsApp backups

By Nick Heyman On Jun 17, 2023

A hacking group known as SpaceCobra developed an instant messaging app that is also able to steal a lot of sensitive information from the target device. The threat actor seems to know exactly who it wants to target, as downloading the app has proven to be quite the challenge for researchers.

Cybersecurity researchers from ESET recently discovered that two messaging apps, called BingeChat and Chatico, were actually serving GravityRAT, a remote access trojan. This RAT was capable of exfiltrating plenty of sensitive information from compromised endpoints, including call logs, contact list, SMS messages, device location, basic device information, and files with specific extensions for pictures, photos, and documents.

No app store presence

What makes these two apps stand out from others delivering GravityRAT out there, is that these can also steal WhatsApp backups and receive commands to delete files.

The way the malware is distributed makes this campaign even more unique. The apps cannot be found on app stores and were never uploaded to Google Play, for example. Instead, they can only be downloaded by visiting a specially crafted website and opening up an account. This might not sound like anything special, but the researchers from ESET could not open up an account as registrations were “closed” when they visited. This prompted them to conclude that the group was very precise with its targeting, possibly going for a specific location or IP address.

“It is most probable that the operators only open registration when they expect a specific victim to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe,” says ESET researcher Lukáš Štefanko. “Although we couldn’t download the BingeChat app via the website, we were able to find a distribution URL on VirusTotal,” he adds.

That being said, the majority of the victims seem to reside in India. The attackers, SpaceCobra, are apparently of Pakistani origin. The campaign is most likely active since August last year, with one of the two (BingeChat) still being active, the researchers said. The malicious app, based on the open-source OMEMO Instant Messenger app, is available for Windows, macOS, and Android.

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TheDailyCheck is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected] The content will be deleted within 24 hours.