Indian hackers abuse mobile device management (MDM) services to monitor iPhone users

Source: Internet
Author: User

The highly targeted mobile malware campaign against Indian iPhone users, disclosed two weeks ago, has been found to be part of a broader set of campaigns targeting a wider range of platforms, including Windows devices and possibly Android.

Earlier this month, researchers at the Talos threat intelligence group found a group of Indian hackers abusing mobile device management (MDM) services to hijack and monitor a small number of targeted iPhone users in India.

Since at least August 2015, the attackers have been abusing the MDM service to remotely install malicious versions of legitimate applications, including Telegram, WhatsApp and PrayTime, on the targeted iPhones.

These modified apps are designed to spy on iOS users and steal their live locations, text messages, contacts, photos and private messages from third-party chat apps.

In their ongoing investigation, Talos researchers found new MDM infrastructure and several malicious binaries, designed for victims running the Microsoft Windows operating system, hosted on the same infrastructure used in the previous campaigns.

In addition, the researchers found some potential similarities linking this activity to an older hacking group called "Bahamut", a threat actor that previously targeted Android devices with a technique similar to the MDM approach used in the latest iOS malware activity.

The newly identified MDM infrastructure was created in January 2018 and used from January to March this year, targeting two devices in India and one with a UK telephone number located in Qatar.

In addition to distributing modified Telegram and WhatsApp apps with malicious features, the newly discovered servers also distribute modified versions of the Safari browser and the IMO video chat app to steal even more personal information from victims.

Attackers steal login credentials with a malicious Safari browser

According to the researchers, the malicious Safari browser has been pre-configured to automatically exfiltrate the user's username and password for a variety of web services, including Yahoo, Rediff, Amazon, Google, Reddit, Baidu, ProtonMail, Zoho, Tutanota and more.

The malicious browser contains three malicious plugins (Add Bookmark, Add to Favourites and Add to Reading List) which, just like the other malicious applications in the campaign, send the stolen data to a remote attacker-controlled server.

It is unclear who was behind the activity, who the targets of the campaign were, and what the motives behind the attack were, but the technical elements indicate that the attackers were operating in India and were well funded.

The researchers note that a device can only be infected with this malware once the victim has enrolled it in the attacker's MDM, which means users "should always be careful to avoid accidental registration".
