Cyble-Dracarys-Malware

Bitter APT group using “Dracarys” Android Spyware

Android Malware Disguised as a Messaging Application

During our routine threat hunting exercise, Cyble Research Labs came across an article wherein the researchers mentioned Bitter APT delivering the Android Spyware “Dracarys.” Bitter aka T-APT-17 is a well-known Advanced Persistent Threat (APT) group active since 2013 and operates in South Asia. It has been observed targeting China, India, Pakistan, and other countries in South Asia.

The Bitter APT is actively involved in both desktop and mobile malware campaigns and uses techniques like spear phishing emails, exploiting known vulnerabilities to deliver Remote Access Trojan (RAT) and other malware families.

Dracarys Android Spyware impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and other chat applications and distributes through phishing sites.

During analysis, we observed that one of the phishing sites is still live and distributing Dracarys. The phishing site mimics the genuine Signal site and delivers a trojanized Signal app.

Figure 1 – Phishing site which distributes Dracarys malware

Upon in-depth analysis of the malware, we observed that the Threat Actor (TA) had inserted the malicious code into the Signal app source code to avoid being detected. The below image showcases the extra added spyware module “org.zcode.dracarys” in the trojanized version of the Signal App.

Figure 2 – Comparison of the genuine and trojanized Signal App

Technical Analysis

APK Metadata Information   

  • App Name: Signal
  • Package Name: org.thoughtcrime.securesms.app
  • SHA256 Hash: d16a9b41a1617711d28eb52b89111b2ebdc25d26fa28348a115d04560a9f1003

   

Figure 3 shows the metadata information of the application.  

Figure 3 – App Metadata Information 

Manifest Description 

The malicious application mentions 24 permissions, of which the TA exploits 10. The harmful permissions requested by the malware are:  

Permission  Description 
READ_CONTACTSAccess phone contacts
RECEIVE_SMSAllows an application to receive SMS messages
READ_SMSAccess phone messages
CAMERARequired to access the camera device.
READ_CALL_LOGAccess phone call logs
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage
RECORD_AUDIOAllows the app to record audio with the microphone, which the attackers can misuse
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the external storage of the device
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call
ACCESS_FINE_LOCATIONAllows an app to access precise location

Source Code Review  

The trojanized version of the Signal application has registered the Accessibility Service in the Manifest file. The malware abuses the Accessibility permissions

such as auto granting permission to run the application in the background, activating Device Admin, and performing auto clicks.

Figure 4 – Malware abusing Accessibility Service

The malware connects to the Firebase server and receives the commands to execute operations for collecting the data from the victim’s device, as shown in the below image.

Figure 5 – Receiving commands from the Firebase server

The malware collects all the contacts from the infected device and sends them to the Command and Control (C&C) server “hxxps://signal-premium-app[.]org“.

Figure 6 – Malware sending contact list to the C&C server

Similarly, the malware collects SMS data, call logs, installed applications list, and files present on the infected device after receiving a command from the C&C server, as shown in Figures 7 through 10.

Figure 7 – Collecting call logs from the infected device

Figure 8 – Collecting installed application list

Figure 9 – Collecting SMS list from an infected device

Figure 10 – Collecting files present in the victim’s device

The malware registers the “DracarysReceiver” broadcast receiver, which receives the event from the Firebase server and starts collecting Personal Identifiable Information (PII) data from the infected device, as shown below.

Figure 11 – Dracarys receiver to send updated PII data

The malware can capture screenshots and record audio to spy on the victim’s device. The below figure shows the code used by the malware to send captured screenshots and recordings to its C&C server.

Figure 12 – Collecting recordings and captured screenshots

The image below shows the C&C server and the URL path to which the stolen data is sent.

Figure 13 – C&C server and endpoints

Conclusion 

According to our research, the TA has injected malicious code into genuine messaging applications such as Signal. The TA also distributed the malware through a phishing site masquerading as a genuine website that tricks users into downloading a trojanized version of popular messaging applications.

We have observed Bitter APT continuously attacking South Asian countries and changing its mode of attack with each new campaign. In this campaign, Bitter APT used a sophisticated phishing attack to infect devices with Dracarys Android Spyware.

In the coming days, we may observe a change in the Bitter APT group’s activities, with different malware variants, enhanced techniques, and distribution modes.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

How to prevent malware infection? 

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated. 

How to identify whether you are infected? 

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. 
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. 

What to do when you are infected? 

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data. 
  • Perform a factory reset. 
  • Remove the application in case a factory reset is not possible. 
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset. 

What to do in case of any fraudulent transaction? 

  • In case of a fraudulent transaction, immediately report it to the concerned bank. 

What should banks do to protect their customers? 

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques 

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
CollectionT1412Capture SMS Messages
CollectionT1432Access Contacts List
CollectionT1433Access Call Logs
CollectionT1517Access Notifications
CollectionT1533Data from Local System
CollectionT1429Capture Audio
ExfiltrationT1437Standard Application Layer Protocol

Indicators of Compromise (IOCs) 

IndicatorsIndicator TypeDescription
d16a9b41a1617711d28eb52b89111b2ebdc25d26fa28348a115d04560a9f1003SHA256Hash of the analyzed APK file
2c60fbb9eb22d0eb5e62f15d1e49028944c3ff51SHA1Hash of the analyzed APK file 
761705bd1681b94e991593bdcf190743MD5Hash of the analyzed APK file
hxxps://signal-premium-app[.]orgURLC&C server
hxxps://signalpremium[.]com/URLMalware distribution site
43e3a0b0d5e2f172ff9555897c3d3330f3adc3ac390a52d84cea7045fbae108dSHA256Hash of the analyzed APK file
a35653c3d04aaaa76266db6cd253f086872a5d27SHA1Hash of the analyzed APK file 
d9a39c41e9f599766b5527986e807840MD5Hash of the analyzed APK file
hxxp://94[.]140.114[.]22:41322URLC&C server
220fcfa47a11e7e3f179a96258a5bb69914c17e8ca7d0fdce44d13f1f3229548SHA256Hash of the analyzed APK file
04ec835ae9240722db8190c093a5b2a7059646b1SHA1Hash of the analyzed APK file 
07532dea34c87ea2c91d2e035ed5dc87MD5Hash of the analyzed APK file
hxxps://youtubepremiumapp[.]com/URLC&C server
Scroll to Top