Cybersecurity researchers have shown that the Russian military is the goal of a new malicious company that distributes Android spyware under the guise of Alpine Quest software.
“The attackers hide this Trojan inside alpine Quest software and distribute it in different ways, including through one of the Russian Android App”, DOCTOR WEB – Note In the analysis.
Trojan was found built into the old software versions and is distributed as a freely available Alpine Quest Pro option, an advanced functionality.
The Russian cybersecurity supplier said he also observed malicious software, called Android.Spy.1292.origin, which was distributed as APK file through a fake telegram.
While threatening subjects initially submitted a link to download the application into one of the Russian apps through telegram, the tray -made version later was distributed directly as APK as an application update.
What notes the attack is that it will take advantage of the fact that the alpine quest is used by a Russian military in the special military operation.
After installing on the Android device app on malware
- Number of mobile and their bills
- Lists of contacts
- Current date and geolocation
- Information about saved files and
- Application version
In addition to sending the victim’s placement every time it goes into a telegram, spyware maintains the ability to download and start additional modules that allow it to highlight interesting files, especially those sent via Telegram and WhatsApp.
“Android.Spy.1292.origin not only allows users to control, but also confidential files to be captured,” said Dr. Web. “In addition, its functionality can be expanded by downloading new modules, allowing it to perform a wider range of harmful tasks.”
To mitigate the risk that such threats, it is recommended to upload Android Apps only from the proxies apps and avoid downloading “free” paid software versions from questionable sources.
Russian organizations aimed at new Windows Backdoor
The disclosure of information occurs when Caspersorski showed that various major organizations in Russia covering the government, finance and industrial sectors were directed to the complex back, masking it as an update for safe network software called Vipnet.
“Backdoor focuses on computer connected to VIPNE networks” – Note In the previous report. “The back was distributed in the LZH archives with a structure characteristic of the software updates.”
In the archive, which is present in the archive, there is a malicious executable file (“msinfo32.exe”), which acts as a loader for encrypted useful load, also included in the file.
“The loader handles the file contents to download the back in memory,” Kaspersky said. This back is versatile: it can connect to the C2 server via TCP, allowing the attacker to steal files from infected computers and run additional malicious components, among other things. “
