
Bouncing Golf cyberespionage campaign targets Android users in Middle East


According to security researchers at Trend Micro, a cyberespionage campaign is targeting Android users in Middle Eastern countries.

Security researchers at Trend Micro have spotted a cyberespionage campaign, dubbed ‘Bouncing Golf’, that is targeting Android users in Middle Eastern countries.

Threat actors are using a piece of malware detected as GolfSpy, which implements multiple features and can hijack the victim’s device.

GolfSpy could steal the following information:

  • Device accounts
  • List of applications installed in the device
  • Device’s current running processes
  • Battery status
  • Bookmarks/Histories of the device’s default browser
  • Call logs and records
  • Clipboard contents
  • Contacts, including those in VCard format
  • Mobile operator information
  • Files stored on SDcard
  • Device location
  • List of image, audio, and video files stored on the device
  • Storage and memory information
  • Connection information
  • Sensor information
  • SMS messages
  • Pictures

Attackers distributed the malware in tainted legitimate applications that are hosted on websites advertised on social media. The tainted applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East.

“We uncovered a cyberespionage campaign targeting Middle Eastern countries. We named this campaign ‘Bouncing Golf’ based on the malware’s code in the package named ‘golf.’” reads the blog post published by Trend Micro. “The malware involved, which Trend Micro detects as AndroidOS_GolfSpy.HRX, is notable for its wide range of cyberespionage capabilities. Malicious codes are embedded in apps that the operators repackaged from legitimate applications.”

According to the experts that have analyzed the command and control (C&C) servers used in the Bouncing Golf campaign, more than 660 Android devices have been infected with GolfSpy malware. The attackers appear to be focused on stealing military-related information.

The researchers speculate on a possible connection to Domestic Kitten espionage activities, an extensive surveillance operation conducted by an Iranian APT actor and aimed at specific groups of individuals since 2016.

Experts found similarities in the structure of the code strings and in the format of the data targeted for theft.

The GolfSpy malware is also able to connect to a remote server to fetch and perform a broad range of commands such as searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.

Once the malware is executed, it generates a unique ID and then collects targeted data and writes it to a file on the mobile device.

The malicious code allows the attackers to choose the data types to collect. Stolen data is encrypted using a simple XOR operation with a pre-configured key and then sent to the C2 via HTTP POST requests.

GolfSpy also connects to the C2 via a socket in order to receive additional commands. In this case, stolen data is also sent to the C2 in encrypted form via the socket; experts pointed out that the encryption key is different from the one used when data is sent via HTTP.
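As an added example (not Trend Micro's or GolfSpy's code), the following Python shows how an analyst could decode a captured record obfuscated with a repeating-key XOR of the kind described above, recovering the key from a known record header and handling the separate HTTP and socket keys; the header, keys and `field=value|...` record layout are assumptions.

```python
"""Analyst helper for XOR-obfuscated exfiltration records: a record is XORed
with a pre-configured repeating key and then POSTed to the C2, while the socket
channel uses a different key. Added example; key, header and layout are assumed."""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key from a captured payload when the first
    key_len plaintext bytes are known (here: a fixed record header)."""
    if min(len(ciphertext), len(known_prefix)) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def decode_capture(ciphertext: bytes, known_prefix: bytes, key_len: int) -> dict:
    """Recover the key, decrypt, and split the assumed 'field=value|...' record.
    Returns {} when the header does not decrypt cleanly, so a wrong key length
    or the wrong channel key is visible instead of yielding garbage fields."""
    key = recover_key(ciphertext, known_prefix, key_len)
    plain = xor_bytes(ciphertext, key)
    if not plain.startswith(known_prefix):
        return {}
    fields = {}
    for part in plain.decode("utf-8", errors="replace").split("|"):
        name, sep, value = part.partition("=")
        if sep:
            fields[name] = value
    return fields


# Constructed sample traffic: a record as it would look before encryption,
# with a fixed 13-byte header assumed to start every record.
HEADER = b"GS-REC|v1|id="
RECORD = HEADER + b"3f9a2c|type=sms|from=+000000000|body=meeting at 0900"
HTTP_KEY = b"h7Tp-k3y!"        # hypothetical pre-configured HTTP key
SOCKET_KEY = b"s0ck3t-K3Y#"    # hypothetical separate socket key
HTTP_CAPTURE = xor_bytes(RECORD, HTTP_KEY)
SOCKET_CAPTURE = xor_bytes(RECORD, SOCKET_KEY)

if __name__ == "__main__":
    print(decode_capture(HTTP_CAPTURE, HEADER, len(HTTP_KEY)))
    print(decode_capture(SOCKET_CAPTURE, HEADER, len(SOCKET_KEY)))
```

Key recovery only works if the captured payload starts with plaintext the analyst already knows; the record header here stands in for whatever fixed prefix a given sample actually emits.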

The operators behind the Bouncing Golf campaign attempt to cover their tracks; for example, they masked the registrant contact details of the C&C domains used in the campaign. The IP addresses associated with the C&C servers used in the campaign also appear to be located in several European countries, including Russia, France, Holland, and Germany.

“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users,” Trend Micro concludes. “The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device.”

Pierluigi Paganini

(SecurityAffairs – Bouncing Golf, hacking)
