The malware will serve content in the Spanish language from the SPSRASD website to look legitimate to the victim.
In actuality, FlexStarling is a highly versatile malware capable of deploying additional malware components and stealing information from the infected devices.
Starry Addax's infrastructure can be used to target Windows- and Android-based users.
All components, from the malware to the operating infrastructure, appear to be bespoke, custom-made for this specific campaign, indicating a heavy focus on stealth and on conducting activities under the radar.
The use of FlexStarling with a Firebase-based C2, instead of commodity malware or commercially available spyware, indicates the threat actor is making a conscious effort to evade detection and operate unnoticed.
The timelines connected to various artifacts used in the attacks indicate that this campaign is just starting and may be in its nascent stages, with Starry Addax still building out infrastructure and working on additional malware variants.
The FlexStarling malware app requests a plethora of permissions from the Android OS to extract valuable information from the infected mobile device.
The actor wants to gain the ability to read, write, modify, delete and manage files on external storage locations.
The malware obtains command codes and accompanying information from the C2 server.
Download: Download a file specified by a URL to the Downloads directory.
Copy files from the Downloads directory to the application package directory.
Decrypt a dex file located in the application package directory and reflectively load it.
Upload a local file to the attacker's Dropbox folders using the Dropbox API. The ACCESS TOKEN, local file path and remote upload path are specified by the C2.
fb84708d32d00fca5d352e460776584c
Check if a file inside the application package directory exists.
DEX: Contains the source file name to be used during the Decrypt commands.
Ky4: Used as a parameter during reflective loading of the DEX file.
Ky5: Secret key used for AES decryption as part of the implant's DEX decrypt and reflective load.
ky6: IV used for AES decryption as part of the implant's DEX decrypt and reflective load.
ky7: Contains the source file name to be used during the AES decryption as part of the implant's DEX decrypt and reflective load.

Coverage
Cisco Secure Endpoint is ideally suited to prevent the execution of the malware detailed in this post.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Malware Analytics identifies malicious binaries and builds protection into all Cisco Secure products.
This Cyber News was published on blog.talosintelligence.com. Publication date: Tue, 09 Apr 2024 14:43:05 +0000