Researchers have linked the WyrmSpy and DragonEgg spyware to the Winnti group. Based on reports, these spyware strains have been targeting Android mobile users as part of a cyberespionage campaign.
Winnti (aka APT41) is one of the oldest Chinese-sponsored threat groups notorious for targeting various industries in Europe, Asia, and the United States.
The group has repeatedly faced crackdowns from cybersecurity entities but has continued to evolve and shift its targets. At present, those targets are mobile users.
The Winnti operators allegedly employed WyrmSpy and DragonEgg for their new cybercriminal campaigns.
The Winnti group adopted WyrmSpy, which first appeared in 2017, and DragonEgg, which emerged a couple of years ago, to execute their attacks earlier this year.
Researchers explained that both spyware strains share similar Android signing certificates and have extensive data collection and exfiltration capabilities. The two strains also have identical capabilities, such as collecting users’ photos, SMS messages, locations, and audio recordings from infected mobile devices.
WyrmSpy utilises known rooting tools to acquire admin-level privileges on infected devices and perform spyware activities based on the commands it receives from its command-and-control servers after execution.
DragonEgg likewise relies on commands from its C2 servers to execute its capabilities. It was this C2 infrastructure that allowed the researchers to link the two spyware strains to Winnti.
The command-and-control servers used by DragonEgg and WyrmSpy are hardcoded in source code originating from the Winnti group.
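The attribution described above rests on two pivots: samples signed with the same certificate, and samples that talk to the same C2 hosts. As an added illustration (not code from the report or from either malware family), the following clusters Android samples by those two pivots; all sample names, certificate fingerprints and hosts are constructed placeholders, not real indicators.

```python
"""Cluster Android samples by shared signing-certificate fingerprint and
shared C2 host, the two pivots used to tie WyrmSpy and DragonEgg to Winnti.
All metadata below is constructed for illustration; nothing here is a real
indicator."""
from collections import defaultdict

# Constructed sample metadata: name -> signing cert fingerprint, C2 hosts
SAMPLES = {
    "wyrmspy-a": {"cert": "cert-A", "c2": {"c2-1.example", "c2-2.example"}},
    "wyrmspy-b": {"cert": "cert-A", "c2": {"c2-3.example"}},
    "dragonegg-a": {"cert": "cert-B", "c2": {"c2-2.example"}},
    "unrelated-app": {"cert": "cert-C", "c2": {"other.example"}},
}


def cluster_samples(samples):
    """Union-find over samples: two samples land in one cluster when they
    share a signing certificate or a C2 host (transitively)."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_cert, by_c2 = defaultdict(list), defaultdict(list)
    for name, meta in samples.items():
        by_cert[meta["cert"]].append(name)
        for host in meta["c2"]:
            by_c2[host].append(name)
    for group in list(by_cert.values()) + list(by_c2.values()):
        for other in group[1:]:
            parent[find(other)] = find(group[0])
    clusters = defaultdict(set)
    for name in samples:
        clusters[find(name)].add(name)
    return sorted((frozenset(c) for c in clusters.values()), key=sorted)


def shared_pivots(samples, cluster):
    """Explain a cluster: the certs and C2 hosts seen in more than one member."""
    certs, hosts = defaultdict(int), defaultdict(int)
    for name in cluster:
        certs[samples[name]["cert"]] += 1
        for host in samples[name]["c2"]:
            hosts[host] += 1
    return {"certs": {c for c, n in certs.items() if n > 1},
            "c2": {h for h, n in hosts.items() if n > 1}}


if __name__ == "__main__":
    for c in cluster_samples(SAMPLES):
        print(sorted(c), shared_pivots(SAMPLES, c))
```

Running it shows the two WyrmSpy samples joined by the certificate and the DragonEgg sample joined to them by the shared C2 host, while the unrelated app stays on its own.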
Researchers have yet to encounter samples of APT41 attacks that use the two malware strains, but they believe the actors distribute the malware through social engineering. The current campaign using both spyware strains distributes them through malicious apps on the Google Play Store.
These attacks are expected to continue even though their attribution is correct, since the threat actors have already deployed their apps on the Play Store.
Winnti’s interest in Android devices indicates that mobile endpoints are high-priority targets with essential information. Users should avoid downloading unnecessary apps or apps from unknown sources.