Russian soldiers are being targeted with an Android app specifically modified to pinpoint their location and scan their phones for files, with the ability to exfiltrate sensitive documents if instructed.

The software in question is Alpine Quest, a legitimate topographic mapping tool popular among hikers, hunters, and, more to the point, Russian military personnel operating in combat zones. A tampered version, with spyware dubbed Android.Spy.1292.origin injected into it, has been circulated by persons unknown, seemingly with the intent to infect the devices of President Putin’s war-fighters.

“Threat actors embedded Android.Spy.1292.origin into one of the older Alpine Quest app versions and distributed the trojanized variant under the guise of a freely available version of Alpine Quest Pro, a program with advanced functionality,” Russian security outfit Dr Web explained this week.

To spread the infected app, the snoops behind the caper created a bogus Telegram channel to pose as the app’s developer. “The channel provided a link for downloading the app in one of the Russian app catalogs. The same trojan version, disguised as the app’s ‘update,’ was later distributed via this very same channel,” Dr Web added.

Once installed, the trojan quietly connects to a remote command-and-control (C2) server, waiting for orders and sending back sensitive data. According to Dr Web, it can collect the following:

  • Current date and geolocation
  • Downloaded files
  • Mobile phone numbers and accounts
  • Contact lists
  • The device’s app version

That’s just for starters. The malware can also be instructed to download and run additional modules that help exfiltrate specific files, particularly documents shared via Telegram or WhatsApp, and locLog GPS logs created by Alpine Quest itself.

While attribution remains unconfirmed, the data collection profile points toward state-backed surveillance, possibly Ukrainian. We have asked Dr Web for further details.

A fake software update hides a nasty surprise

Alpine Quest is far from the only digital mess Russia’s dealing with. Over at Kaspersky, researchers have uncovered another nasty surprise, a “sophisticated” backdoor, this time hiding inside a fake software update.

The Russian infosec house found that miscreants had bundled the malware into LZH archives mimicking legitimate ViPNet update packages for Windows computers; ViPNet being a trusted secure networking suite used extensively across Russia’s government, finance, and industrial sectors. Inside the archive is a rogue executable called msinfo32.exe, a name borrowed from a legitimate Windows system tool, a classic trick to dodge suspicion during initial inspection. The program decrypts and unpacks a payload contained within the archive.

“The msinfo32.exe file is a loader that reads the encrypted payload file. The loader processes the contents of the file to load the backdoor into memory,” Kaspersky said.

“This backdoor is versatile: It can connect to a C2 server via TCP, allowing the attacker to steal files from infected computers and launch additional malicious components, among other things.”

To be clear, this wasn’t a screw-up on ViPNet’s part; Kaspersky notes the malware was smuggled in via spoofed update archives, not any official release.

Meanwhile, the digital war continues

From the other side, Russian fiends have been targeting Ukrainian officials and their allies in an ongoing phishing campaign aimed at hijacking Microsoft 365 accounts.

Marks are contacted via Signal or WhatsApp by baddies posing as diplomats from the EU, Romania, Bulgaria, or Poland. The hook? An invitation to a video call about the ongoing war, security biz Volexity reports.

Once the victim takes the bait, with some social engineering and a little abuse of Microsoft’s OAuth 2 authentication workflow, kinda like what we saw earlier this year with device authentication codes, the snoops gain control of the victim’s M365 account. Volexity summarized the attack thus:

According to Volexity, one campaign even leveraged a compromised Ukrainian government account to lend credibility to the ruse.

“Like other OAuth phishing techniques, the one used in this campaign involved direct interaction with the victim to have them click a link and supply a code back to the attacker,” the team says. “This code is then sought by the attacker and used to obtain illicit access to M365 resources.” ®
