Asian company is the newest APT threat

An unnamed South Asian software development consultancy that sells employee-monitoring software is also an APT actor and, according to CloudSek CTO Rahul Sasi, appears to be conducting widespread intellectual property theft for economic gain.

“The targets of this APT are so diverse, ranging from government officials, high profile individuals to engineers from technology companies,” he says.

The group – dubbed Santa APT, for reasons that will become clear as you read on – is targeting software companies and individuals around the world, looking for and exfiltrating confidential information with the help of two distinct pieces of malware they have created.

The first one is desktop malware that hides on the target computer, collects files and screenshots, and sends them to the attackers’ servers.

Notably, the malware can also exfiltrate data from air-gapped systems with the help of a USB module.

As Sasi explained it to us, this module copies selected data from the infected air-gapped machine to an attached USB device; when that device is later plugged into an infected machine that does have Internet access, the data is sent on to the attackers from there. The air-gapped machine itself must already be infected; only the exfiltration needs the relay.

The second is mobile malware targeting Android and iOS devices. It is bundled into various Christmas-themed games and apps offered for download online (hence the group’s name).

The permissions these apps ask for are extensive and could be viewed as excessive by some, but apparently at least 8,000 users have granted them and installed one of these apps.

The researchers managed to access the control panels on the C&C servers for both threats and found that the mobile malware collects and exfiltrates the following from an infected device: the user’s contacts, text messages, call records, location, calendar contents, photos and videos, browser history and more.
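The data categories listed above each correspond to a standard Android permission, which is why the “too much” permission set is the first thing to check before installing a novelty app. The script below is an added example, not CloudSek’s tooling or anything recovered from the apps: it parses a decoded AndroidManifest.xml (the two manifests embedded here are constructed for illustration), maps each requested permission to the data it exposes, and flags whatever a simple game cannot justify. The permission-to-data mapping is the public Android one; the “expected for a game” set is an assumption for the example.

```python
"""Triage an Android app's requested permissions against the kind of data
a spyware app would need.  Added example; the manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in Clark notation

# Public Android permissions that unlock each data category the article says
# the mobile malware exfiltrates (standard mapping, not taken from the apps).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call records",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and videos",
    "android.permission.CAMERA": "photos and videos",
    "android.permission.RECORD_AUDIO": "voice",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history",
}

# Assumption for this example: what a Christmas-themed game could plausibly
# justify (ads/leaderboards and haptics), nothing else.
EXPECTED_FOR_GAME = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
}


def requested_permissions(manifest_xml):
    """Return the sorted set of android:name values on <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)


def triage(manifest_xml, expected=EXPECTED_FOR_GAME):
    """Map permissions to exposed data and give a coarse verdict.

    'spyware-like' if three or more sensitive data categories are reachable,
    'review' if any are, 'plausible' if nothing beyond the expected set."""
    perms = requested_permissions(manifest_xml)
    exposed = {}
    for p in perms:
        if p in SENSITIVE:
            exposed.setdefault(SENSITIVE[p], []).append(p)
    unexplained = [p for p in perms if p not in expected]
    if len(exposed) >= 3:
        verdict = "spyware-like"
    elif exposed or unexplained:
        verdict = "review"
    else:
        verdict = "plausible"
    return {
        "requested": perms,
        "unexplained": unexplained,
        "exposed_data": exposed,
        "verdict": verdict,
    }


# Constructed manifest: a "Christmas game" asking for far more than it needs.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.xmasgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application android:label="Santa Run"/>
</manifest>
"""

# Constructed manifest: what a comparable benign game would look like.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.snowball">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Snowball Fight"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, result["verdict"], sorted(result["exposed_data"]))
```

To run this against a real APK, first decode the binary manifest (for example with `apktool d app.apk`, which writes a readable AndroidManifest.xml) or list the permissions with `aapt dump permissions app.apk` and feed the names straight into the mapping. The verdict is a triage aid, not proof: a legitimate messaging or backup app would also trip it, so the useful signal is the gap between what the app claims to do and what its permissions reach.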

Malware interface

As noted above, the desktop malware exfiltrates files and screenshots, but CloudSek also found (currently empty) folders for keylogging and voice recording on the server. This may indicate that the group intends to add those capabilities to the Trojan in the future.

According to Sasi, the group is also selling the desktop malware on various underground forums. Simultaneously, as a legitimate company, they are recruiting mobile app developers (both for Android and iPhone).