📃Title: VajraSpy: A Patchwork of espionage apps
📅Date: 2024-02-01
🔗References:

Description

ESET researchers have identified 12 Android espionage apps that were available on Google Play between 2021 and 2023 and are still available in the wild, but not on alternative app stores, as previously thought.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer ESET
  • target-information="Pakistan"
  • target-information="Malaysia"
  • target-information="India"
  • threat-actor QUILTED-TIGER
  • malpedia="VajraSpy"
  • mitre-attack-pattern=['T1398', 'T1417', 'T1418', 'T1420', 'T1422', 'T1426', 'T1429', 'T1430', 'T1437', 'T1481', 'T1512', 'T1517', 'T1533', 'T1553', 'T1566', 'T1082', 'T1636.002', 'T1636.003', 'T1641', 'T1646', 'T1417.001', 'T1481.003', 'T1636.004', 'T1437.001']

MISP event uuid: 7b7d8d69-d72f-4a5d-afd9-03ddc2ec3843

Indicator of Compromise (IoCs)

type,value,comment
sha1, bcd639806a143bd52f0c3892fa58050e0eeef401, 'VajraSpy trojan. No sample in VT. Last check: 22/02/2025'
ip-dst, 34.120.160.131, 'VajraSpy C&C servers'
hostname, hello-chat-c47ad-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, chit-chat-e9053-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, meetme-abc03-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, chatapp-6b96e-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, tiktalk-2fc98-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, wave-chat-e52fe-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, privchat-6cc58-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, glowchat-33103-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, letschat-5d5e3-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, quick-chat-1d242-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
hostname, yooho-c3345-default-rtdb.firebaseio.com, 'VajraSpy C&C servers'
ip-dst, 35.186.236.207, 'VajraSpy C&C servers'
hostname, rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase.app, 'VajraSpy C&C servers'
ip-dst, 160.20.147.67, 'VajraSpy C&C servers'

Full IOCs available in Rectifyq's MISP