Kaspersky is warning of a previously unknown espionage campaign targeting the Persian-speaking religious minority Bahaʼi with Android spyware.
As part of the campaign, victims were lured to a VPN application claiming to provide access to Bahaʼi religious resources that are banned in Iran.
The application contains highly sophisticated spyware designed to collect all types of data from devices, including call logs and contact lists, and to track victims’ activities. The malware, named SandStrike, also supports commands that allow the attackers to perform various operations on the device.
The threat actor behind SandStrike created Facebook and Instagram accounts with over 1,000 followers and lured victims using religious-themed materials containing a link to a Telegram channel controlled by the attackers.
The adversary used this channel to distribute the nefarious VPN application claiming it would allow users to access banned sites. The attackers set up their own VPN infrastructure to increase the legitimacy of the claims.
Kaspersky’s description of the attacks involving SandStrike spyware comes just weeks after reports that Iran has intensified its persecution of the Bahaʼi religious minority.
The SandStrike campaign, however, was only one of the threat actor operations active in the Middle East during the third quarter of the year, Kaspersky says.
The security firm analyzed the sophisticated malware platform Metatron, observed the SilentBreak threat group using a new C++ backdoor, SoleExecutor, and documented the activities of DeftTorero (aka Lebanese Cedar, Volatile Cedar).
Detailed in September, Metatron focuses on telecommunications companies, ISPs, and universities in the Middle East and Africa. The adversary bypasses native security solutions and executes malware directly in memory.
In its analysis of the advanced persistent threat (APT) actors’ activity for the third quarter of 2022, Kaspersky also mentions the operations of Russian, Chinese, and North Korean threat actors, pointing out that cyberespionage remains the main goal of the observed APT campaigns.
“APT actors are now strenuously used to create attack tools and improve old ones to launch new malicious campaigns. In their attacks, they use cunning and unexpected methods: SandStrike, attacking users via VPN service, where victims tried to find protection and security, is an excellent example,” said Kaspersky lead security researcher Victor Chebyshev.