FlagThis - #sophos

A new Android malware campaign, potentially linked to previous attacks targeting Indian military personnel, has been identified focusing on users in Taiwan. The malware, known as PJobRAT, is an Android Remote Access Trojan (RAT) that steals sensitive data. It operates by disguising itself as legitimate chat applications, tricking users into installation. Once installed, PJobRAT can extract SMS messages, phone contacts, device information, documents, and media files from infected devices, enabling deep surveillance and remote control.

Researchers at Sophos X-Ops uncovered this recent campaign, observing activity from January 2023 to October 2024. The malicious chat apps, named SangaalLite and CChat, were distributed through compromised WordPress sites. While this particular campaign may be paused, it illustrates that threat actors often retool and retarget after an initial campaign, improving their malware and adjusting their approach before striking again. Users are advised to avoid installing apps from untrusted sources and employ mobile security solutions for protection.


References :

• ciso2ciso.com: PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps – Source:thehackernews.com
• The Hacker News: An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps.
• www.infosecurity-magazine.com: PJobRAT malware targets Taiwan Android users, stealing data through fake messaging platforms
• Sophos X-Ops: Back in 2021, researchers reported on PJobRAT, an Android RAT targeting Indian military personnel by imitating various dating and instant messaging apps. After that, everything seemed to go quiet. But during a recent threat hunt, Sophos X-Ops researchers uncovered a more recent PJobRAT campaign appearing to target users in Taiwan – the earliest sample being Jan 2023, and the most recent in October 2024.
• Cyber Security News: Sophos X-Ops researchers have uncovered a new campaign involving PJobRAT, an Android Remote Access Trojan (RAT) first observed in 2019. This latest iteration, which appeared to target users in Taiwan, disguised itself as instant messaging apps such as ‘SangaalLite’ and ‘CChat’.
• gbhackers.com: PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in a new campaign targeting users in Taiwan.
• Sophos News: PJobRAT makes a comeback, takes another crack at chat apps
• Sophos X-Ops: We can’t confirm how users were directed to these sites, but PJobRAT previously used a variety of tricks, including third-party app stores, link shortening, phishing pages, fictitious personae, and posting links on forums. Once on a user’s device, the malware requests various permissions, and can steal SMS messages, phone contacts, device and app info, documents, and media files. The latest variant does not have a built-in function for stealing WhatsApp messages. But it does have a new functionality – running shell commands. This greatly increases the malware’s capabilities.

Classification:

• HashTags: #PJobRAT #AndroidMalware #Taiwan
• Company: Sophos
• Target: Taiwanese users
• Attacker: PJobRAT
• Product: Android
• Feature: Android Malware
• Malware: PJobRAT
• Type: Malware
• Severity: Major

Cybercriminals are increasingly leveraging Scalable Vector Graphics (SVG) files in phishing attacks to circumvent traditional email security measures. Sophos researchers have uncovered this rising threat, noting that attackers use SVG files to distribute malicious links leading to credential theft. These SVG files, commonly used for vector-based images, can contain hyperlinks and scripts within their text-based XML instructions, enabling attackers to embed malicious content directly within the graphics file.

Attackers often employ social engineering tactics in phishing emails, impersonating well-known brands like DocuSign, Microsoft SharePoint, Dropbox, and Google Voice to trick recipients into opening the malicious SVG attachments. When a user clicks the embedded link, they are redirected to a credential-harvesting site disguised as a legitimate login portal. Sophos has observed increasingly sophisticated SVG phishing attacks, including the use of Cloudflare CAPTCHA gates, credential pre-filling, live phishing templates, and JavaScript auto-redirects to further evade detection.


References :

• securityonline.info: Sophos Uncovers Rising Threat of SVG-Based Phishing Attacks
• ciso2ciso.com: Cybercriminals Weaponize Graphics Files in Phishing Attacks – Source: www.infosecurity-magazine.com
• ciso2ciso.com: Ciso2Ciso - Cybercriminals Weaponize Graphics Files in Phishing Attacks

Classification:

• HashTags: #PhishingAttacks #SVGFiles #EmailSecurity
• Company: Sophos
• Target: Email Users
• Attacker: Sophos
• Product: SVG
• Feature: Scalable Vector Graphics
• Type: Phishing
• Severity: Medium