CSE Malware Zlab – Chinese APT27’s Long-term Espionage Campaign in Syria is Still Ongoing
(Jul 23, 2018)
Researchers from CSE Cybsec Z-Lab analyzed a public repository, found by ESET security researcher Lukas Stefanko, that contained several Android applications. Their analysis of one folder in the repository revealed an Android spyware associated with the Chinese Advanced Persistent Threat (APT) group “APT27” (Emissary Panda). The repository and its malware were identified as targeting Syria, which is a known target for APT27.
Recommendation: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that claim additional software is needed in order to access or properly view their content should be avoided. Additionally, mobile security applications from trusted vendors are recommended. Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.