Indian-Made Spyware Linked to Notorious Hacker Group Attacking Activist

Researchers from Amnesty International have uncovered a new wave of spyware that is believed to have been developed by an India-based cybersecurity company and used by a notorious hacker group to target human rights activists in Togo.

The threat group, known as Donot Team, has been connected to various attacks in South Asia and is now linked with the Indian cybersecurity company Innefu Labs Pvt. Ltd., which claims to focus on digital security, data analytics, and other cybersecurity services for law enforcement agencies.

Donot Team has used Android spyware to target hundreds of individuals across South Asia and the Middle East, and the current attack is focused on a prominent human rights defender (HRD) in Togo.

Two pieces of evidence were found indicating that Innefu Labs has a strong link with the Donot Team Android spyware. Researchers also found screenshots from an infected test Android phone exposed on a Donot Team server.

Those screenshots reveal that the attackers were also testing the spyware, using a WhatsApp account called “UserTester” and sending messages such as “Testing WhatsApp notifications”.

Innefu Labs

Innefu operates from Delhi, India, and describes itself as an Information Security R&D startup providing cutting-edge Information Security & Data Analytics solutions.

“We count among our clients the biggest corporate entity in the country apart from some of the most sensitive and critical organizations in Government of India.” the Innefu website says.

The link between the Donot Team spyware and the Indian cybersecurity company Innefu Labs came from the attacker's use of the custom SwiftKey keyboard on the device: SwiftKey suggested two different URLs.

One led to a malware distribution website (bulk[.]fun), and the other was an IP address tied to Innefu Labs.

According to the report, the Innefu Labs IP address and the bulk[.]fun URL would only be suggested by the keyboard if the attacker using this test phone had previously interacted with both the spyware server and the Innefu Labs IP address.

Suspicious WhatsApp Messages

The HRD from Togo reported suspicious WhatsApp messages they were receiving on their mobile phone, sent from a WhatsApp account registered to an Indian phone number.

The WhatsApp chats encouraged the HRD to install an Android chat application to continue their communications.

Instead of an Android chat app, what gets installed is custom spyware designed to extract some of the most sensitive and personal information stored on the HRD’s phone.

The Android application masqueraded as a chat application named ChatLite, but it was a custom-developed Android spyware tool that, when successfully deployed, allows the attackers to collect sensitive data from victims’ mobile devices and install additional spyware tools.

Once successfully installed on a targeted activist's mobile device, the spyware starts recording the camera and microphone, collects photos and files stored on the device, and even reads encrypted WhatsApp messages as they are sent and received.

The attackers also targeted the Togolese HRD, who uses a Windows system, via email: they sent a malicious email with a Microsoft Word document (docx) attachment that leads to the download and execution of a malicious RTF file. The RTF file is an exploit for the known Microsoft Word vulnerability (CVE-2017-0199) that leads to spyware being dropped on the victim's system.
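
A defender's triage check for the docx-to-remote-RTF delivery described above, as an added example that is not taken from the Amnesty report. It assumes the document reaches its remote content through an OOXML relationship marked `TargetMode="External"`, which is the standard way a .docx references a file outside its own package; the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word may fetch on open, unlike a hyperlink the user must click.
AUTO_LOAD = ("oleObject", "attachedTemplate", "frame", "subDocument")

def external_relationships(docx_bytes):
    """List every relationship in a .docx that points outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            data = zf.read(name)
            if b"<!DOCTYPE" in data:
                # .rels parts never need a DTD; refuse to parse entity tricks.
                findings.append({"part": name, "type": "DOCTYPE",
                                 "target": "", "auto_load": True})
                continue
            for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({"part": name, "type": rtype,
                                 "target": rel.get("Target", ""),
                                 "auto_load": rtype in AUTO_LOAD})
    return findings

def build_sample(target, rtype):
    """Constructed sample: a minimal package holding one external relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/'
        'package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{REL_TYPE}{rtype}" '
        f'Target="{target}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{REL_TYPE}styles" Target="styles.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # example.invalid is a placeholder host, not an indicator from the report.
    for hit in external_relationships(
            build_sample("http://example.invalid/a.rtf", "oleObject")):
        print(hit)
```

Findings with `auto_load` set deserve review before the attachment is opened; external hyperlinks are common in benign documents and are reported without that flag.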

“Togolese authorities should put in stronger mechanisms to ensure that HRDs can carry out their work in a safe and enabling environment, including providing protection against and remedy for unlawful targeted surveillance.” Amnesty International said.
