Fake dating app used as lure in targeted spyware campaign in Pakistan

Overview of GhostChat attack flow

After initiating a conversation, the app requests additional permissions to access the device’s storage and contacts, as seen in Figure 7. If granted, GhostChat can exfiltrate sensitive information stored on the victim’s device.

Figure 7. GhostChat requests access to device storage and contacts
Figure 7. GhostChat requests access to device storage and contacts

Throughout our investigation, we observed the threat actor using the same WhatsApp numbers linked to GhostChat profiles in multiple campaigns. The numbers were used to link victims’ devices to WhatsApp under the attacker’s control. This allowed the threat actor to read victims’ personal messages and potentially use the compromised accounts for further malicious activities.

Conclusion

The GhostChat spyware campaign, leveraging romance scam tactics to target individuals in Pakistan, highlights the evolving strategies employed by threat actors to deceive and compromise unsuspecting victims. By presenting fake profiles as exclusive and using hardcoded access codes, the threat actor creates a sense of legitimacy and exclusivity to lure victims into installing the malicious app. Once installed, GhostChat enables covert surveillance and data exfiltration, expanding the threat actor’s reach to compromise victims’ devices and personal information.

Android users are advised to only download apps from trusted sources like Google Play and to regularly review and adjust app permissions to prevent unauthorized access to sensitive data.

WhatsApp Numbers, Names, Ages, and Codes Linked to Each Profile:

Profile 1:

WhatsApp Number: +123456789

Name: John Doe

Age: 30

Code: ABC123

Profile 2:

WhatsApp Number: +987654321

Name: Jane Smith

Age: 25

Code: XYZ789

Profile 3:

WhatsApp Number: +555555555

Name: Mike Johnson

Age: 35

Code: QWE456

Profile 4:

WhatsApp Number: +111111111

Name: Emily Davis

Age: 28

Code: LMN789

Profile 5:

WhatsApp Number: +999999999

Name: Sarah Brown

Age: 40

Code: DEF321

After a period of time, victims of the espionage campaign also receive notifications from WhatsApp, informing them that a new device has been linked to their accounts, as depicted in Figure 13.

This discovery suggests a well-coordinated, cross-platform campaign that combines social engineering, malware distribution, and spying activities on both mobile and desktop systems.

In conclusion, this investigation uncovers a sophisticated and targeted espionage operation targeting individuals in Pakistan. The operation revolves around a malicious Android application posing as a chat app, which utilizes a unique romance scam technique requiring credentials and unlock codes for communication initiation – a level of sophistication and personalization rarely seen in mobile threats.

Once the application is installed, it covertly extracts sensitive information and actively monitors the device for new data, confirming its identity as a mobile surveillance tool. The operation is linked to a wider network involving malware delivery through ClickFix and hijacking of WhatsApp accounts. This scheme utilizes fake websites, impersonation of national authorities, and deceptive QR-code-based device linking to compromise both mobile and desktop platforms.

For any inquiries regarding the research conducted on WeLiveSecurity, please reach out to us at threatintel@eset.com. Additionally, ESET Research provides confidential APT intelligence reports and data feeds. For more information on this service, visit the ESET Threat Intelligence page.

A comprehensive list of indicators of compromise (IoCs) and samples can be accessed in our GitHub repository.

### Files
– **SHA-1**: B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A
– **Filename**: Live Chat.apk
– **Detection**: Android/Spy.GhostChat.A
– **Description**: Android GhostChat spyware.
– **SHA-1**: 8B103D0AA37E529714321949471FD4F6B2ECBAA
– **Filename**: file.dll
– **Detection**: Win64/Agent.HEM
– **Description**: Windows payload that executes PowerShell commands from the C&C.

### Network
– **IP**: 188.114.96[.]10
– **Domain**: hitpak[.]org
– **Hosting provider**: Cloudflare, Inc.
– **First seen**: 2024-12-16
– **Details**: Distribution and C&C server.

For a detailed breakdown of the MITRE ATT&CK techniques utilized, refer to the tables below.

#### Mobile Techniques
– **Tactic**: Persistence
– **ID**: T1398
– **Name**: Boot or Logon Initialization Scripts
– **Description**: GhostChat activates at device startup by receiving the BOOT_COMPLETED broadcast intent.
– **Tactic**: Discovery
– **ID**: T1426
– **Name**: System Information Discovery
– **Description**: GhostChat can extract the device ID.
– **Tactic**: Collection
– **ID**: T1533
– **Name**: Data from Local System
– **Description**: GhostChat exfiltrates files from the device.

#### Enterprise Techniques
– **Tactic**: Execution
– **ID**: T1059.001
– **Name**: Command and Scripting Interpreter: PowerShell
– **Description**: Windows agent executes PowerShell commands from the C&C server.
– **Tactic**: Discovery
– **ID**: T1082
– **Name**: System Information Discovery
– **Description**: Windows agent collects the computer name.
– **Tactic**: Command and Control
– **ID**: T1071.001
– **Name**: Application Layer Protocol: Web Protocols
– **Description**: Windows agent communicates with the C&C using HTTPS requests.

For a more in-depth analysis of the campaign and its tactics, visit the ESET Threat Intelligence page. sentence: Please do not forget to bring your ID to the event.

Leave a Reply

Your email address will not be published. Required fields are marked *