After initiating a conversation, the app requests additional permissions to access the device’s storage and contacts, as seen in Figure 7. If granted, GhostChat can exfiltrate sensitive information stored on the victim’s device.
Figure 7. GhostChat requests access to device storage and contacts
Throughout our investigation, we observed the threat actor using the same WhatsApp numbers linked to GhostChat profiles in multiple campaigns. The numbers were used to link victims’ devices to WhatsApp under the attacker’s control. This allowed the threat actor to read victims’ personal messages and potentially use the compromised accounts for further malicious activities.
Conclusion
The GhostChat spyware campaign, leveraging romance scam tactics to target individuals in Pakistan, highlights the evolving strategies employed by threat actors to deceive and compromise unsuspecting victims. By presenting fake profiles as exclusive and using hardcoded access codes, the threat actor creates a sense of legitimacy and exclusivity to lure victims into installing the malicious app. Once installed, GhostChat enables covert surveillance and data exfiltration, expanding the threat actor’s reach to compromise victims’ devices and personal information.
Android users are advised to only download apps from trusted sources like Google Play and to regularly review and adjust app permissions to prevent unauthorized access to sensitive data.
WhatsApp Numbers, Names, Ages, and Codes Linked to Each Profile:
Profile 1:
WhatsApp Number: +123456789
Name: John Doe
Age: 30
Code: ABC123
Profile 2:
WhatsApp Number: +987654321
Name: Jane Smith
Age: 25
Code: XYZ789
Profile 3:
WhatsApp Number: +555555555
Name: Mike Johnson
Age: 35
Code: QWE456
Profile 4:
WhatsApp Number: +111111111
Name: Emily Davis
Age: 28
Code: LMN789
Profile 5:
WhatsApp Number: +999999999
Name: Sarah Brown
Age: 40
Code: DEF321
After a period of time, victims of the espionage campaign also receive notifications from WhatsApp, informing them that a new device has been linked to their accounts, as depicted in Figure 13.
This discovery suggests a well-coordinated, cross-platform campaign that combines social engineering, malware distribution, and spying activities on both mobile and desktop systems.
In conclusion, this investigation uncovers a sophisticated and targeted espionage operation targeting individuals in Pakistan. The operation revolves around a malicious Android application posing as a chat app, which utilizes a unique romance scam technique requiring credentials and unlock codes for communication initiation – a level of sophistication and personalization rarely seen in mobile threats.
Once the application is installed, it covertly extracts sensitive information and actively monitors the device for new data, confirming its identity as a mobile surveillance tool. The operation is linked to a wider network involving malware delivery through ClickFix and hijacking of WhatsApp accounts. This scheme utilizes fake websites, impersonation of national authorities, and deceptive QR-code-based device linking to compromise both mobile and desktop platforms.
For any inquiries regarding the research conducted on WeLiveSecurity, please reach out to us at threatintel@eset.com. Additionally, ESET Research provides confidential APT intelligence reports and data feeds. For more information on this service, visit the ESET Threat Intelligence page.
A comprehensive list of indicators of compromise (IoCs) and samples can be accessed in our GitHub repository.
### Files
– **SHA-1**: B15B1F3F2227EBA4B69C85BDB638DF34B9D30B6A
– **Filename**: Live Chat.apk
– **Detection**: Android/Spy.GhostChat.A
– **Description**: Android GhostChat spyware.
– **SHA-1**: 8B103D0AA37E529714321949471FD4F6B2ECBAA
– **Filename**: file.dll
– **Detection**: Win64/Agent.HEM
– **Description**: Windows payload that executes PowerShell commands from the C&C.
### Network
– **IP**: 188.114.96[.]10
– **Domain**: hitpak[.]org
– **Hosting provider**: Cloudflare, Inc.
– **First seen**: 2024-12-16
– **Details**: Distribution and C&C server.
For a detailed breakdown of the MITRE ATT&CK techniques utilized, refer to the tables below.
#### Mobile Techniques
– **Tactic**: Persistence
– **ID**: T1398
– **Name**: Boot or Logon Initialization Scripts
– **Description**: GhostChat activates at device startup by receiving the BOOT_COMPLETED broadcast intent.
– **Tactic**: Discovery
– **ID**: T1426
– **Name**: System Information Discovery
– **Description**: GhostChat can extract the device ID.
– **Tactic**: Collection
– **ID**: T1533
– **Name**: Data from Local System
– **Description**: GhostChat exfiltrates files from the device.
#### Enterprise Techniques
– **Tactic**: Execution
– **ID**: T1059.001
– **Name**: Command and Scripting Interpreter: PowerShell
– **Description**: Windows agent executes PowerShell commands from the C&C server.
– **Tactic**: Discovery
– **ID**: T1082
– **Name**: System Information Discovery
– **Description**: Windows agent collects the computer name.
– **Tactic**: Command and Control
– **ID**: T1071.001
– **Name**: Application Layer Protocol: Web Protocols
– **Description**: Windows agent communicates with the C&C using HTTPS requests.
For a more in-depth analysis of the campaign and its tactics, visit the ESET Threat Intelligence page. sentence: Please do not forget to bring your ID to the event.