External threat landscape management platform Cyfirma reported that a malicious Android package has been targeting Indian defense personnel for quite a while. The threat actors used a Spymax RAT malware variant to control the victims' devices.
Diving into details
The campaign has been ongoing since at least July 2021. The APK file masquerades as a promotion letter that promises ‘Subs Naik’ rank.
Upon installation, the app presents a lookalike Adobe Reader icon. It requests multiple permissions, including storage, camera, microphone, and internet access.
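A defender-side illustration of the permission mismatch described above, added here and not taken from Cyfirma's report or the sample itself: it parses a decoded AndroidManifest.xml (plain XML, as apktool emits) and flags a reader-styled app that requests permissions a document viewer has no reason to hold. The sample manifest, the hint words and the suspicious-permission list are constructed assumptions.

```python
"""Flag a document-reader-styled Android app whose manifest requests
permissions a PDF viewer should not need (camera, microphone, ...).
Assumes the manifest is already decoded to plain XML (e.g. via apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
LABEL = f"{{{ANDROID_NS}}}label"

# Permissions a read-only document viewer has no business requesting.
SUSPICIOUS_FOR_READER = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Label or package-name fragments that suggest a document viewer.
READER_HINTS = ("reader", "pdf", "acrobat", "adobe")

# Constructed manifest mirroring the page's description; not the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.promotionletter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Adobe Reader"/>
</manifest>"""


def permissions(root):
    """All android:name values declared in <uses-permission> elements."""
    return {p.get(NAME) for p in root.iter("uses-permission") if p.get(NAME)}


def looks_like_reader(root):
    """True if the app label or package name poses as a document viewer."""
    app = root.find("application")
    label = (app.get(LABEL, "") if app is not None else "").lower()
    pkg = root.get("package", "").lower()
    return any(h in label or h in pkg for h in READER_HINTS)


def audit_manifest(xml_text):
    """Return suspicious permissions if the app poses as a reader, else empty."""
    root = ET.fromstring(xml_text)
    if not looks_like_reader(root):
        return set()
    return permissions(root) & SUSPICIOUS_FOR_READER


if __name__ == "__main__":
    print(sorted(audit_manifest(SAMPLE_MANIFEST)))
```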
In their attacks, the threat actors have been using a variant of Spymax RAT, whose source code is already available on underground forums.
They used a Google Drive link with a PDF file that listed Indian defense personnel who were recently promoted to higher ranks. The link was propagated via WhatsApp.
Attribution
As the campaign has been active for quite some time and is extremely targeted, researchers surmise that this is the act of a nation state threat actor, attempting to pilfer confidential information.
However, based on the analyzed data, the researchers couldn’t attribute the campaign to a particular nation state threat actor.
Cyfirma concluded that the geopolitical situation in South Asia has resulted in India suffering multiple cyberattacks from its neighbors.
A bit on Spymax RAT
This Android RAT is capable, readily available, and does not require root privileges on the victim device.
Spymax RAT is distributed as several Android package builds, one of which includes a web view feature that lets the attacker inject an arbitrary web link into the web view module.
Once it is installed, it pretends to be a full-fledged Android app.
The bottom line
The campaign has been going on for more than a year and researchers have still not been able to attribute it to any threat actor, which suggests that this elusive campaign is being conducted by a fairly advanced nation state threat actor. Therefore, it is recommended to implement proper cyber defenses and to refrain from opening links from untrusted sources.