Kaspersky Lab has been working to locate Galileo’s command and control (C&C) servers around the globe. Using connectivity data obtained by reverse-engineering samples, researchers mapped more than 320 RCS C&C servers in over 40 countries, most of them in the U.S.A., Kazakhstan, Ecuador, the U.K. and Canada.
Sergey Golovanov, principal security researcher, Kaspersky Lab, said in a press release, “The presence of these servers in a given country doesn’t mean to say they are used by that particular country’s law enforcement agencies. However, it makes sense for the users of RCS to deploy C&Cs in locations they control – where there are minimal risks of cross-border legal issues or server seizures.”
Although HackingTeam’s Trojans have existed for some time, until now no one had identified them or noticed that they were being used in attacks. Kaspersky Lab has been researching the RCS malware for some time, and earlier this year identified samples of mobile modules that matched other RCS malware configurations. During the course of Kaspersky Lab’s research, new variants of the samples were received from victims through the company’s cloud-based KSN network. Kaspersky Lab’s experts worked with Morgan Marquis-Boire of Citizen Lab, who has been researching HackingTeam’s malware.
The Galileo RCS operators build a specific malicious implant, and once it is ready the attacker delivers it to the victim’s mobile device. Known infection vectors include spear-phishing via social engineering, coupled with exploits, including zero-days.
One of the discoveries was how a Galileo RCS mobile Trojan infects an iPhone, which first requires that the device be jailbroken. Non-jailbroken iPhones are vulnerable too, because a jailbreaking tool such as ‘Evasi0n’ can perform a remote jailbreak via a previously infected computer, after which the infection follows. To prevent this scenario, Kaspersky recommends that people not jailbreak their iPhones and always keep the device updated to the latest version of iOS.
These malware implants are meticulously designed to stay discreet. For example, an audio recording may start only when the device is connected to a particular Wi-Fi network, when the SIM card is changed, or while the battery is charging. Overall, this type of malware can perform a range of surveillance functions: reporting the target’s location, taking photos, copying events from the device’s calendar, and registering new SIM cards inserted into the infected device. It can also intercept phone calls, SMS messages, and chat messages sent via Viber, WhatsApp and Skype.