Android address book server lab, 5/25/2023

Lookout Threat Lab researchers have uncovered enterprise-grade Android surveillanceware used by the government of Kazakhstan within its borders. Based on our analysis, the spyware, which we named “Hermit,” is likely developed by Italian spyware vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company. While we’ve been following this threat for a while using Lookout Endpoint Detection and Response (EDR), these latest samples were detected in April 2022, four months after nationwide protests against government policies were violently suppressed. This isn’t the first time Hermit has been deployed. We know that the Italian authorities used it in an anti-corruption operation in 2019. We also found evidence suggesting that an unknown actor used it in northeastern Syria, a predominantly Kurdish region that has been the setting of numerous regional conflicts.

While some Hermit samples have been detected before and are broadly recognized as generic spyware, the connections we make in this blog to developers, campaigns, and operators are new. RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher. Collectively branded as “lawful intercept” companies, they claim to sell only to customers with a legitimate use for surveillanceware, such as intelligence and law enforcement agencies. In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics, and government officials.

Named after a distinct server path used by the attacker’s command and control (C2), Hermit is a modular surveillanceware that hides its malicious capabilities in packages downloaded after it’s deployed. We obtained and analyzed 16 of the 25 known modules, each with unique capabilities. These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages. We theorize that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analyzed impersonated the applications of telecommunications companies or smartphone manufacturers. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates while it kickstarts malicious activities in the background. We’re aware of an iOS version of Hermit but were unable to obtain a sample for analysis.

Our analysis suggests that Hermit has not only been deployed to Kazakhstan, but that an entity of the national government is likely behind the campaign. To our knowledge, this marks the first time that a current customer of RCS Lab’s mobile malware has been identified. We first detected samples from this campaign in April 2022. They were titled “rvice” and impersonated Chinese electronics manufacturer Oppo. The website the malware used to mask its malicious activity is an official Oppo support page (com) in the Kazakh language that has since gone offline. We also found samples that impersonate Samsung and Vivo.

The domain rojavanetworkinfo seems to be specifically imitating “Rojava Network,” a social media brand on Facebook and Twitter that provides news coverage and political analysis of the region, often in support of SDF operations.

Outside Syria, Hermit has been deployed in Italy. According to a document released by the Italian lower house in 2021, Italian authorities potentially misused it in an anti-corruption operation. The document mentioned an iOS version of Hermit and linked RCS Lab and Tykelab to the malware, which corroborates our analysis.

RCS Lab and its controversial connections

Like many spyware vendors, not much is known about RCS Lab and its clientele. But based on the information we do have, it has a considerable international presence. According to leaked documents published by WikiLeaks in 2015, RCS Lab was a reseller for another Italian spyware vendor, HackingTeam, now known as Memento Labs, as early as 2012. Correspondence between the two companies revealed that RCS Lab engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar, and Turkmenistan, the latter three ranked as authoritarian regimes by the Democracy Index.

Figure: Countries that had ties to RCS Lab’s past business connections.

RCS Lab also has past dealings with Syria, another authoritarian regime, as part of its collaboration with Berlin-based Advanced German Technology (AGT) to sell surveillance solutions.