Indian hackers are notoriously known for targeting Pakistanis time and time again, but our country’s hackers don’t fall short in this matter either.
This time, the hackers are focusing on compromising WhatsApp backups and other critical data for Indian users.
The hacking group in question is called SpaceCobra and its responsible for creating an instant messaging application with the capability to extract sensitive information from targeted devices.
Notably, the threat actors exhibit precise targeting, indicating a clear objective. As a result, researchers have encountered difficulties in accessing and downloading the application for further analysis.
Recently, cybersecurity researchers at ESET made a significant discovery regarding two messaging applications known as BingeChat and Chatico. These seemingly innocent apps were found to be distributing a remote access trojan (RAT) known as GravityRAT.
This sophisticated malware has the capability to extract a plethora of sensitive information from compromised endpoints. The compromised data includes call logs, contact lists, SMS messages, device location, basic device information, as well as files with specific extensions for pictures, photos, and documents.
What sets this malware apart is its unique distribution method. Unlike typical malware apps that can be found and downloaded from app stores like the Play Store, BingeChat and Chatico are not available on any app store.
Instead, they can only be acquired by visiting a specific website and creating an account. This adds an additional layer of complexity to the infection process.
When researchers from ESET attempted to register on the website, they encountered a “closed” status for registrations, indicating a deliberate and selective approach by the hackers. This observation suggests that the threat actors may be targeting specific locations or IP addresses with their attacks.
Notably, the majority of identified victims in this campaign are based in India, which aligns with the country’s widespread use of WhatsApp.
The attackers themselves originate from Pakistan. It is worth noting that this campaign has been active since the previous year, indicating a prolonged and sustained effort by the threat actors.
