Contents:
In a report published last week, Amnesty International revealed the connection between an Indian cybersecurity firm and an Android spyware program that was meant to target a well-known Togolese human rights defender.
Security Researchers Found Evidence
Amnesty International’s experts conducted the inquiry after finding evidence of surveillance against the Togolese activist, as well as indications of spyware installation in numerous important regions of Asia.
The international non-governmental organization declared it believes there are ties between the Android spyware and Innefu Labs, a cybersecurity company based in India. The statement comes after they discovered that the spyware payload was distributed using an Innefu Labs IP address on multiple occasions.
Amnesty International linked the campaign to a collective of Indian cybercriminals tracked as ‘Donot Team’ (APT-C-35) known for targeting governments in Southeast Asia since at least 2018.
Innefu Labs’s Reaction
Amnesty International believes that Innefu may be unaware of how its clients or other third parties use its tools. Nevertheless, now that full technical details are available, an external audit could disclose everything.
Here is Innefu Labs’s response:
At the outset we firmly deny the existence of any link whatsoever between Innefu Labs and the spyware tools associated with the ‘Donot Team’ group and the attacks against a Human Rights Defender in Togo. As has already been stated by us in our previous letter, we are not aware of any ‘Donot Team’ or have any relationship with them.
In your letter dated 20.09.2021, references have been made to a Xiaomi Redmi 5A phone, which has allegedly accessed the IP address of Innefu Labs, and also of some other private VPN server to access the Ukrainian hosting company called Deltahost. We believe this phone does not belong to any person associated with Innefu Labs. Merely because our IP address has been accessed using this phone does not ipso facto conclude Innefu Labs’ involvement in any of the alleged activities.
Operation Mode
The persistent attacks over WhatsApp email attempted to fool the victim into installing a malicious app that posed as a reliable chat app dubbed ‘ChatLite.’
The app was actually a piece of custom Android spyware created to collect some of the most important and private data held on the activist’s mobile device.
When the WhatsApp attempt failed, the threat actors began to send an email from a Gmail account that contained a malware-laced Microsoft Word file that takes advantage of an already fixed RCE flaw to drop the malicious software.
According to the researchers, the spyware can be used to “steal files from the infected computer and any connected USB drives, record keystrokes, take regular screenshots of the computer, and download additional spyware components.”
When Amnesty’s researchers analyzed a sample of the spyware, they discovered that it has similarities to “Kashmir_Voice_v4.8.apk” and “SafeShareV67.apk”, two malware tools associated with previous Donot Team campaigns.
As mentioned by BleepingComputer, this is the first time the Donot Team has been seen attacking organizations in African countries, which could be an indication that the gang is providing ‘hacker for hire’ services to governments.