Iran-linked APT MuddyWater has been deploying a new version of the DCHSpy Android spyware in the context of the Israel-Iran conflict, mobile security firm Lookout reports.
Active since at least 2017 and also tracked as Mango Sandstorm, Mercury, Seedworm, and Static Kitten, the hacking group is known for conducting espionage operations focused on the Middle East, and was linked by the US to the Iranian Ministry of Intelligence and Security (MOIS).
One week after the Israel-Iran conflict started, Lookout identified new DCHSpy samples that appear to have been deployed against the group's adversaries, disguised as VPN or banking applications and promoted with political lures.
DCHSpy, Lookout explains in a fresh report, is likely developed and maintained by MuddyWater for surveillance purposes, and shares infrastructure with SandStrike, another Android spyware linked to the hacking group.
Lookout analyzed a SandStrike sample that contained a malicious VPN configuration file connecting to the espionage group’s infrastructure. The sample was used to deploy a MuddyWater PowerShell RAT.
“DCHSpy uses similar tactics and infrastructure as SandStrike. It is distributed to targeted groups and individuals by leveraging fake URLs shared directly over messaging apps such as Telegram,” Lookout notes.
From the infected devices, the modular malware can harvest user accounts, contacts, SMS messages, local files, location data, call logs, and WhatsApp information. It can also take over the microphone and camera to record audio and take photos.
The collected information is compressed, encrypted with a password received from the command-and-control (C&C) server, and uploaded to an SFTP server.
The DCHSpy samples identified since the beginning of the Israel-Iran conflict were distributed under the names Earth VPN, Comodo VPN, Hide VPN, and Hazrat Eshq, advertised on various Telegram channels to English and Farsi speakers using anti-Iran themes and language.
One of the Earth VPN samples has been distributed using Starlink lures, likely taking advantage of the “recent reports of Starlink offering internet services to the Iranian population during the internet outage imposed by the Iranian government following hostilities between Israel and Iran,” Lookout notes.
To date, the cybersecurity firm has identified 17 mobile malware families that at least 10 Iranian APTs have been using in surveillance attacks against mobile phone users.
“These most recent samples of DCHSpy indicate continued development and usage of the surveillanceware as the situation in the Middle East evolves, especially as Iran cracks down on its citizens following the ceasefire with Israel,” Lookout notes.