Hackers target Taiwan with malware delivered via fake messaging apps


Hackers have been targeting users in Taiwan with PJobRAT malware delivered through malicious instant messaging apps, according to new research.

The malicious apps — SangaalLite and CChat — were designed to mimic legitimate platforms, according to a report published Thursday by cybersecurity firm Sophos. The apps were available for download on multiple WordPress sites, which have since been taken offline. Researchers believe the campaign has now ended or is on pause, as no recent activity has been observed.

PJobRAT, an Android remote access trojan first identified in 2019, has previously been used to steal SMS messages, contacts, device information, documents and media files. In 2021, the malware was linked to attacks on Indian military personnel via fake dating and messaging apps.

The latest cyber-espionage campaign targeting users in Taiwan ran for nearly two years but reached only a small number of users, which researchers say suggests the threat actors were going after specific individuals.

Unlike earlier versions, the latest PJobRAT malware does not include built-in functionality to steal WhatsApp messages. However, it gives attackers greater control over infected devices, allowing them to steal data from various applications, use compromised devices as a foothold into networks, and remove the malware from the device once they achieve their goal.

It is unclear how the threat actors behind PJobRAT distributed the malicious apps in the latest campaign. Previously, they used third-party app stores, phishing pages hosted on compromised sites, shortened links to obscure final destinations, and fake personas to deceive victims. 

Once installed, the apps request extensive permissions, including an exemption from battery optimization so that they keep running in the background. They also include basic chat functionality, allowing users to register and message one another.
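The permission profile described above (SMS, contacts and stored files, plus a battery-optimization exemption to stay resident) is something an analyst can check for directly in an APK's decoded AndroidManifest.xml. The script below is an added example, not code from Sophos, from the article, or from the PJobRAT samples: it parses a manifest and flags the combination of data-access and persistence permissions. The permission names are Android's own; the risk weights, the "review" rule, the package name and the two sample manifests are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for a spyware-like permission profile.

Added example. Assumes the manifest has already been extracted and decoded
from the APK (for instance with `apktool d app.apk`); the weights and the
sample manifests below are constructed for this example, not a published model.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that map onto the capabilities described in the article:
# SMS, contacts, documents/media, and staying alive in the background.
# Weights are an assumption for this example.
SUSPICIOUS = {
    "android.permission.READ_SMS": ("read SMS messages", 3),
    "android.permission.RECEIVE_SMS": ("intercept incoming SMS", 3),
    "android.permission.READ_CONTACTS": ("read contacts", 2),
    "android.permission.READ_EXTERNAL_STORAGE": ("read documents and media", 2),
    "android.permission.READ_MEDIA_IMAGES": ("read photos", 2),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": (
        "exempt itself from battery optimization", 2),
    "android.permission.FOREGROUND_SERVICE": ("run a persistent foreground service", 1),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("restart at boot", 1),
}

# A real chat app legitimately needs some of these; the signal is the
# co-occurrence of data access with persistence, not any single permission.
EXFIL = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}
PERSIST = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter():
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get("{%s}name" % ANDROID_NS)
            if name:
                names.add(name)
    return names


def triage_manifest(manifest_xml: str) -> dict:
    """Score the manifest and say whether it deserves a closer look."""
    perms = declared_permissions(manifest_xml)
    hits = {p: SUSPICIOUS[p] for p in perms if p in SUSPICIOUS}
    return {
        "permissions": sorted(perms),
        "flagged": {p: desc for p, (desc, _) in hits.items()},
        "score": sum(weight for _, weight in hits.values()),
        # Escalate only when data-access and persistence permissions co-occur.
        "review": bool(perms & EXFIL) and bool(perms & PERSIST),
    }


# Constructed sample: a "chat" app asking for far more than chat needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Chat"/>
</manifest>
"""

# Constructed sample: a plausible benign messenger that only reads contacts.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benignchat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Chat"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(label, "score=%d review=%s" % (result["score"], result["review"]))
        for perm, desc in sorted(result["flagged"].items()):
            print("  ", perm, "->", desc)
```

Run it against the AndroidManifest.xml that apktool writes out for a suspect APK. The point of the `review` rule is that a READ_CONTACTS request on its own is normal for a messenger; READ_SMS or storage access combined with a battery-optimization exemption or a boot receiver is the shape worth pulling the sample apart for.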

While the latest campaign appears to be over, “it’s a good illustration of the fact that threat actors will often retool and retarget after an initial campaign — making improvements to their malware and adjusting their approach — before striking again,” Sophos researchers said.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
