Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

Stealth Mango Proves Malware Success Doesn't Require Advanced Tech

At Black Hat USA, a pair of researchers will show how unsophisticated software can still be part of a successful surveillance campaign.

Reports on new strains of malware and dissection of its operation are common at security conferences. Less common: Full end-to-end reports of the malware, the infrastructure underneath it, and the organization behind it. But on Aug. 9, that's what Lookout's Andrew Blaich and Michael Flossman will present at Black Hat USA.

"Our presentation is covering a targeted surveillance campaign where we identified an Android tool called Stealth Mango being deployed in targeted attacks, as well as a related iOS tool that was identified as being created by the same developers," says Flossman, head of Lookout's threat intelligence services. "While we do focus primarily on the Android tool and the information that the actors behind that tool were able to steal, we also dive into the background information around the group that was responsible for its development and creation."

Stealth Mango and the related iOS software, Tangelo, are surveillanceware that is based on technology developers use for their more common offerings in spouseware. "The capabilities are really similar between [Stealth Mango and], for example, a spouseware tool — an application that is something that you would deploy on your significant other's phone or desktop to keep tabs on them," Flossman says. "Basically what we've found in a lot of our investigations is that the kind of people that would deploy spouseware are interested in the same kinds of information that a nation-state would be interested in."

(See Blaich and Flossman's Black Hat USA talk on August 9, "Stealth Mango and the Prevalence of Mobile Surveillanceware")

The two researchers weren't necessarily looking for Stealth Mango when it showed up in the research. "We were just looking for interesting cases of surveillanceware, and as we were working in-depth and started to examine the malware and look at more about the servers it was talking to, we really discovered what we had on our hands there," says Blaich, security researcher and head of device intelligence at Lookout.

And what they had was a campaign that was successful despite its lack of cutting-edge technology or technique.

"We're quite certain that it was created specifically for this customer," Flossman says. "So in that regard, it's like a bespoke solution" — though one built almost entirely from "off-the-rack" parts.

"It's quite standard, and nothing really stands out," Flossman says. "What I would say is interesting is the overall context around its use: the actors deploying it, but also just how much success they've had with this tool despite what might be taken as a lack of sophistication."

That success offers an economics lesson to other threat actors. "It really shows that sometimes you don't need a very complex or expensive solution to achieve your goals," Blaich says.

"A good way of thinking about this is that if you purchased Pegasus and it came with a bunch of zero-day exploits, you'd be quite cautious in how you deploy them. You'd make sure that they never would fall into the hands of researchers because basically, if that happened, you'd be burning a zero-day investment which these days is well over $100,000," Flossman says. "Comparatively, an attack like [Stealth Mango] is something that would cost several thousand dollars, max."

Those several thousands dollars in this case would be spent with a group that Blaich and Flossman say has been behind earlier attacks against the Indian military, including Operation C Major and Operation Transparent Tribe. In the current Stealth Mango campaign, they're covering their bases by using both their surveillanceware and commodity Trojans like Crimson RAT.

Flossman says that the group's Trojan use isn't new, but, like the surveillanceware, it is evolving. "If we look at the mobile malware they used in [C Major and Transparent Tribe], it was even less sophisticated than what we saw now, so they've evolved that tool and have worked on building it out," he says. "And we can see they're getting a fair bit of value from the mobile side of things now."

"[As a whole], this ties back into providing really good insight into exactly what adversaries in the mobile space need to do in order to be effective," Flossman adds. "It's a lot lower than what we often expect."

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sofialais
50%
50%
sofialais,
User Rank: Apprentice
8/2/2018 | 2:48:20 PM
vigilance

I wonder how many of us are exposed to these goods as we continue to listen to extensive vigilance.

 

curso de manutenção de notebook
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/30/2018 | 9:25:10 AM
Cost
It's a lot lower than what we often expect." Not only sophistication of attack is less bit also cost is less and the lilleyhood of attack is high as a result.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/30/2018 | 9:23:32 AM
Mobile
"And we can see they're getting a fair bit of value from the mobile side of things now." Obviously mobile is difficult but more likely as more people use mobile more than desktop.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/30/2018 | 9:21:07 AM
Sophisticated
Trojan use isn't new, but, like the surveillanceware, it is evolving. "If we look at the mobile malware they used in [C Major and Transparent Tribe], it was even less sophisticated Do less sophisticated but the same impact, a good day for hackers.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/30/2018 | 9:19:16 AM
Stealth Mango
Stealth Mango and the related iOS software, Tangelo, are surveillanceware " I wonder how many of us are exposed to these wares as we keep hearing extensive surveillance.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/30/2018 | 9:15:59 AM
Any tool
Obviously any tool may be good enough to exploits vulnerabilities, I think we need to take a look at vulnerabilities to address some of the security chalanges.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20491
PUBLISHED: 2021-04-16
IBM Spectrum Protect Server 7.1 and 8.1 is subject to a stack-based buffer overflow caused by improper bounds checking during the parsing of commands. By issuing such a command with an improper parameter, an authorized administrator could overflow a buffer and cause the server to crash. IBM X-Force ...
CVE-2021-22539
PUBLISHED: 2021-04-16
An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint *.bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recommend...
CVE-2021-31414
PUBLISHED: 2021-04-16
The unofficial vscode-rpm-spec extension before 0.3.2 for Visual Studio Code allows remote code execution via a crafted workspace configuration.
CVE-2021-26073
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or ...
CVE-2021-26074
PUBLISHED: 2021-04-16
Broken Authentication in Atlassian Connect Spring Boot (ACSB) from version 1.1.0 before version 2.1.3: Atlassian Connect Spring Boot is a Java Spring Boot package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Spring Boot app occurs with a se...