APT-C-23 Uses Voice Changing Software in Espionage Attempt

The security company Cado discovered that APT-C-23 organized the latest espionage activity against the Middle East, aimed at surveillance of targets. The group used voice conversion software to pose as a woman, then generated audio messages to talk to the target, with the aim of sending a video that would infect the target system.

The members of the APT-C-23 group are all men. The group has previously pretended to be women to trick targets into installing malicious applications. Once the application is downloaded, it can give the attacker complete control of the phone, including file transfer to the server and access to functions such as mobile phone data, SMS messages, contacts, microphone, and camera.

When researchers reviewed the group’s malware servers in 2020, configuration errors allowed them to access the group’s attack toolset, which contains the following files:

● Malware used for espionage against political opponents

● Tools to identify vulnerable routers

● A voice conversion application

● Custom tools to send phishing emails using infected email accounts

● Phishing code for webmail login

Public directory on the server

The file “88.zip” contains a photo of a female model’s Instagram account (the photo is blurred):

The file “00.zip” contains a Morph Vox Pro installation, including a key and voice packs. Morph Vox Pro is a voice-changing application:

Voice-changing application Morph Vox Pro

The attacker uses Morph Vox to generate female audio messages for spear phishing attacks.

The server also provides information about how the attacker spread the malware. The file recon.exe is used to send malicious phishing emails to the target in batches:

APT-C-23 is a threat group of medium complexity. They usually rely on social engineering to convince targets to install malicious software. In the group’s recent attacks on political opponents, spear phishing has been raised to a new level by using voice conversion software to pretend to be women.

IOCs
