A company that was sanctioned by the U.S. government for allegedly helping Russia interfere with the 2016 elections has developed an advanced set of offensive spyware tools with functionality that researchers claim they have never before witnessed in real-life attack campaigns.
Dubbed Monokle, the spyware toolset was actually developed as far back as 2015, according to a new blog post and technical report from researchers at Lookout. Samples have been observed in the wild since March 2016, with sightings peaking in the first half of 2018. But activity to this day has remained restrained and limited, suggesting that Monokle is used sparingly in highly targeted campaigns.
Typically, victims are infected when they download trojanized versions of what appear to be legitimate Android applications that otherwise operate as intended. Based largely on the apps that were chosen to carry the spyware, Lookout has assessed that the malware has been used against users based in the Caucasus region as well as those interested in Ahrar al-Sham militant group that opposes the current Syrian government under Bashar al-Assad.
Examples of trojanized apps include a messaging app called UzbekChat, and Ahrar Maps, which is offered via a third-party site with an affiliation to Ahrar al-Sham. Other apps that are more well-known to Americans, including Skype, Signal and Pornhub. Many titles of these apps appear in English, but others are written in Arabic and Russia.
Lookout provided SC Media with a more complete list of trojanized apps, which also include: Home Workouts, Flashlight, Evernote, Muslim Pro, BBM, DiskDigger Pro, Блокировка Камеры, Pro Shooter: Sniper, Wickr Messenger, All-In-One Offline Maps +, Videoder Video Downloader, Steganos Online Shield, UC Browser, ES File Explorer, Ultra GPS Logger and GolosShama.
Monokle operates much like a remote access trojan (RAT) and demonstrates advanced data and media exfiltration capabilities, even without root access to the victimized device
The spyware possesses several traits that make it along the more sophisticated toolsets of its kind. First and foremost, it enables man-in-the-middle attacks against TLS- or SSL-protected traffic by allowing its operators to install their own malicious certificate to an infected device’s trusted certificates — a unique ability that Lookout says has not been seen before in the wild.
Additionally, Monokle heavily abuses Android accessibility services to harvest and exfiltrate data from third-party applications by reading the text that is displayed on a device’s screen. Affected apps includes include Microsoft Word, Google Docs, Facebook Messenger, WhatsApp Skype, Snapchat and more. The surveillance-ware also captures user-defined words captured for predictive-text input — which may reveal certain tendencies and interests of the target — and can even record users’ device screens while they are unlocking it in order to capture their PINs, patterns and passwords.
Monokle has a host of other functionality as well, including collecting contacts, call histories, browser histories and calendar information; enabling the plaintext retrieval of a user’s password by capturing the salt used when storing it at rest; recording calls and environmental audio; retrieving accounts and associated passwords, retrieving emails, taking screenshots, tracking device location and gathering nearby cell tower information; and more.
Lookout is attributing Monokle’s development to St. Petersburg, Russia-based defense contractor Special Technology Centre, Ltd. In late 2016, STC was sanctioned under former President Barack Obama for allegedly providing material support the efforts of Russian intelligence agency GRU to undermine the 2016 U.S. presidential election. (APT actor Fancy Bear, which launched cyberattacks against the Democratic National Committee, is widely recognized as a GRU-sponsored group.)
Researchers at Lookout definitively connected Monokle to STC because the spyware shares the same command-and-control infrastructure and signing certificates as STC’s Android antivirus solution, called Defender. The researchers also found references to several potential software developer names that are linked to both STC and Monokle.
“Monokle is a great example of the larger trend of enterprises and nation-states developing sophisticated mobile malware that we have observed over the years,” Lookout’s blog post states.
Lookout credited the following researchers and executives as report contributors: Adam Bauer, senior staff security intelligence engineer; Apurva Kumar, staff security intelligence engineer; Christoph Hebeisen, had of research; Michael Murray, chief security officer, and Michael Flossman, former head of threat intelligence.