Attacks that use fraudulent messaging apps to deploy a new variant of the PJobRAT Android trojan have targeted Taiwan as part of a 22-month cyberespionage campaign, according to Infosecurity Magazine.

Threat actors used hijacked WordPress sites to spread the fake "SangaalLite" and "CChat" apps, which carried the updated PJobRAT malware, now extended with shell command execution, a report from Sophos X-Ops researchers revealed. Besides running shell commands, the new PJobRAT payload exfiltrates SMS messages, device details, contacts, and media files, and it evades detection by using Firebase Cloud Messaging for its communications.

"While this particular campaign may be over, it's a good illustration of the fact that threat actors will often retool and retarget after an initial campaign, making improvements to their malware and adjusting their approach before striking again," said Sophos, which urged Android users to reduce the risk of compromise by installing apps only from trusted sources and adopting mobile security software.