Cloudsek, a Canadian Cyber Security firm, detected the activity of a suspected criminal advanced persistent threat group over the 2015 holiday season. The group, dubbed Santa APT because some of their malware masqueraded as Santa Claus applications, steals intellectual property for economic gain. Cloudsek believes that the malware developers are located in South Asia.

The group came to the attention of security professionals who noticed them selling information stealer malware, capable of jumping air gapped systems, on underground markets. The attackers were using the malware to steal classified data from software companies and government organizations. The malware collects files and screenshots and stores them in hidden files on any connected USB device. When the device is connected to an internet enabled system, the data is sent back to command and control infrastructure located in Germany. Empty voice recording and key log files on the C2C servers suggest that the malware is still under development. Cloudsek claims to have found the malware attributed to the group masquerading as Santa Claus mobile games, which had infected about 8000 systems. The malware stole contact lists, SMS messages, call records, location information, calendars, pictures, video, environment readings, camera specifications, browser history, program information, sim card information, and device status. The mobile malware communicated with the C2C infrastructure via HTTP about once a minute. The C2C servers corresponding to the mobile infrastructure had separate login sections for user profiles and for administrative profiles. The victim information was organized according to user and then according to data type. The attacker could also arm the malware to send them an SMS alert if the victim left a regional area. This could allow the actor to track whether a victim has left home or the office, in real time. The adversary could also receive regular updates if a particular victim received an SMS message or phone call.

Cloudsek used passive DNS to track the group activity of a South Asian company that sells spy software to monitor employees. The company is recruiting mobile application developers for iPhone and Android.

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google