Iranian Hackers MuddyWater Use Fake VPN and Banking Apps to Distribute DCHSpy to Governments

• What happened: MuddyWater deploys DCHSpy surveillanceware against government and private institutions.
• Why it matters: The hackers are believed to operate under the auspices of Iran's Ministry of Intelligence and Security.
• Overall impact: The spyware masquerades as legitimate applications, such as VPN or banking apps, disseminated via Telegram.

The DCHSpy Android surveillanceware has been linked to the Iranian cyber espionage group MuddyWater. This sophisticated tool has been deployed to gather sensitive data from targeted devices worldwide, posing as legitimate apps in the backdrop of the Iran-Israel tensions.  

Capabilities of DCHSpy  

New DCHSpy samples exhibit advanced capabilities, as per cybersecurity firm Lookout. It collects a wide range of sensitive data, including:

• Accounts logged into on the device
• Contacts
• SMS messages
• Files stored on the device
• Location data
• Call logs
• Audio recordings through microphone access
• Photos via taking control of the camera
• WhatsApp data

Key Targets  

MuddyWater, believed to operate under Iran's Ministry of Intelligence and Security (MOIS), deploys DCHSpy surveillanceware against a spectrum of government and private institutions. 

Sectors such as telecommunications, defense, local governments, and oil and gas industries are primary targets across regions, including Asia, the Middle East, Europe, and North America. 

The significant Android spyware threat demonstrates precise targeting, often exploiting geopolitical conflicts like the recent Israel-Iran tension to amplify its reach and effectiveness.  

Distribution Methods  

Appearing as legitimate applications like VPN or banking apps, DCHSpy employs political lures to trick victims into installing it. The gang leverages anti-Iran themes to attract English and Farsi speakers in VPN advertisements distributed through deceptive links via messaging platforms such as Telegram. 

In previous reports, the threat actor advertised HideVPN, and now it is advertising EarthVPN and ComodoVPN, with the former claiming to be located in Romania and the latter in Canada. The listed contacts for these fake apps actually belong to random businesses in those respective countries.

A recent campaign disguised DCHSpy samples with filenames referencing StarLink, after recent reports of Elon Musk’s company offering support to Iranian citizens during internet outages imposed by the Iranian government following hostilities between Israel and Iran.

According to Sekoia, the group generally utilizes public exploits to compromise Internet-exposed servers, including Exchange and SharePoint servers.

Broader Implications  

Businesses and individuals are advised to avoid installing apps from unknown sources and utilize trusted security solutions to mitigate exposure to emerging threats, such as DCHSpy.  

In July 2024, Iran's MuddyWater new backdoor targeted Israeli organizations, with over 50 phishing emails sent to representatives.