Spynote

Malware Profile Updated 2 months ago
SpyNote is an Android remote access trojan (RAT). Infection is social engineering rather than a software exploit: the victim is tricked into sideloading a trojanized app reached through a malicious download, email or website, and the app then asks for the permissions it needs. A newer variant abuses the Android Accessibility API to target well-known cryptocurrency wallet apps.

SpyNote has also been delivered by SecuriDropper, a dropper-as-a-service that poses as a Google Translate app. The dropper installs its payload through Android's session-based package installer, the same path app stores use, so Android 13's Restricted Settings (which stops freshly sideloaded apps from enabling Accessibility services) does not engage, and SpyNote keeps being installed on Android 13 devices without any change to its own code.

The RAT has been used in attacks against financial institutions to steal sensitive information, and it has resurfaced in SMS phishing (smishing) campaigns aimed at banking customers.

In a campaign uncovered by Zscaler ThreatLabz in December 2023, spoofed Google Meet, Zoom and Skype websites delivered several RATs: SpyNote to Android visitors, NjRAT and DCRat to Windows visitors. All of them can steal confidential information, log keystrokes and otherwise compromise the host. The fake sites linked to downloads disguised as the genuine clients; the fake Skype app for Android was SpyNote, and the deceptive links on the spoofed Zoom page fetched a file named "Zoom02.apk" that also contained SpyNote.

A separate fake-antivirus campaign used look-alike domains. avast-securedownload[.]com served SpyNote as an Android package named "Avast.apk"; bitdefender-app[.]com served a ZIP archive, "setup-win-x86-x64.exe.zip", which carries a Windows executable and therefore a Windows payload rather than the Android RAT (the Securityaffairs item in the source list below describes that campaign as info-stealer distribution). Once installed, the SpyNote APK requests intrusive permissions: reading SMS messages and call logs, installing and deleting apps, taking screenshots and tracking location. Samples have additionally been reported to mine cryptocurrency on the device.
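The two things a responder can actually act on in the text above are the distribution indicators (the look-alike domains and payload file names) and the permission footprint of the APK. The following Python script is an added example, not code from this profile or from any of the cited vendor reports. It turns those indicators into two offline checks: a proxy-log scan for the defanged domains and file names quoted above, and a manifest triage that flags an app requesting the SpyNote-style permission set together with an Accessibility service. It assumes the AndroidManifest.xml has already been decoded from the binary AXML inside the APK (for example with apktool or androguard); the sample manifest, the sample log lines and the mapping from the capabilities listed above to Android permission constants are my own constructions.

```python
"""Triage helpers for the SpyNote indicators quoted in the profile (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Defanged distribution domains and payload file names quoted in the profile text.
SPYNOTE_IOCS = {
    "domains": ["avast-securedownload[.]com", "bitdefender-app[.]com"],
    "filenames": ["Avast.apk", "Zoom02.apk"],
}

# Capabilities the profile lists, mapped to the permission constants an APK would
# have to request for them. The mapping is my assumption, not taken from the page.
SPYNOTE_PERMISSION_PROFILE = {
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install apps",
    "android.permission.REQUEST_DELETE_PACKAGES": "delete apps",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.RECORD_AUDIO": "record audio and calls",
}


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style defanging back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def scan_proxy_log(lines, iocs=SPYNOTE_IOCS):
    """Return (line_no, indicator) for each log line whose URL host is a known
    distribution domain (or a subdomain of one) or whose path ends in a known
    payload file name. Only the host and path are compared, so a benign visit
    to the real vendor site does not fire."""
    domains = [refang(d).lower() for d in iocs["domains"]]
    hits = []
    for n, line in enumerate(lines, 1):
        url = re.search(r"https?://([^/\s]+)(/[^\s\"]*)?", line)
        if not url:
            continue
        host = url.group(1).lower().split(":")[0]
        path = (url.group(2) or "").lower()
        domain_hit = next((d for d in domains if host == d or host.endswith("." + d)), None)
        if domain_hit:
            hits.append((n, domain_hit))
            continue
        name_hit = next((f for f in iocs["filenames"] if path.endswith("/" + f.lower())), None)
        if name_hit:
            hits.append((n, name_hit))
    return hits


def triage_manifest(manifest_xml: str, min_hits: int = 3):
    """Parse a decoded AndroidManifest.xml and report which profile permissions it
    requests and whether it declares a service bound with BIND_ACCESSIBILITY_SERVICE.
    An app is marked suspicious when it has an Accessibility service AND at least
    min_hits of the profile permissions; either alone is common in legitimate apps."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    matched = sorted(p for p in SPYNOTE_PERMISSION_PROFILE if p in requested)
    accessibility = any(
        svc.get(perm_attr) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for svc in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "matched_permissions": matched,
        "accessibility_service": accessibility,
        "suspicious": accessibility and len(matched) >= min_hits,
    }


# Constructed sample inputs (not real samples): a manifest shaped like the fake
# "Avast" APK described above, and a handful of proxy log lines.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeavast">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Avast">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

SAMPLE_PROXY_LOG = [
    "2024-05-02T10:14:03Z 10.0.0.7 GET https://www.avast.com/download OK",
    "2024-05-02T10:15:41Z 10.0.0.7 GET https://avast-securedownload.com/Avast.apk OK",
    "2024-05-02T10:16:02Z 10.0.0.9 GET https://cdn.example.org/updates/Zoom02.apk OK",
    "2024-05-02T10:17:55Z 10.0.0.9 GET https://bitdefender-app.com/setup-win-x86-x64.exe.zip OK",
]

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
```

The manifest check deliberately requires both signals: plenty of legitimate apps request READ_SMS or declare an Accessibility service, but an app outside the Play Store that combines an Accessibility service with SMS, call-log, install and location permissions matches the footprint described above closely enough to pull for analysis.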
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
Spynote Rat (1 vote): SpyNote RAT, a malicious software (malware), was first detected in 2017 when it was found embedded within counterfeit Android applications posing as popular platforms such as Netflix, WhatsApp, and Facebook. The malware is designed to exploit and damage systems, with capabilities ranging from steali
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Rat
Trojan
Malware
Windows
Payload
Skype
Phishing
Spyware
Smishing
Zscaler
Financial
Banking
Exploits
Telegram
Avast
Whatsapp
Google
Exploit
Fraud
Facebook
Hackread
Threatfabric
European
Python
Associated Malware
njRAT (type unspecified, 3 votes): NjRAT is a remote-access Trojan (RAT) that has been commonly used in both criminal and targeted attacks since as early as 2013. It is part of a suite of RATs used by attackers, including Remcos and AsyncRAT, to exploit and damage computer systems. NjRAT can identify remote hosts on connected network
Dcrat (type unspecified, 3 votes): DcRAT is a malicious software that has been used in various cyberattacks throughout 2023 and into 2024. The malware, distributed through fake OnlyFans content, deceptive Google Meet sites, and spoofed Skype and Zoom websites, downloads a DcRAT payload when users click on certain elements. This Remot
Lumma (type unspecified, 1 vote): Lumma is a malicious software (malware) that has been identified as an information stealer, and it has been observed in various cybercrime activities. It infects systems through suspicious downloads, emails, or websites, often without the victim's knowledge. Once inside, Lumma can steal personal inf
Xenomorph (type unspecified, 1 vote): Xenomorph, a notorious malware known for its damaging capabilities, has resurfaced after several months of inactivity. Malware, short for malicious software, is designed to exploit and damage computer systems or devices. It can infiltrate systems through dubious downloads, emails, or websites, often
Teabot (type unspecified, 1 vote): TeaBot, also known as Anatsa, is a sophisticated Android banking Trojan that has been active in the malware landscape. It was among the most notorious banking malware families for Android in 2022 alongside Hydra, Flubot, and Sharkbot. Measured by the number of banks targeted, TeaBot ranks alongside
Associated Threat Actors
Snake (type unspecified, 1 vote): Snake, also tracked as Turla (the name EKANS belongs to an unrelated ransomware family), is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, attributed by Western governments to Russia's FSB, targets diplomatic and government organizations as well as private businesses across various reg
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Spynote malware was read from the documents listed below. This display is limited to 20 results.
Securityaffairs (2 months ago): Fake AV websites used to distribute info-stealer malware
CERT-EU (4 months ago): Online meeting app lures leveraged for RAT delivery
InfoSecurity-magazine (4 months ago): RATs Spread Via Fake Skype, Zoom, Google Meet Sites
CERT-EU (4 months ago): Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware – GIXtools
DARKReading (4 months ago): Spoofed Zoom, Google & Skype Meetings Spread Corporate RATs
InfoSecurity-magazine (4 months ago): Skype, Google Meet, and Zoom Used in New Trojan Scam Campaign
CERT-EU (4 months ago): Android and Windows RATs Distributed Via Online Meeting Lures | Zscaler
CERT-EU (4 months ago): New CHAVECLOAK Banking Trojan Targets Brazilians via Malicious PDFs
CERT-EU (5 months ago): Mastering proactive cybersecurity: Automated endpoint management and vulnerability remediations
CERT-EU (5 months ago): More countries targeted by Anatsa banking trojan
Fortinet (5 months ago): Android/SpyNote Moves to Crypto Currencies | FortiGuard Lab
Quick Heal Technologies Ltd. (7 months ago): Beware: Fake Apps posing as Open AI's ChatGPT App
CERT-EU (7 months ago): Gaming Under Siege: The Most Targeted Games by Hackers in 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (7 months ago): Gaming Under Siege: The Most Targeted Games by Hackers in 2023
CERT-EU (8 months ago): New SecuriDropper Malware Bypasses Android 13 Restrictions, Disguised as Legitimate Applications
CERT-EU (8 months ago): Damaging Malware Uncovered in the Google Play Store
CERT-EU (8 months ago): Kaspersky gaming-related threat report 2023
CERT-EU (9 months ago): Android trojan spotted in the wild can record audio and phone calls
CERT-EU (10 months ago): Appdome unveils advanced Anti-Malware protections against Android accessibility service threats