Spynote

Malware updated 6 months ago (2024-05-26T03:17:32.498Z)
SpyNote is malicious software (malware) designed to exploit and damage computer systems, often infecting devices through suspicious downloads, emails, or websites. A newer variant of SpyNote has been observed using the Accessibility API to target well-known cryptocurrency wallets. The malware is distributed via SecuriDropper, disguised as a Google Translate app, allowing it to continuously infect devices, even on Android 13, without needing code modifications. Notably, it has been utilized in attacks against financial institutions to steal sensitive information and has returned with SMS phishing campaigns targeting banking customers.

In a campaign discovered by Zscaler's ThreatLabz in December 2023, spoofed Google Meet, Zoom, and Skype websites were used to deploy various remote access trojans (RATs), including SpyNote RAT for Android users and NjRAT and DCRat for Windows users. These RATs can steal confidential information, log keystrokes, and compromise system security. The fake sites provided links to download malicious applications disguised as legitimate ones, such as a phony Skype application which was actually the SpyNote RAT. If users clicked on deceptive links on the spoofed Zoom page, they would download a file named "Zoom02.apk" containing the SpyNote RAT, further spreading the malware.

The distribution domains, including avast-securedownload[.]com and bitdefender-app[.]com, distribute the SpyNote trojan as an Android package file ("Avast.apk") and a ZIP archive file ("setup-win-x86-x64.exe.zip"), respectively. Once installed, these files request intrusive permissions like reading SMS messages and call logs, installing and deleting apps, taking screenshots, tracking location, and mining cryptocurrency.
Description last updated: 2024-05-26T03:15:35.541Z
Aliases
We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Rat
Trojan
Malware
Windows
Skype
Phishing
Smishing
Payload
Spyware
Associated Malware
Alias | Description | Association Type | Votes
Dcrat | The Dcrat Malware is associated with Spynote. DcRAT is a malicious software (malware) known as a Remote Access Trojan (RAT), which has been utilized in a widespread campaign to exploit computer systems. The malware infiltrates systems through deceptive methods, including downloads from fake Google Meet and OnlyFans sites. When a user interacts | Unspecified | 3
njRAT | The njRAT Malware is associated with Spynote. NjRAT is a remote-access Trojan (RAT) that has been in use since 2013, often deployed in both criminal and targeted attacks. This malware can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, NjRAT can steal personal information, d | Unspecified | 3
Source Document References
Information about the Spynote Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At
Securityaffairs | 6 months ago
CERT-EU | 8 months ago
InfoSecurity-magazine | 8 months ago
CERT-EU | 8 months ago
DARKReading | 9 months ago
InfoSecurity-magazine | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
CERT-EU | 9 months ago
Fortinet | 9 months ago
Quick Heal Technologies Ltd. | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago