Wyrmspy

Malware updated 7 months ago (2024-05-04T21:18:34.940Z)
WyrmSpy is a sophisticated surveillance malware attributed to the Chinese espionage group APT41, also known as Double Dragon, BARIUM, and Winnti. It reaches victims through suspicious downloads, emails, or websites, usually without the user's knowledge, and once installed it can steal personal information, disrupt operations, or hold data hostage for ransom. Together with a second family called DragonEgg, it gives the operators advanced surveillance capabilities and access to sensitive data, particularly on mobile devices. The cybersecurity firm Lookout linked WyrmSpy and DragonEgg to APT41 in a report published after its Threat Lab researchers analyzed the two mobile malware families. WyrmSpy (also known as AndroidControl), discovered in July 2023, was found to share the same infrastructure as LightSpy, and ThreatFabric researchers believe it to be LightSpy's successor. APT41 used these malware variants against more than 100 public and private sector organizations, primarily targeting Android mobile devices. Notably, two of the WyrmSpy Indicators of Compromise (IoCs) contain the unique strings "win10 + microsoft" and "andropwn", suggesting connections to Microsoft and Android ownership. Further analysis revealed other connected artifacts that could put organizations at risk, and DNS searches showed similarities between APT41 and DragonEgg, indicating close ties between them. These findings highlight the evolving threat landscape and the increasing sophistication of malicious actors in leveraging malware for cyber espionage.
Description last updated: 2024-05-04T20:41:57.312Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias | Description | Votes
DragonEgg | DragonEgg is a possible alias for Wyrmspy. DragonEgg is a malware associated with the notorious Chinese Advanced Persistent Threat (APT) group, APT41. This malicious software was developed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. The malware has been linked to surveillance | 4
APT41 | APT41 is a possible alias for Wyrmspy. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi | 4
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Spyware
Telegram
Malware
Apt
Espionage
Associated Threat Actors
Alias | Description | Association Type | Votes
Winnti | The Winnti Threat Actor is associated with Wyrmspy. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such | Unspecified | 2
Barium | The Barium Threat Actor is associated with Wyrmspy. Barium, also known as BRONZE ATLAS or APT41, is a threat actor that has been associated with various malicious activities. Originating from China and active since at least 2007, this group has been implicated in cyberespionage efforts targeting multiple sectors across the globe. In 2017, according t | Unspecified | 2