Threat group behind Vamp still active, researchers claim

Security researchers at Trend Micro have discovered a new mobile malware family believed to be a new variant of Vamp, indicating the threat group known as APT-C-23 is still active and improving its product.

APT-C-23 first came to light earlier this year, when researchers disclosed a targeted attack campaign across the Middle East. The Vamp and FrozenCell mobile components were subsequently identified.

Now, Trend Micro says it is likely that APT-C-23 is still operational, after the company’s security intelligence researchers identified a new mobile malware family – dubbed ‘GnatSpy’ – that makes use of similar components to Vamp, but with several added improvements.

“We believe that this is a new variant of Vamp, indicating that the threat actors behind APT-C-23 are still active and continuously improving their product,” Trend Micro said in a blog post.

“Some C&C domains from Vamp were reused in newer GnatSpy variants, indicating that these attacks are connected.”

While the capabilities of GnatSpy are similar to early versions of Vamp, Trend Micro said there have been some changes in its behavior that highlight the “increasing sophistication” of the threat actors.

“The structure of the new GnatSpy variants is very different from previous variants,” the company said. “More receivers and services have been added, making this malware more capable and modular.

“We believe this indicates that GnatSpy was designed by someone with more knowledge in good software design practices compared to previous authors.”

While Trend Micro said it is unclear exactly how the malware files are being distributed, the company said it is possible that the threat actors sent them directly to users to download.

“They had names like ‘Android Setting’ or ‘Facebook Update’ to make users believe they were legitimate,” Trend Micro stated. “We have not detected significant numbers of these apps in the wild, indicating their use is probably limited to specific targeted groups or individuals.”