| DragonEgg | |
| --- | --- |
| Type of Malware | Spyware |
| Country of Origin | China |
| Date of initial activity | 2021 |
| Associated Groups | APT41 (aka Wicked Panda) |
| Targeted Countries | Southern Asia, possibly India |
| Motivation | Gathering sensitive data from Android devices, such as device contacts, SMS messages, external storage files, device location, audio recordings and camera photos |
| Attack vectors | DragonEgg has been observed in apps purporting to be third-party Android keyboards and messaging apps such as Telegram. |
| Targeted systems | Android |
Overview
DragonEgg is Android spyware that relies on multiple downloaded modules to carry out its surveillance. It was first observed in January 2021 and has remained active since.
It is attributed to APT41, a Chinese state-sponsored cyber-espionage group also tracked as BARIUM, Double Dragon and Winnti. DragonEgg marks the group's move into mobile targeting, extending an operation previously known for desktop and server intrusions.
DragonEgg has been linked to the iOS surveillance tool LightSpy on the basis of similar configuration patterns, command-and-control server communications, runtime structure and plugins.
Targets
Governmental bodies, pro-democratic Hong Kong activists, universities, computer hardware manufacturers, software developers, telecommunication service providers, social media platforms, and video game companies.
How they operate
DragonEgg ships with little surveillance capability of its own and relies on additional payloads, downloaded at runtime, to implement the full scale of its functionality.
According to Dutch mobile security firm ThreatFabric, DragonEgg attack chains start with a trojanized Telegram app that downloads a second-stage payload (smallmload.jar), which in turn is configured to download a third component codenamed Core.
In DragonEgg's logging messages, the developers refer to the third-stage module fetched by the "smallmload" class files as "forensics program (T1 version)". Calling a surveillance tool a "forensics program" is common among Chinese-speaking defence contractors and software development firms, in contrast to the "trojan" or similar malware labels that independent developers of surveillance tools tend to use.
Researchers suspect that trojanizing legitimate chat apps such as Telegram lets APT41 request broad device permissions without drawing attention: messaging apps routinely ask for access to contacts, SMS, storage, location, microphone and camera. Hiding the surveillance code inside a large, fully functional app also makes the implant harder to spot, both for the user while the app is running and for a researcher analysing it statically.
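The staged-loading pattern above (a large legitimate-looking host app, a runtime class loader, and a named second-stage file) is what a triage check can key on. The following is an added example written for this page, not code from ThreatFabric, Lookout or the malware itself. It treats an APK as the zip it is, looks inside the dex files for the Android runtime-loading class references and for the stage names quoted in the text ("smallmload", "forensics program"), and lists any nested `.jar`/`.dex`/`.apk` files. The sample "APKs" are constructed in memory and are not real apps; the indicator lists are assumptions for illustration and would be tuned against real samples.

```python
import io
import re
import zipfile

# Class references a dropper needs in order to load code at runtime
# (Android framework names; which ones DragonEgg uses is an assumption here).
RUNTIME_LOAD_APIS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)

# Stage names quoted in the description above; matched case-insensitively.
STAGE_NAME_PATTERNS = (
    re.compile(rb"smallmload", re.IGNORECASE),
    re.compile(rb"forensics program", re.IGNORECASE),
)

# Files inside the APK that could be a bundled second stage.
NESTED_PAYLOAD_RE = re.compile(r"\.(?:jar|dex|apk)$", re.IGNORECASE)


def scan_apk(apk_bytes: bytes) -> dict:
    """Triage an APK for the dropper pattern: a dex that references a runtime
    class loader AND either names a stage file or carries one in the archive.
    A runtime loader on its own is not flagged, because plugin frameworks and
    hot-patching libraries in legitimate apps use it too."""
    findings = {"dex_files": [], "runtime_loader": [],
                "stage_names": [], "nested_payloads": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name == "classes.dex" or re.fullmatch(r"classes\d+\.dex", name):
                findings["dex_files"].append(name)
                data = z.read(name)
                for api in RUNTIME_LOAD_APIS:
                    if api in data:
                        findings["runtime_loader"].append(api.decode())
                for pat in STAGE_NAME_PATTERNS:
                    for m in pat.finditer(data):
                        findings["stage_names"].append(m.group(0).decode())
            elif NESTED_PAYLOAD_RE.search(name) and not name.startswith("META-INF/"):
                findings["nested_payloads"].append(name)
    # de-duplicate repeated string hits while keeping first-seen order
    findings["stage_names"] = list(dict.fromkeys(findings["stage_names"]))
    findings["suspicious"] = bool(
        findings["runtime_loader"]
        and (findings["stage_names"] or findings["nested_payloads"])
    )
    return findings


def build_sample_apk(dex_blob: bytes, extra_files: dict) -> bytes:
    """Constructed sample: a minimal zip standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex_blob)
        for path, content in extra_files.items():
            z.writestr(path, content)
    return buf.getvalue()


# Three constructed inputs (dex magic "dex\n035\0" followed by fake string data):
DROPPER_DEX = (b"dex\n035\x00" + b"Ldalvik/system/DexClassLoader;\x00"
               + b"/data/data/org.telegram.messenger/smallmload.jar\x00"
               + b"forensics program (T1 version) loaded\x00")
PLUGIN_ONLY_DEX = b"dex\n035\x00Ldalvik/system/DexClassLoader;\x00Lcom/example/Plugin;\x00"
BENIGN_DEX = b"dex\n035\x00Landroid/app/Activity;\x00Lorg/telegram/ui/LaunchActivity;\x00"

SAMPLE_DROPPER = build_sample_apk(DROPPER_DEX, {"assets/smallmload.jar": b"PK\x03\x04"})
SAMPLE_PLUGIN_ONLY = build_sample_apk(PLUGIN_ONLY_DEX, {})
SAMPLE_BENIGN = build_sample_apk(BENIGN_DEX, {})

if __name__ == "__main__":
    for label, apk in (("dropper", SAMPLE_DROPPER),
                       ("plugin-only", SAMPLE_PLUGIN_ONLY),
                       ("benign", SAMPLE_BENIGN)):
        print(label, scan_apk(apk))
```

The plugin-only sample is there deliberately: it references `DexClassLoader` but names no stage and bundles nothing, so it is not flagged. That is the caveat a triage rule needs, since "Download New Code at Runtime" alone is far too common in legitimate Android apps to be an indicator by itself; it is the combination with a named second stage that matches the chain described above.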
MITRE Techniques Used
Initial Access
Masquerade as a Legitimate Application
Persistence
App Auto-Start at Device Boot
Defense Evasion
Download New Code at Runtime
Obfuscated Files or Information
Credential Access
Capture SMS Messages
Discovery
File and Directory Discovery
Location Tracking
System Information Discovery
Collection
Access Calendar Entries
Access Contact List
Capture SMS Messages
Location Tracking
Command and Control
Commonly Used Port
Standard Application Layer Protocol
Exfiltration
Commonly Used Port
Standard Application Layer Protocol
Significant Malware Campaigns
- WyrmSpy and DragonEgg use modules to hide their malicious intentions and avoid detection. (July 2023)
- ThreatFabric discovered DragonEgg Android implant and set of 14 plugins that are responsible for private data exfiltration. (October 2023)