
APT-C-23

Posted: October 1, 2020

APT-C-23, also known as Two-Tailed Scorpion, is an Advanced Persistent Threat group that collects information from Windows and Android systems with custom-made threats. Its campaigns can use intricate social engineering techniques, with customized Web content and applications, to collect passwords and other data. Users should change passwords as soon as possible after disinfecting any compromised devices and use reputable security products to contain APT-C-23's spyware and Trojans.

A Pest with More Stingers than the Name Suggests

With analyses of its campaigns available since 2017, APT-C-23 is a well-understood group of hackers that still can pull surprises out of its supply of tools. Also bearing the more memorable name of Two-Tailed Scorpion, the Advanced Persistent Threat or APT tends towards attacking victims in the Middle East, albeit non-exclusively. The group is responsible for data theft through various weaponized programs, and, notably, hacks Android devices alongside Windows computers.

Broadly, most of APT-C-23's tools fall into two types: remote access-style threats that give the attackers access to the system, and spyware that collects information and transfers it to their servers. VAMP, MICROPSIA, and Android/Spy23C.A are examples of data collectors, while KASPERAGENT is a backdoor Trojan. However, these programs are not necessarily disposable, one-time-use entities; Android/Spy23C.A, for instance, has received major updates to its capabilities for hiding, such as blocking notifications.

Most of the infection methods that APT-C-23 employs use some social engineering element. These vary between custom-built fake applications, misleading application storefront websites, and e-mails crafted for specific recipients. Generally, victims compromise their computers or phones by installing an application or by following a link to a document that triggers a drive-by download in the background.

Persistent Defenses in the Face of Never-Ending Data Collectors

With the apparent resources at its disposal, APT-C-23 is unlikely to stop its attacks against Android and Windows users any time soon. Although this fact should concern Middle Easterners more than most people, APT-C-23 also deploys its threats against other parts of the world, such as targets in the United States. That the APT updates their methods and software over time also calls for appropriately-diligent, day-to-day defense from at-risk users in their workplace and home environments.

Brief examples of some of APT-C-23's techniques include:

  • E-mails carrying obfuscated (bit.ly-shortened) malicious links
  • Fake, non-working application downloads such as WeMessage
  • Bundles with working applications and software such as Telegram and Threema

Users always should be careful about following links that conceal their Web addresses or have URLs that don't match a trusted site. Unofficial application storefronts also can be havens for multiple threat types, along with APT-C-23's preferred payloads of backdoor Trojans and spyware. Those who download applications only from generally-safe locations like Google's Chrome Web Store or Play Store will significantly lower, if not entirely prevent, the potential for infections.

Users also should monitor any devices for blank screens, strange behavior from applications, unexpected notifications, and similar misbehavior. Upon signs of infection, they should disinfect their system with a compatible anti-malware product and change any passwords that APT-C-23 might collect.

APT-C-23's geographical region of operation is less noteworthy than the extent of its dedication to customized and threatening software. As long as this scorpion is around, few users are safe from its sting – mainly since the carapace around it keeps evolving.
