It looks like these spyware developers are fans of popular porn star Mia Khalifa.
Researchers at security firm Trend Micro have identified a dangerous new spyware that is being distributed via adult games. Dubbed Maikspy, the spyware targets Android and Windows users, and the primary objective of the campaign is to steal sensitive personal data.
According to the blog post from Trend Micro, Maikspy is a ‘multi-platform spyware’ that was named after Mia Khalifa, a famous adult film actress in America, and has been active since 2016. Further investigation revealed that the website ‘hxxp://miakhalifagamecom/’ is responsible for delivering the spyware.
This particular website is already known to be distributing malicious apps. Once the user is infected with the spyware, the C&C server is contacted and data is uploaded from the infected device or computer.
The adult game Virtual Girlfriend is being used to distribute the spyware and Trend Micro researchers discovered that various Twitter handles are being used for promotion and sharing of the infected domain through short links. After analyzing several samples, which were last seen active in March 2018, Maikspy spyware lured users into visiting the malicious domain by appearing as the harmless Virtual Girlfriend game. Trend Micro initially detected it as AndroidOS_MaikSpy.HRX.
As soon as an unsuspecting user clicks the domain’s short link, a page appears displaying gender option buttons. After this, another page appears that asks the user to choose a “first girlfriend,” after which a download page appears.
One variant of Maikspy was designed to run on Android, and Twitter served as the promotional platform that tricked victims into visiting the infected domain. Once the device is infected, the app shows an error: “Error: 401. App not compatible. Uninstalling…”
This is, however, a fake message that is displayed only to make the user believe that the app will be removed from the device, which obviously isn’t the case. In reality, the app continues to spy silently in the background of the infected Android device.
It keeps a check on its permissions and also obtains sensitive user data, including the phone number, accounts, installed app information, SMS data and the contacts list. The information is transferred to the C&C server and ends up in the hands of the attacker.
The same Twitter handle is used to distribute the Windows variant of Maikspy. Users are lured into visiting a malicious link, hxxp://miakhalifagamecom/, and once there they are asked to download a file named ‘MiaKhalifa.rar’.
This archive contains a README.txt file with instructions on how to turn off anti-virus software and how to enable the network; the attackers need both for the data theft to work.
There is another file, Uninstall.exe, which is a copy of the open-source tool Mimikatz; Mimikatz can extract plaintext passwords, PIN codes, hashes and Kerberos tickets from memory. In the case of Maikspy, this file is used to obtain the accounts and passwords of the Windows device. The result is written to C:\Users\%username%\AppData\local\password.txt.
The Setup.exe file is also present in the RAR and performs the main stealing function. It steals files with the following extensions: “.jpg, .jpeg, .png, .txt, .wav, .html, .doc, .docx and .rtf,” and scans the following directories for them:
C:/Users/%username%/Desktop
C:/Users/%username%/Pictures
C:/Users/%username%/Documents
C:/Users/%username%/Downloads.
It also steals the file lists from these directories. Just as in the Android variant of the spyware, data stolen from the Windows device is transferred to a C&C server.
Trend Micro also identified a Chrome extension called VirtualGirlfriend.crx (BREX_INFOSTEAL.A), which Windows users are exposed to while visiting hxxp://miakhalifagamecom. Once the malicious extension is downloaded, the user is told how to load it into the browser, and the malware then starts collecting usernames and passwords from web pages.
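For incident-response scoping, the collection rules described above (four user folders, nine extensions, and the Mimikatz output file) can be turned into a host check. The following helper is an added example, not code from the article or from Trend Micro; it assumes the scan includes subfolders of the four directories, which the article does not state, and works over a constructed file inventory so it runs offline.

```python
"""IR scoping helper for the Maikspy Windows variant: given a host's file
inventory and a username, report which files fell inside the spyware's
collection scope and whether the credential-dump artifact is present."""
from pathlib import PureWindowsPath

# Folders and extensions reported for Setup.exe (from the article).
TARGET_DIRS = {"desktop", "pictures", "documents", "downloads"}
TARGET_EXTS = {".jpg", ".jpeg", ".png", ".txt", ".wav", ".html",
               ".doc", ".docx", ".rtf"}

def profile_root(username: str) -> PureWindowsPath:
    return PureWindowsPath("C:/Users") / username

def credential_dump_path(username: str) -> PureWindowsPath:
    # Output location of the renamed Mimikatz binary (Uninstall.exe).
    return profile_root(username) / "AppData" / "local" / "password.txt"

def in_collection_scope(path: str, username: str) -> bool:
    """True if Setup.exe would have taken this file: it belongs to the given
    user, sits under one of the scanned folders (subfolders assumed to be
    included) and carries a targeted extension."""
    p = PureWindowsPath(path)
    try:
        rel = p.relative_to(profile_root(username))
    except ValueError:          # file belongs to another profile
        return False
    return (len(rel.parts) >= 2
            and rel.parts[0].lower() in TARGET_DIRS
            and p.suffix.lower() in TARGET_EXTS)

def scope_exposure(inventory, username: str):
    """Return (sorted exposed files, credential dump artifact found?)."""
    exposed = sorted(f for f in inventory if in_collection_scope(f, username))
    dump = str(credential_dump_path(username)).lower()
    dump_found = any(str(PureWindowsPath(f)).lower() == dump for f in inventory)
    return exposed, dump_found

# Constructed sample inventory (not real host data).
SAMPLE_INVENTORY = [
    "C:/Users/bob/Desktop/notes.txt",
    "C:/Users/bob/Pictures/vacation/IMG_1.JPG",
    "C:/Users/bob/Downloads/setup.exe",          # .exe is not collected
    "C:/Users/bob/Music/song.wav",               # Music is not scanned
    "C:/Users/alice/Documents/report.docx",      # other profile
    r"C:\Users\bob\AppData\local\password.txt",  # Mimikatz output
]

if __name__ == "__main__":
    files, dump = scope_exposure(SAMPLE_INVENTORY, "bob")
    print("credential dump present:", dump)
    print("files within Maikspy scope:", *files, sep="\n  ")
```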
The information is sent to this address: hxxps://miakhalifagamecom/testinnphp. Trend Micro also identified that one of the Twitter handles used to spread the spyware was named: Round Year Fun (hxxps://twittercom/RoundYear_Fun).