Detailed Analysis of the Primary Attack Arsenal Employed by APT-C-27 (GoldenJackal)
The Middle East's volatile geopolitical landscape stems from historical complexities and contemporary power struggles, with the Syrian-Turkish conflict epitomizing regional tensions. APT-C-27 (GoldenJackal), active since November 2014, persistently targets Syria and Turkey through multi-platform attacks. Its PC and Android malware masquerades as chat applications and is delivered via watering hole attacks and social engineering, with operators demonstrating Arabic proficiency. 360 Advanced Threat Research Center recently obtained numerous internal tools and attack samples, including Android RATs, file decryption utilities, social engineering toolkits, and automated components. Analysis reveals updated TTPs, undisclosed tools, and potentially unreported campaigns.

PC-side weaponry includes encrypted document handlers (using the *.enc17 extension), disk enumeration tools that scan drives C: through M: for office documents, Facebook contact scrapers, TXT-to-VCF converters, and phone number validation tools that leverage public APIs. Internal diagnostic utilities perform registry checks (SOFTWARE\Microsoft\Windows\CurrentVersion), process and network connection enumeration, task scheduling manipulation, and Skype database operations (account insertion and deletion). The njRAT variant uses C&C 82.xxx and delivers its payload disguised as images of attractive women, with keylogging, CMD execution, and file transfer capabilities.

Android RATs achieve persistence via su privileges, screen-unlock triggers, and fake Telegram update notifications in Arabic. Updated mobile RATs (control codes 16-41) add GPS tracking, contact and SMS exfiltration, audio recording, command execution, and string obfuscation (strings stored in reverse order, decoded by substituting a for @). Process persistence checks test for a file path (/data/data/com.GttmaphhhllbtDCC262x64tg26.release.updt/android-updtt-20206x64-ttlog.txt) and for APK installation status. The Raddex string remains consistent across historical samples.
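The string obfuscation and the persistence artifacts above lend themselves to a small triage script. The following is an added example, not tooling from the 360 report: it decodes candidate strings extracted from a sample (reverse, then map @ back to a), checks both the raw and decoded forms against the indicators quoted in the analysis, and runs over a constructed stand-in for `strings` output.

```python
"""Triage helper for the string obfuscation described above (reverse order,
'a' stored as '@'). Decodes candidate strings and flags known artifacts.
Constructed example; the sample strings below are not real extracted data."""
from typing import Dict, List

# Artifacts quoted in the analysis above.
PERSISTENCE_LOG = ("/data/data/com.GttmaphhhllbtDCC262x64tg26.release.updt/"
                   "android-updtt-20206x64-ttlog.txt")
INDICATORS: Dict[str, str] = {
    "persistence_log_path": PERSISTENCE_LOG,
    "raddex_marker": "Raddex",
    "enc17_extension": ".enc17",
}

def obfuscate(s: str) -> str:
    """Encode the way the RAT stores strings: substitute 'a' -> '@', then reverse."""
    return s.replace("a", "@")[::-1]

def deobfuscate(s: str) -> str:
    """Invert it: reverse, then map '@' back to 'a'. Lossy for strings that
    legitimately contained '@' (those characters also come back as 'a')."""
    return s[::-1].replace("@", "a")

def triage(strings: List[str]) -> List[dict]:
    """Check each string as-is (older, unobfuscated samples) and after
    decoding; return one record per indicator hit."""
    hits = []
    for raw in strings:
        for form, text in (("plain", raw), ("obfuscated", deobfuscate(raw))):
            for name, needle in INDICATORS.items():
                if needle in text:
                    hits.append({"indicator": name, "form": form,
                                 "raw": raw, "decoded": text})
    return hits

# Constructed stand-in for `strings` output from a sample (not real data).
SAMPLE_STRINGS = [
    "Ljava/lang/Object;",          # benign Dalvik type descriptor
    obfuscate(PERSISTENCE_LOG),    # the persistence log path, encoded
    "xedd@R",                      # "Raddex" encoded by hand
    "71cne.",                      # ".enc17" encoded (no 'a' to substitute)
    "SELECT * FROM Accounts",      # benign-looking SQL text
]

if __name__ == "__main__":
    for h in triage(SAMPLE_STRINGS):
        print(f"{h['indicator']:22} [{h['form']}] {h['decoded']}")
```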
As regional conflicts increasingly shift to cyber domains, APT groups exploit PC/workstation vulnerabilities while expanding mobile targeting due to smartphones' rich PII repositories. Attack vectors diversify rapidly across both platforms, demanding heightened defensive measures.