June 16, 2022

Lookout Uncovers Hermit Spyware Deployed in Kazakhstan

Map with the country Kasachtan centered in the image.

Lookout researchers have uncovered enterprise-grade Android surveillanceware used by the government of Kazakhstan within its borders. While we’ve been following this threat for a while using Lookout Endpoint Detection and Response (EDR) these latest samples were detected in April 2022, four months after nation-wide protests against government policies were violently suppressed.

Based on our analysis, the spyware, which we named “Hermit,” is likely developed by Italian spyware vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company.

This isn't the first time Hermit has been deployed. We know that the Italian authorities used it in an anti-corruption operation in 2019. We also found evidence suggesting that an unknown actor used it in northeastern Syria, a predominantly Kurdish region that has been the setting of numerous regional conflicts. 

While some Hermit samples have been detected before and are broadly recognized as generic spyware, the connections we make in this blog to developers, campaigns, and operators are new.

RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher. Collectively branded as “lawful intercept” companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies. In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics, and government officials.

What is Hermit spyware?

Named after a distinct server path used by the attacker’s command and control (C2), Hermit is a modular surveillanceware that hides its malicious capabilities in packages downloaded after it’s deployed.

We obtained and analyzed 16 of the 25 known modules, each with unique capabilities. These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.

We theorize that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analyzed impersonated the applications of telecommunications companies or smartphone manufacturers. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.

We’re aware of an iOS version of Hermit but were unable to obtain a sample for analysis.

Kazakhstan deployment

Our analysis suggests that Hermit has not only been deployed to Kazakhstan, but that an entity of the national government is likely behind the campaign. To our knowledge, this marks the first time that a current customer of RCS Lab’s mobile malware has been identified.

We first detected samples from this campaign in April 2022. They were titled “oppo.service” and impersonated Chinese electronic manufacturer Oppo. The website the malware used to mask its malicious activity is an official Oppo support page (http://oppo-kz.custhelp[.]com) in the Kazakh language that has since gone offline. We also found samples that impersonate Samsung and Vivo.

The now defunct Kazkhak language Oppo support page is loaded and displayed to users as malicious activities happen in the background.

The samples used in the Kazakh targeted campaign connected to the C2 address at 45.148.30[.]122:58442. However, further analysis of the spyware’s C2 server revealed that this IP address is used as a proxy for the real C2 server at 85.159.27[.]61:8442. The real C2 IP address is administered by STS Telecom, a small internet service provider (ISP) operating out of Nur-Sultan, Kazakhstan’s capital. Based on sparse online records, STS specializes in “other wired telecommunications” and cable services.

Our interaction with a poorly configured C2 server revealed the true C2 IP address.

Syria, Italy and other targets

Prior to detecting the Kazakhstan samples, we found a reference to “Rojava,” a Kurdish-speaking region in northeastern Syria, in the passive DNS records of Hermit. This is significant because the region has been the site of ongoing crises, such as the Syrian civil war and conflicts between the Islamic State (IS) and U.S.-led coalition support of the Kurdish-led Syrian Democratic Forces (SDF). Most recently, Turkey conducted a series of military operations against the SDF that resulted in partial occupation of the region.

The domain we found (rojavanetwork[.]info) specifically imitates “Rojava Network,” a social media brand on Facebook and Twitter that provides news coverage and political analysis of the region, often in support of SDF operations.

The domain rojavanetwork[.]info seems to be specifically imitating “Rojava Network,” a social media brand on Facebook and Twitter that provides news coverage and political analysis of the region, often in support of SDF operations.

Outside Syria, Hermit has been deployed in Italy. According to a document released by the Italian lower house in 2021, Italian authorities potentially misused it in an anti-corruption operation. The document mentioned an iOS version of Hermit and linked RCS Lab and Tykelab to the malware, which corroborates our analysis.

RCS Lab and its controversial connections 

Like many spyware vendors, not much is known about RCS Lab and its clientele. But based on the information we do have, it has a considerable international presence.

According to leaked documents published in WikiLeaks in 2015, RCS Lab was a reseller for another Italian spyware vendor HackingTeam, now known as Memento Labs, as early as 2012. Correspondences between the two companies revealed that RCS Lab engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar, and Turkmenistan — the latter three ranked as authoritarian regimes by the Democracy Index

RCS Lab also has past dealings with Syria, another authoritarian regime, as part of its collaboration with Berlin-based Advanced German Technology (AGT) to sell surveillance solutions.

Countries that had ties to RCS Lab’s past business connections. Top row: Chile, Pakistan, Mongolia and Bangladesh; bottom row: Myanmar, Vietnam, Turkmenistan and Syria.

Tykelab and its connection to RCS Lab

According to its own website, Tykelab provides innocuous technology solutions. However, we found various publicly-available clues that suggest otherwise. In addition to the Italian parliamentary document, we found several pieces of evidence tying Tykelab to RCS Lab. 

For example, a current Tykelab employee’s LinkedIn profile indicates that they also work at RCS Lab. In addition, the company offers services that require skills that may be useful in the development and delivery of surveillanceware, such as knowledge or interaction with telecommunications networks, social media analysis, SMS services, and mobile app development. One of the Tykelab job postings for a security engineer we found spells out desired skills that would have direct application to surveillance of mobile networks and devices.

This Tykelab job listing highlights interest in mobile network vulnerabilities, penetration testing, and reverse engineering: skills that can serve both defensive and offensive purposes.

In our own analysis of Hermit, we were able to tie Tykelab to Hermit and RCS Lab. One of the IP addresses Hermit used for C2 communications revealed an SSL certificate shared with another IP, 93.51.226[.]53. Notably, the shared certificate has Milan, Italy in the locality field which is where RCS Lab is headquartered.

This second IP used another SSL certificate that directly named RCS as the organization and Tykelab as the organization unit. The location references Rome, which is the headquarters location of Tykelab.

An SSL certificate tied to Hermit infrastructure shows that Tykelab and RCS Lab are both connected to the spyware.

Technical analysis: Hermit’s advanced capabilities

Hermit is a highly configurable surveillanceware with enterprise-grade capabilities to collect and transmit data. 

For example, it uses 20-plus parameters, which enables any operator to tailor it to their campaign. The spyware also attempts to maintain data integrity of collected ‘evidence’ by sending a hash-based message authentication code (HMAC). This allows the actors to authenticate who sent the data as well as ensure the data is unchanged. Using this method for data transmission may enable the admissibility of collected evidence.

To cover up its true intentions, Hermit is built to be modular. This means malicious functionality is hidden inside additional payloads that the malware downloads as needed.

How it tricks victims and avoids detection

As we mentioned earlier, Hermit pretends to come from legitimate entities, namely telecommunications companies or smartphone manufacturers. To keep up this facade, the malware loads and displays the website from the impersonated company simultaneously as malicious activities kickstart in the background.

The first malicious step is to decrypt an embedded configuration file with properties that are used to communicate with the C2 server. But before communication happens, Hermit performs a series of checks to ensure that it isn’t being analyzed. This includes looking for the presence of an emulator and signs that the app itself has been modified to make analysis easier.

Modules and data collection 

Once the malware connects with the C2, it takes instructions on what modules to download, each with distinct capabilities. In addition to the modules, the permissions that the malware requests indicate the various ways it could collect data.

Hermit can be asked by the C2 to download modules from any URL and then load them dynamically.

In total we acquired 16 modules by interacting with the IP address (45.148.30[.]122:58442) “oppo.service” used for C2 communications. Based on identification numbers assigned to the modules in Hermit’s code, there are at least 25 modules.

Within the core app, we found an abstract class called “module” that provided additional hints as to what the rest of the modules are capable of. The code contained references to exploit usage, which was further confirmed by clues found in obtained modules. While we weren’t served exploits during testing, we can tell that an exploited device will have a local root service listening on 127.0.0.1:500 that the malware will “ping” for.

Some variables hint that Hermit has modules that can use exploits.

If the device is confirmed to be exploitable then it will communicate with the C2 to acquire the files necessary to exploit the device and start its root service. This service will then be used to enable elevated device privileges such as access to accessibility services, notification content, package use state, and the ability to ignore battery optimization.

Beyond the root service, some of the modules expect or attempt to use root access directly through a su binary. These modules will attempt to modify the shared preferences of the SuperSU app in order to enable the execution of root commands without user interaction.

While this may be a generic attempt at using root without user awareness, SuperSU may also be a part of the unknown exploitation process. If root is not available, the modules may prompt the user to take actions which will accomplish the same goals.

These are the modules we were able to acquire (refer to the appendix for a complete breakdown of each modules):

Accessibility Event Account Address Book
Audio Browser Calendar
Camera Clipboard Device Info
File download File upload Log
Notification Listener Screen Capture Telegram
WhatsApp

Like other weaponry, spyware can easily be abused

Vendors of so-called “lawful intercept” spyware, such as RCS Lab, the NSO Group, and Gamma Group, usually claim to only sell to entities that have a legitimate use for surveillanceware such as police forces fighting organized crime or terrorism. However, there have been many reports, especially in recent years, of spyware being misused. 

We found evidence of Hermit being deployed in Kazakhstan and Syria, countries with poor human rights records. Even in the case of the anti-corruption operations in Italy, there was alleged mishandling of personal and private data. 

In a sense, electronic surveillance tools are not that different from any other type of weaponry. Just this month, faced with financial pressure, CEO of the NSO group Shalev Hulio opened up the possibility of selling to “risky” clients. Spyware makers operate in secrecy and with limited oversight and the legitimacy of the use of their products is rarely as clear-cut as they project.

How to protect yourself from spyware like Hermit

With sophisticated data collection capabilities, and the fact that we carry them all the time, mobile devices are the perfect target for surveillance. While not all of us will be targeted by sophisticated spyware, here are some tips to keep yourself and your organization safe:

  • Update your phone and apps: Operating systems and apps will often have vulnerabilities that need to be patched. Update them to ensure the exploits are resolved.
  • Don’t click on unknown links: One of the most common ways for an attacker to deliver malware is by sending you a message pretending to be a legitimate source. Don’t click on links, especially when you don’t know the source.
  • Don’t install unknown apps: Exercise caution when installing unknown apps, even if the source of the app seems like a legitimate authority.
  • Periodically review your apps: Sometimes malware can change settings or install additional content to your phone. Check your phone periodically to ensure nothing unknown has been added.

In addition to following the security best practices outlined above, we strongly recommend having a dedicated mobile security solution to ensure that your device is not compromised by malware or phishing attacks.

To the best of our knowledge the apps described in this article were never distributed through Google Play. Users of Lookout security apps are protected from these threats.

Indicators of Compromise

Core App indicators

SHA1 Hash Values
ca101ddfcf6746ffa171dc3a0545ebd017bf689a
b1dfb2be760d209846f2147ce32560954d2f71b5
cf610aae906ffcfd52c08d6ba03d9ce2c9996ac8
22f49fa7fe1506d2639f08e9ae198e262396c052
97ead8dec0bf601ba452b9e45bb33cb4a3bf830f
527141e1ee5d76b55b7c7640f7dcf222cb93e010
4f8145805eec0c4d8fc32b020744d4f3f1e39ccb
9f949b095c2ab4b305b2ea168ae376adbba72ffb

Network indicators

IP Address Port
2.229.68[.]182 8442
2.228.150[.]86 8443
93.57.84[.]78 8443
93.39.197[.]234 8443
45.148.30[.]122 58442
85.159.27[.]61 8442

Sample of domains used in Hermit’s targeting operations

Domain List 1 Domain List 2
119-tim[.]info milf[.]house
133-tre[.]info mobdemo[.]info
146-fastweb[.]info mobilepays[.]info
155-wind[.]info kena-mobile[.]info
159-windtre[.]info poste-it[.]info
iliad[.]info rojavanetwork[.]info
amex-co[.]info store-apple[.]info
cloud-apple[.]info wind-h3g[.]info
fb-techsupport[.]com

Parameter configurations Hermit uses

Parameter Configuration
vps Certificate fingerprint, IP address, and port, for C2 communication
p1,p3,p4,p5,p6 Server endpoints for various C2 communications
redirectUrl This is the benign URL opened when the application is launched
hidden Determines if the icon of the application will be hidden.
vpsseed String used along with android_id as a unique device identifier
certificateSignature Expected signature of the app. If the signature does not match the app will not run.
wdpn Package name of another app interacted with on device
wdcn Component name of a service contained in wdpn app
xAuthToken HTTP header added to every request for authentication
psk Pre-shared key used for message authentication
deleteApk Boolean indicating whether APK files should be deleted if anti-emulation checks fail
fp Fingerprint for protobuf encryption setup
pk Public key for protobuf encryption setup
applicationId, gcmSenderId, projectId, storageBucket, apiKey Firebase Messaging Service setup parameters

Modules downloaded by Hermit

Authors

Justin Albrecht

Global Director, Mobile Threat Intelligence

Justin Albrecht is the Global Director of Mobile Threat Intelligence. He works with his team to uncover new mobile threats, track actors and targets, and provide accurate research and reporting on these issues. Justin has over 20 years of experience tracking cyber threat actors, terrorists, and intelligence activities in both the intelligence community, and more recently as a member of Lookout’s Threat Intelligence Team.

Paul Shunk

Staff Security Intelligence Researcher

Paul is a security researcher with a primary focus on reverse engineering mobile malware. Prior to Lookout, he worked in a security operations centre first as a cyber threat intelligence analyst and later in security investigations. Paul graduated with a Bachelor of Applied Information Sciences (Information Systems Security) from Sheridan College in 2015.

Discovered By
Lookout
Threat Type
Spyware
Entry Type
Threat Summary
Platform(s) Affected
Lookout
Spyware
Threat Summary

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Module Name Function Note
Accessibility Event Track foreground app.
Account Steal stored account emails.
Address Book Steal contacts.
Audio Record audio.
Browser Steal browser bookmarks / searches.
Calendar Steal calendar events, attendees.
Camera Take pictures.
Clipboard Steal current and future clipboard content.
Device Info Exfiltrate device information, including applications, kernel information, model, manufacturer, OS version, phone number, security patch, root/exploitation status.
File Download Download and install APK files on the device. Use root to silently install apps.
File Upload Upload files from the device. Use root to copy files the app doesn’t have access to.
Log Enable/disable verbose logging.
Notification Listener Exfiltrate notification content. Dismiss/snooze notifications that reference, but don’t originate from, the Hermit app.
Screen Capture Take pictures of the screen. Use root to run ‘screencap’.
Telegram Prompt the user to reinstall Telegram on the device with a downloaded APK. Use root to silently uninstall/reinstall Telegram. Also copy the old app’s data to the new app’s folder, changing the files’ SELinux contexts and owners.
WhatsApp Prompt the user to reinstall WhatsApp via Play Store.
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell