Nagy Ferenc László
@nflnfl.infosec.exchange.ap.brid.gy
mostly antivirus

[bridged from https://infosec.exchange/@nflnfl on the fediverse by https://fed.brid.gy/ ]
Reposted by Nagy Ferenc László
At the Conference for Applied Machine Learning in Information Security (CAMLIS) yesterday, SophosAI researcher Tamás Vörös presented his research on LLM salting, a novel technique to prevent LLM jailbreaks.

Many organizations are increasingly deploying LLMs with minimal customization. This […]
Original post on infosec.exchange
infosec.exchange
October 24, 2025 at 10:24 AM
Reposted by Nagy Ferenc László
added a cheat sheet to the official Git website https://git-scm.com/cheat-sheet
September 16, 2025 at 6:27 PM
In case you can't guess it from the shared posts, I work for Acronis currently.
September 17, 2025 at 4:16 PM
#huggingface AI Agents Course deadline is extended to July 1st, 2025. So you have time to earn a certificate even if you start it now. Looks good to me.
https://huggingface.co/learn/agents-course/unit0/introduction
Welcome to the 🤗 AI Agents Course - Hugging Face Agents Course
We’re on a journey to advance and democratize artificial intelligence through open source and open science.
huggingface.co
April 18, 2025 at 12:58 PM
Reposted by Nagy Ferenc László
Last night, as I was mulling over the potential demise of the CVE system, I devised a replacement that I think everyone can get behind: the Sean's Vulnerability Emotes service.
https://falling-anvil.com/sve/

Vulns will be rated in severity with emojis we can all understand: 😬 😅😰🤯🤬😱💀
April 16, 2025 at 6:22 PM
In 2021, researchers reported that PJobRAT – an Android RAT first observed in 2019 – was targeting Indian military personnel by imitating various dating and instant messaging apps. Since then, there’s been little news about PJobRAT – until, during a recent threat hunt, Sophos X-Ops researchers uncovered a new campaign – now seemingly over – that appeared to target users in Taiwan. PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices.

## Distribution and infection

In the latest campaign, X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. In our telemetry, all the victims appeared to be based in Taiwan. The apps included ‘SangaalLite’ (possibly a play on ‘SignalLite’, an app used in the 2021 campaigns) and CChat (mimicking a legitimate app of the same name that previously existed on Google Play). The apps were available for download from various WordPress sites (now defunct, albeit we have reported them to WordPress regardless).

The earliest sample was first seen in Jan 2023 (although the domains hosting the malware were registered as early as April 2022) and the most recent was from October 2024. We believe the campaign is now over, or at least paused, as we have not observed any activity since then. This campaign was therefore running for at least 22 months, and perhaps for as long as two and a half years. However, the number of infections was relatively small, and in our assessment the threat actors behind it were not targeting the general public.

_Figure 1: One of the malicious distribution sites – this one showing a boilerplate WordPress template, with a link to download one of the samples_

_Figure 2: Another malicious distribution site – this one hosting a fake chat app called SaangalLite_

We don’t have enough information to confirm how users were directed to the WordPress distribution sites (e.g., SEO poisoning, malvertising, phishing, etc.), but we know that the threat actors behind previous PJobRAT campaigns used a variety of tricks for distribution. These included third-party app stores, compromising legitimate sites to host phishing pages, shortened links to mask final URLs, and fictitious personae to deceive users into clicking on links or downloading the disguised apps. Additionally, the threat actors may have also distributed links to the malicious apps on military forums.

Once on a user’s device and launched, the apps request a plethora of permissions, including a request to stop optimizing battery usage, in order to continuously run in the background.

_Figure 3: Screenshots from the interface of the malicious SaangalLite app_

The apps have a basic chat functionality built in, allowing users to register, login, and chat with other users (so, theoretically, infected users could have messaged each other, if they knew each others’ user IDs). They also check the command-and-control (C2) servers for updates at start-up, allowing the threat actor to install malware updates.

## A shift in tactics

Unlike the 2021 campaign, the latest iterations of PJobRAT do not have a built-in functionality for stealing WhatsApp messages. However, they do include a new functionality to run shell commands. This vastly increases the capabilities of the malware, allowing the threat actor much greater control over the victims’ mobile devices.

It may allow them to steal data – including WhatsApp data – from any app on the device, root the device itself, use the victim’s device to target and penetrate other systems on the network, and even silently remove the malware once their objectives have been completed.

_Figure 4: Code to execute shell commands_

## Communication

The latest variants of PJobRAT have two ways to communicate with their C2 servers. The first is Firebase Cloud Messaging (FCM), a cross-platform library by Google which allows apps to send and receive small payloads (up to 4,000 bytes) from the cloud. As we noted in our coverage of an Iranian mobile malware campaign in July 2023, FCM usually uses port 5228, but may also use ports 443, 5229, and 5230. FCM provides threat actors with two advantages: it enables them to hide their C2 activity within expected Android traffic, and it leverages the reputation and resilience of cloud-based services.

The threat actor used FCM to send commands from a C2 server to the apps and trigger various RAT functions, including the following:

| **Command** | **Description** |
|---|---|
| `ace_am_ace` | Upload SMS |
| `pang` | Upload device information |
| `file_file` | Upload file |
| `dir_dir` | Upload a file from a specific folder |
| `_start_scan_` | Upload list of media files and documents |
| `kansell` | Cancel all queued operations |
| `chall` | Run a shell command |
| `kontak` | Upload contacts |
| `ambrc` | Record and upload audio |

_Figure 5: Table showing PJobRAT commands_

The second method of communication is HTTP. PJobRAT uses HTTP to upload data, including device information, SMS, contacts, and files (images, audio/video and documents such as .doc and .pdf files), to the C2 server. The (now inactive) C2 server (westvist[.]myftp[.]org) used a dynamic DNS provider to send the data to an IP address based in Germany.

_Figure 6: Stealing device information from an infected device (from our own testing)_

_Figure 7: Stealing contacts from an infected device (from our own testing)_

_Figure 8: Stealing a list of files from an infected device (from our own testing)_

## Conclusion

While this particular campaign may be over, it’s a good illustration of the fact that threat actors will often retool and retarget after an initial campaign – making improvements to their malware and adjusting their approach – before striking again. We’ll be keeping an eye out for future activity relating to PJobRAT. In the meantime, Android users should avoid installing apps from links found in emails, text messages or any communication received from untrusted sources, and use a mobile threat detection app such as Sophos Intercept X for Mobile to defend from such threats.

A list of the apps, hosting domains, and C2 domains we discovered during this investigation is available on our GitHub repository. The samples described here are detected by Intercept X for Mobile as **Andr/AndroRAT-M**.
news.sophos.com
March 28, 2025 at 12:25 AM
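As an added illustration (not code from the Sophos article above), the following triage helper scans constructed FCM data-message log lines from an instrumented lab device for the PJobRAT command tokens listed in the write-up and ranks what the operator was attempting; the log line format, the severity values and the sample lines are assumptions, not real Firebase logging output.

```python
import re

# Command tokens PJobRAT receives over FCM, per the write-up above, mapped to
# the capability triggered and a triage severity assigned here for illustration.
PJOBRAT_COMMANDS = {
    "ace_am_ace": ("upload SMS", "high"),
    "pang": ("upload device information", "medium"),
    "file_file": ("upload file", "high"),
    "dir_dir": ("upload file from a specific folder", "high"),
    "_start_scan_": ("upload list of media files and documents", "medium"),
    "kansell": ("cancel all queued operations", "low"),
    "chall": ("run a shell command", "critical"),
    "kontak": ("upload contacts", "high"),
    "ambrc": ("record and upload audio", "critical"),
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed, simplified logcat-style lines from an instrumented lab device.
# The message format is an assumption, not real Firebase logging output.
SAMPLE_LOG = """\
03-28 10:01:02.110 I/FcmSvc: data message received keys={cmd=pang}
03-28 10:01:05.437 I/FcmSvc: data message received keys={cmd=kontak}
03-28 10:02:11.900 I/FcmSvc: data message received keys={cmd=chall, arg=<redacted>}
03-28 10:02:12.003 D/ActivityManager: unrelated line
03-28 10:03:40.221 I/FcmSvc: data message received keys={cmd=_start_scan_}
03-28 10:04:00.000 I/FcmSvc: data message received keys={cmd=heartbeat}
"""
LINE_RE = re.compile(r"^(\S+ \S+) .*data message received keys=\{([^}]*)\}")

def scan_fcm_log(log_text):
    """Extract PJobRAT commands from FCM data-message log lines and triage them.
    Returns hits as (timestamp, token, capability, severity) plus a summary."""
    hits, unrecognised, counts = [], 0, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an FCM data-message line
        fields = dict(kv.strip().split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
        token = fields.get("cmd", "")
        if token not in PJOBRAT_COMMANDS:
            unrecognised += 1  # a data message, but not a token from the write-up
            continue
        capability, severity = PJOBRAT_COMMANDS[token]
        hits.append((m.group(1), token, capability, severity))
        counts[severity] = counts.get(severity, 0) + 1
    worst = max((h[3] for h in hits), key=SEVERITY_RANK.get, default=None)
    return {"hits": hits, "max_severity": worst, "counts": counts,
            "shell_used": any(h[1] == "chall" for h in hits),  # new in this campaign
            "unrecognised": unrecognised}
```

Unrecognised command tokens are counted rather than dropped, so a variant that renames its commands still shows up as unexplained FCM data traffic worth a closer look.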
Reposted by Nagy Ferenc László
Bringing this highly requested feature to #mastodon and the fediverse is not as trivial as some might think, but quote posts are coming. Here is our latest write-up about our progress:

https://blog.joinmastodon.org/2025/02/bringing-quote-posts-to-mastodon/
Bringing Quote Posts to Mastodon
<p>Quote Posts are a popular feature of many social media platforms. They offer the ability to share another person’s post to one’s own followers, while adding a comment.</p>
<p>We want to share our thinking process in implementing Quote Posts in Mastodon, and explain why it has taken us some time to do so.</p>
<h2 id="background">Background</h2>
<p>In the past couple of years, as Mastodon has grown, we’ve spent time meeting with community leaders across a spectrum of interests, to understand their needs. We have learned that many groups use Quote Posts as their primary means to build consensus and community on other platforms. Quote Posts used in this way convey trust and respect for the original post, building on or enhancing an original idea.</p>
<p>On the other hand, back when Mastodon was first developed, we had seen the feature used for malicious purposes on other platforms, for example, to intentionally quote someone out of context, to direct hate speech and harass people. At that time, it was an easy decision for us: Mastodon would not have quote posts.</p>
<p>The continued popularity of requests for us to implement the feature has shown that their absence prevents many people from joining the Fediverse. We want to add Quote Posts to help people to transition away from proprietary, billionaire-owned social media to the open social web.</p>
<p>If you’ve been following our project, we first mentioned that we were considering bringing Quote Posts to Mastodon <a href="https://blog.joinmastodon.org/2023/05/a-new-onboarding-experience-on-mastodon/">back in 2023</a>. During 2024, we applied for <a href="https://nlnet.nl/project/Mastodon-Quoting/">a grant from the NGI0 Entrust Fund</a>, to support our research and implementation efforts.
With that support, we have done a lot of research and thinking, and we are sharing the outcomes of this work with you here.</p>
<h2 id="challenges">Challenges</h2>
<p>There are two primary elements to bringing Quote Posts to Mastodon: user-centric, and technical.</p>
<p>As explained above, the team started out with a shared view that Quote Posts can be misused. Many people simply do not want their content to be reframed by others; or they may find that if it is reposted, they receive unwelcome attention.</p>
<p>In order to mitigate these issues, we plan to include several features in our implementation:</p>
<ul>
<li>You will be able to choose whether your posts can be quoted at all.</li>
<li>You will be notified when someone quotes you.</li>
<li>You will be able to withdraw your post from the quoted context at any time.</li>
</ul>
<p>We also want to build a tight integration for Quote Posts with the reporting functionality, to help people to feel more safe.</p>
<p>On the technical side, the concept of Quote Posts is not standardised - there is no agreed way to build this feature into a W3C ActivityPub implementation so that it is automatically interoperable with the other applications in the Fediverse. Today, some third party Mastodon clients approximate quote posts, by showing a preview if a post contains a link to another post - but those efforts do not come with any of the features that we want to include. We want to collaborate to create a specification, so that we can encourage a better (and safer) way for all clients to have this functionality. We’ve spent time talking with users, with other Fediverse software developers (which include user facing applications), and with the developers of our own client apps, about how they might expect to see or implement Quote Posts.
The output from this will be concrete proposals to help everyone building on the Fediverse.</p>
<h2 id="the-process">The process</h2>
<p>We are in the process of writing ActivityPub extensions (which we will publish as <a href="https://codeberg.org/fediverse/fep">Fediverse Enhancement Proposals</a>), in collaboration with other developers, to cover these features for any ActivityPub software that chooses to use them. These specifications can allow everyone to efficiently implement this same feature in an interoperable way. We’ve shared <a href="https://socialhub.activitypub.rocks/t/pre-fep-quote-posts-quote-policies-and-quote-controls/5031">initial work on this</a> for ActivityPub developers, and we’re also posting the <a href="https://github.com/mastodon/specs-background/blob/main/quote-posts/quote-posts-research-and-goals.md">background research</a> we performed, that was discussed with others - in both cases, these are being posted as deeper-dives for technical audiences and other implementers; they do not represent final outputs and choices.</p>
<p>In addition to these proposals, this feature will impact many parts of the Mastodon codebase, including the ActivityPub-handling code, the public API, web user interface, moderation panel and capabilities, the administration panel, and the official iOS and Android applications. We’re working on it, but Quote Posts will still take more time to develop.</p>
<h2 id="the-future">The future</h2>
<p>We know that Quote Posts are a source of concern for some members of the community, and highly-requested by others. We’re committed to sharing our progress, and listening to your feedback.
Thanks for being a part of the federated open social web, and for using Mastodon.</p>
blog.joinmastodon.org
February 14, 2025 at 4:09 PM
Reposted by Nagy Ferenc László
Hi everyone, it's @threatresearch driving the X-Ops social media today to let you know about a story we just published, written by my colleague Gabor Szappanos.

Szapi has done significant research in the past into a #malware family called #Gootloader that (for years, now) uses malicious #seo […]
Original post on infosec.exchange
infosec.exchange
January 16, 2025 at 5:01 PM
Santa here found a nice red car.
December 5, 2024 at 4:25 PM
#OBTS v7.0: Talks
Conference Talks
objectivebythesea.org
December 4, 2024 at 5:02 PM