A sophisticated malware campaign has emerged, targeting Indonesia’s most vulnerable digital citizens through a calculated exploitation of trust in the nation’s pension fund system.

The malicious operation impersonates PT Dana Tabungan dan Asuransi Pegawai Negeri (TASPEN), the state-owned pension fund managing over $15.9 billion in assets for millions of Indonesian civil servants and retirees.

This campaign represents a disturbing evolution in cybercrime tactics, weaponizing institutional trust to conduct large-scale financial fraud against senior citizens who are increasingly encouraged to adopt digital services for pension management.

The attack leverages a meticulously crafted phishing website hosted at taspen[.]ahngo[.]cc, which mimics an official mobile application download page complete with TASPEN’s branding and the Indonesian slogan “Aplikasi Andal, semudah bersama TASPEN” (A reliable app, easy with TASPEN).

The fraudulent site features weaponized Google Play and Apple App Store buttons, with the Android version initiating direct downloads of malicious APK files while the iOS button displays a deceptive maintenance message in Bahasa Indonesia to maintain credibility.

CloudSEK analysts identified this campaign through their threat intelligence monitoring, revealing that the malware employs advanced evasion techniques to bypass traditional security measures.

The malicious application is protected by DPT-Shell, an open-source Android packer that encrypts the executable code and deploys it only during runtime, effectively defeating static analysis tools used by security researchers.

Runtime Payload Deployment and Surveillance Capabilities

The malware’s most concerning aspect lies in its sophisticated deployment mechanism and comprehensive surveillance capabilities once installed on victim devices.

Upon execution, the DPT-Shell protection system first decrypts the hidden malicious payload in memory before writing it to the application’s private code_cache directory as a ZIP archive named i111111.zip.

This runtime unpacking ensures that the true malicious functionality remains completely hidden from security scanners until the application is actively running on a live device.

Once operational, the malware deploys multiple background services designed for comprehensive data theft.

The SmsService component provides persistent SMS interception capabilities, automatically reading and forwarding all incoming messages including critical two-factor authentication codes.

Simultaneously, the ScreenRecordService enables real-time visual monitoring of all user activities, while the CameraService facilitates facial video capture for biometric data harvesting.

These components work in concert with a ContactData class that systematically exfiltrates the victim’s complete address book, including names, phone numbers, email addresses, and call history.

The malware establishes encrypted communication with its command and control server at rpc.syids.top through both HTTP POST requests for credential theft and persistent WebSocket connections for real-time command execution.

When victims enter their banking credentials, the malware encrypts and transmits this data while deliberately displaying Indonesian error messages to mask the successful exfiltration, creating the illusion of a simple failed login attempt.

Attribution analysis reveals strong linguistic indicators pointing to Chinese-speaking threat actors, with error messages in Simplified Chinese found embedded within both the phishing infrastructure and C2 server responses.

The campaign’s success threatens to establish a dangerous precedent for similar attacks against other critical Indonesian public institutions, potentially affecting millions of citizens who rely on digital government services for essential financial and healthcare needs.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post New Malware Attack Exploiting TASPEN’s Legacy to Target Indonesian Senior Citizens appeared first on Cyber Security News.

Over the past year, the Underground ransomware gang has emerged as a formidable threat to organizations across diverse industries and geographies.

First identified in July 2023, the group resurfaced in May 2024 with a Dedicated Leak Site (DLS), signaling a renewed and more sophisticated operational phase.

Their campaigns now span from the United Arab Emirates to South Korea, targeting companies in construction, manufacturing, IT, and beyond.

Victims report encrypted critical assets and threatened data leaks, with ransom demands that exploit both technical and psychological pressure.

In their latest modus operandi, Underground operators meticulously tailor each attack to the victim’s environment.

Initial infiltration often leverages stolen credentials or unpatched vulnerabilities in remote desktop services.

Once inside, they disable shadow copies using the vssadmin delete shadows /all /quiet command, stripping victims of quick rollback options.

ASEC analysts noted that this hands-on approach transforms routine environments into fully compromised landscapes, leaving forensic traces that complicate incident response.

Following reconnaissance, the ransomware proceeds with encryption routines that combine AES symmetric encryption and RSA asymmetric wrapping.

Each file is encrypted with a unique AES key, while the key material and initialization vector (IV) are sealed with a hardcoded RSA public key before being appended to the file.

No external C2 communication occurs during encryption, ensuring that local evidence alone cannot facilitate decryption.

The encryption metadata—spanning the file’s original size, flag sets, version, and magic values—is structured in an 0x18-byte block affixed at the end of each file.

Infection Mechanism Deep Dive

The core of Underground’s infection mechanism lies in its multi-stage payload execution. Upon launch, the binary checks its command-line parameters and exits immediately if more than two arguments are detected, a rudimentary anti-analysis safeguard.

The malware then declares a mutex string, “8DC1F7B9D2F4EA58,” to prevent multiple instances.

Without employing advanced sandbox evasion techniques, it swiftly executes pre-encryption routines: deleting shadow copies, modifying registry keys to restrict remote desktop disconnections, and halting SQL services with commands such as:-

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
net stop MSSQLSERVER /f /m
net stop SQLSERVERAGENT /f /m
net stop MSSQLFDLauncher /f /m

By excluding system directories and executable extensions—such as .exe, .dll, and .sys—the malware avoids crippling the operating system, focusing its destructive power on user-generated content.

Once the environment is primed, a 0x30-byte random number is generated via the BCrypt API, partitioned into a 0x20-byte AES key and a 0x10-byte IV.

Files are read into memory, encrypted in place, and then appended with the RSA-encrypted key material (0x200 bytes).

For large files, a striping method encrypts head, tail, and periodic segments using flag values that dictate encryption unit size and gap intervals, balancing performance and file impact.

Finally, the ransomware deploys an _eraser.bat script to purge Windows event logs via wevtutil.exe, erasing traces of its activity and hindering root cause analysis.

Through these refined tactics, Underground leverages a blend of classic and advanced methods, underscoring the importance of proactive patching, segmented backups, and robust endpoint monitoring to defend against its evolving threat.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Underground Ransomware Gang With New Tactics Against Organizations Worldwide appeared first on Cyber Security News.