Tracing the Source: Analysis of the KONNI APT Group's Attack Campaign Disguised as a Korean Android Chat App
2019-12-23 • Qihoo360 • Traceability: Analysis of KONNI APT organization's attack activities disguised as Korean Android chat application
QiAnXin's RedDrip team analyzed Android malware activity targeting users in South Korea with fake versions of common mobile apps such as KakaoTalk. Delivery relied on SMS or instant-message short links that led either directly to malicious APKs or to fake app-download pages, including the domains oaass-torrent.com and download-apks.com. To avoid suspicion, the trojan launched the legitimate KakaoTalk app when it was installed, then collected contacts, SMS records, the list of installed apps, SD-card directory listings, phone information, and audio recordings. Command and control consisted of HTTP polling of /manager/files/To_[IMEI].txt on 2.56.151.8, and the researchers found strong code overlap with previously disclosed KONNI Android malware that ESTsecurity had associated with Kimsuky.
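As an added example (not code from the RedDrip report or the analyzed sample), a small detector that runs over constructed web-proxy log lines and flags both the tasking-file polling pattern described above and requests to the delivery and C2 hosts named in the report. The log line format, the client addresses and a 15-digit IMEI are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy log lines (not from the original report): timestamp, client, method, URL, status.
SAMPLE_LOGS = """\
2019-12-20T08:15:02Z 10.0.0.23 GET http://2.56.151.8/manager/files/To_356938035643809.txt 200
2019-12-20T08:15:31Z 10.0.0.23 GET http://2.56.151.8/manager/files/To_356938035643809.txt 200
2019-12-20T08:16:05Z 10.0.0.41 GET https://www.kakaocorp.com/ 200
2019-12-20T08:17:10Z 10.0.0.57 GET http://download-apks.com/KakaoTalk.apk 200
2019-12-20T08:18:44Z 10.0.0.88 GET http://example.org/manager/files/To_report.txt 404
"""

# Delivery and C2 hosts named in the report.
KNOWN_HOSTS = {"2.56.151.8", "oaass-torrent.com", "download-apks.com"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")
# Tasking file path from the report: /manager/files/To_[IMEI].txt; IMEI assumed to be 15 digits,
# so the path shape alone is a signal even when the C2 host changes.
TASKING_RE = re.compile(r"^/manager/files/To_(?P<imei>\d{15})\.txt$")


def classify_url(url: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {host, reason, imei} when the URL matches a KONNI indicator, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group("host").lower(), m.group("path") or "/"
    t = TASKING_RE.match(path)
    if t:
        return {"host": host, "reason": "c2_tasking_poll", "imei": t.group("imei")}
    if host in KNOWN_HOSTS:
        return {"host": host, "reason": "known_delivery_or_c2_host", "imei": None}
    return None


def scan(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Run every parsable log line through classify_url and collect the matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the constructed log format
        c = classify_url(m.group("url"))
        if c:
            hits.append({"ts": m.group("ts"), "src": m.group("src"), **c})
    return hits
```

Repeated polls from one client for the same To_[IMEI].txt file, as in the first two sample lines, are the beaconing pattern worth alerting on; the last sample line shows that a path without an IMEI-shaped name on an unrelated host is not flagged.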
Indicators of Compromise