Android Malware Appears Linked to Lazarus Cybercrime Group
2017-11-20 • McAfee
McAfee analyzed a repackaged Korean Bible-reading Android APK that contained and executed a backdoor ELF from its assets, turning infected devices into bots. The implant stored encoded control-server IPs in /data/system/dnscd.db, randomly selected a server, and sent callback beacons disguised as SSL ClientHello traffic with well-known domains in the SNI field. After connecting, it accepted command codes from the controller and returned execution results using a custom protocol. McAfee linked the mobile backdoor to Lazarus with high confidence based on reused campaign infrastructure, similar encryption-key generation routines, fake TLS callback logic, and protocol similarities to executables used by the group.
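The callback described above hides a beacon inside what looks like a TLS ClientHello, with a benign, well-known host name in the SNI field. A network defender can still catch it, because the decoy SNI does not change where the packet is going. The following added example (not McAfee's code and not part of the original report) parses the SNI out of a raw TLS record and then lets the destination address, not the host name, drive the verdict. The control-server list is taken from the IoC table on this page; the ClientHello builder, the decoy host name `www.example.com`, the benign address `203.0.113.10` and the sample flows are constructed for the example.

```python
import struct
from typing import Optional

# Control-server IPs from the report's IoC table (page values, not constructed).
LAZARUS_C2_IPS = {
    "217.117.4.110", "181.119.19.100", "197.211.212.31", "114.215.130.173",
    "61.106.2.96", "110.45.145.103", "139.196.55.146", "199.180.148.134",
    "119.29.11.203", "124.248.228.30", "14.139.200.107", "175.100.189.174",
}


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI extension.
    Only used to produce test input here; the layout follows RFC 5246 / RFC 6066."""
    host = sni.encode("ascii")
    server_name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    server_name_list = struct.pack("!H", len(server_name_entry)) + server_name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x11" * 32                         # client random (constructed, fixed for determinism)
        + b"\x00"                              # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                          # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the host_name from its SNI extension, or None
    when the bytes are not a well-formed ClientHello or carry no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None                                   # truncated handshake
    pos = 2 + 32                                      # skip client_version and random
    if pos >= len(body):
        return None
    sid_len = body[pos]
    pos += 1 + sid_len
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    if pos + 1 > len(body):
        return None
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5:
            # server_name_list: 2-byte list length, then name_type (1) + name_len (2) + name
            name_type = edata[2]
            name_len = struct.unpack("!H", edata[3:5])[0]
            if name_type == 0 and len(edata) >= 5 + name_len:
                return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def assess_flow(dst_ip: str, payload: bytes) -> dict:
    """Classify one outbound flow. A decoy SNI does not exonerate a connection to a
    listed control server, so the destination address drives the verdict; the SNI
    is kept only as context for the analyst."""
    sni = extract_sni(payload)
    if dst_ip in LAZARUS_C2_IPS:
        return {"verdict": "alert", "reason": "destination is a listed control server", "sni": sni}
    return {"verdict": "allow", "reason": "destination not listed", "sni": sni}


if __name__ == "__main__":
    # Constructed sample flows: a beacon to a listed server wearing a benign SNI,
    # and an ordinary connection to an address in the TEST-NET-3 documentation range.
    for ip in ("217.117.4.110", "203.0.113.10"):
        print(ip, assess_flow(ip, build_client_hello("www.example.com")))
```

In a real sensor the same `extract_sni` runs over the first client-to-server segment of each TCP flow on port 443; the SNI is logged, and the destination is matched against the indicator list, so the well-known name in the SNI field becomes a hunting artifact (a popular host name paired with an unrelated destination) rather than camouflage.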
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 217.117.4.110 | 2017-11-20 | 2020-02-25 |
| HASH | 24f61120946ddac5e1d15cd64c48b7e6 | 2017-11-20 | 2018-04-07 |
| HASH | 9ce9a0b3876aacbf0e8023c97fd0a21d | 2017-11-20 | 2018-04-07 |
| IPv4 | 181.119.19.100 | 2017-11-20 | 2018-04-07 |
| IPv4 | 197.211.212.31 | 2017-11-20 | 2018-04-07 |
| IPv4 | 114.215.130.173 | 2017-11-20 | 2018-04-07 |
| IPv4 | 61.106.2.96 | 2017-11-20 | 2018-04-07 |
| IPv4 | 110.45.145.103 | 2017-11-20 | 2018-04-07 |
| IPv4 | 139.196.55.146 | 2017-11-20 | 2018-04-07 |
| IPv4 | 199.180.148.134 | 2017-11-20 | 2018-04-07 |
| IPv4 | 119.29.11.203 | 2017-11-20 | 2018-04-07 |
| IPv4 | 124.248.228.30 | 2017-11-20 | 2018-04-07 |
| IPv4 | 14.139.200.107 | 2017-11-20 | 2018-04-07 |
| IPv4 | 175.100.189.174 | 2017-11-20 | 2018-04-07 |
| HASH | 8b98bdf2c6a299e1fed217889af54845 | 2017-11-20 | 2017-11-20 |
| DOMAIN | vmware-probe.zol.co | 2017-11-20 | 2017-11-20 |
| DOMAIN | mail.wavenet.com | 2017-11-20 | 2017-11-20 |
| DOMAIN | wtps.org | 2017-11-20 | 2017-11-20 |