Into the Cumulus: Scarcruft bolsters arsenal for targeting individual Android devices

2023-10-05 S2W

https://www.virusbulletin.com/conference/vb2023/abstracts/cumulus-scarcruft-bolsters-arsenal-targeting-individual-android-devices/

Attachments

Into-the-Cumulus-Scarcruft-bolsters-arsenal-for-targeting-individu_7cWxwip.pdf (4 MB)


S2W's Virus Bulletin paper attributes Cumulus, also called RambleOn, to Scarcruft/APT37 and frames it as an Android extension of the group's ROKRAT tooling. The malware has targeted individual Android users since at least 2019, building on earlier Scarcruft mobile operations against North Korean human rights officials, North Korea-focused journalists, and South Korean journalists who were approached through KakaoTalk, Facebook, Google Play, or WeChat. Cumulus is distributed as legitimate-looking APKs such as messengers, image viewers, or coin-mining apps; once installed, it uses Firebase Cloud Messaging (FCM) or Pushy push messaging to receive commands and loads separate Clugin plug-ins to carry out the data theft. S2W also recovered cloud-stored attacker test data, victim conversations, distribution guidance, an attacker IP address, and unpublished Clugin samples.

Indicators of Compromise

