Operation Blockbuster Goes Mobile
2017-11-20 • Palo Alto Networks (Unit 42)
https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbuster-goes-mobile/
Unit 42 identified a mobile-focused malware cluster tied by code, mutex, and infrastructure overlaps to Operation Blockbuster activity, with targeting evidence pointing to Korean language speakers using Samsung devices. A Windows PE server named JAVAC.EXE serves JavaScript, ELF ARM files, and nested APK payloads, including a chain that installs a final Android backdoor. The Android implant can persist across boot, manipulate files, record microphone and camera data, collect GPS, contacts, SMS/MMS, browsing history, bookmarks, and Wi-Fi information. The ELF ARM samples use fake TLS-style command-and-control by placing legitimate-looking domains in SNI while connecting to embedded C2 IPs, and the report notes reused infrastructure such as 175.100.189.174 and 119.29.11.203 across related malware. The findings matter because they extend Operation Blockbuster-linked tradecraft into mobile targeting and show both technical reuse and social disguise elements aimed at South Korean victims.
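The fake-TLS behaviour described above (a legitimate-looking domain in the SNI field, while the socket actually goes to a hard-coded C2 address) leaves a detectable inconsistency on the wire: the SNI name and the destination IP of the same connection do not belong together. The following is an added example, not code from the Unit 42 report, that parses the SNI out of a TLS ClientHello and checks it against an expected-IP table. The `build_client_hello` helper exists only to construct sample traffic offline; `EXPECTED_IPS`, the domain `www.example-legit.test` and the address `192.0.2.10` are constructed assumptions (a real deployment would populate the table from passive DNS or the resolver's own answers). The two C2 addresses used as sample destinations are the ones quoted from the report.

```python
"""Detect fake-TLS beaconing: SNI names a plausible domain, but the
connection goes to an unrelated IP. Added example; not from the report."""
import struct
from typing import Optional, Tuple, List

# Constructed allow-list: domain -> IPs it legitimately resolves to.
# In production this would be fed by passive DNS / resolver logs.
EXPECTED_IPS = {
    "www.example-legit.test": {"192.0.2.10"},
}


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (sample traffic only)."""
    extensions = b""
    if sni is not None:
        host = sni.encode()
        server_name = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        name_list = struct.pack("!H", len(server_name)) + server_name
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext type 0 = server_name
        extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x11" * 32         # random (constructed, fixed bytes)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # one cipher suite
        + b"\x01\x00"          # compression: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent/not TLS."""
    try:
        if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:                            # truncated capture
            return None
        pos = 2 + 32                                      # skip version + random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):                           # no extensions block at all
            return None
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0:
                continue
            list_len = struct.unpack("!H", edata[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return edata[p:p + nlen].decode("ascii", "replace")
                p += nlen
        return None
    except (IndexError, struct.error):
        return None


def check_flow(record: bytes, dst_ip: str) -> Tuple[Optional[str], str]:
    """Classify one connection by comparing its SNI against the expected-IP table."""
    sni = extract_sni(record)
    if sni is None:
        return None, "no-sni"
    expected = EXPECTED_IPS.get(sni.lower())
    if expected is None:
        return sni, "unknown-domain"          # no baseline; worth enriching, not alerting on
    if dst_ip in expected:
        return sni, "match"
    return sni, "sni-ip-mismatch"             # the fake-TLS signature described in the report


def scan_flows(flows: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (dst_ip, sni) for every flow whose SNI and destination disagree."""
    alerts = []
    for dst_ip, record in flows:
        sni, verdict = check_flow(record, dst_ip)
        if verdict == "sni-ip-mismatch":
            alerts.append((dst_ip, sni))
    return alerts


if __name__ == "__main__":
    # Constructed flows: two beacons to the report's C2 IPs, one benign connection, one plain HTTP.
    sample = [
        ("175.100.189.174", build_client_hello("www.example-legit.test")),
        ("119.29.11.203", build_client_hello("www.example-legit.test")),
        ("192.0.2.10", build_client_hello("www.example-legit.test")),
        ("192.0.2.20", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ]
    for hit in scan_flows(sample):
        print("fake-TLS suspect: dst=%s sni=%s" % hit)
```

The check is deliberately conservative: an SNI with no baseline entry is reported as `unknown-domain` rather than alerted on, so the mismatch verdict only fires when the sensor already knows where the named domain really lives. Pairing this with the report's C2 addresses as a destination-IP watchlist gives two independent signals for the same implant behaviour.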
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 4cf164497c275ae0f86c28d7847b10f… | 2017-11-20 | 2020-03-09 |
| HASH | a606716355035d4a1ea0b15f3bee30a… | 2017-11-20 | 2020-03-09 |
| HASH | 7429a6b6e8518a1ec1d1c37a8786359… | 2017-08-14 | 2020-03-09 |
| IPv4 | 217.117.4.110 | 2017-11-20 | 2020-02-25 |
| IPv4 | 181.119.19.100 | 2017-11-20 | 2018-04-07 |
| IPv4 | 197.211.212.31 | 2017-11-20 | 2018-04-07 |
| IPv4 | 114.215.130.173 | 2017-11-20 | 2018-04-07 |
| IPv4 | 61.106.2.96 | 2017-11-20 | 2018-04-07 |
| IPv4 | 110.45.145.103 | 2017-11-20 | 2018-04-07 |
| IPv4 | 139.196.55.146 | 2017-11-20 | 2018-04-07 |
| IPv4 | 199.180.148.134 | 2017-11-20 | 2018-04-07 |
| IPv4 | 119.29.11.203 | 2017-11-20 | 2018-04-07 |
| IPv4 | 124.248.228.30 | 2017-11-20 | 2018-04-07 |
| IPv4 | 14.139.200.107 | 2017-11-20 | 2018-04-07 |
| IPv4 | 175.100.189.174 | 2017-11-20 | 2018-04-07 |
| HASH | 1d195c40169cbdb0f50eca40ebda623… | 2017-11-20 | 2017-12-12 |
| HASH | c98e7241693fbcbfedf254f2edc8173… | 2017-11-20 | 2017-11-20 |
| HASH | af71ba26fd77830eea345c638d8c232… | 2017-11-20 | 2017-11-20 |
| HASH | a984a5ac41446db9592345e547afe7f… | 2017-11-20 | 2017-11-20 |
| HASH | 2b15e4289a3eb8e4eb8c2343895002d… | 2017-11-20 | 2017-11-20 |
| HASH | 4607082448dd745af3261ebed970130… | 2017-11-20 | 2017-11-20 |
| HASH | 941cd0662cae55bc06727f1d658aba6… | 2017-11-20 | 2017-11-20 |
| HASH | 0ff83f3b509c0ec7070d33dceb43cef… | 2017-11-20 | 2017-11-20 |
| HASH | 7576bfd8102371e75526f545630753b… | 2017-11-20 | 2017-11-20 |
| HASH | 4694895d6cc30a336d125d20065de25… | 2017-11-20 | 2017-11-20 |
| HASH | ffdc53425ce42cf1d738fe22016492e… | 2017-11-20 | 2017-11-20 |
| HASH | 800f9ffd063dd2526a4a43b7370a8b0… | 2017-11-20 | 2017-11-20 |
| HASH | 153db613853fb42357acb91b393d853… | 2017-11-20 | 2017-11-20 |
| HASH | b183625c006f50f2b64ebe0aebda7b6… | 2017-11-20 | 2017-11-20 |
| HASH | cf3e9baaac7efcaff8a9864da9f12b4… | 2017-11-20 | 2017-11-20 |
| HASH | 06cadaac0710ed1ef262e79c5cf12d8… | 2017-11-20 | 2017-11-20 |
| HASH | 790662a047047b0470e2f243e2628d8… | 2017-11-20 | 2017-11-20 |
| HASH | ed9e373a687e42a84252c2c01046824… | 2017-11-20 | 2017-11-20 |
| HASH | 410959e9bfd9fb75e51153dd3b04e24… | 2017-11-20 | 2017-11-20 |
| IPv4 | 211.115.205.41 | 2017-11-20 | 2017-11-20 |
| IPv4 | 173.0.138.250 | 2017-11-20 | 2017-11-20 |
| IPv4 | 98.101.211.250 | 2017-11-20 | 2017-11-20 |
| IPv4 | 4.3.3.1 | 2017-11-20 | 2017-11-20 |
| IPv4 | 113.10.170.98 | 2017-11-20 | 2017-11-20 |
| IPv4 | 97.211.212.31 | 2017-11-20 | 2017-11-20 |