Reaper Group’s Updated Mobile Arsenal
2018-04-05 • Palo Alto Networks
https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/
Unit 42 links an expanded Android spyware set to the North Korean Reaper group, also known as APT37, Scarcruft, Group 123, or Red Eyes. The activity includes trojanized versions of a Bitcoin Ticker Widget and a PyeongChang Winter Games application that prompt users to "update"; accepting the prompt downloads spyware from cgalim[.]com. The newer KevDroid variant can record audio and video, list files, collect device and account data, root the device, and exfiltrate call recordings. Stolen data is staged under /sdcard/_pu, AES-encrypted with the key 08D03B0B6BE7FBCD, and uploaded to infrastructure at hakproperty[.]com, showing that Reaper's mobile operations were actively evolving around topical lures.
Indicators of Compromise