Lookout Discovers North Korean APT37 Mobile Spyware

2025-03-12, Lookout
https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37
#APT37 #KoSpy #Mobile

Contents

Lookout Discovers New Spyware by North Korean APT37
- KoSpy is a new Android spyware attributed to the North Korean group APT37. It masquerades as utility apps and targets Korean- and English-speaking users.
- The spyware was first observed in March 2022 and remains active with new samples still publicly hosted. It uses a two-stage C2 infrastructure that retrieves initial configurations from a Firebase cloud database.
- KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins.
- The spyware has Korean language support with samples distributed across Google Play and third-party app stores such as Apkpure.
- There is evidence of infrastructure being shared with APT43, which is another notorious North Korean state-sponsored group also known as Kimsuky.

Lookout Threat Lab researchers have discovered a novel Android surveillance tool, dubbed KoSpy, which appears to target Korean and English-speaking users. The spyware, attributed with medium …

IoC
