Reaper Group’s Updated Mobile Arsenal
Summary
A recent post from EST Security revealed the use of Android spyware in spear phishing email attachments linked to the North Korean Reaper group (also known as APT37, Scarcruft, Group 123 or Red Eyes), highlighting a new mobile vector added to the threat group’s toolkit.
Unit 42 has looked further into EST’s findings and found a more advanced variant of the Trojan mentioned in their original article. Talos has written on this variant and named it KevDroid.
This post provides our analysis of KevDroid, as well as details on our discovery of previously unknown trojanized versions of a Bitcoin Ticker Widget and a PyeongChang Winter Games application that act as downloaders for the spyware variants.
Background
The post by EST Security detailed an Android spyware disguising itself as an Anti-Virus app from Naver (the largest search and web portal service provider in South Korea). While hunting for similar …
IoC
cgalim.com
http://cgalim.com/admin/hr/1.apk
http://hakproperty.com/new/plat/pu.php?do=download_rc&aid=
http://hakproperty.com/new/plat/pu.php?do=upload
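As an added example (not Unit 42's code), the following script sweeps the indicators listed above across web-proxy logs. The download_rc indicator ends in `aid=` with its value omitted on this page, so URL indicators are matched as prefixes rather than exact strings, and any host under the two IoC domains is also flagged. The Squid-style log format (`<timestamp> <client_ip> <method> <url> <status>`) and the sample lines are constructed for the example.

```python
"""Sweep the IoCs from this post across constructed proxy-log lines."""
from urllib.parse import urlsplit

# Domains taken from the IoC list above.
IOC_DOMAINS = {"cgalim.com", "hakproperty.com"}

# URL indicators from the IoC list. The download_rc entry is truncated on the
# page (the aid= value is not given), so all entries are treated as prefixes.
IOC_URL_PREFIXES = (
    "http://cgalim.com/admin/hr/1.apk",
    "http://hakproperty.com/new/plat/pu.php?do=download_rc&aid=",
    "http://hakproperty.com/new/plat/pu.php?do=upload",
)


def normalize_url(url):
    """Refang hxxp -> http, lower-case scheme and host, drop any port.

    Returns (normalized_url, host)."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{path}{query}", host


def match_url(url):
    """Return (indicator, kind) when the URL hits an IoC, otherwise None.

    kind is "url" for a full-URL prefix hit and "domain" for a host that is,
    or sits under, one of the IoC domains."""
    norm, host = normalize_url(url)
    for prefix in IOC_URL_PREFIXES:
        if norm.startswith(prefix):
            return prefix, "url"
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        return host, "domain"
    return None


def scan_proxy_log(lines):
    """Parse '<ts> <client_ip> <method> <url> <status>' lines (constructed
    format for this example) and return (line_no, client_ip, indicator, kind)
    for every hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line; skip rather than crash
        _ts, client_ip, _method, url = fields[:4]
        hit = match_url(url)
        if hit:
            hits.append((line_no, client_ip, hit[0], hit[1]))
    return hits


# Constructed sample log, not real traffic: one benign request, the dropper
# fetch, a download_rc request with an assumed aid value, an upload, and a
# request to an assumed subdomain of an IoC domain.
SAMPLE_LOG = [
    "1523000001 10.0.0.5 GET http://www.example.com/index.html 200",
    "1523000002 10.0.0.7 GET http://CGALIM.com/admin/hr/1.apk 200",
    "1523000003 10.0.0.7 GET http://hakproperty.com/new/plat/pu.php?do=download_rc&aid=42 200",
    "1523000004 10.0.0.7 POST http://hakproperty.com/new/plat/pu.php?do=upload 200",
    "1523000005 10.0.0.9 GET http://cdn.cgalim.com/img/logo.png 404",
]

if __name__ == "__main__":
    for line_no, client_ip, indicator, kind in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {client_ip} -> {indicator} ({kind})")
```

Prefix matching on the download_rc URL is deliberate: the C2 path and `do=` action are the stable part of the indicator, while the `aid=` value will differ per victim, so an exact-match rule built from the page would miss real hits.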