Scarcruft Bolsters Arsenal for targeting individual Android devices
Author: BLKSMTH | S2W TALON
Last Modified: Mar 23, 2023
Executive Summary
- According to an analysis report published by InterLab in December 2022, a South Korean journalist received a message requesting a conversation via the WeChat messenger, and the sender instructed the journalist to install a malicious APK named “Fizzle.apk” that was disguised as a messenger app. InterLab named the malicious APK "RambleOn".
- The sample shares features and code with the mobile version of the ROKRAT malware that the Scarcruft group has been using since 2017.
- While tracking the Scarcruft group, researchers at S2W Talon identified additional samples with functionality similar to that disclosed in the InterLab report, along with significant upgrades over earlier versions.
- Scarcruft is assessed with high confidence to gain initial access by contacting targets directly through messaging apps, as in this case, and tricking them into installing a malicious APK disguised as a legitimate app.
- S2W …
IoC (MD5)
0711102cbfcf18a3672a892c4ea31ad1
15470bafbaf3841bac1813881e6524fa
1d4683844c8429ad141f9f66bcf29728
1f2c23c7c9ecb28bfdc6627a3ad23783
214ead5c75899b8d1382e558e542574a
27e0dcceb68c03b246874c9fcc9b744e
3ae92bc233dd6a4412aa77da4dc44a19
445922b01b3f8f463cb9f48d74efd9a8
464df52f091f95a561474d4de62a821b
580f22dde975ac5e3544f3a74f4a91b9
5dde5f5fcc1ebfd932e1ef0bfcc7b272
72182f83e771fcaaa1e86c7c932014cb
759b26631a660d82f6a93621991c4292
8092bb293352ef572464c682e81f329f
89c669739066ac655a1e2b772bb020f3
957ebfbd0b23a164529d7510ca89ddae
97856a842ff8161576fee5ad3fd0ec67
97a750f33812195cc2add4ebd120b468
97a9ab76af215241ad2a07856b40242e
97ecdb46b8325a845e998cfe3bd2262e
a90e3bd0e2de1b6a6bec269dc0f09369
a97e22b8ca16452a4ddcb32284d7c7a7
ae767e4658a5d235ec614eaa8655da0d
be6f13d6e7ae5039aed46d1f8844f3ee
ce3104fe4184558feea707368846c226
d7723de89903a04b93c7a9a92d8309c2
e4f781e00bc48f88a717095deb78be6f
f58fed1e492f40d28e0bc38dc0f76b35
fe11b08764fba51236325be852ca1406
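The list above is only useful once it is applied to files pulled from a device or a mail/messenger quarantine. The script below is an added example written for this page, not S2W's tooling: it embeds the MD5 IoCs from the section above, hashes every `.apk` under a directory in chunks, and reports exact matches. The function names, the `demo()` helper and the placeholder bytes it writes are this example's own constructions (no real malware is shipped; the demo adds the placeholder file's hash to the IoC set at runtime so the match path can be exercised offline).

```python
"""Scan pulled APKs against the MD5 IoCs listed above.

Added example, not S2W's code. The IoC set is copied from the report;
the scanner, helper names and demo inputs are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# MD5 hashes from the IoC section of this report.
SCARCRUFT_ANDROID_MD5: Set[str] = {
    "0711102cbfcf18a3672a892c4ea31ad1", "15470bafbaf3841bac1813881e6524fa",
    "1d4683844c8429ad141f9f66bcf29728", "1f2c23c7c9ecb28bfdc6627a3ad23783",
    "214ead5c75899b8d1382e558e542574a", "27e0dcceb68c03b246874c9fcc9b744e",
    "3ae92bc233dd6a4412aa77da4dc44a19", "445922b01b3f8f463cb9f48d74efd9a8",
    "464df52f091f95a561474d4de62a821b", "580f22dde975ac5e3544f3a74f4a91b9",
    "5dde5f5fcc1ebfd932e1ef0bfcc7b272", "72182f83e771fcaaa1e86c7c932014cb",
    "759b26631a660d82f6a93621991c4292", "8092bb293352ef572464c682e81f329f",
    "89c669739066ac655a1e2b772bb020f3", "957ebfbd0b23a164529d7510ca89ddae",
    "97856a842ff8161576fee5ad3fd0ec67", "97a750f33812195cc2add4ebd120b468",
    "97a9ab76af215241ad2a07856b40242e", "97ecdb46b8325a845e998cfe3bd2262e",
    "a90e3bd0e2de1b6a6bec269dc0f09369", "a97e22b8ca16452a4ddcb32284d7c7a7",
    "ae767e4658a5d235ec614eaa8655da0d", "be6f13d6e7ae5039aed46d1f8844f3ee",
    "ce3104fe4184558feea707368846c226", "d7723de89903a04b93c7a9a92d8309c2",
    "e4f781e00bc48f88a717095deb78be6f", "f58fed1e492f40d28e0bc38dc0f76b35",
    "fe11b08764fba51236325be852ca1406",
}


def normalize_iocs(iocs: Iterable[str]) -> Set[str]:
    """Lower-case and strip hashes so feed formatting never causes a miss."""
    return {h.strip().lower() for h in iocs if h.strip()}


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks; APKs can be tens of megabytes."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(root: str, iocs: Iterable[str] = SCARCRUFT_ANDROID_MD5,
                  suffixes: Tuple[str, ...] = (".apk",)) -> List[Dict[str, str]]:
    """Walk `root` and return every matching file as {"path", "md5"}.

    Pass suffixes=() to hash every file regardless of extension.
    """
    wanted = normalize_iocs(iocs)
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if suffixes and p.suffix.lower() not in suffixes:
                continue
            digest = md5_of_file(p)
            if digest in wanted:
                hits.append({"path": str(p), "md5": digest})
    return sorted(hits, key=lambda hit: hit["path"])


# Constructed demo inputs: placeholder bytes, not real APK content.
DEMO_SUSPECT = b"constructed placeholder standing in for Fizzle.apk\n"
DEMO_BENIGN = b"constructed placeholder standing in for a benign app\n"


def demo() -> Tuple[List[Dict[str, str]], str]:
    """Build a throwaway tree with one 'suspect' and one benign APK, scan it.

    The suspect file's MD5 is unioned into the IoC set at runtime so the demo
    runs offline. Returns (hits, suspect_md5).
    """
    with tempfile.TemporaryDirectory() as tmp:
        pulled = Path(tmp) / "pulled"
        pulled.mkdir()
        suspect = pulled / "Fizzle.apk"
        suspect.write_bytes(DEMO_SUSPECT)
        (pulled / "benign.apk").write_bytes(DEMO_BENIGN)
        (pulled / "notes.txt").write_bytes(DEMO_SUSPECT)  # same bytes, wrong suffix: skipped
        suspect_md5 = md5_of_file(suspect)
        hits = scan_for_iocs(tmp, iocs=SCARCRUFT_ANDROID_MD5 | {suspect_md5})
    return hits, suspect_md5


if __name__ == "__main__":
    found, _ = demo()
    for hit in found:
        print(f"IoC match: {hit['md5']}  {hit['path']}")
```

To use it against a real device, list installed packages with `adb shell pm list packages -f`, pull the APK paths of interest with `adb pull`, and call `scan_for_iocs("/path/to/pulled")`. Hash IoCs only match the exact builds S2W observed; a repacked or re-signed variant produces a different MD5, so treat a clean result as "no known sample present", not as proof the device is uncompromised.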