
Unmasking State-Sponsored Mobile Surveillance Malware from Russia, China, and North Korea

2024-12-11, Lookout
https://i.blackhat.com/EU-24/Presentations/EU-24-V2-Islamoglu-Unmasking-State-Sponsored-Mobile-Surveillance.pdf
EU-24-V2-Islamoglu-Unmasking-State-Sponsored-Mobile-Surveillance.pdf, 6.5 MB
#Mobile #Slides #Kimsuky #KoSpy #ScarCruft

Contents

Unmasking State-Sponsored Mobile
Surveillance Malware from Russia,
China, and North Korea
Threat Actors, Tactics, and
Defense Strategies
Kyle Schmittle
Alemdar Islamoglu
Kristina Balaam



Who We Are

Kristina Balaam
Senior Staff Security Intelligence Researcher
Campaigns initiated by Chinese threat actors.
DragonEgg/WyrmSpy, MOONSHINE & Android BadBazaar
Passion for uncovering threats that target marginalized populations within mainland China and abroad.
https://linkedin.com/in/kebalaam

Kyle Schmittle
Senior Security Intelligence Researcher
Russia & Iran
BouldSpy, GuardZoo
Threat intelligence, reverse engineering
https://www.linkedin.com/in/kyle-s-b851ab151/

Alemdar Islamoglu
Senior Staff Security Intelligence Researcher
North Korea and Middle East.
Hermit, BouldSpy and GuardZoo
Reverse engineering, penetration testing, and security software development.
https://www.linkedin.com/in/alemdarh/

#BHEU @BlackHatEvents


Agenda
▪ I - Overview of the Mobile APT Landscape
  ▪ Russia, China, North Korea
▪ II - APTs and Their Tricks
  ▪ Accessing Devices
  ▪ Detection Countermeasures
  ▪ Who’s Under Attack
  ▪ How We Attribute Activity
▪ III - Takeaways
  ▪ Fingerprints of State-Backed Surveillance
  ▪ Mitigation Techniques
  ▪ Call to Action


I - Overview of the
Mobile APT Landscape
Russia, China, North Korea



Mobile APT Groups: Russia

2019 - Monokle
  Developer - STC
  Used by likely Turla (FSB Center 16)
2022 - BoneSpy
  Based on DroidWatcher
2023 - Infamous Chisel
2024 - PlainGnome
IoC

http://llkeyvost.ddns.net
http://detroito.ru
http://bashaardi.ru
https://interlab.or.kr/archives/2567
http://buckso.ru
http://vasifgo.ru
http://47.112.137.199
http://loperto.ru
http://hitrovana.ru
http://secure-bdf.com
http://molotiras.ru
http://secure-qonto-pro.com
http://drowrang.ru
http://milashto.ru
http://baloglandi.ru
http://binace.homes
http://dsp2formulaire-bdf.net
http://89.185.84.81
47.112.137.199
89.185.84.81
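The IoC list above mixes URL-form domains, URL-form IPs and bare IPs, and a raw string match against logs would miss subdomains of the dynamic-DNS entry and match far too much if someone matched on `ddns.net`. The following is an added example (not code from the slides or from Lookout) that normalizes the page's indicators into domain and IP sets and scans them against a constructed DNS/connection log; the log format, the client addresses and every log line are invented for the example, and the speaker profile and reference links that the hosting page mixed into the list are treated as non-indicators and omitted.

```python
# Added example (not from the slides or from Lookout): normalize the IoC list
# above into domain and IP sets and match them against DNS/connection logs.
# The indicators are copied from the page; the log format and log lines are
# constructed for this example.
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as listed on the page. The speaker LinkedIn profiles and the
# interlab.or.kr reference that the hosting page mixed into the list are
# not indicators and are left out.
RAW_IOCS = [
    "http://llkeyvost.ddns.net", "http://detroito.ru", "http://bashaardi.ru",
    "http://buckso.ru", "http://vasifgo.ru", "http://47.112.137.199",
    "http://loperto.ru", "http://hitrovana.ru", "http://secure-bdf.com",
    "http://molotiras.ru", "http://secure-qonto-pro.com", "http://drowrang.ru",
    "http://milashto.ru", "http://baloglandi.ru", "http://binace.homes",
    "http://dsp2formulaire-bdf.net", "http://89.185.84.81",
    "47.112.137.199", "89.185.84.81",
]


def normalize_ioc(raw):
    """Reduce a URL, bare hostname or bare IP to ('ip', addr) or ('domain', name)."""
    s = raw.strip().lower()
    if "://" not in s:
        s = "//" + s          # let urlsplit treat a bare host as the netloc
    host = (urlsplit(s).hostname or "").rstrip(".")
    try:
        return "ip", str(ipaddress.ip_address(host))
    except ValueError:
        return "domain", host


def build_index(raw_iocs):
    """Split indicators into a deduplicated IP set and domain set."""
    ips, domains = set(), set()
    for raw in raw_iocs:
        kind, value = normalize_ioc(raw)
        (ips if kind == "ip" else domains).add(value)
    return ips, domains


def domain_matches(name, domains):
    """True if name is an indicator or a subdomain of one.

    Walks up the label chain, so c2.llkeyvost.ddns.net hits llkeyvost.ddns.net
    while other.ddns.net does not: the shared dynamic-DNS provider is not an
    indicator by itself.
    """
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


# Constructed log format: "<timestamp> dns <client> <queried name>"
#                      or "<timestamp> conn <client> <dst-ipv4>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|conn)\s+(?P<src>\S+)\s+(?P<target>\S+)$")


def scan_log(lines, ips, domains):
    """Return (timestamp, client, normalized target) for each line that matches an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unparseable line: skip rather than crash
        ts, kind, src, target = m.group("ts", "kind", "src", "target")
        if kind == "dns":
            name = target.lower().rstrip(".")
            if domain_matches(name, domains):
                hits.append((ts, src, name))
        else:
            dst_ip = target.rsplit(":", 1)[0]   # IPv4-only in this constructed format
            if dst_ip in ips:
                hits.append((ts, src, dst_ip))
    return hits


# Constructed sample log: lines 1, 4 and 6 should match, the others should not.
SAMPLE_LOG = [
    "2024-12-11T10:00:01Z dns 10.0.0.5 c2.llkeyvost.ddns.net",
    "2024-12-11T10:00:02Z dns 10.0.0.5 updates.example.org",
    "2024-12-11T10:00:03Z dns 10.0.0.7 other.ddns.net",
    "2024-12-11T10:00:04Z conn 10.0.0.5 47.112.137.199:443",
    "2024-12-11T10:00:05Z conn 10.0.0.9 93.184.216.34:443",
    "2024-12-11T10:00:06Z dns 10.0.0.7 SECURE-QONTO-PRO.COM.",
]


def demo():
    """Index the page's indicators and scan the constructed sample log."""
    ips, domains = build_index(RAW_IOCS)
    return scan_log(SAMPLE_LOG, ips, domains)


if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

Two points the code makes that a flat string match would not: the duplicate IP entries collapse to one set member, and the dynamic-DNS indicator matches its own subdomains without turning every `ddns.net` name into an alert. The same normalization step is what you would run over an extracted IoC list before loading it into a blocklist, since lists lifted from slides routinely carry non-indicator URLs like the ones stripped here.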