New Android Spyware Campaign Targets South Koreans via AWS
Oct. 1, 2024, 8:20 p.m.
Description
A sophisticated Android spyware campaign targeting South Koreans has been uncovered by Cyble Research and Intelligence Labs. Active since June 2024, the malware abuses an Amazon AWS S3 bucket as its command-and-control (C&C) server to exfiltrate sensitive personal data, including SMS messages, contacts, images, and videos. The spyware, which has evaded detection by major antivirus solutions, mimics legitimate applications and operates with minimal permissions. Upon installation, it collects data and stores it in JSON files before transmitting it to the C&C server. The campaign highlights a growing trend of attackers hosting malicious infrastructure on trusted cloud services, which makes detection more challenging because the traffic blends in with legitimate cloud use.
Tags
Date
- Created: Oct. 1, 2024, 7:25 p.m.
- Published: Oct. 1, 2024, 7:25 p.m.
- Modified: Oct. 1, 2024, 8:20 p.m.
Indicators
Attack Patterns
- T1486
- T1082
- T1105
- T1083
- T1140
- CVE-2017-11882
- CVE-2024-21893
- CVE-2024-21887
- CVE-2023-46805
- CVE-2021-44228
Additional Information
- Telecommunications