New Android Spyware Campaign Targets South Koreans via AWS

Oct. 1, 2024, 8:20 p.m.

Description

A sophisticated Android spyware campaign targeting South Koreans has been uncovered by Cyble Research and Intelligence Labs. Active since June 2024, the malware uses an Amazon Web Services (AWS) S3 bucket as its Command and Control (C&C) server to exfiltrate sensitive personal data, including SMS messages, contacts, images, and videos. The spyware, which has evaded detection by major antivirus solutions, mimics legitimate applications and operates with minimal permissions. Upon installation, it collects data and stores it in JSON files before transmitting it to the C&C server. The campaign highlights a growing trend of attackers using trusted cloud services to host malicious infrastructure, which makes detection more challenging.

Date

Published: Oct. 1, 2024, 7:25 p.m.
Created: Oct. 1, 2024, 7:25 p.m.
Modified: Oct. 1, 2024, 8:20 p.m.

Indicators

c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647

https://refundkorea.cyou/REFUND%20KOREA.apk

https://bobocam365.icu/downloads/pnx01.apk

Attack Patterns

T1486

T1082

T1105

T1083

T1140

CVE-2017-11882

CVE-2024-21893

CVE-2024-21887

CVE-2023-46805

CVE-2021-44228

Additional Information

Telecommunications