Coper / Octo – A Conductor for Mobile Mayhem… With Eight Limbs?

Coper/Octo is an Android malware-as-a-service evolved from the Exobot family, offering customers a configurable payload with injects, keylogging, VNC remote control, SMS interception, and a feature-rich C2 panel. The analysis details RC4-encrypted Dex classes (key lU0jgv9f6hgMZI48x), AES-encrypted and Base64-encoded C2 traffic that can be decrypted with extracted AES keys, and identifiable infrastructure such as 94.156.68.191 and certificate subjects like CN=www.example.com. #Coper #Octo

Key points

  • Coper/Octo originates from the Exobot family and is offered as a Malware-as-a-Service with a panel and builder for customers to run regionally targeted campaigns.
  • The malware’s payload is highly configurable via a JSON-like configuration (fields include block_push_apps, desired_apps, domains_bot/extra_domains, keylogger_enabled, injects_list, smarts_ver, net_delay, uninstall_apps/uninstall_delay).
  • Main capabilities include keylogging, UI injects/overlays (fake login, pattern, URL injects), VNC remote control (requires Accessibility Service), and SMS interception/forwarding.
  • C2 communications are AES encrypted and Base64 encoded; Dex classes are RC4-encrypted with a hardcoded key (lU0jgv9f6hgMZI48x), enabling analysts to decrypt components and traffic using extracted keys and tools like CyberChef.
  • The bot registration process collects IMEI, model, Android version, uptime, $country and $lang, and enforces filters to exclude CIS countries, China, and Ukraine; it also detects emulators/VMs.
  • Operators control infected devices via commands (e.g., delete_bot, intercept_off/_on, lock_off/_on, open_url, set_vnc_task, sms, start_/stop_keylogger, vnc_start/_stop) and can retrieve screenshots and keylogger files, which are deleted after reading.
  • Infrastructure indicators include specific C2 IPs (e.g., 94.156.68.191, 91.240.118.224) and recurring X.509 certificate subjects (e.g., CN=www.example.com, OU=Department, O=Company) used to track C2 servers.

MITRE Techniques

  • No MITRE ATT&CK technique IDs are explicitly mentioned in the article.

Indicators of Compromise

  • [Domain/URL] C2 and payload URLs used to deliver or host lures – karmelinanoonethousandbaby[.]net/YzI4MGFhZjI2MmM5/, sanagerekkalmaz1453[.]shop/MTFiMzQ4NGQ2MWU4/, and 7 other listed URLs.
  • [IP Address] Observed C2 controllers mentioned in traffic and server analysis – 94.156.68.191, 91.240.118.224, and other related IPs used across campaigns.
  • [X.509 Certificate] Reused certificate subject used as an infrastructure marker – CN=www.example.com, OU=Department, O=Company (seen across multiple C2 servers).
  • [Spoofed Apps / Lures] Applications used as social-engineering vectors – fake Bancolombia “Personas” app, spoofed Facebook and Google Chrome lures (used in payload parameters).

Rewritten technical summary:

Coper/Octo is delivered as a configurable Android payload whose installer includes a per-customer configuration specifying targeted apps (desired_apps), blocked push apps (block_push_apps), primary and backup C2 domains (domains_bot and extra_domains), network timing (net_delay), inject selections (injects_list and smarts_ver), keylogger toggle (keylogger_enabled), and uninstall schedules. Operators interact with bots over AES-encrypted, Base64-encoded channels and issue commands such as delete_bot, intercept_off/_on, lock_off/_on, open_url, set_vnc_task, sms, start_/stop_keylogger, and vnc_start/_stop; all communication parameters and bot state are stored and updated on the C2 backend (registration captures IMEI, model, Android version, uptime, $country, $lang, etc.).

The malware uses multiple data-exfiltration methods: a keylogger that writes keystrokes to a temporary file (deleted after reading); UI injects/overlays (fake pattern/unlock screens, Gmail login forms, and URL injects that capture inputs via onblur handlers and post them to files such as gmail_login); VNC remote-control functions (screen capture, virtual keyboard, pattern input, backlight manipulation), which require the Accessibility Service; and SMS interception that aborts the incoming broadcast (EXC_SMSRCV) while recording sender (sA), body (sB), and timestamp (sT). Dex classes in the APK are RC4-encrypted with the hardcoded key lU0jgv9f6hgMZI48x; analysts can decrypt these classes, and can use the C2 AES keys recovered from sandbox configuration extractions to decrypt captured PCAP traffic and reveal payload parameters with tools like CyberChef.

For hunting and infrastructure mapping, notable indicators include C2 IPs observed in intercepted traffic (e.g., 94.156.68.191, 91.240.118.224), a recurring X.509 certificate subject (CN=www.example.com, OU=Department, O=Company) often used when provisioning new C2 servers, and the URL patterns listed in the IoC set; analysts should monitor for the RC4-encrypted Dex pattern with the known key and AES-encrypted Base64 exchanges that, when decoded with extracted keys, reveal bot parameters (e.g., lB identifying the spoofed app) and victim metadata.
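The "RC4-encrypted Dex pattern" hunt above can be reduced to a trial decryption: decrypt the head of a candidate asset with the key quoted on the page and look for the Dex magic. The snippet below is an added example, not Team Cymru's tooling or the malware's code; it assumes plain RC4 (no drop-N or key-schedule variant) and that the encrypted asset begins directly with the Dex header, and the sample blob it scans is constructed inline.

```python
"""Trial-decrypt a blob with the Coper/Octo RC4 key and check for a Dex header."""
import re

RC4_KEY = b"lU0jgv9f6hgMZI48x"               # hardcoded key quoted on the page
DEX_MAGIC = re.compile(rb"^dex\n0\d\d\x00")  # "dex\n035\0", "dex\n038\0", ...


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA) followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def looks_like_rc4_dex(blob: bytes, key: bytes = RC4_KEY) -> bool:
    """True if decrypting the first 8 bytes with `key` yields a Dex file header."""
    head = rc4_crypt(key, blob[:8])
    return DEX_MAGIC.match(head) is not None


# Constructed sample: a fake Dex header encrypted under the page's key, standing in
# for an encrypted asset extracted from a Coper/Octo APK (no real sample embedded).
SAMPLE_PLAIN = b"dex\n035\x00" + b"\x00" * 24
SAMPLE_ENCRYPTED = rc4_crypt(RC4_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    print("known key  :", looks_like_rc4_dex(SAMPLE_ENCRYPTED))
    print("other key  :", looks_like_rc4_dex(rc4_crypt(b"otherkey", SAMPLE_PLAIN)))
```

Run it over every file under an unpacked APK's assets directory; a hit means the asset decrypts to a Dex header under the known key and deserves a full decrypt and inspection.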

Read more: https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs