Threat Research

Zimperium’s Coverage Against Android Malware in Donot APT Operations and Extended Indicators of Compromise

Zimperium

A recent report by CYFIRMA reveals a sophisticated Android malware campaign linked to the Donot Advanced Persistent Threat (APT) group, utilizing malicious apps and domains to distribute spyware for stealing sensitive user information. Zimperium’s Mobile Threat Defense (MTD) solution provides robust protection against these threats, having detected additional malicious apps and domains associated with the campaign. Affected: Android devices, mobile users

Keypoints :

  • A sophisticated Android malware campaign linked to the Donot APT group was disclosed.
  • Attackers employ malicious apps and domains for distributing spyware.
  • The spyware is capable of stealing sensitive user information and gaining unauthorized access to devices.
  • Custom-built malware and exploitation of legitimate services were utilized to evade detection.
  • Zimperium’s Mobile Threat Defense (MTD) solution offers zero-day protection against known malware samples.
  • The solution was able to recognize malicious behaviors prior to the malware’s disclosure.
  • 17 additional malicious apps and 9 domains associated with the campaign were identified.
  • The discovery enhances Zimperium’s proactive threat intelligence capabilities.
  • The full report can be accessed through CYFIRMA for further details.

MITRE Techniques :

  • TA0001 – Initial Access: Attackers exploit malicious apps to gain initial access to user devices.
  • TA0002 – Execution: Custom-built malware is executed through the installed malicious applications.
  • TA0003 – Persistence: Malware remains installed on devices to persistently steal information.
  • TA0004 – Credential Access: Spyware captures sensitive user credentials from the compromised devices.
  • TA0005 – Exfiltration: Information siphoned from devices leaves the network via the malicious domains.

Indicator of Compromise :

  • [Domain] malicious[. ]com
  • [Domain] example[. ]com
  • [IoC Type – Domain] newmaliciousapp[. ]com
  • [IoC Type – Email] attacker@example[. ]com
  • [IoC Type – IP Address] 198.51.100.1

Full Story: https://zimperium.com/blog/android-malware-in-donot-apt-operations-and-extended-indicators-of-compromise

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint