Severity
High
Analysis Summary
Two variants of Android spyware connected to pro-India, state-sponsored hacking campaigns have been discovered. Hornbill and SunBird have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties. First detected in 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies.
Mobile apps containing the malware appear to be hosted outside of Google Play and are offered as software packages including the fake “Google Security Framework,” local news aggregators, Islam-related apps, and sports software. According to Lookout, the majority of these malicious apps appear to target the Muslim population.
Impact
- Spyware
- Exposure of sensitive data
- Information theft and espionage
Indicators of Compromise
Filename
falconry-connect_2[.]0[.]apk
MD5
91df5d08f8732362f8620e793bfba109
SHA-256
f615bb459a91d76ee8a56661666fc450297dd9f9736dbe5b3efda7fb2f2ade70
SHA1
1b5f4850a5b7eea0f69f44c71f6b10041952cd32
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
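One way to carry out the IOC search above is a hash-based sweep of a file tree. The script below is an added example written for this advisory, not Rewterz tooling; it embeds the MD5, SHA-1, SHA-256 and defanged filename published above, re-fangs the filename for matching, hashes each file once for all three algorithms, and reports which indicator types hit. The sample files it creates in a temporary directory are constructed placeholders, so a filename match without a hash match is exactly the low-confidence case a responder should expect to triage.

```python
"""Hash-based IOC sweep for the Hornbill/SunBird advisory (added example, not Rewterz's tooling)."""
import hashlib
import os
import tempfile

# IOC values taken from the advisory above; the filename is stored defanged exactly as published.
IOC_FILENAMES_DEFANGED = ["falconry-connect_2[.]0[.]apk"]
IOC_HASHES = {
    "md5": {"91df5d08f8732362f8620e793bfba109"},
    "sha1": {"1b5f4850a5b7eea0f69f44c71f6b10041952cd32"},
    "sha256": {"f615bb459a91d76ee8a56661666fc450297dd9f9736dbe5b3efda7fb2f2ade70"},
}


def refang(name):
    """Turn a defanged indicator ('[.]') back into the literal value used for matching."""
    return name.replace("[.]", ".")


IOC_FILENAMES = {refang(n).lower() for n in IOC_FILENAMES_DEFANGED}


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single pass over its contents."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_indicators(filename, digests):
    """Return the IOC types that hit for this filename/digest set (empty list means clean).

    A filename hit alone is weak evidence (trivially renamed); a hash hit is strong evidence.
    """
    hits = []
    if filename.lower() in IOC_FILENAMES:
        hits.append("filename")
    for algo, value in digests.items():
        if value.lower() in IOC_HASHES.get(algo, set()):
            hits.append(algo)
    return hits


def scan_tree(root):
    """Walk a directory and return {path: [hit types]} for every file matching an IOC."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            hits = match_indicators(fn, hash_file(path))
            if hits:
                findings[path] = hits
    return findings


def demo():
    """Constructed sample: one benign file and one file that reuses the IOC filename.

    The second file's content is a placeholder, so it matches on name only, not on hash.
    """
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"constructed benign content")
    with open(os.path.join(root, "falconry-connect_2.0.apk"), "wb") as fh:
        fh.write(b"constructed placeholder, NOT the real sample")
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: matched on {', '.join(hits)}")
```

Point `scan_tree()` at an extracted device backup or an APK quarantine directory; anything reported with a hash hit (md5, sha1 or sha256) should be escalated, while a filename-only hit is a prompt to pull the file for further analysis rather than a confirmed detection.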