Showing posts from October, 2022


As always, IOCs at the end.

Characteristics:
- Uses IRC to send data to the attacker, and also FTP.
- Gets the victim's IP address via external services; it uses ip2location until it is able to connect to the external service.
- Gets the list of installed applications.
- Sends SMS messages using the device.
- Requests several permissions:
  - android.permission.INTERNET
  - android.permission.READ_EXTERNAL_STORAGE
  - android.permission.RECEIVE_BOOT_COMPLETED
  - android.permission.REBOOT
  - android.permission.CALL_PHONE
  - android.permission.READ_SMS
  - android.permission.READ_CONTACTS
  - android.permission.SEND_SMS
  - android.permission.WRITE_EXTERNAL_STORAGE
  - android.permission.READ_CALL_LOG
  - android.permission.SYSTEM_ALERT_WINDOW
- Includes Spanish strings in the code, suggesting the actor is from a Spanish-speaking country. The IP address from which the duckdns domain serves the APK is located in Spain.

Useful links:
- Virustotal Graph:
- Virustotal Collection: https://www.virusto
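As an added triage example (not code from the original post), the following Python script parses an AndroidManifest.xml and reports which capability groups implied by the permission set above are fully present, plus how much of that permission profile a manifest shares; the capability groupings and the sample manifest are constructed assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission set listed in the post for this sample.
SAMPLE_PROFILE = {
    "android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.REBOOT",
    "android.permission.CALL_PHONE", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.SEND_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_CALL_LOG",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Capability groups are this example's own triage assumption, not something the
# post defines; a group fires only when all of its permissions are requested.
CAPABILITIES = {
    "sms_read_and_send": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "contact_and_call_log_harvest": {"android.permission.READ_CONTACTS",
                                     "android.permission.READ_CALL_LOG"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "overlay_window": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "network_exfil": {"android.permission.INTERNET"},
}

def manifest_permissions(xml_text):
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(xml_text)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def triage(xml_text):
    """List the capability groups fully present and the fraction of the
    sample's permission profile the manifest shares (0.0 to 1.0)."""
    perms = manifest_permissions(xml_text)
    hits = sorted(cap for cap, needed in CAPABILITIES.items() if needed <= perms)
    overlap = round(len(perms & SAMPLE_PROFILE) / len(SAMPLE_PROFILE), 2)
    return {"capabilities": hits, "profile_overlap": overlap, "permissions": sorted(perms)}

# Constructed manifest: the sample's permissions plus one benign extra.
CONSTRUCTED_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.constructed">\n'
    + "".join(f'  <uses-permission android:name="{p}"/>\n'
              for p in sorted(SAMPLE_PROFILE | {"android.permission.ACCESS_NETWORK_STATE"}))
    + "</manifest>"
)

if __name__ == "__main__":
    print(triage(CONSTRUCTED_MANIFEST))
```

A manifest that only requests INTERNET yields a single capability group and a low profile overlap, which is the contrast a triage rule should preserve.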