
LAS VEGAS – The suspected Iranian threat group that IBM Security X-Force calls ITG18 and which overlaps with the group known as Charming Kitten keeps leaving a trail of paw prints.

The latest: a custom Android backdoor dubbed “LittleLooter” – used exclusively by the threat actor, as far as researchers have been able to determine – that IBM Security X-Force detailed for the first time at Black Hat USA 2021.

On Wednesday, in a session titled “The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker,” X-Force researchers Allison Wikoff and Richard Emerson said you just have to laugh about all the errors the group keeps making. “If that is not amusing, I do not know what is,” Wikoff said. “And God, I love my job with things like this happening.”

Most recently, “things like this” included X-Force’s discovery of a file named “WhatsApp.apk” (md5: a04c2c3388da643ef67504ef8c6907fb) on infrastructure associated with ITG18 operations. X-Force determined that “WhatsApp.apk” was Android malware that the researchers dubbed “LittleLooter” based on its information-stealing capabilities.

For command-and-control (C2) communication, LittleLooter attempts to establish communication to the C2 server via HTTP POST requests and responses. X-Force says that the C2 server masquerades as a U.S. flower shop that’s been active since July 2020.

The communication between the malware and the C2 server is compressed via GZIP, AES encrypted and BASE64 encoded. The AES key and initialization vector (IV) are hardcoded into this sample: KEY: 3544c085656c997, IV: 4fcff6864c594343.
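For an analyst who has captured one of these POST bodies, the useful tool is a decoder that peels the three layers in reverse (Base64, then AES, then gzip) and reports which layer fails when the key or IV is wrong. The following is an added example, not code from X-Force or from the LittleLooter sample. It assumes AES in CBC mode with PKCS7 padding (the article names neither the mode nor the padding), uses the `cryptography` library, and uses constructed 16-byte placeholder values for the key and IV rather than the sample's real ones: the key string as printed above is 15 characters, which is not a valid AES key length, so it cannot be dropped in verbatim.

```python
"""Decoder for the gzip -> AES -> Base64 C2 wrapping described in the article.
Example code, not the malware's or X-Force's own. Assumptions: AES-CBC with
PKCS7 padding (mode/padding are not stated in the article); key and IV are
constructed placeholders, not the values hardcoded in the real sample."""
import base64
import binascii
import gzip
import zlib

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed placeholders. Replace with the values recovered from the sample
# (they must be 16, 24 or 32 bytes for the key and exactly 16 bytes for the IV).
PLACEHOLDER_KEY = b"0123456789abcdef"
PLACEHOLDER_IV = b"fedcba9876543210"


def _aes_cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def _aes_cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def wrap_c2_message(plaintext: bytes, key: bytes = PLACEHOLDER_KEY,
                    iv: bytes = PLACEHOLDER_IV) -> str:
    """Apply the layers in the order the article lists them: gzip, AES, Base64.
    Used here only to construct a realistic POST body for the decoder below."""
    compressed = gzip.compress(plaintext)
    return base64.b64encode(_aes_cbc_encrypt(key, iv, compressed)).decode("ascii")


def unwrap_c2_message(body: str, key: bytes = PLACEHOLDER_KEY,
                      iv: bytes = PLACEHOLDER_IV) -> bytes:
    """Reverse the layers: Base64 -> AES decrypt -> gunzip.

    Each stage is checked separately so a failure says which layer broke.
    A wrong key/IV shows up as an AES padding error or, less often, as a
    gzip error on garbage plaintext; a body that is not this protocol at all
    usually fails at the Base64 or block-length check."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (ValueError, binascii.Error) as exc:
        raise ValueError(f"base64 layer: {exc}") from exc

    if len(raw) == 0 or len(raw) % 16:
        raise ValueError(
            f"aes layer: ciphertext length {len(raw)} is not a multiple of 16")

    try:
        compressed = _aes_cbc_decrypt(key, iv, raw)
    except ValueError as exc:
        raise ValueError(f"aes layer: {exc}") from exc

    try:
        return gzip.decompress(compressed)
    except (OSError, EOFError, zlib.error) as exc:
        raise ValueError(f"gzip layer: {exc}") from exc


if __name__ == "__main__":
    # Constructed sample payload; not a real LittleLooter message.
    sample = b'{"id":"sample-device","status":"ok"}'
    body = wrap_c2_message(sample)
    print("POST body:", body)
    print("decoded:  ", unwrap_c2_message(body))
```

Keying the decoder by layer name is deliberate: when a triage script reports "aes layer" on a body that Base64-decodes cleanly to a block-aligned length, the wrapping matches the described protocol and the key or IV is the thing to revisit; a "base64 layer" failure means the capture is not this traffic at all.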
