otx.alienvault.com Open in urlscan Pro
13.227.222.104  Public Scan

URL: https://otx.alienvault.com/pulse/6139c6cffcb1a0ba0ed60bc5?utm_userid=swimlanecyou&utm_medium=inproduct&utm_source=otx&utm_c...
Submission: On September 09 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

×

On Friday, September 10th, 2021 at 5pm US/Central time, OTX will be undergoing
an internal migration. It is not expected that there will be any downtime, but
all such migrations come with some risk. If you see any unexpected behavior,
please report it to otx-support@alienvault.com. Screenshots and error messages,
if available, would be very useful to diagnose problems.

   
 * Browse
 * Scan Endpoints
 * Create Pulse
 * Submit Sample
 * API Integration
   
   
 * Login | Sign Up
   

All
   
 * Login | Sign Up
   
 * 
   


Share
Actions
Subscribers (157081)
Suggest Edit
Clone
Embed
Download
Report Spam



BLADEHAWK GROUP: ANDROID ESPIONAGE AGAINST KURDISH ETHNIC GROUP

   
 * Created 38 minutes ago by AlienVault
 * Public
 * TLP: White

ESET researchers have investigated a targeted mobile espionage campaign against
the Kurdish ethnic group. This campaign has been active since at least March
2020, distributing (via dedicated Facebook profiles) two Android backdoors known
as 888 RAT and SpyNote, disguised as legitimate apps. These profiles appeared to
be providing Android news in Kurdish, and news for the Kurds’ supporters. Some
of the profiles deliberately spread additional spying apps to Facebook public
groups with pro-Kurd content. Data from a download site indicates at least 1,481
downloads from URLs promoted in just a few Facebook posts.

Reference:
https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/
Tags:
android, kasablanka, rat, facebook, kurdish, spynote, bladehawk
Adversary:
BladeHawk
Targeted Countries:
Turkey , Iran, Islamic Republic of , Iraq , Syrian Arab Republic
Malware Families:
Android , Kasablanka
Att&ck IDs:
T1036 - Masquerading , T1070 - Indicator Removal on Host , T1566 - Phishing ,
T1402 - Broadcast Receivers , T1411 - Input Prompt , T1412 - Capture SMS
Messages , T1418 - Application Discovery , T1420 - File and Directory Discovery
, T1429 - Capture Audio , T1430 - Location Tracking , T1432 - Access Contact
List , T1433 - Access Call Log , T1444 - Masquerade as Legitimate Application ,
T1447 - Delete Device Data , T1508 - Suppress Application Icon , T1509 -
Uncommonly Used Port , T1512 - Capture Camera , T1513 - Screen Capture , T1533 -
Data from Local System , T1582 - SMS Control

Endpoint Security
Scan your endpoints for IOCs from this Pulse!
Learn more
 * Indicators of Compromise (36)
 * Related Pulses (1)
 * Comments (0)
 * History (0)

URL (9)Domain (2)FileHash-MD5 (4)FileHash-SHA256 (4)FileHash-SHA1 (17)

TYPES OF INDICATORS

Show
10 25 50 100
entries
Search:

type

indicator

Role

title

Added

Active

related Pulses

domainapkup.xyzSep 9, 2021, 8:33:20 AM1

domain888-tools.comSep 9, 2021, 8:33:20 AM0

FileHash-SHA256e69699299e9718936826bb4b9a99b80a0094480911861f7d0cf1303caf7d19b2TrojanSpy:AndroidOS/Krbot.A!MTBSep
9, 2021, 8:33:20 AM1

FileHash-SHA256bf64e31acf11bc27ea489429e84676f1ec7afaff2bc108b75bcfde6614f3497eTrojanSpy:AndroidOS/Krbot.A!MTBSep
9, 2021, 8:33:20 AM1

FileHash-SHA256bc0c55efffe32ba0d2bdc23d5aa9d60200b50c5a373bce9822af6316cdd4f2fbTrojanSpy:AndroidOS/Krbot.A!MTBSep
9, 2021, 8:33:20 AM1

FileHash-SHA2562a4cf22220b95ad1f802efd1ae8abea56e83dc598d66eb073d75882d20858e39TrojanSpy:AndroidOS/InfoStealer.L!MTBSep
9, 2021, 8:33:20 AM0

FileHash-SHA1fed42ab6665649787c6d6164a6787b13513b4a41Sep 9, 2021, 8:33:20 AM1

FileHash-SHA1f26ada23739366b9ebbf08babd5000023921465cSep 9, 2021, 8:33:20 AM1

FileHash-SHA1f0751f2715bea20a6d5cd7e9792dba0fa45394a5Sep 9, 2021, 8:33:20 AM1

FileHash-SHA1ef9d9bf1876270393615a21ab3917fcbe91bfc60Sep 9, 2021, 8:33:20 AM1


SHOWING 1 TO 10 OF 36 ENTRIES
1
2
3
4
Next


COMMENTS

You must be logged in to leave a comment.

Refresh Comments

 * © Copyright 2021 AlienVault, Inc.
   
 * Legal
   
 * Status