|
Satori recently published a report on a massive fraud campaign they have dubbed “Konfety” (Russian word for “candy”). Sounds sweet, right? But that’s not the case, as the name references CaramelAds, the mobile ad SDK they abused to create evil twins or malicious duplicates of popular apps available on the world’s biggest app marketplaces. At the time of publication, 250 evil twin apps have been found on Google Play alone.
The researchers published 23 indicators of compromise (IoCs) comprising 17 domain names and six IP addresses, which the WhoisXML API research team expanded using extensive WHOIS, IP, and other DNS intelligence sources. Our in-depth investigation led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
First we gathered more information about the threat by querying the 17 domains identified as Konfety IoCs on Bulk WHOIS Lookup. We found out that:
The domain IoCs were created between 2017 and 2023, which shows the threat actors didn’t favor using newly registered domains (NRDs). The highest number of domain IoCs, five to be exact, were created in 2020, in fact.
A majority of the domain IoCs, nine to be exact, were registered in Russia. Bahamas accounted for four domain IoCs, while the Netherlands accounted for one. Two domain IoCs didn’t have registrant countries in their current WHOIS records.
Next, we queried the six IP addresses identified as IoCs on Bulk IP Geolocation Lookup and discovered that:
OVHCloud was the top ISP with three IP address IoCs, followed by HZ-NL with two. ITL Company accounted for the last IP address IoC.
We started our hunt for connected threat artifacts with WHOIS History API queries for the 16 domains identified as IoCs. That led to the discovery of 30 email addresses in their historical WHOIS records. Eight of them were public email addresses that we then used as search terms for Reverse WHOIS API. Our queries allowed us to unearth 302 email-connected domains after filtering out duplicates and the IoCs.
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byVerisign