
Inspecting Konfety’s Evil Twin Apps through the DNS Lens


Satori recently published a report on a massive fraud campaign they dubbed “Konfety” (the Russian word for “candy”). Sounds sweet, right? It isn’t: the name references CaramelAds, the mobile ad SDK the operators abused to create evil twins, that is, malicious duplicates of popular apps available on the world’s biggest app marketplaces. At the time of publication, 250 evil twin apps had been found on Google Play alone.

The researchers published 23 indicators of compromise (IoCs) comprising 17 domain names and six IP addresses, which the WhoisXML API research team expanded using extensive WHOIS, IP, and other DNS intelligence sources. Our in-depth investigation led to the discovery of:

  • 302 email-connected domains
  • Five additional IP addresses, two of which turned out to be malicious
  • Eight IP-connected domains, one of which turned out to be associated with malware distribution
  • 326 string-connected domains, one of which turned out to be connected with malware distribution

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the IoCs

First, we gathered more information about the threat by querying the 17 domains identified as Konfety IoCs on Bulk WHOIS Lookup. We found out that:

  • One of the domain IoCs didn’t have details in its current WHOIS record, leaving us with 16 domain IoCs for further analysis.
  • Internet Domain Service led the pack of registrars, accounting for eight domain IoCs. TLD Registrar Solutions took the second spot with four domain IoCs, followed by Namecheap with two. Danesco Trading and Metaregistrar tied in last place with one domain IoC each.
  • The domain IoCs were created between 2017 and 2023, which suggests the threat actors didn’t favor newly registered domains (NRDs). The largest group, five domain IoCs, was created in 2020.
  • A majority of the domain IoCs, nine to be exact, were registered in Russia. The Bahamas accounted for four domain IoCs and the Netherlands for one. Two domain IoCs didn’t have registrant countries in their current WHOIS records.

Next, we queried the six IP addresses identified as IoCs on Bulk IP Geolocation Lookup and discovered that:

  • They were spread across three geolocation countries led by Poland, which accounted for three IP address IoCs. Two IP address IoCs were geolocated in the Netherlands and one in Sweden. Only the Netherlands appeared on both the registrant-country and the geolocation-country lists.
  • OVHcloud was the top ISP with three IP address IoCs, followed by HZ-NL with two. ITL Company accounted for the last IP address IoC.

IoC List Expansion Findings

We started our hunt for connected threat artifacts with WHOIS History API queries for the 16 domains identified as IoCs. That led to the discovery of 30 email addresses in their historical WHOIS records. Eight of them were public email addresses (i.e., not privacy- or proxy-redacted, which matters because a proxy address is shared by many unrelated domains and would link to far more than the campaign’s infrastructure), and we used these as search terms for Reverse WHOIS API. Our queries allowed us to unearth 302 email-connected domains after filtering out duplicates and the IoCs themselves.
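The pivot described in this section (historical WHOIS records, then registrant emails, then reverse WHOIS, then deduplication and removal of the IoCs), together with the WHOIS triage in the previous section, as an added Python example. This is not WhoisXML API’s code and it does not call its API: the WHOIS history and reverse-WHOIS fixtures are constructed for illustration (not Konfety data), the record field names are assumed, and the privacy/proxy and role-address patterns are an assumed heuristic rather than a curated list.

```python
"""Reverse-WHOIS pivot from a set of domain IoCs to email-connected domains.

Added example; this is not WhoisXML API's code and does not call its API.
The WHOIS history and reverse-WHOIS results below are constructed fixtures
(not Konfety data) standing in for API responses; real field names differ.
"""
import re
from collections import Counter, defaultdict

# Constructed fixture: historical WHOIS snapshots per IoC domain.
# "created" is the domain's creation date; each snapshot is one WHOIS record.
HISTORY = {
    "a.example": [
        {"snapshot": "2020-03-12", "created": "2020-03-11", "registrar": "Internet Domain Service",
         "country": "RU", "emails": ["admin@vendor-a.example"]},
        {"snapshot": "2023-01-05", "created": "2020-03-11", "registrar": "Internet Domain Service",
         "country": "RU", "emails": ["abuse@privacyprotect.example"]},
    ],
    "b.example": [
        {"snapshot": "2017-08-21", "created": "2017-08-20", "registrar": "Namecheap",
         "country": "BS", "emails": ["admin@vendor-a.example", "registrant@whoisguard.example"]},
    ],
    "c.example": [
        {"snapshot": "2020-06-03", "created": "2020-06-02", "registrar": "TLD Registrar Solutions",
         "country": None, "emails": ["Billing@Vendor-B.example"]},
    ],
    "d.example": [],  # no WHOIS record at all, like one of the 17 Konfety domain IoCs
}

# Constructed fixture: reverse-WHOIS index (email -> domains that carried it).
REVERSE_WHOIS = {
    "admin@vendor-a.example": ["a.example", "b.example", "shop-a.example", "Shop-A.example", "promo-a.example"],
    "billing@vendor-b.example": ["c.example", "promo-a.example", "cdn-b.example"],
    # A proxy address is shared by thousands of unrelated domains; pivoting on it
    # would flood the result set with false positives, so it is never queried.
    "abuse@privacyprotect.example": ["unrelated-1.example", "unrelated-2.example"],
}

# Assumed heuristics for privacy/proxy services and registrar role accounts; a
# real deployment would maintain a curated list of known privacy-service domains.
PRIVACY_RE = re.compile(r"privacy|proxy|whoisguard|redacted|protect", re.I)
ROLE_RE = re.compile(r"^(abuse|hostmaster|postmaster)@", re.I)


def current_record(snapshots):
    """Return the most recent WHOIS snapshot, or None if the domain has no record."""
    return max(snapshots, key=lambda r: r["snapshot"]) if snapshots else None


def summarize_iocs(history):
    """Tally registrar, creation year and registrant country over current records.

    Domains without any WHOIS record are counted separately, as in the triage.
    """
    registrars, years, countries = Counter(), Counter(), Counter()
    missing = 0
    for snapshots in history.values():
        rec = current_record(snapshots)
        if rec is None:
            missing += 1
            continue
        registrars[rec["registrar"]] += 1
        years[rec["created"][:4]] += 1
        countries[rec["country"] or "unknown"] += 1
    return {"registrars": registrars, "years": years, "countries": countries, "missing": missing}


def is_public(email):
    """True for an address worth pivoting on: not privacy/proxy and not a role account."""
    return not (PRIVACY_RE.search(email) or ROLE_RE.match(email))


def collect_emails(history):
    """All distinct emails from every historical snapshot, lower-cased, split by pivot value."""
    seen = {e.lower() for snaps in history.values() for r in snaps for e in r["emails"]}
    return {"public": {e for e in seen if is_public(e)}, "private": {e for e in seen if not is_public(e)}}


def expand_by_email(history, reverse_index):
    """Map each email-connected domain to the public emails linking it to the IoCs.

    Case-insensitive duplicates and the IoC domains themselves are dropped.
    """
    iocs = {d.lower() for d in history}
    connected = defaultdict(set)
    for email in collect_emails(history)["public"]:
        for domain in reverse_index.get(email, []):
            domain = domain.lower()
            if domain not in iocs:
                connected[domain].add(email)
    return {d: sorted(v) for d, v in sorted(connected.items())}


if __name__ == "__main__":
    print(summarize_iocs(HISTORY))
    print(collect_emails(HISTORY))
    for domain, emails in expand_by_email(HISTORY, REVERSE_WHOIS).items():
        print(domain, "<-", ", ".join(emails))
```

On the constructed fixtures this yields three email-connected domains, one of them (promo-a.example) tied to the IoCs through two different registrant addresses, which is the kind of overlap worth prioritising in a follow-up. The two redacted addresses are collected but never queried; keeping them visible in the output makes it obvious how much of the historical record was unusable for pivoting.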

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
