Analyzing Konfety’s Malicious Twin Apps via DNS Insights

Short Summary:

Satori has reported on a significant fraud campaign named “Konfety,” which exploits the CaramelAds mobile ad SDK to create malicious duplicates of popular apps. The investigation revealed numerous indicators of compromise (IoCs), including 250 evil twin apps on Google Play, 302 email-connected domains, and multiple IP addresses linked to malware distribution.

Key Points:

  • Satori’s report highlights a fraud campaign called “Konfety.”
  • Konfety abuses the CaramelAds mobile ad SDK.
  • 250 evil twin apps were identified on Google Play.
  • 23 indicators of compromise (IoCs) were published, including 17 domains and 6 IP addresses.
  • Additional findings included 302 email-connected domains and 326 string-connected domains.
  • The majority of domain IoCs were registered in Russia, with some in the Bahamas and the Netherlands.
  • The domain IoCs were created between 2017 and 2023, with a peak in 2020.
  • Historical WHOIS records revealed 30 email addresses linked to the IoCs.
  • Further research and artifacts are available for download on their website.

MITRE ATT&CK TTPs – created by AI

  • Malicious Software Installation (T1203)
    • Threat actors create malicious duplicates of popular apps to distribute malware.
  • Domain Generation Algorithms (T1483)
    • Use of numerous domain names to evade detection and maintain persistence.
  • Credential Dumping (T1003)
    • Potential use of compromised email addresses to access additional domains.

Satori recently published a report on a massive fraud campaign they have dubbed “Konfety” (Russian word for “candy”). Sounds sweet, right? But that’s not the case, as the name references CaramelAds, the mobile ad SDK they abused to create evil twins or malicious duplicates of popular apps available on the world’s biggest app marketplaces. At the time of publication, 250 evil twin apps have been found on Google Play alone.

The researchers published 23 indicators of compromise (IoCs) comprising 17 domain names and six IP addresses, which the WhoisXML API research team expanded using extensive WHOIS, IP, and other DNS intelligence sources. Our in-depth investigation led to the discovery of:

  • 302 email-connected domains
  • Five additional IP addresses, two of which turned out to be malicious
  • Eight IP-connected domains, one of which turned out to be associated with malware distribution
  • 326 string-connected domains, one of which turned out to be connected with malware distribution

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the IoCs

First, we gathered more information about the threat by querying the 17 domains identified as Konfety IoCs on Bulk WHOIS Lookup. We found out that:

  • One of the domain IoCs didn’t have details in its current WHOIS record, leaving us with 16 domain IoCs for further analysis.
  • Internet Domain Service led the pack of registrars, accounting for eight domain IoCs. TLD Registrar Solutions took the second spot with four domain IoCs, followed by Namecheap with two. Danesco Trading and Metaregistrar tied in last place with one domain IoC each.
  • The domain IoCs were created between 2017 and 2023, which shows the threat actors didn’t favor using newly registered domains (NRDs). Five domain IoCs, the highest count for any single year, were created in 2020.
  • A majority of the domain IoCs, nine to be exact, were registered in Russia. The Bahamas accounted for four domain IoCs, while the Netherlands accounted for one. Two domain IoCs didn’t have registrant countries in their current WHOIS records.

Next, we queried the six IP addresses identified as IoCs on Bulk IP Geolocation Lookup and discovered that:

IoC List Expansion Findings

We started our hunt for connected threat artifacts with WHOIS History API queries for the 16 domains identified as IoCs. That led to the discovery of 30 email addresses in their historical WHOIS records. Eight of them were public email addresses that we then used as search terms for Reverse WHOIS API. Our queries allowed us to unearth 302 email-connected domains after filtering out duplicates and the IoCs.
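The profiling and expansion steps described above (tallying registrar, registrant country and creation year from current WHOIS records, then extracting historical registrant emails, dropping privacy-proxy addresses, and pivoting through reverse WHOIS with duplicates and the original IoCs filtered out), as an added Python example that is not part of the original post. The WHOIS records, reverse-WHOIS index, domain names and email addresses are constructed stand-ins for the WhoisXML API responses, not values from the report.

```python
from collections import Counter
from datetime import date

# Constructed sample data (hypothetical, not from the report): the IoC set, a
# per-domain WHOIS history (oldest record first) and a reverse-WHOIS index.
IOC_DOMAINS = {"ioc-a.example", "ioc-b.example", "ioc-c.example"}
WHOIS_HISTORY = {
    "ioc-a.example": [  # older record exposed a real contact, current one is proxied
        {"registrar": "RegistrarOne", "country": "RU", "created": date(2020, 3, 1),
         "emails": ["owner1@mail.example"]},
        {"registrar": "RegistrarOne", "country": "RU", "created": date(2020, 3, 1),
         "emails": ["ioc-a@privacyproxy.example"]},
    ],
    "ioc-b.example": [
        {"registrar": "RegistrarTwo", "country": "BS", "created": date(2017, 8, 9),
         "emails": ["owner2@mail.example"]},
    ],
    "ioc-c.example": [],  # no usable WHOIS record, like one domain in the report
}
REVERSE_WHOIS = {  # email -> every domain that listed it as a registrant contact
    "owner1@mail.example": ["ioc-a.example", "pivot-1.example", "pivot-2.example"],
    "owner2@mail.example": ["ioc-b.example", "pivot-2.example", "pivot-3.example"],
}
PRIVACY_PROXIES = {"privacyproxy.example"}  # mail domains of WHOIS privacy services

def profile_iocs(history):
    """Tally registrar, registrant country and creation year from each domain's
    current (latest) record, skipping domains that have no record at all."""
    registrars, countries, years = Counter(), Counter(), Counter()
    for records in history.values():
        if records:
            current = records[-1]
            registrars[current["registrar"]] += 1
            countries[current["country"]] += 1
            years[current["created"].year] += 1
    return registrars, countries, years

def public_emails(history, proxies):
    """Registrant emails from all historical records, excluding privacy-proxy addresses."""
    return {e for records in history.values() for rec in records
            for e in rec["emails"] if e.split("@", 1)[1] not in proxies}

def email_connected_domains(emails, reverse_index, iocs):
    """Reverse-WHOIS pivot: union the domains tied to each email, then drop
    duplicates (set semantics) and the original IoCs, as the report does."""
    connected = set()
    for email in emails:
        connected.update(reverse_index.get(email, []))
    return connected - iocs
```

Privacy-proxy addresses are excluded because pivoting on them returns the proxy service's entire customer base rather than domains tied to the same registrant.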

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

Source: Original Post