"Kyle Schmittle - Russian Gamaredon APT Group - Mobile Surveillance Tools.pdf" (59 pages) is shared by a member and can be read online; for more related material, search on 三个皮匠报告.
Slide 1: Russian Gamaredon APT Group: Mobile Surveillance Tools

Slide 2: Kyle Schmittle - CISSP, CCSP
  Senior Security Intelligence Researcher, Threat Research Team, Lookout
  15+ years in Threat Intelligence

Slide 3: Agenda
  - Background
  - Lookout's Investigation
  - Surveillanceware Capabilities
  - Command & Control
  - Victim Targeting

Slide 4: Threat Actor: Gamaredon
  aka Primitive Bear, Aqua Blizzard, Armageddon, Shuckworm

Slide 5: (image) source: SSU

Slide 6:
  - Targeting Ukraine + military, NGOs since 2013
  - Spear-phishing for initial access
  - Low focus on stealth & obfuscation

Slides 7-8:
  - Dynamic DNS or fast-flux DNS for C2 hosting
  - Russian bulletproof hosting providers

Slide 9: Lookout's Investigation

Slide 10: BoneSpy Android Surveillance Family

Slides 11-12: Investigation Timeline (2021 - 2024)
  - December: Earliest BoneSpy samples packaged
  - February: Initial detections
  - July: App themes solidify
  - January: PlainGnome Gamaredon attribution
  - September: First threat intelligence analysis; Russian criminal group; wide variety of features; Telegram; Image Viewer
  - Code structure matures; capabilities standardize; lures standardize
  - September: Major refactoring of PlainGnome; continued BoneSpy deployment

Slide 13:
  - Redline & Trickbot samples share C2
  - Russian-language filenames
  - DroidWatcher open-source codebase

Slide 14: Surveillance capabilities
  - Browser history
  - SMS
  - Location tracking
  - Contact lists

Slide 15: Surveillance capabilities
  - Call logs
  - Phone call audio recording
  - Taking photos from cameras

Slide 16: Persistence & Abuse Mechanisms
  - Headless foreground services
  - Servi