{
	"id": "12157028-ad29-4959-9e00-8316089e0674",
	"created_at": "2026-04-06T00:18:59.899218Z",
	"updated_at": "2026-04-10T03:30:33.399579Z",
	"deleted_at": null,
	"sha1_hash": "06ff9f4885f47aadaf6b5a452fb4854e39ea40e8",
	"title": "Operation Blockbuster Goes Mobile",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 948519,
	"plain_text": "Operation Blockbuster Goes Mobile\r\nBy Anthony Kasza, Juan Cortes, Micah Yates\r\nPublished: 2017-11-20 · Archived: 2026-04-05 18:16:08 UTC\r\nUnit 42 has discovered a new cluster of malware samples, which targets Samsung devices and Korean language speakers,\r\nwith relationships to the malware used in Operation Blockbuster. The specific points of connection between these new\r\nsamples and Operation Blockbuster include:\r\npayloads delivered by the macros discussed in Operation Blockbuster Sequel\r\nmalware used by the HiddenCobra threat group\r\nmalware used in the 2016 attack on the Bangladesh SWIFT banking system\r\nAPK samples mimicking legitimate APKs hosted on Google Play\r\nAlthough Unit 42 cannot provide a full picture of the details surrounding the delivery of these samples, we are confident this\r\nactivity targets Korean language speakers who use Samsung devices. Based on this evidence we believe this new malware is\r\nlikely targeting South Koreans.\r\nThe newly discovered samples show new capabilities not previously documented. A strong relationship between previously\r\nidentified malware samples attributed to these campaigns and the newly discovered samples examined in this report.\r\nNew Malware Cluster\r\nAt the center of the cluster of new malware samples is a PE\r\n(ed9e373a687e42a84252c2c01046824ed699b32add73dcf3569373ac929fd3b9) uploaded to VirusTotal with the filename\r\n\"JAVAC.EXE\".  The sample requires two command line parameters to run, the first is a port number which the binary binds\r\nto, acting as a webserver, and the second is also a port number which is used for encrypted protocol communications.\r\nThe first port mimics an Apache server, using header values that Apache would use and will serve different resources to\r\nrequests on the port, depending on the User-Agent header values used. Some of the responses given are embedded in the\r\noriginal PE, whilst others are expected to be found on the local disk. 
The following JavaScript files are embedded in the\r\nresource section of JAVAC.exe:\r\nFilename | SHA256 | Purpose\r\njquery50.js | 2b15e4289a3eb8e4eb8c2343895002dde7f5b2791e3c799b4f869be0aa85d2e8 | Gets and sets client HTTP Cookie header values, e.g. \"GoogleAppCookie\". Redirects clients to \"main.js\".\r\njquery52.js | b183625c006f50f2b64ebe0aebda7b68ae285e53d1b4b00c8f49cde2dfc89348 | Gets and sets client HTTP Cookie header values, e.g. \"GoogleAppCookie\". Redirects clients to \"update.js\".\r\njquery99.js | 941cd0662cae55bc06727f1d658aba67f33442e63b03bebe012dad495e9e37dc | Redirects all client requests to mboard_ok.css.\r\nmain.js | 790662a047047b0470e2f243e2628d8f1b62794c1359b75ed9b856325e9c961a | Collects system information and invokes a system shell. These are used to install and invoke an APK and to write an ELF file to disk on the client.\r\numc.apk | 4694895d6cc30a336d125d20065de25246cc273ba8f55b5e56746fddaadb4d8a | Three nested APKs which ultimately lead to a backdoor APK implant. This file is likely installed silently by visiting the next resource with an HTTP client. Further details on this APK follow below.\r\nupdate.js | cf3e9baaac7efcaff8a9864da9f12b4115ba3f148ae5cfc21f3c158f6182b792 | Redirects all client requests to a URL which triggers a vulnerability in Samsung devices to install an APK.\r\nhttps://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/\r\nPage 1 of 8\r\nThe system this PE HTTP server is intended to execute on has the hostname \"RUMPUS-5ED8EE00\". This is checked\r\nby JAVAC.exe during execution. Besides the resources listed in the table above, it is important to note that JAVAC.exe\r\nexpects additional files located on the system, because some of the resources reference local JavaScript files. 
These include\r\nthe following filenames:\r\nmboard_ok.css\r\nnode_n.js\r\nnode_e.js\r\nnode_g.js\r\nnode_p.js\r\nnode_ok.js\r\nnode_nc.js\r\nnode_ex.js\r\nWe have not been able to obtain copies of these resources.\r\nRelated ELF ARM Samples\r\nThe ELF ARM file embedded in main.js is written to HTTP clients' disks by the logic in main.js. Below is a table outlining\r\nindicators from this embedded ELF ARM.\r\nSHA256 | Description | Embedded IPv4 Addresses\r\n0ff83f3b509c0ec7070d33dceb43cef4c529338487cd7e4c6efccf2a8fd7142d | ELF ARM file embedded in main.js | 97.211.212.31, 14.139.200.107, 175.100.189.174\r\nThis ELF ARM file is one of three we identified. These ELF files are similar to PE files named Cruprox by Symantec,\r\nManuscrypt by Kaspersky, and Clevore by Trend Micro. The ELF ARM samples contain lists of domains (used for\r\ndeception) and IPv4 addresses (used for command and control). These domains and IPv4 addresses are used to generate\r\ncrafted TLS sessions similarly to the \"fake TLS\" communication mechanisms in section 4.3.3.1 of the Operation\r\nBlockbuster report by Novetta.\r\nThe ELF ARM samples choose one of the embedded domains to populate the SNI field of a TLS connection to one of the\r\nembedded IPv4 addresses. By doing command and control in this way, an analyst observing the connection stream only sees\r\nwhat looks like (but is not) a TLS connection to a legitimate domain name. 
The domain names included in\r\n0ff83f3b509c0ec7070d33dceb43cef4c529338487cd7e4c6efccf2a8fd7142d are as follows:\r\nAn example TLS \"Client Hello\" record generated by\r\n0ff83f3b509c0ec7070d33dceb43cef4c529338487cd7e4c6efccf2a8fd7142d is given below. It includes a legitimate domain\r\nname in its SNI field yet is sent to a command and control IPv4 address.\r\nBy examining strings, binary functions, and embedded IPv4 addresses of\r\n0ff83f3b509c0ec7070d33dceb43cef4c529338487cd7e4c6efccf2a8fd7142d, we were able to hunt for and locate two\r\nadditional ELF ARM samples. Below is a table of the related ELF ARM samples:\r\nSHA256 | Description\r\n800f9ffd063dd2526a4a43b7370a8b04fbb9ffeff9c578aa644c44947d367266 | ELF ARM file likely of the same malware family as 0ff83f3b509c0ec7070d33dceb43cef4c529338487cd7e4c6efccf2a8fd7. Embedded in 06cadaac0710ed1ef262e79c5cf12d8cd463b226d45d0014b2085432cd (described below).\r\n153db613853fb42357acb91b393d853e2e5fe98b7af5d44ab25131c04af3b0d6 | ELF ARM file likely of the same malware family as 0ff83f3b509c0ec7070d33dceb43cef4c529338487cd7e4c6efccf2a8fd7.\r\nRelated APK Samples\r\nIn addition to ELF ARM files, the HTTP server can also serve APK files. 
As previously stated, an APK with SHA256\r\n4694895d6cc30a336d125d20065de25246cc273ba8f55b5e56746fddaadb4d8a is embedded as a resource in the HTTP PE\r\nserver sample with a name of \"umc.apk\".\r\nUmc.apk defines intent filters to receive events from the Android operating system when the APK is replaced\r\n(PACKAGE_REPLACED), when the device receives a text message (SMS_RECEIVED), and when the device is in use by\r\na user (USER_PRESENT). Umc.apk installs an embedded APK with the SHA256 value of\r\na984a5ac41446db9592345e547afe7fb0a3d85fcbbbdc46e16be1336f7a54041.\r\nA984a5ac41446db9592345e547afe7fb0a3d85fcbbbdc46e16be1336f7a54041 has a name of \"install.apk\".\r\nThe purpose of install.apk is to clean up umc.apk and install a third APK with a SHA256 hash of\r\n4607082448dd745af3261ebed97013060e58c1d3241d21ea050dcdf7794df416 and a name of \"object.apk\".\r\nObject.apk is the final malicious payload. This APK ensures that it is running when the device is booted and provides\r\nthe following backdoor capabilities to its controller:\r\nRecord the microphone\r\nCapture from the camera\r\nUpload, execute, and manipulate local files\r\nDownload remote files\r\nRecord GPS information\r\nRead contact information\r\nObserve SMS or MMS messages\r\nRecord web browsing history and bookmarks\r\nScan and capture WiFi information\r\nBelow is an image of decompiled code from a main component of the backdoor. It shows the internal version number for\r\nthis APK is “4.2.160713”; it is unclear whether this is an accurate representation of the number of iterations of development\r\nundertaken on this malware family, or whether it is to give the APK an air of legitimacy.\r\nConfiguration information for object.apk is included in the APK as a resource named \"assest.png\". 
The configuration\r\ninformation can be decoded using the following Python function:\r\ndef cnfdecr(s):\r\n  # Decode one configuration string: each character is shifted down by 55 and then XORed with 0x12\r\n  b = ''\r\n  for each in s:\r\n    tmp = ord(each)\r\n    tmp = tmp - 55\r\n    tmp = tmp ^ 0x12\r\n    b += chr(tmp)\r\n  return b\r\nThe decoded configuration values and their purposes follow:\r\nValue | Purpose\r\n4 | Proxy Count\r\n113.10.170.98 | IPv4\r\n443 | Port Number\r\n98.101.211.250 | IPv4\r\n443 | Port Number\r\n173.0.138.250 | IPv4\r\n443 | Port Number\r\n192.168.1.49 | IPv4\r\n443 | Port Number\r\n60 | Sleep Time\r\n5 | Max Repetition Count\r\nFollowing our analysis of the payload APK, we were able to locate an additional related APK. The APK with SHA256 hash\r\nvalue of 06cadaac0710ed1ef262e79c5cf12d8cd463b226d45d0014b2085432cdabb4f3 contains\r\n800f9ffd063dd2526a4a43b7370a8b04fbb9ffeff9c578aa644c44947d367266, one of the ELF ARM files discussed in a table\r\nunder the section titled \"Related ELF ARM Samples\".\r\nThis APK, 06cadaac0710ed1ef262e79c5cf12d8cd463b226d45d0014b2085432cdabb4f3, contains resources which reference\r\nlegitimate applications of varying popularity. We hypothesize that the inclusion of these resources is to disguise the\r\napplication's true intent and to make the application seem legitimate. The inclusion of KaKaoTalk resources leads us to\r\nbelieve this APK is targeting South Koreans. The image below shows some of the referenced mobile application resources:\r\nThe purpose of 06cadaac0710ed1ef262e79c5cf12d8cd463b226d45d0014b2085432cdabb4f3 is to execute the ELF ARM file\r\nit contains. Below is decompiled source code of the \"com.godpeople.GPtong.ETC.SplashActivity\" resource in the APK\r\nwhich contains the main functionality of the APK. 
It executes the ELF ARM file named \"while\" and logs activity to the\r\ndebug log named \"snowflake\".\r\nRelationships to Known Samples\r\nOriginally, the PE server was identified by its binary overlaps with the following samples:\r\n410959e9bfd9fb75e51153dd3b04e24a11d3734d8fb1c11608174946e3aab710\r\n4cf164497c275ae0f86c28d7847b10f5bd302ba12b995646c32cb53d03b7e6b5\r\nWhen executing, both samples create the mutex \"FwtSqmSession106839323_S-1-5-20\", which has ties to Operation\r\nBlockbuster and the attacks on the SWIFT banking system. Once this overlap in indicators was identified and manual\r\ninvestigation began, additional overlaps began to emerge.\r\nAdditional functional code overlaps are found between the following samples and the PE server:\r\n1d195c40169cbdb0f50eca40ebda62321aa05a54137635c7ebb2960690eb1d82\r\naf71ba26fd77830eea345c638d8c2328830882fd0bd7158e0abc4b32ca0b7b74\r\nThe PE server sample is not the only sample with ties to previously identified malware. Infrastructure reuse also exists\r\nbetween the IPv4 addresses embedded in the ELF ARM files detailed in the previous section and previously identified malware.\r\nFor example, 175.100.189.174 is embedded in 800f9ffd063dd2526a4a43b7370a8b04fbb9ffeff9c578aa644c44947d367266\r\nand is also contacted by a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6, a documented\r\nDestover sample.\r\nAnother example of IPv4 address reuse is 119.29.11.203. 
This IPv4 address is embedded in the ELF file with SHA256 of\r\n153db613853fb42357acb91b393d853e2e5fe98b7af5d44ab25131c04af3b0d6 and is also contacted by\r\n7429a6b6e8518a1ec1d1c37a8786359885f2fd4abde560adaef331ca9deaeefd, which is a PE payload delivered by the macros\r\nin the following malicious documents:\r\n7576bfd8102371e75526f545630753b52303daf2b41425cd363d6f6f7ce2c0c0\r\nffdc53425ce42cf1d738fe22016492e1cb8e1bc657833ad6e69721b3c28718b2\r\nc98e7241693fbcbfedf254f2edc8173af54fcacebb7047eb7646235736dd5b89\r\nThese macros share the same logic as macros discussed by Unit 42 in previous reports.\r\nFinal Thoughts\r\nIt is clear that source code was reused between previously reported samples and the cluster of new samples outlined by Unit\r\n42. Additionally, command and control IPv4 addresses were reused by the malware discussed in this analysis. Technical\r\nindicators as well as soft indicators, such as APK themes and names, provide soft and tenable ties to the actors behind\r\nOperation Blockbuster and the HiddenCobra group.\r\nThe image below summarizes all of the relationships presented in this report:\r\nAttribution is difficult to confidently achieve even with in-depth technical knowledge and a large pool of telemetry to hunt\r\nthrough. Without targeting and delivery information, this report offers a partial perspective on this new activity targeting\r\nKorean-speaking Samsung users.\r\nPalo Alto Networks customers can review this cluster of newly discovered malware by examining the GoingMobile\r\nAutoFocus tag.\r\nUnit 42, before publication, notified both Samsung and the KrCERT of the activity detailed here. 
We would like to thank\r\nboth organizations for working so quickly with us.\r\nIndicators of Compromise\r\nSHA256\r\nMutexes\r\nFwtSqmSession106839323_S-1-5-20\r\n
IPv4s\r\nDomains\r\nwww.radioapp[.]co[.]kr\r\nFilenames\r\nJAVAC.EXE\r\njquery50.js\r\njquery52.js\r\njquery99.js\r\nmain.js\r\numc.apk\r\nupdate.js\r\nmboard_ok.css\r\nnode_n.js\r\nnode_e.js\r\nnode_g.js\r\nnode_p.js\r\nnode_ok.js\r\nnode_nc.js\r\nnode_ex.js\r\nobject.apk\r\nInstall.apk\r\nwhile\r\nSource: https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/"
	],
	"report_names": [
		"unit42-operation-blockbuster-goes-mobile"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434739,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06ff9f4885f47aadaf6b5a452fb4854e39ea40e8.pdf",
		"text": "https://archive.orkl.eu/06ff9f4885f47aadaf6b5a452fb4854e39ea40e8.txt",
		"img": "https://archive.orkl.eu/06ff9f4885f47aadaf6b5a452fb4854e39ea40e8.jpg"
	}
}