Executive Summary
Wicked Panda was observed leveraging WyrmSpy and DragonEgg, two spyware families that target Android devices.
Key Takeaways
- Wicked Panda was observed leveraging WyrmSpy and DragonEgg.
- Both families are used as spyware or surveillanceware and target Android devices.
- Both apps request extensive device permissions and rely on downloaded modules to achieve full functionality.
Background
Lookout recently reported on Wicked Panda activity leveraging two Android malware families, WyrmSpy and DragonEgg. Both families are used as spyware or surveillanceware, which falls in line with Wicked Panda’s propensity toward espionage. The use of these malware families indicates Wicked Panda has expanded its targeting to mobile devices. Although Lookout first discovered early samples of these families in 2017 and 2021, they have observed WyrmSpy and DragonEgg being used for activity as recently as April 2023. Lookout linked this activity to Wicked Panda due to the malware’s hardcoded C2, which was a part of known Wicked Panda infrastructure. The apps linked to WyrmSpy and DragonEgg do not appear to be on the official Google Play store and likely came from a third-party app repository. Lookout believes victims were lured to the downloads via social engineering campaigns.
What is WyrmSpy?
WyrmSpy, first detected in 2017, masquerades as a default operating system app used for notifications. Later variants were disguised as adult video content, a food delivery platform, and Adobe Flash. WrymSpy requests extensive device permissions and then leverages modules that are downloaded post-installation. Its capabilities include harvesting and exfiltrating log files and photos and acquiring device location. WyrmSpy can also read and write SMS messages and record audio. Lookout researchers noted that based on the permissions requested, it is highly likely a secondary payload exists for more extensive surveillance capabilities.
What is DragonEgg?
DragonEgg, first detected in 2021, masquerades as a third-party keyboard or messaging app. It also requests extensive device permissions and relies on additional payloads to achieve full functionality. DragonEgg is capable of harvesting and exfiltrating information such as device contacts, SMS messages, external device storage files, device location, audio recordings, and photos.
Who is Wicked Panda?
Wicked Panda, also known as Axiom, Winnti, APT41, and Bronze Atlas, is a sophisticated China nexus threat actor group perpetrating activity in support of or in conjunction with the Chinese Ministry of State Security (MSS) and the People's Liberation Army (PLA). Active since at least 2009, Wicked Panda’s roots seem to have emerged in cybercrime and later evolved into the group’s current form.
Their activity has ranged from criminal, financially motivated attacks to stealthy espionage campaigns in support of Chinese military intelligence collection requirements. Wicked Panda has been known to attack a wide range of targets, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments. The group has targeted a broad range of entities across the APAC, AMEA, and AMERICAS regions.
Wicked Panda is known for having skilled programmers capable of developing sophisticated tools. The group uses a variety of TTPs, including but not limited to LoTL tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RaT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad. The group is also known to steal software signing certificates to use in their campaigns.
IOCs
PolySwarm has multiple samples of WyrmSpy and Dragon Egg.
WyrmSpy
b66847d571e471ac78ffa11a82dded5ac6d2f52b25304adbfab90716d22c0905
6caf068e1c0be245083aa6c3b92bd34909cb57d3d989cf509db18a8be4045fc5
43193e32872c589785ae720da875e5e20099a5fa36c8aee838034c91986ed34c
4355b4eb3d73b96577194cbd0ff319e0f4ff02d0cabdde8b15e1abd1840e6481
6b9a540801613a2abd15b5994def2ac4904a896e14e1ab364b032de5b3d1e098
8bf60e625d628e39320015de654933947b56621d8a4538f9be55c27ffc29a99c
8c01132a0c1c7799e44608247f93d4680935f36df3fc94d59c7da83afe375ff2
8d7fd7dcf5f0e144f3e3cc96ebf3ab8789d0d8edaeefa65e0f03dac67c1f046f
7a618ac4a0fb2b68df540554ee99aa48caa148b3dd2800777a084a7322efe22f
36d72fedc17be9936f182b38ca98c40a0f9ba44cac170bd63cbded9568452d25
1d76df42d77080a96f885ed31ab8a83f4f985e071e715fd54297dab398c4be6b
fa4a0aaa6b8f25e8f177ce2e3202c933c2358d4a45d94427dd54df83778a4225
9ba0078a12f7cd515303aefdb151d65a2d3cb1188242e72e3bd9e629dc246582
DragonEgg
79a316353747d11ca0ac00e6cbe1e1ce80061d067d9ff3274be33c40d12ca5de
68494cde4ee344cba80e8651c579418f2ce534018d88745797f030a3115ed19b
You can use the following CLI command to search for all WyrmSpy samples in our portal:
$ polyswarm link list -f WyrmSpy
You can use the following CLI command to search for all DragonEgg samples in our portal:
$ polyswarm link list -f DragonEgg
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports