▶Analysis report on the attack on mobile devices by Oceanlotus (May 24, 2019)
https://mp.weixin.qq.com/s/L-tCvLPOOMhP0ndgdqhkNQ

IOC:

Oceanlotus's APK

5079CB166DF41233A1017D5E0150C17A
F29DFFD9817F7FDA040C9608C14351D3
0E7C2ADDA3BC65242A365EF72B91F3A8
C630AB7B51F0C0FA38A4A0F45C793E24
CE5BAE8714DDFCA9EB3BB24EE60F042D
BF1CA2DAB5DF0546AACC02ABF40C2F19
D1EB52EF6C2445C848157BEABA54044F
45AE1CB1596E538220CA99B29816304F
50BFD62721B4F3813C2D20B59642F022
86c5495b048878ec903e6250600ec308
780a7f9446f62dd23b87b59b67624887
DABF05376C4EF5C1386EA8CECF3ACD5B
86C5495B048878EC903E6250600EC308
F29DFFD9817F7FDA040C9608C14351D3
C83F5589DFDFB07B8B7966202188DEE5
229A39860D1EBEAFC0E1CEF5880605FA
A9C4232B34836337A7168A90261DA410
877138E47A77E20BFFB058E8F94FAF1E
5079CB166DF41233A1017D5E0150C17A
2E780E2FF20A28D4248582F11D245D78
0E7C2ADDA3BC65242A365EF72B91F3A8
315F8E3DA94920248676B095786E26AD
D1EB52EF6C2445C848157BEABA54044F
DABF05376C4EF5C1386EA8CECF3ACD5B
AD32E5198C33AA5A7E4AEF97B7A7C09E
DF2E4CE8CC68C86B92D0D02E44315CC1
C20FA2C10B8C8161AB8FA21A2ED6272D
55E5B710099713F632BFD8E6EB0F496C
CF5774F6CA603A748B4C5CC0F76A2FD5
66983EFC87066CD920C1539AF083D923
69232889A2092B5C0D9A584767AF0333
C6FE1B2D9C2DF19DA0A132B5B9D9A011
CE5BAE8714DDFCA9EB3BB24EE60F042D
50BFD62721B4F3813C2D20B59642F022
C630AB7B51F0C0FA38A4A0F45C793E24
810EF71BB52EA5C3CFE58B8E003520DC
BF1CA2DAB5DF0546AACC02ABF40C2F19
45AE1CB1596E538220CA99B29816304F
5AF0127A5E97FB4F111ECBA2BE1114FA
74646DF14970FF356F33978A6B7FD59D
DF845B9CAE7C396CDE34C5D0C764360A
C20FA2C10B8C8161AB8FA21A2ED6272D
641F0CC057E2AB43F5444C5547E80976

APk's name

com.android.wps
com.tornado.nextlauncher.theme.windows8pro
Google Play services
ChromeUpdate
AdAway
FlashUpdate


Domain:
http://ckoen.dmkatti.com
https://jang.goongnam.com/resource/request.php
mtk.baimind.com
jang.goongnam.com


APP market:
http://download****.mediafire.com/sj*m*p**h1rg/so**lfeh*****rb/TOS_Multi_Backup_V1.1.apk
http://ws.yingyonghui.com/4d*****a197ad8be*****d88d3c*****/5523a87c/apk/******/com.slhapp.khogameandroid.*************.apk