
Yanbian Gang


RiskIQ characterizes the Yanbian Gang as a group that has targeted South Korean Android mobile banking customers since 2013, using malicious Android apps that purport to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank.


Associated Families
apk.funkybot apk.moqhao

References
2023-03-31 | Telekom | TR4xx
% Telekom blog article on MoqHao, dated 2023-03-31.
@online{tr4xx:20230331:moqhao:f4ea395,
  author       = {TR4xx},
  title        = {{Moqhao masters new tricks}},
  organization = {Telekom},
  date         = {2023-03-31},
  url          = {https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484},
  urldate      = {2023-04-02},
  language     = {English},
}
Moqhao masters new tricks
MoqHao
2023-03-16 | Team Cymru | S2 Research Team
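% Team Cymru post, part 3 of the MoqHao series (2023-03-16).
% The author is a team, not a person: the inner brace pair keeps the name as one
% unit instead of letting it be split into given and family parts.
% The citation key is left as published so existing citations still resolve.
@online{team:20230316:moqhao:b249827,
  author       = {{S2 Research Team}},
  title        = {{MoqHao Part 3: Recent Global Targeting Trends}},
  organization = {Team Cymru},
  date         = {2023-03-16},
  url          = {https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends},
  urldate      = {2023-03-20},
  language     = {English},
}
MoqHao Part 3: Recent Global Targeting Trends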
MoqHao
2023-01-19 | Kaspersky Labs | GReAT
% Kaspersky Labs (securelist.com) write-up on the Roaming Mantis DNS changer, dated 2023-01-19.
@online{great:20230119:roaming:46b7adb,
  author       = {GReAT},
  title        = {{Roaming Mantis implements new DNS changer in its malicious mobile app in 2022}},
  organization = {Kaspersky Labs},
  date         = {2023-01-19},
  url          = {https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/},
  urldate      = {2023-01-19},
  language     = {English},
}
Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
MoqHao
2022-08-11 | xanhacks' infosec blog | xanhacks
% Independent blog analysis of MoqHao and an associated phishing campaign, dated 2022-08-11.
@online{xanhacks:20220811:moqhao:a27e664,
  author       = {xanhacks},
  title        = {{MoqHao Android malware analysis and phishing campaign}},
  organization = {xanhacks' infosec blog},
  date         = {2022-08-11},
  url          = {https://www.xanhacks.xyz/p/moqhao-malware-analysis},
  urldate      = {2022-08-22},
  language     = {English},
}
MoqHao Android malware analysis and phishing campaign
MoqHao
2022-07-18 | Sekoia | Threat & Detection Research Team
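% Sekoia blog post on a Roaming Mantis smishing campaign targeting France (2022-07-18).
% Two fixes in the author field: the ampersand is escaped so LaTeX does not read
% it as an alignment tab, and the team name is wrapped in an inner brace pair so
% it is treated as one corporate name rather than split into name parts.
% The citation key is left as published.
@online{team:20220718:ongoing:e5bd178,
  author       = {{Threat \& Detection Research Team}},
  title        = {{Ongoing Roaming Mantis smishing campaign targeting France}},
  organization = {Sekoia},
  date         = {2022-07-18},
  url          = {https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/},
  urldate      = {2022-07-18},
  language     = {English},
}
Ongoing Roaming Mantis smishing campaign targeting France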
MoqHao
2022-04-07 | Team Cymru | Josh Hopkins
% Team Cymru post, part 2 of the MoqHao series (2022-04-07).
@online{hopkins:20220407:moqhao:459286e,
  author       = {Hopkins, Josh},
  title        = {{MoqHao Part 2: Continued European Expansion}},
  organization = {Team Cymru},
  date         = {2022-04-07},
  url          = {https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/},
  urldate      = {2022-04-12},
  language     = {English},
}
MoqHao Part 2: Continued European Expansion
MoqHao
2021-08-11 | Team Cymru | Josh Hopkins
% Team Cymru post, part 1.5 of the MoqHao series, on campaigns targeting Japan (2021-08-11).
@online{hopkins:20210811:moqhao:91b7e4c,
  author       = {Hopkins, Josh},
  title        = {{MoqHao Part 1.5: High-Level Trends of Recent Campaigns Targeting Japan}},
  organization = {Team Cymru},
  date         = {2021-08-11},
  url          = {https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/},
  urldate      = {2022-03-28},
  language     = {English},
}
MoqHao Part 1.5: High-Level Trends of Recent Campaigns Targeting Japan
MoqHao
2021-05-18 | Medium (Cryptax) | Axelle Apvrille
% Medium article on a native packer seen with Android/MoqHao, dated 2021-05-18.
@online{apvrille:20210518:native:350d98f,
  author       = {Apvrille, Axelle},
  title        = {{A native packer for Android/MoqHao}},
  organization = {Medium (Cryptax)},
  date         = {2021-05-18},
  url          = {https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1},
  urldate      = {2021-05-19},
  language     = {English},
}
A native packer for Android/MoqHao
MoqHao
2021-05-05 | Kashif Ali Surfeit and Blasé Security | Kashif Ali
% Personal-blog write-up of a Roaming Mantis smishing campaign, dated 2021-05-05.
% The organization value contains a non-ASCII character, so the file must be
% processed as UTF-8.
@online{ali:20210505:roaming:b3131fd,
  author       = {Ali, Kashif},
  title        = {{Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware}},
  organization = {Kashif Ali Surfeit and Blasé Security},
  date         = {2021-05-05},
  url          = {https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/},
  urldate      = {2021-05-08},
  language     = {English},
}
Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware
MoqHao Roaming Mantis
2021-04-07 | RiskIQ | Team RiskIQ
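% RiskIQ blog post on Yanbian Gang malware distribution and C2 (2021-04-07).
% The author is a corporate name: the inner brace pair stops it being parsed as
% given name "Team", family name "RiskIQ".
% The citation key is left as published.
@online{riskiq:20210407:yanbian:43530e8,
  author       = {{Team RiskIQ}},
  title        = {{Yanbian Gang Malware Continues with Wide-Scale Distribution and C2}},
  organization = {RiskIQ},
  date         = {2021-04-07},
  url          = {https://www.riskiq.com/blog/external-threat-management/yanbian-gang-malware-distribution/},
  urldate      = {2021-04-19},
  language     = {English},
}
Yanbian Gang Malware Continues with Wide-Scale Distribution and C2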
Yanbian Gang
2021-01-20 | Team Cymru | Andy Kraus
% Team Cymru post, part 1 of the MoqHao series, on identifying phishing infrastructure (2021-01-20).
@online{kraus:20210120:moqhao:e1742ce,
  author       = {Kraus, Andy},
  title        = {{MoqHao Part 1: Identifying Phishing Infrastructure}},
  organization = {Team Cymru},
  date         = {2021-01-20},
  url          = {https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/},
  urldate      = {2022-04-12},
  language     = {English},
}
MoqHao Part 1: Identifying Phishing Infrastructure
MoqHao
2020-06-25 | Medium CSIS Techblog | Aleksejs Kuprins
% CSIS Techblog article on Medium about RoamingMantis activity in Europe, dated 2020-06-25.
% The title contains a typographic apostrophe, so the file must be processed as UTF-8.
@online{kuprins:20200625:roamingmantis:256a9f9,
  author       = {Kuprins, Aleksejs},
  title        = {{The RoamingMantis Group’s Expansion to European Apple Accounts and Android Devices}},
  organization = {Medium CSIS Techblog},
  date         = {2020-06-25},
  url          = {https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681},
  urldate      = {2020-06-25},
  language     = {English},
}
The RoamingMantis Group’s Expansion to European Apple Accounts and Android Devices
FakeSpy FunkyBot MoqHao
2020-02-27 | Kaspersky Labs | Suguru Ishimaru
% Kaspersky Labs (securelist.com) post, part V of the Roaming Mantis series (2020-02-27).
@online{ishimaru:20200227:roaming:3e14d12,
  author       = {Ishimaru, Suguru},
  title        = {{Roaming Mantis, part V: Distributed in 2019 using SMiShing and enhanced anti-researcher techniques}},
  organization = {Kaspersky Labs},
  date         = {2020-02-27},
  url          = {https://securelist.com/roaming-mantis-part-v/96250/},
  urldate      = {2022-07-13},
  language     = {English},
}
Roaming Mantis, part V: Distributed in 2019 using SMiShing and enhanced anti-researcher techniques
FunkyBot MoqHao Roaming Mantis
2020-01-17 | Hiroaki Ogawa, Manabu Niseki
% PDF hosted under jsac.jpcert.or.jp, dated 2020-01-17.
% NOTE(review): institution is empty in this record and report-type entries
% normally require one, so expect an empty-field warning. The page names no
% publishing body; confirm it against the PDF before filling the field in.
@techreport{ogawa:20200117:100:035a7dd,
  author      = {Ogawa, Hiroaki and Niseki, Manabu},
  title       = {{100 more behind cockroaches?}},
  institution = {},
  date        = {2020-01-17},
  url         = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf},
  urldate     = {2020-01-17},
  language    = {English},
}
100 more behind cockroaches?
MoqHao Emotet Predator The Thief
2019-09-04 | Fortinet | Dario Durando
% Fortinet threat-research blog post introducing FunkyBot, dated 2019-09-04.
@online{durando:20190904:funkybot:625b9ba,
  author       = {Durando, Dario},
  title        = {{FunkyBot: A New Android Malware Family Targeting Japan}},
  organization = {Fortinet},
  date         = {2019-09-04},
  url          = {https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html},
  urldate      = {2020-01-13},
  language     = {English},
}
FunkyBot: A New Android Malware Family Targeting Japan
FunkyBot
2019 | Kaspersky Labs | Suguru Ishimaru, Manabu Niseki, Hiroaki Ogawa
% Slide deck hosted on hitcon.org about the Roaming Mantis DNS hijacking campaign.
% Only the year (2019) is recorded as the date.
@techreport{ishimaru:2019:roaming:23097da,
  author      = {Ishimaru, Suguru and Niseki, Manabu and Ogawa, Hiroaki},
  title       = {{Roaming Mantis: an Anatomy of a DNS Hijacking Campaign}},
  institution = {Kaspersky Labs},
  date        = {2019},
  url         = {https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf},
  urldate     = {2022-07-13},
  language    = {English},
}
Roaming Mantis: an Anatomy of a DNS Hijacking Campaign
MoqHao Roaming Mantis
2018-11-26 | Trend Micro | Lorin Wu, Ecular Xu
% Trend Micro blog post (blog.trendmicro.com) on XLoader, FakeSpy and possible Yanbian Gang ties, dated 2018-11-26.
@online{wu:20181126:look:89e0f68,
  author       = {Wu, Lorin and Xu, Ecular},
  title        = {{A Look into the Connection Between XLoader and FakeSpy, and Their Possible Ties With the Yanbian Gang}},
  organization = {Trend Micro},
  date         = {2018-11-26},
  url          = {https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/},
  urldate      = {2021-07-07},
  language     = {English},
}
A Look into the Connection Between XLoader and FakeSpy, and Their Possible Ties With the Yanbian Gang
FakeSpy MoqHao
2018-11-26 | Trend Micro | Lorin Wu, Ecular Xu
% Trend Micro research page (www.trendmicro.com) on XLoader, FakeSpy and the Yanbian Gang, dated 2018-11-26.
% Same authors and date as the entry with key suffix 89e0f68; the URL and title differ.
@online{wu:20181126:examining:7a7ccc0,
  author       = {Wu, Lorin and Xu, Ecular},
  title        = {{Examining XLoader, FakeSpy, and the Yanbian Gang}},
  organization = {Trend Micro},
  date         = {2018-11-26},
  url          = {https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html},
  urldate      = {2021-07-07},
  language     = {English},
}
Examining XLoader, FakeSpy, and the Yanbian Gang
FakeSpy MoqHao Yanbian Gang
2018-06-19 | Trend Micro | Ecular Xu
% Trend Micro research page on FakeSpy targeting Japanese- and Korean-speaking users, dated 2018-06-19.
@online{xu:20180619:fakespy:cd211fc,
  author       = {Xu, Ecular},
  title        = {{FakeSpy Targets Japanese and Korean-Speaking Users}},
  organization = {Trend Micro},
  date         = {2018-06-19},
  url          = {https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html},
  urldate      = {2021-04-19},
  language     = {English},
}
FakeSpy Targets Japanese and Korean-Speaking Users
FakeSpy Yanbian Gang
2018-04-20 | Trend Micro | Trend Micro
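% Trend Micro research page on XLoader distribution via DNS spoofing (2018-04-20).
% The author is the company itself: the inner brace pair stops the name being
% parsed as given name "Trend", family name "Micro".
% The citation key is left as published.
@online{micro:20180420:xloader:e46474f,
  author       = {{Trend Micro}},
  title        = {{XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing}},
  organization = {Trend Micro},
  date         = {2018-04-20},
  url          = {https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html},
  urldate      = {2021-07-07},
  language     = {English},
}
XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing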
MoqHao Yanbian Gang
2015-02-12 | Trend Micro | Simon Huang
% Trend Micro blog post on a mobile malware gang targeting South Korean users, dated 2015-02-12.
@online{huang:20150212:mobile:057aef0,
  author       = {Huang, Simon},
  title        = {{Mobile Malware Gang Steals Millions from South Korean Users}},
  organization = {Trend Micro},
  date         = {2015-02-12},
  url          = {https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-malware-gang-steals-millions-from-south-korean-users/},
  urldate      = {2021-04-19},
  language     = {English},
}
Mobile Malware Gang Steals Millions from South Korean Users
Yanbian Gang

Credits: MISP Project