Openhunting Threat Library

PINEFLOWER

PINEFLOWER, CORRUPT KITTEN
(Type: Backdoor, Info stealer, Exfiltration)

(FireEye) CORRUPT KITTEN was the author’s chosen name for an Android implant that, according to the blog, ‘supports a full range of spying and device management capability’. The blog contained a summary analysis of this CORRUPT KITTEN implant and an MD5 hash for a DEX file allegedly using the same C&C server. Notably, the author also noted that the malware stored files ready for exfiltration in a directory named ‘.data_gsc98647a3’, the string we identified in our PINEFLOWER samples. It seemed likely that CORRUPT KITTEN and PINEFLOWER were one and the same.

[News Analysis] Trends:

Total Trend: 1

Trend Per Year
1
2022


Trend Per Month
1
Sep 2022



[News Analysis] News Mention Another Threat Name:

6 - PINEFLOWER6 - VINETHORN6 - VBREVSHELL6 - BROKEYOLK6 - DOSTEALER6 - GHAMBAR6 - SILENTUPLOADER


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

APT42: Crooked Charms, Cons and Compromises

2022-09-07 by Mandiant Intelligence from Mandiant

Basic Information (Credit @etda.or.th)

Tool: PINEFLOWER

Names: PINEFLOWER, CORRUPT KITTEN

Description: (FireEye) CORRUPT KITTEN was the author’s chosen name for an Android implant that, according to the blog, ‘supports a full range of spying and device management capability’. The blog contained a summary analysis of this CORRUPT KITTEN implant and an MD5 hash for a DEX file allegedly using the same C&C server. Notably, the author also noted that the malware stored files ready for exfiltration in a directory named ‘.data_gsc98647a3’, the string we identified in our PINEFLOWER samples. It seemed likely that CORRUPT KITTEN and PINEFLOWER were one and the same.

Category: Malware

Type: Backdoor, Info stealer, Exfiltration

Information: https://vblocalhost.com/uploads/VB2021-Haeghebaert.pdf

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/apk.pineflower

Last-card-change: 2023-06-22

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact