GREF

Threat Actor updated 3 months ago (2024-11-29T14:07:19.527Z)

Download STIX

Preview STIX

GREF, a China-aligned Advanced Persistent Threat (APT) group, has been identified as the orchestrator of two active Android malware campaigns. The campaigns have been distributing a malicious software called BadBazaar via two applications, Signal Plus Messenger and FlyGram, through the Google Play store, Samsung Galaxy Store, alternative app stores, and dedicated websites. The campaigns have been ongoing since July 2023, with the threat actors exploiting open-source code from popular communication apps Signal and Telegram to create counterfeit versions which host the BadBazaar espionage tool. Significant code similarities have been found between the Signal Plus Messenger and FlyGram samples and the BadBazaar malware family, which Lookout attributes to the GREF cluster of APT15. This aligns with the targeting of other Android trojans previously used by GREF, including BadBazaar, SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle. Furthermore, these campaigns are linked to the Chinese intelligence apparatus, which has operated under various names such as Winnti, PassCV, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The threat posed by the GREF APT group is significant, as evidenced by a recent Distributed Denial of Service (DDoS) attack described by Herman Gref, the CEO and chairman of the executive board of Sberbank, as the most powerful in their history. The cybersecurity company ESET identifies the threat actors behind the malicious tool as the China-aligned APT group GREF. These findings underscore the necessity for robust cybersecurity measures and vigilance against potential threats from sophisticated hacking groups like GREF.

Description last updated: 2024-05-04T16:37:35.249Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT15 is a possible alias for GREF. APT15, also known as Vixen Panda, Nickel, Flea, KE3CHANG, Royal APT, and Playful Dragon, is a threat actor group suspected to be of Chinese origin. The group targets global sectors including trade, economic and financial, energy, and military, aligning with the interests of the Chinese government. I	2
Winnti is a possible alias for GREF. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such	2
APT17 is a possible alias for GREF. APT17, also known as Tailgator Team and Deputy Dog, is a threat actor suspected to be affiliated with the Chinese intelligence apparatus. This group has been associated with various aliases including Winnti, PassCV, Axiom, LEAD, BARIUM, Wicked Panda, and GREF. The primary targets of APT17 are the U.	2
Passcv is a possible alias for GREF. PassCV is a threat actor, or hacking team, that has been identified as part of the Chinese intelligence apparatus. This group has operated under various names including Winnti, APT17, Axiom, LEAD, BARIUM, Wicked Panda, and GREF, indicating a broad and complex network of cyber operations. The group i	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Signal

Apt

Android

Eset

Spyware

Google

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Signal Plus Messenger Malware is associated with GREF. Signal Plus Messenger and FlyGram are malware variants of a sophisticated espionage tool named BadBazaar, believed to be orchestrated by a China-linked threat actor known as Gref. These malicious applications were distributed through the Google Play store, Samsung Galaxy Store, and specific websites	Unspecified	2
The Flygram Malware is associated with GREF. FlyGram is a malicious software (malware) that first appeared on Google Play in July 2020 and was removed in January 2021. It was designed to exploit and damage users' devices by stealing sensitive data, including basic device information, contact lists, call logs, and Google Account data. The malwa	has used	2
The Badbazaar Malware is associated with GREF. BadBazaar is a malicious software, or malware, employed by EvilBamboo, a threat actor group. This malware is part of three Android spyware families developed by the group, including BADBAZAAR, BADSIGNAL, and BADSOLAR. These are custom-built to target adversaries of the Chinese Communist Party (CCP).	Unspecified	2

Source Document References

Information about the GREF Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	20 days ago	China-linked APT group Winnti targets Japanese organizations
Securityaffairs	a year ago	The largest Russian bank Sberbank hit by a massive DDoS attack
CERT-EU	a year ago	Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
CERT-EU	2 years ago	Delete these 2-fake messaging apps tied to China-aligned hacking group before your personal information is stolen \| Technology \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	2 years ago	New China-linked "BadBazaar" targets Android users via fake Signal, Telegram apps
Securityaffairs	2 years ago	Security Affairs newsletter Round 435 by Pierluigi Paganini
CERT-EU	2 years ago	BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps \| IT Security News
CERT-EU	2 years ago	Cyber Security Week in Review: September 1, 2023
CERT-EU	2 years ago	BadBazaar Malware Attacking Android Users via Weaponized Telegram & Signal Apps
BankInfoSecurity	2 years ago	Chinese APT Uses Fake Messenger Apps to Spy on Android Users
CERT-EU	2 years ago	BadBazaar: Chinese Spyware Shams Signal, Telegram Apps
CERT-EU	2 years ago	Trojanized Android messaging apps used for BadBazaar spyware distribution
CERT-EU	2 years ago	Chinese Gref APT targets Android users via fake Signal and Telegram apps
CERT-EU	2 years ago	Android-Malware: Badbazaar wurde im Google Play Store und Samsung-Store verteilt
DARKReading	2 years ago	Chinese Group Spreads Android Spyware Via Trojan Signal, Telegram Apps
CERT-EU	2 years ago	Chinese GREF APT distributes spyware via trojanized Signal and Telegram apps on Google Play and Samsung Galaxy stores \| IT Security News
InfoSecurity-magazine	2 years ago	Chinese APT Group GREF Use BadBazaar in Android Espionage
Securityaffairs	2 years ago	Chinese GREF APT distributes spyware via trojanized Signal and Telegram apps on Google Play and Samsung Galaxy stores
CERT-EU	2 years ago	BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps
CERT-EU	2 years ago	China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users – GIXtools