Date: 08/11/2025
Severity: High
Summary
RedHook is a sophisticated Android banking trojan targeting Vietnamese users via fake government and financial websites. It uses WebSocket to connect to its command-and-control server and supports over 30 remote commands for full device control. Likely developed by a Chinese-speaking group, it remains stealthy with low antivirus detection. It is distributed through a phishing site impersonating the State Bank of Vietnam, which tricks users into downloading a malicious APK hosted on an AWS S3 bucket.
Indicators of Compromise (IOC) List
Domains\URLs:
adsocket.e13falsz.xyz
api9.iosgaxx423.xyz
skt9.iosgaxx423.xyz
api5.jftxm.xyz
dzcdo3hl3vrfl.cloudfront.net/Chinhphu.apk
nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk
sbvhn.com/

Hashes (SHA-256):
0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07
ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3
f33ebe44521abb954ec6b1c18efc567fe940ae8b7b495a302885ecefceba535b
41d09fb33d7696833c11c739a3b0929cd0bff70c29c1a8d00a9c2041c8d0b863
5427ce8b04fc8a09391c2f6eeed44230d256640e1e74f20a1c1f2fcdabea32df
ac8b2617d487e0d7719d506333c3ad4afbd014aedf75d684f072ae6f3c544dbc
ecc1ccc0f2e1b925834a63f0dc1f514c83329427f308575f417cc4799539398c
8f4d41b11338583959d3d297cdb0c01214f84dfddc5dcdf25f8463f9c2d442d9
8afbbc53e0b69e22ab444ba69718d543469efb4af2c65bcd27a47f12211a0a67
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs:
domainname like "adsocket.e13falsz.xyz" or url like "adsocket.e13falsz.xyz" or siteurl like "adsocket.e13falsz.xyz"
or domainname like "skt9.iosgaxx423.xyz" or url like "skt9.iosgaxx423.xyz" or siteurl like "skt9.iosgaxx423.xyz"
or domainname like "api9.iosgaxx423.xyz" or url like "api9.iosgaxx423.xyz" or siteurl like "api9.iosgaxx423.xyz"
or domainname like "api5.jftxm.xyz" or url like "api5.jftxm.xyz" or siteurl like "api5.jftxm.xyz"
or domainname like "dzcdo3hl3vrfl.cloudfront.net/Chinhphu.apk" or url like "dzcdo3hl3vrfl.cloudfront.net/Chinhphu.apk" or siteurl like "dzcdo3hl3vrfl.cloudfront.net/Chinhphu.apk"
or domainname like "nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk" or url like "nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk" or siteurl like "nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk"

Hash (SHA-256):
sha256hash IN (
"f33ebe44521abb954ec6b1c18efc567fe940ae8b7b495a302885ecefceba535b",
"5427ce8b04fc8a09391c2f6eeed44230d256640e1e74f20a1c1f2fcdabea32df",
"ac8b2617d487e0d7719d506333c3ad4afbd014aedf75d684f072ae6f3c544dbc",
"0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07",
"ecc1ccc0f2e1b925834a63f0dc1f514c83329427f308575f417cc4799539398c",
"41d09fb33d7696833c11c739a3b0929cd0bff70c29c1a8d00a9c2041c8d0b863",
"ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3",
"8afbbc53e0b69e22ab444ba69718d543469efb4af2c65bcd27a47f12211a0a67",
"8f4d41b11338583959d3d297cdb0c01214f84dfddc5dcdf25f8463f9c2d442d9"
)
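The queries above are written for the Gurucul TDIR platform. For teams that need to sweep exported proxy, DNS or EDR logs outside that platform, the following is an added example (not Gurucul's or Cyble's code) that applies the same IOC logic in Python: it matches hostnames against the listed domains (including their subdomains), matches full download URLs for the two APK locations, and matches SHA-256 file hashes. The key=value log format and the four sample log lines are constructed for the example; only the IOC values come from this advisory.

```python
"""Sweep key=value log exports for the RedHook IOCs listed in this advisory.

Added example for this advisory, not vendor code. The log format and the
sample lines below are constructed; the IOC values are from the advisory.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Network IOCs from the advisory: bare C2/phishing hosts, plus two full
# APK download URLs whose hosts (CloudFront, S3) are shared infrastructure
# and therefore matched only as host+path, never as bare hosts.
REDHOOK_HOSTS = {
    "adsocket.e13falsz.xyz",
    "api9.iosgaxx423.xyz",
    "skt9.iosgaxx423.xyz",
    "api5.jftxm.xyz",
    "sbvhn.com",
}
REDHOOK_URLS = {
    "dzcdo3hl3vrfl.cloudfront.net/Chinhphu.apk",
    "nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk",
}
# SHA-256 hashes of the malicious APKs from the advisory.
REDHOOK_SHA256 = {
    "0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07",
    "ebc4bed126c380cb37e7936b9557e96d41a38989616855bb95c9107ab075daa3",
    "f33ebe44521abb954ec6b1c18efc567fe940ae8b7b495a302885ecefceba535b",
    "41d09fb33d7696833c11c739a3b0929cd0bff70c29c1a8d00a9c2041c8d0b863",
    "5427ce8b04fc8a09391c2f6eeed44230d256640e1e74f20a1c1f2fcdabea32df",
    "ac8b2617d487e0d7719d506333c3ad4afbd014aedf75d684f072ae6f3c544dbc",
    "ecc1ccc0f2e1b925834a63f0dc1f514c83329427f308575f417cc4799539398c",
    "8f4d41b11338583959d3d297cdb0c01214f84dfddc5dcdf25f8463f9c2d442d9",
    "8afbbc53e0b69e22ab444ba69718d543469efb4af2c65bcd27a47f12211a0a67",
}


def host_matches(hostname: str) -> bool:
    """True if hostname is an IOC host or any subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == ioc or h.endswith("." + ioc) for ioc in REDHOOK_HOSTS)


def url_matches(url: str) -> bool:
    """True if the URL's host is an IOC host, or host+path is an IOC URL."""
    # urlsplit needs a scheme or leading // to recognise the host part.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if host_matches(host):
        return True
    return (host + parts.path) in REDHOOK_URLS


def hash_matches(sha256: str) -> bool:
    """Case-insensitive SHA-256 lookup against the advisory's hash list."""
    return sha256.lower() in REDHOOK_SHA256


# Constructed log format: space-separated key=value pairs, values optionally
# double-quoted (as many proxy and EDR CSV/KV exports produce).
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line: str) -> dict[str, str]:
    """Parse one key=value line into a dict; quoted values are unquoted."""
    rec = {}
    for m in _KV.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return rec


def scan_line(line: str) -> list[str]:
    """Return the IOC hits ('field=value') found in one log line."""
    rec = parse_kv(line)
    hits = []
    # Same fields the TDIR query inspects; 'query' covers DNS logs.
    for field in ("domainname", "siteurl", "url", "query"):
        value = rec.get(field)
        if not value:
            continue
        matched = url_matches(value) if "/" in value else host_matches(value)
        if matched:
            hits.append(f"{field}={value}")
    digest = rec.get("sha256hash")
    if digest and hash_matches(digest):
        hits.append(f"sha256hash={digest}")
    return hits


def scan_logs(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, hits) for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample telemetry: one WebSocket C2 contact, one APK download,
# one file-hash observation from an EDR, and one benign line.
SAMPLE_LOGS = [
    'ts=2025-08-11T09:12:03Z src=10.0.0.23 domainname=adsocket.e13falsz.xyz proto=wss action=allow',
    'ts=2025-08-11T09:12:05Z src=10.0.0.23 url="https://nfe-bucketapk.s3.ap-southeast-1.amazonaws.com/SBV.apk" action=allow',
    'ts=2025-08-11T09:13:40Z host=android-7f2 file=SBV.apk sha256hash=0ace439000c8c950330dd1694858f50b2800becc7154e137314ccbc5b1305f07',
    'ts=2025-08-11T09:14:00Z src=10.0.0.44 domainname=www.example.com action=allow',
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: RedHook IOC hit -> {', '.join(hits)}")
```

Two design choices differ from a literal `like` match: bare hosts are matched as exact host or subdomain (so a lookup of a new subdomain under api5.jftxm.xyz is still caught, while an unrelated domain that merely ends in the same letters is not), and the CloudFront and S3 entries are matched only as host plus path, because those parent hostnames carry plenty of legitimate traffic. The phishing domain sbvhn.com appears in the IOC list but not in the TDIR query above; it is included here so a DNS sweep also surfaces the initial lure.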
Reference:
https://cyble.com/blog/redhook-new-android-banking-targeting-in-vietnam/