
The North Korea-linked threat actor known as ScarCruft is said to be behind a previously unseen Android surveillance tool named KoSpy that targets Korean- and English-speaking users.
Lookout, which shared details of the malware campaign, said the earliest version dates back to March 2022, and the latest sample was flagged in March 2024. It is not clear how successful these efforts have been.
“KoSpy can collect a wide range of data, including SMS messages, call logs, locations, files, audio, and screenshots via dynamically loaded plugins,” the company said in its analysis.
The malicious artifacts masquerade as utility apps named File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security, and were distributed through the official app store to infect unsuspecting users' devices.
All of the identified apps provide the promised functionality to avoid raising suspicion while covertly deploying spyware components in the background. The apps have since been removed from the app store.
ScarCruft, also known as APT37 and Reaper, is a North Korean state-sponsored cyber-espionage group that has been active since 2012. The group mainly uses RokRAT in its attack chains to harvest sensitive data from Windows systems; RokRAT has since been adapted to macOS and Android.

Once installed, the malicious Android app is designed to contact a Firebase Firestore cloud database and retrieve a configuration that includes the actual command-and-control (C2) server address.
By using a legitimate service like Firestore as a dead drop resolver, this two-stage C2 approach offers both flexibility and resilience, allowing the threat actors to change the C2 address at any time and keep the activity under the radar.
“After obtaining the C2 address, KoSpy will make sure that the device is not an emulator and that the current date is past the hardcoded activation date,” Lookout said. “This activation date check ensures that the spyware does not prematurely reveal its malicious intent.”
KoSpy can then download additional plugins and configurations to achieve its monitoring goals. The exact nature of the plugins remains unknown, as the C2 servers are either no longer active or do not respond to client requests.

The malware is designed to collect a wide range of data from compromised devices, including SMS messages, call logs, device location, local storage contents, screenshots, keystrokes, Wi-Fi network information, and a list of installed applications. It is also equipped to record audio and take photos.
Lookout said it identified infrastructure overlaps between the KoSpy campaign and infrastructure previously linked to Kimsuky (aka APT43).
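The data types listed above each map to an Android permission the app must declare in its manifest, which gives a cheap static triage signal: a utility app that calls itself a file manager has no reason to request SMS, call log, location, microphone and camera access all at once. The following is an added example for this article, not Lookout's detection logic; both manifests are constructed, and the permission-to-data-type table is an assumption based on the collection capabilities reported above.

```python
"""Manifest-based triage for Android utility apps that declare surveillance-grade
permissions. Added example; the manifests are constructed and the heuristic is
not Lookout's detection logic."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each data type KoSpy is reported to collect, mapped to the permission that gates it
# (assumed mapping for this example).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "photos",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network information",
}

# Constructed manifest: an app presenting itself as a file manager while declaring
# permissions that match the reported collection capabilities.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="File Manager"/>
</manifest>"""

# Constructed manifest: a file manager that asks only for what a file manager needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="File Manager"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def surveillance_capabilities(manifest_xml: str) -> set:
    """Translate declared permissions into the data types they would let the app collect."""
    perms = declared_permissions(manifest_xml)
    return {SURVEILLANCE_PERMISSIONS[p] for p in perms if p in SURVEILLANCE_PERMISSIONS}


def triage(manifest_xml: str, threshold: int = 3):
    """Flag the app when it can reach at least `threshold` distinct surveillance
    data types. Returns (flagged, capabilities)."""
    caps = surveillance_capabilities(manifest_xml)
    return len(caps) >= threshold, caps


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        flagged, caps = triage(manifest)
        print(f"{label}: flagged={flagged} capabilities={sorted(caps)}")
```

Because Android grants permissions per app, plugins that KoSpy loads dynamically still run within whatever the host app declared, so the manifest bounds what any plugin can collect even though it cannot show whether a permission is actually abused; the static check is a triage filter to be paired with dynamic analysis, not a verdict.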
Contagious Interview campaign surfaces as npm packages
The disclosure comes as Socket discovered a set of six npm packages designed to deploy a known information-stealing malware linked to an ongoing North Korean campaign tracked as Contagious Interview. The now-removed packages are: IS-Buffer-Validator, Yoojae-Validator, Event Handle Package, Array-Validator, React-Ievent Dependent, and Authentication Validator.
These packages are designed to collect details about the system environment and harvest credentials stored in web browsers such as Google Chrome, Brave, and Mozilla Firefox. They also target cryptocurrency wallets, extracting id.json from Solana and exodus.wallet from Exodus.
“The six new packages, downloaded over 330 times, closely mimic the names of widely trusted libraries, employing the well-known typosquatting tactic used by threat actors associated with Lazarus to deceive developers,” said Socket researcher Kirill Boychenko.
“In addition, the APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood that the harmful code would be integrated into developer workflows.”
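The typosquatting tactic described in this section relies on names that either extend a trusted package name with an extra word (as with IS-Buffer-Validator and Array-Validator above) or differ from it by a character or two. The following check over a project's package.json is an added example for this article, not Socket's tooling; the trusted-name list and the package.json are constructed, and the two flagged names taken from the page are written in npm's lowercase form.

```python
"""Dependency-name look-alike check for a package.json. Added example; the
trusted-name list and the package.json are constructed."""
import json

# Illustrative set of widely used packages an attacker might imitate (constructed).
TRUSTED = {"react", "lodash", "is-buffer", "validator", "express"}

# Constructed package.json mixing legitimate dependencies with look-alike names.
PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "react": "^18.2.0",
    "lodash": "^4.17.21",
    "is-buffer-validator": "1.0.2",
    "array-validator": "2.1.0",
    "lodsh": "4.17.0"
  }
}"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typos of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(name: str, trusted) -> str:
    """Return why `name` resembles a trusted package, or '' if it does not."""
    if name in trusted:
        return ""
    for t in sorted(trusted):
        # Name-extension squats: a trusted name with an extra hyphenated word attached.
        if name.startswith(t + "-") or name.endswith("-" + t):
            return f"extends trusted package name '{t}'"
        # Typo squats: within two edits of a trusted name of reasonable length.
        if len(t) >= 4 and edit_distance(name, t) <= 2:
            return f"within edit distance {edit_distance(name, t)} of '{t}'"
    return ""


def suspicious_dependencies(package_json_text: str, trusted=TRUSTED) -> dict:
    """Map each suspicious dependency name in package.json to the reason it was flagged."""
    manifest = json.loads(package_json_text)
    names = list(manifest.get("dependencies", {})) + list(manifest.get("devDependencies", {}))
    flagged = {}
    for name in names:
        reason = lookalike_reason(name, trusted)
        if reason:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    for name, reason in suspicious_dependencies(PACKAGE_JSON).items():
        print(f"{name}: {reason}")
```

The check is a review aid, not a blocklist: legitimate packages do extend popular names, so a hit should trigger a look at the package's publisher, download history and install scripts rather than an automatic rejection, and a name that is exactly a trusted package is never flagged.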
North Korean campaign uses RustDoor and Koi Stealer
The findings follow the discovery of a new campaign targeting the cryptocurrency sector with Rust-based macOS malware called RustDoor (aka ThiefBucket) and a previously undocumented macOS variant of the malware family known as Koi Stealer.

Palo Alto Networks Unit 42 said the attack's characteristics were similar to those of Contagious Interview, and that it assesses with moderate confidence that the activity was carried out on behalf of the North Korean regime.
Specifically, the attack chain involves a fake job interview project that attempts to download and run RustDoor when it is opened in Microsoft Visual Studio. The malware steals passwords from the LastPass Google Chrome extension, exfiltrates data to an external server, and downloads two additional Bash scripts to open a reverse shell.

The final stage of the infection involves searching for and running another payload: the macOS version of Koi Stealer, which impersonates Visual Studio to trick the victim into entering their system password, allowing the attackers to collect and exfiltrate data from the machine.
“The campaign has highlighted the risks faced by organisations around the world from sophisticated social engineering attacks designed to permeate networks and steal sensitive data and cryptocurrency,” say Adva Gabay and Daniel Frank. “These risks are magnified when the perpetrator is a nation-state threat actor compared to purely financially motivated cybercriminals.”