
The North Korean threat actor known as Kimsuky is said to be behind a new campaign distributing a new variant of Android malware called DocSwap via QR codes hosted on phishing sites imitating Seoul-based logistics company CJ Logistics (formerly CJ Korea Express).
“The attackers used QR codes and notification pop-ups to lure victims into installing and running malware on their mobile devices,” ENKI said. “The malicious app decrypts the embedded encrypted APK and launches a malicious service that provides RAT functionality.”
“Because Android blocks apps from unknown sources and displays security warnings by default, attackers can claim that the app is a safe official release and trick victims into ignoring the warning and installing the malware.”

According to the South Korean cybersecurity firm, some of these artifacts are disguised as package delivery service apps. Attackers are believed to be using smishing texts and phishing emails that impersonate shipping companies to trick recipients into clicking on booby-trapped URLs that host the app.
A notable aspect of this attack is the QR code-based mobile redirect. Users who visit the URL from a desktop computer are prompted to scan a QR code on the page with their Android device, which installs what appears to be a shipment tracking app for checking delivery status.
Within this page is a tracking PHP script that checks the browser’s user agent string and displays a message prompting the user to install a security module under the guise of identity verification according to the International Customs Security Policy.

If the victim continues with the installation, an APK package (‘Secdelivery.apk’) is downloaded from the server (‘27.102.137[.]181’). This dropper then decrypts and loads the encrypted APK embedded in its resources and launches the new version of DocSwap, but before doing so it checks that it holds the permissions it needs to read and manage external storage, access the internet, and install additional packages.
“Once all permissions are checked, we immediately register the newly loaded APK’s MainService as ‘com.delivery.security.MainService’,” ENKI said. “Upon service registration, the base application launches an AuthActivity. This activity disguises itself as an OTP authentication screen and uses the shipping number to verify the user’s identity.”
The shipping number is hardcoded within the APK as “742938128549” and can be delivered along with the malicious URL during the initial access stage. When a user enters the provided shipping number, the application generates a random six-digit verification code, displays it as a notification, and prompts the user to enter the generated code.
As soon as the code is provided, the app opens a WebView for the legitimate tracking URL “www.cjlogistics[.]com/ko/tool/parcel/tracking”. At the same time, the Trojan connects to an attacker-controlled server (“27.102.137[.]181:50005”) in the background and can receive up to 57 commands to record keystrokes, capture audio, start and stop camera recording, perform file operations, execute commands, upload and download files, and collect location information, SMS messages, contacts, call logs, and the list of installed apps.
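The indicators the report names (the dropper filename, the C2 host and port, the registered service name, the hardcoded shipping number and the trojanized VPN package) are enough to build a first-pass triage check. The following is an added example, not code from ENKI or from the article: it matches constructed network log lines and constructed strings dumped from an APK against those indicators, and flags the permission combination the dropper needs (storage, internet, package installation). The log line format, the sample data and the permission heuristic are assumptions made for this demonstration.

```python
"""Triage helpers for the DocSwap indicators described above (added example)."""
import re
from dataclasses import dataclass

# Indicators as given in the report text. The defanged "[.]" is restored to a
# real dot only inside this program so that it can match real log data.
C2_HOST = "27.102.137[.]181".replace("[.]", ".")
C2_PORT = 50005
DROPPER_NAME = "Secdelivery.apk"
SERVICE_NAME = "com.delivery.security.MainService"
HARDCODED_TRACKING_NO = "742938128549"
TROJANIZED_VPN_PKG = "com.bycomsolutions.bycomvpn"

# Real Android permission names; the report says the loader checks for
# storage, internet and package-install rights before unpacking DocSwap.
DROPPER_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}


@dataclass
class Hit:
    source: str     # "network" or "apk"
    indicator: str  # which indicator matched
    evidence: str   # the line or string that matched


# Assumed flow-log shape for the demo: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
_FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Match the C2 address as a whole token (not as a prefix of a longer IP).
_HOST_RE = re.compile(r"(?<![\d.])" + re.escape(C2_HOST) + r"(?![\d.])")


def scan_network_log(lines):
    """Flag contacts with the reported C2 host (port 50005 reported separately)
    and any line mentioning the dropper filename (e.g. a proxy download log)."""
    hits = []
    for line in lines:
        m = _FLOW_RE.match(line)
        if m:
            if m.group("dst") == C2_HOST:
                on_c2_port = int(m.group("dport")) == C2_PORT
                ind = f"{C2_HOST}:{C2_PORT}" if on_c2_port else C2_HOST
                hits.append(Hit("network", ind, line))
        elif _HOST_RE.search(line):
            hits.append(Hit("network", C2_HOST, line))
        if DROPPER_NAME.lower() in line.lower():
            hits.append(Hit("network", DROPPER_NAME, line))
    return hits


def scan_apk_strings(strings):
    """Flag strings from an APK (manifest/resources dump) matching report indicators."""
    needles = (SERVICE_NAME, HARDCODED_TRACKING_NO, TROJANIZED_VPN_PKG)
    return [Hit("apk", n, s) for s in strings for n in needles if n in s]


def has_dropper_permission_profile(permissions):
    """Heuristic only: internet + install-packages + some external-storage right.
    Legitimate app stores and updaters match too, so treat it as a triage signal."""
    perms = set(permissions)
    return DROPPER_PERMISSIONS <= perms and bool(STORAGE_PERMISSIONS & perms)


# Constructed sample data for the demo (not real telemetry).
SAMPLE_FLOWS = [
    "2024-01-01T10:00:01Z 10.0.0.5:51234 -> 142.250.1.1:443 tcp",
    "2024-01-01T10:00:07Z 10.0.0.5:51240 -> 27.102.137.181:50005 tcp",
    "2024-01-01T10:00:09Z 10.0.0.5:51241 -> 27.102.137.181:443 tcp",
]
SAMPLE_PROXY = [
    "2024-01-01T09:59:50Z 10.0.0.5 GET http://27.102.137.181/Secdelivery.apk 200",
    "2024-01-01T09:59:55Z 10.0.0.5 GET https://www.example.test/index.html 200",
]
SAMPLE_APK_STRINGS = [
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "com.delivery.security.MainService",
    "742938128549",
    "https://www.cjlogistics.com/ko/tool/parcel/tracking",
]
SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
]

if __name__ == "__main__":
    for hit in scan_network_log(SAMPLE_FLOWS + SAMPLE_PROXY) + scan_apk_strings(SAMPLE_APK_STRINGS):
        print(f"[{hit.source}] {hit.indicator}: {hit.evidence}")
    print("dropper-like permission set:", has_dropper_permission_profile(SAMPLE_PERMISSIONS))
```

Contacts with the C2 host on ports other than 50005 are still reported (as a host-only hit) because the report only documents the one port; the permission check is deliberately kept separate from the string indicators, since on its own it will also match legitimate installers.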
ENKI said it also discovered two other samples masquerading as P2B Airdrop apps and a trojanized version of a legitimate VPN program called BYCOM VPN (‘com.bycomsolutions.bycomvpn’) developed by Indian IT services company Bycom Solutions. The legitimate program is available on the Google Play Store.

“This indicates that the attackers injected malicious functionality into legitimate APKs and repackaged them for use in attacks,” the security firm added.
Further analysis of the threat actor’s infrastructure revealed phishing sites that mimic Korean platforms such as Naver and Kakao and attempt to capture user credentials. These sites were found to be duplicates of previous Kimsuky credential harvesting campaigns targeting Naver users.
“The executed malware launches RAT services and functionality, as in past cases, but shows evolution, including the use of new native functionality to decrypt internal APKs and the incorporation of a variety of decoy behaviors,” ENKI said.
