
A North Korea-aligned state-sponsored hacking group known as ScarCruft compromised a video gaming platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall, likely to target ethnic Koreans living in China.
While previous versions of the backdoor targeted only Windows users, the supply chain attack is credited with allowing the attackers to reach Android devices as well, making BirdCall a multi-platform threat.
According to ESET, the platform chosen for the campaign, sqgame[.]net, is used by ethnic Koreans living in China's Yanbian region, which borders North Korea and Russia. The region is also known as a major, high-risk transit point for North Korean defectors crossing the Tumen River.
Targeting the platform is said to be a deliberate strategy, given ScarCruft's long history of going after North Korean defectors, human rights activists, and university professors.
“In an ongoing attack, likely since late 2024, ScarCruft compromised and backdoored the Windows and Android components of a video game platform dedicated to Yanbian-themed games,” the Slovak cybersecurity firm said in a report shared with The Hacker News ahead of publication.
The Windows version of BirdCall, described as an advanced evolution of RokRAT, has been detected in the wild since 2021. Over the years, RokRAT has also been adapted to macOS (CloudMensis) and Android (RambleOn), indicating that the malware family continues to be actively maintained by the threat actor.
BirdCall includes features typical of backdoors: it can capture screenshots, log keystrokes, steal clipboard contents, execute shell commands, and collect files. Like RokRAT, it relies on legitimate cloud services such as Dropbox and pCloud for command-and-control (C2).
“BirdCall typically starts with a Ruby or Python script and is deployed in a multi-stage loading chain that includes components encrypted using a computer-specific key,” ESET said.
The Android version of BirdCall, distributed as part of the sqgame[.]net supply chain attack, implements a subset of the Windows version's capabilities and collects contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio. Analysis of the malware's lineage revealed seven versions, the first of which dates back to October 2024.
Interestingly, the compromised download pages served only malicious Android APKs; the Windows desktop client and iOS games downloadable from the site were left untouched. The download pages for two Android games hosted on sqgame[.]net were modified to serve the malicious APKs:
sqgame.com[.]cn/ybht.apk
sqgame.com[.]cn/sqybhs.apk
It is not known exactly when the website was compromised and the trojanized APKs began being distributed, but the incident is believed to have occurred in late 2024. Separately, evidence has emerged that update packages for the Windows desktop client delivered trojanized DLLs for an unspecified period since at least November 2024. The current update packages are no longer malicious.
Specifically, the modified DLL contained an anti-analysis check and a downloader: it inspected the list of running processes for signs of a virtual machine or analysis environment before proceeding to download and execute shellcode containing RokRAT. The RokRAT backdoor then retrieves BirdCall and installs it on the infected host.
The Android version of BirdCall likewise relies on legitimate cloud storage services for C2 communication, namely pCloud, Yandex Disk, and Zoho WorkDrive. The last of these, Zoho WorkDrive, is being seen with increasing frequency across multiple campaigns.
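Both the Windows and Android variants described above use legitimate cloud storage (Dropbox, pCloud, Yandex Disk, Zoho WorkDrive) as their C2 channel, which blends in with ordinary traffic at the network layer. The one signal that survives is the process making the connection: a browser or the vendor's sync client talking to these APIs is normal, while a shell, a script interpreter, or a sideloaded DLL's host process doing so is not. The following is an added hunting example written for this article, not code from ESET or from the malware; the API hostnames, the allow-list of expected client processes, and the EDR-style log lines are all constructed assumptions for illustration and are not indicators published in the report.

```python
"""Hunt for unexpected processes contacting cloud-storage APIs used as C2.

Added example for this article (not ESET's code). Hostnames, the expected-client
list and the sample telemetry below are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Assumed API hostnames for the storage providers named in the report.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "workdrive.zoho.com": "Zoho WorkDrive",
}

# Processes that are expected to reach those services; tune per environment.
EXPECTED_CLIENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "dropbox.exe", "pcloud.exe", "yandexdisk2.exe", "zohoworkdrive.exe",
}

# Constructed sample telemetry (not real logs): one network event per line.
SAMPLE_EVENTS = """\
2024-11-12T08:01:22Z host=WS01 proc=chrome.exe pid=4120 dst=api.pcloud.com uri=/userinfo
2024-11-12T08:02:05Z host=WS01 proc=explorer.exe pid=1588 dst=api.pcloud.com uri=/uploadfile
2024-11-12T08:02:41Z host=WS01 proc=explorer.exe pid=1588 dst=workdrive.zoho.com uri=/api/v1/files
2024-11-12T08:03:10Z host=WS01 proc=dropbox.exe pid=2210 dst=api.dropboxapi.com uri=/2/files/list_folder
2024-11-12T08:04:00Z host=WS01 proc=svchost.exe pid=900 dst=update.microsoft.com uri=/
2024-11-12T08:05:30Z host=WS02 proc=python.exe pid=3377 dst=cloud-api.yandex.net uri=/v1/disk/resources/upload
""".splitlines()

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_event(line):
    """Parse 'ts key=value ...' into a dict; return None for malformed lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    if "proc" not in fields or "dst" not in fields:
        return None
    fields["ts"] = m["ts"]
    return fields


def hunt(lines):
    """Return one finding per (host, process, pid) that contacts a cloud-storage
    API without being an expected client. A single process reaching more than one
    provider is rated 'high' because it matches the multi-provider C2 pattern."""
    per_proc = defaultdict(lambda: {"providers": set(), "events": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        provider = CLOUD_STORAGE_HOSTS.get(ev["dst"].lower())
        if provider is None:
            continue  # not a cloud-storage API we care about
        proc = ev["proc"].lower()
        if proc in EXPECTED_CLIENTS:
            continue  # browser or vendor sync client: benign by policy
        key = (ev.get("host", "?"), proc, ev.get("pid", "?"))
        per_proc[key]["providers"].add(provider)
        per_proc[key]["events"].append(ev)

    findings = []
    for (host, proc, pid), data in sorted(per_proc.items()):
        findings.append({
            "host": host,
            "proc": proc,
            "pid": pid,
            "providers": sorted(data["providers"]),
            "count": len(data["events"]),
            "severity": "high" if len(data["providers"]) > 1 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['proc']} (pid {f['pid']}) "
              f"-> {', '.join(f['providers'])} ({f['count']} events)")
```

On the constructed sample, chrome.exe and dropbox.exe are ignored as expected clients, svchost.exe is ignored because its destination is not a storage API, and two findings remain: explorer.exe on WS01 reaching both pCloud and Zoho WorkDrive (rated high), and python.exe on WS02 reaching Yandex Disk (rated medium). The process allow-list is the part that needs local tuning; the point of the rule is that the destination alone is never enough to separate this C2 from legitimate use.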
“Android backdoors are under active development and offer surveillance capabilities such as collecting personal data and documents, taking screenshots, and recording audio,” ESET said.
