Key Takeaways:
- The North Korean threat actor Kimsuky has been linked to a new campaign distributing Android malware called DocSwap via QR codes hosted on phishing sites.
- The malware is disguised as a package delivery service app and uses QR code-based mobile redirection to trick victims into installing the app.
- The attack uses smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps.
- The malware has the capability to log keystrokes, capture audio, start/stop camera recording, perform file operations, and gather location, SMS messages, contacts, call logs, and a list of installed apps.
- The threat actor has also been found to use phishing sites mimicking South Korean platforms like Naver and Kakao to capture users’ credentials.
Introduction to the Threat
The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics. This campaign is a significant development in the world of mobile security, as it highlights the increasing sophistication and creativity of threat actors in distributing malware. According to ENKI, a South Korean cybersecurity company, the threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices. The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities, allowing the threat actor to gain control over the infected device.
The Attack Vector
The attack vector used by Kimsuky is particularly noteworthy because it uses QR code-based redirection to move the victim from a desktop browser onto a mobile device. When a user visits the phishing site from a desktop computer, the page prompts them to scan a QR code with their Android device to install the supposed shipment-tracking app and look up the delivery status. Android still displays its usual warning when an app is installed from an unknown source; the page pre-empts that warning by claiming the app is a safe, official release, so the victim dismisses it and installs the malware. Moving the install onto the phone and coaching the victim through the warning is how the actor sidesteps the protection the warning is meant to provide.
Malware Capabilities
The malware itself is highly sophisticated, with capabilities that include logging keystrokes, capturing audio, starting and stopping camera recording, performing file operations, and gathering location, SMS messages, contacts, call logs, and a list of installed apps. The malware also has the ability to upload and download files, and to run commands on the infected device. This level of functionality is consistent with the threat actor’s goal of gaining control over the infected device and using it for malicious purposes. The malware’s ability to masquerade as a legitimate app, such as a package delivery service app, makes it even more difficult to detect and remove.
Infrastructure and Tactics
Further analysis of the threat actor's infrastructure uncovered phishing sites mimicking South Korean platforms such as Naver and Kakao that seek to capture users' credentials. These sites share overlaps with a prior Kimsuky credential-harvesting campaign targeting Naver users. Taken together, the campaign combines phishing sites, smishing texts and phishing emails impersonating delivery companies, and malware distribution, with infrastructure shared across operations.
Evolution of the Threat
The executed malware launches a RAT service with capabilities similar to past cases, but it shows evolved tactics: a new native function decrypts the internal APK, and the app incorporates diverse decoy behaviors. The actor is continually refining this tooling, which complicates detection and removal. The use of legitimate apps, such as the BYCOM VPN app, to distribute malware is a further concern, as it shows the actor's ability to infiltrate and compromise legitimate software.
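The dropper pattern described above and in the introduction (a carrier app that decrypts an embedded APK at runtime and hands it to a native function) leaves a static footprint that a defender can look for before the app ever runs: a large, near-random blob under assets/ that is not an image or media file, often alongside a native library. The following Python triage script is an added example written for this article; it is not ENKI's tooling or code from the original report. The thresholds, the entry names, and the sample "APK" it builds are all constructed assumptions for illustration.

```python
import io
import math
import random
import zipfile
from collections import Counter
from typing import Dict, List

# File types that are legitimately high-entropy (already compressed), so they
# are excluded from the "encrypted payload" heuristic.
COMPRESSED_EXTENSIONS = (".png", ".jpg", ".jpeg", ".webp", ".gif",
                         ".mp3", ".mp4", ".ogg", ".woff", ".woff2", ".ttf")
MIN_PAYLOAD_SIZE = 16 * 1024     # assumption: a dropped APK is far larger than this
ENTROPY_THRESHOLD = 7.9          # bits/byte; uniformly random data approaches 8.0
ZIP_MAGIC = b"PK\x03\x04"        # an APK/JAR is a zip container
DEX_MAGIC = b"dex\n"             # Dalvik executable header


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Scan one APK image and return finding category -> list of entry names."""
    findings: Dict[str, List[str]] = {
        "nested_executable": [],   # cleartext APK/DEX/JAR bundled for later install
        "encrypted_blob": [],      # large near-random asset, likely an encrypted payload
        "native_library": [],      # context: native code that may do the decrypting
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith("lib/") and name.endswith(".so"):
                findings["native_library"].append(name)
                continue
            # Only resource directories are interesting; classes.dex at the
            # root is normal for every Android app.
            if not (name.startswith("assets/") or name.startswith("res/raw/")):
                continue
            data = zf.read(name)
            if (data.startswith(ZIP_MAGIC) or data.startswith(DEX_MAGIC)
                    or name.endswith((".apk", ".dex", ".jar"))):
                findings["nested_executable"].append(name)
                continue
            if (info.file_size >= MIN_PAYLOAD_SIZE
                    and not name.lower().endswith(COMPRESSED_EXTENSIONS)
                    and shannon_entropy(data) >= ENTROPY_THRESHOLD):
                findings["encrypted_blob"].append(name)
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """A nested executable or an encrypted blob is enough to escalate for review;
    a native library alone is not (most real apps ship one)."""
    return bool(findings["nested_executable"] or findings["encrypted_blob"])


def build_sample_dropper(seed: int = 1) -> bytes:
    """Constructed sample mimicking a dropper's layout; not a real or signed APK."""
    rng = random.Random(seed)
    payload = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("assets/tracking.bin", payload)          # "encrypted" inner APK
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 4096)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 32)
    return buf.getvalue()


def build_sample_benign(seed: int = 2) -> bytes:
    """Constructed benign-looking sample: text assets only, no native code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("assets/strings.json", b'{"title": "Track your parcel"}' * 800)
    return buf.getvalue()


if __name__ == "__main__":
    for label, image in (("dropper", build_sample_dropper()), ("benign", build_sample_benign())):
        result = triage_apk(image)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

The entropy check is a heuristic, not a verdict: a legitimate app may ship an encrypted model or license blob, so the script reports the finding with its supporting entries and leaves the escalation decision to the analyst. Pointing it at real samples means reading the APK from disk instead of calling the constructed builders.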
Conclusion
In conclusion, Kimsuky's new campaign distributing the DocSwap Android malware via QR codes hosted on phishing sites is a significant development in mobile security. The QR-code redirection and the coaching past the unknown-source warning are effective social engineering, and the malware itself is highly capable and difficult to detect. Combined with phishing sites and smishing texts or phishing emails impersonating delivery companies, the campaign shows the actor adapting its tactics to evade detection. Understanding these tactics and techniques is the basis for defending mobile devices and personal data against them.