Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

Dec 18, 2025Ravie LakshmananMalware / Cell Safety

The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express).

“The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices,” ENKI said. “The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities.”

“Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware.”


According to the South Korean cybersecurity company, some of these artifacts masquerade as package delivery service apps. It is assessed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps.

A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page with their Android device in order to install the supposed shipment tracking app and look up the status.

Present within the page is a tracking PHP script that checks the browser's User-Agent string and then displays a message urging the visitor to install a security module under the guise of verifying their identity, citing supposed “international customs security policies.”

Should the victim proceed to install the app, an APK package (“SecDelivery.apk”) is downloaded from the server (“27.102.137[.]181”). The APK file then decrypts and loads an encrypted APK embedded in its resources to launch the new version of DocSwap, but not before ascertaining that it has obtained the required permissions to read and manage external storage, access the internet, and install additional packages.
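The dropper behaviour described above (install/storage permissions plus an encrypted APK carried in the package) lends itself to a cheap static triage check. The following is an added illustration, not code from ENKI or this article; it assumes a constructed stand-in APK built in `build_sample_apk()` rather than a real sample, and it reads permission strings straight out of the binary manifest bytes instead of parsing AXML.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Permissions the article says the dropper requires before unpacking its payload.
DROPPER_PERMISSIONS = ("android.permission.READ_EXTERNAL_STORAGE", "android.permission.MANAGE_EXTERNAL_STORAGE",
                       "android.permission.INTERNET", "android.permission.REQUEST_INSTALL_PACKAGES")
SKIP_EXT = (".png", ".jpg", ".webp", ".mp3", ".mp4", ".ttf")  # legitimately high-entropy media

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: plain text sits around 4-5, encrypted or compressed data close to 8.
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def manifest_permissions(manifest: bytes) -> list:
    # Binary AXML keeps its string pool as UTF-16LE (or UTF-8); a raw byte search avoids a full parser.
    return [p for p in DROPPER_PERMISSIONS
            if p.encode("utf-16-le") in manifest or p.encode() in manifest]

def triage_apk(apk_bytes: bytes, min_size: int = 2048, threshold: float = 7.5) -> dict:
    """Flag the dropper pattern: install permission plus an opaque blob under assets/."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        perms = manifest_permissions(zf.read("AndroidManifest.xml")) if "AndroidManifest.xml" in names else []
        opaque = []
        for name in names:
            if not name.startswith("assets/") or name.lower().endswith(SKIP_EXT):
                continue
            blob = zf.read(name)
            if len(blob) >= min_size and shannon_entropy(blob) >= threshold:
                opaque.append(name)
    flagged = "android.permission.REQUEST_INSTALL_PACKAGES" in perms and bool(opaque)
    return {"permissions": perms, "opaque_assets": opaque, "suspicious": flagged}

def build_sample_apk() -> bytes:
    # Constructed stand-in (not a real sample): manifest bytes carrying the permission strings,
    # one random "encrypted" asset and one plain-text asset that must not be flagged.
    manifest = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in DROPPER_PERMISSIONS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("assets/payload.bin", random.Random(7).randbytes(4096))
        zf.writestr("assets/readme.txt", b"delivery tracking " * 200)
    return buf.getvalue()
```

Run `triage_apk` over an APK collection and review the `suspicious` hits by hand; high-entropy assets also appear in legitimate apps that ship their own compressed data, so treat this as a triage filter, not a verdict.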

“Once it confirms all permissions, it immediately registers the MainService of the newly loaded APK as ‘com.delivery.security.MainService,’” ENKI said. “Simultaneously with service registration, the base application launches AuthActivity. This activity masquerades as an OTP authentication screen and verifies the user's identity using a delivery number.”

The shipment number is hard-coded within the APK as “742938128549,” and is likely delivered alongside the malicious URL during the initial access phase. Once the user enters the provided delivery number, the application generates a random six-digit verification code and displays it as a notification, after which the user is prompted to enter the generated code.

As soon as the code is provided, the app opens a WebView with the legitimate URL “www.cjlogistics[.]com/ko/tool/parcel/tracking,” while, in the background, the trojan connects to an attacker-controlled server (“27.102.137[.]181:50005”) and receives as many as 57 commands that allow it to log keystrokes, capture audio, start/stop camera recording, perform file operations, run commands, upload/download files, and gather location, SMS messages, contacts, call logs, and a list of installed apps.

ENKI said it also discovered two other samples disguised as a P2B Airdrop app and a trojanized version of a legitimate VPN program called BYCOM VPN (“com.bycomsolutions.bycomvpn”) that is available on the Google Play Store and developed by an Indian IT services company named Bycom Solutions.


“This indicates that the threat actor injected malicious functionality into the legitimate APK and repackaged it for use in the attack,” the security company added.

Further analysis of the threat actor's infrastructure has uncovered phishing sites mimicking South Korean platforms like Naver and Kakao that seek to capture users' credentials. These sites, in turn, have been found to overlap with a prior Kimsuky credential harvesting campaign targeting Naver users.

“The executed malware launches a RAT service, similarly to past cases, but demonstrates advanced capabilities, such as using a new native function to decrypt the internal APK and incorporating various decoy behaviors,” ENKI said.
