Unveiling KoSpy: ScarCruft's New Android Spyware Targeting Korean and English Users
Discover how the North Korea-linked APT group ScarCruft is utilizing a new Android spyware, KoSpy, to target Korean and English-speaking users. Learn about its capabilities, distribution methods, and connections to other threat groups.
TL;DR
- New Threat: North Korea-linked ScarCruft APT group deploys KoSpy, a new Android spyware targeting Korean and English-speaking users.
- Capabilities: KoSpy collects SMS, calls, location data, files, audio, and screenshots via plugins.
- Distribution: Masquerades as utility apps like “File Manager” and “Kakao Security,” using Google Play Store and Firebase Firestore.
North Korea-Linked APT Group ScarCruft Deploys New Android Spyware KoSpy
The North Korea-linked threat actor ScarCruft, also known as APT37, Reaper, and Group123, has been identified as the group behind a newly discovered Android surveillance tool named KoSpy. This spyware has been used to target Korean and English-speaking users, highlighting the ongoing cyber espionage efforts by North Korean threat actors.
Historical Context of ScarCruft
ScarCruft has been active since at least 2012 and gained significant attention in early February 2018 when it was revealed that the group exploited a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users. Kaspersky first documented the group’s operations in 2016, noting that their primary targets included government, defense, military, and media organizations in South Korea.
KoSpy: A New Threat
Researchers at Lookout have attributed the KoSpy spyware to the ScarCruft group with medium confidence. The malware family, which emerged in March 2022, has seen continuous development, with the most recent samples detected in March 2024. KoSpy has been observed using fake utility application lures, such as “File Manager,” “Software Update Utility,” and “Kakao Security,” to infect devices.
Distribution and Infection Methods
KoSpy leverages the Google Play Store and Firebase Firestore to distribute the app and receive configuration data. The spyware masquerades as five different apps:
- 휴대폰 관리자 (Phone Manager)
- File Manager
- 스마트 관리자 (Smart Manager)
- 카카오 보안 (Kakao Security)
- Software Update Utility
These apps have since been removed from Google Play, and the associated Firebase projects have been deactivated by Google.
Operational Mechanisms
KoSpy disguises itself as utility apps that provide basic working functionality; the exception is Kakao Security, which instead tricks users with a fake permission request. Before activating, the spyware checks whether it is running in a virtualized environment and confirms that the current date is past a hardcoded activation date, in order to evade analysis and detection.
Upon execution, KoSpy retrieves an encrypted configuration from Firebase Firestore, controlling activation and the C2 server address. This setup allows attackers to enable, disable, or change servers for stealth and resilience.
Communication and Data Exfiltration
KoSpy communicates with its C2 servers through two request types:
- Downloading Plugins: For additional functionalities.
- Retrieving Surveillance Configurations: Sent as an encrypted JSON, controlling parameters like C2 ping frequency, plugin URLs, and victim messages.
The spyware uses a unique identifier for each victim, derived from a hardware fingerprint. While some C2 domains remain online, they do not respond to client requests. Collected data is AES-encrypted before being transmitted to multiple Firebase projects and C2 servers for further exploitation.
Connections to Other Threat Groups
Lookout researchers found connections between KoSpy and North Korean threat groups APT43 and APT37. One of the C2 domains, st0746[.]net, links to an IP address in South Korea previously associated with malicious Korea-related domains. These include:
- naverfiles[.]com and mailcorp[.]center: Linked to Konni malware used by APT37.
- nidlogon[.]com: Part of APT43’s infrastructure.
The shared infrastructure suggests that KoSpy may be part of broader cyber-espionage operations targeting Korean users.
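The infrastructure indicators listed above are what a defender can act on immediately. The following is an added example, not code from the article or from Lookout, that refangs those domains and scans DNS query logs for lookups of the domains or any of their subdomains; the log lines are constructed for the example and the attribution labels are taken from the text above.

```python
import re
from typing import Optional

# Indicators from the write-up above, in defanged form, with the attribution it gives.
KOSPY_DOMAINS = {
    "st0746[.]net": "KoSpy C2",
    "naverfiles[.]com": "Konni (APT37)",
    "mailcorp[.]center": "Konni (APT37)",
    "nidlogon[.]com": "APT43 infrastructure",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'st0746[.]net' back into 'st0746.net'."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

WATCHLIST = {refang(d): label for d, label in KOSPY_DOMAINS.items()}

# Constructed sample DNS log lines (dnsmasq-style); not real telemetry.
SAMPLE_LOG = """\
Mar 12 10:01:22 gw dnsmasq[812]: query[A] www.naver.com from 10.0.0.23
Mar 12 10:01:40 gw dnsmasq[812]: query[A] api.st0746.net from 10.0.0.41
Mar 12 10:02:03 gw dnsmasq[812]: query[A] nidlogon.com from 10.0.0.41
Mar 12 10:02:15 gw dnsmasq[812]: query[A] notnidlogon.com from 10.0.0.9
Mar 12 10:02:50 gw dnsmasq[812]: query[AAAA] cdn.mailcorp.center. from 10.0.0.41
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")

def matches_watchlist(name: str) -> Optional[str]:
    """Return the attribution label if name is a watchlisted domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    for domain, label in WATCHLIST.items():
        # Suffix match on ".domain" so that e.g. 'notnidlogon.com' does not match 'nidlogon.com'.
        if name == domain or name.endswith("." + domain):
            return label
    return None

def scan_dns_log(text: str) -> list:
    """Return (client, queried name, label) for every query that hits the watchlist."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, client = m.groups()
        label = matches_watchlist(qname)
        if label:
            hits.append((client, qname.rstrip("."), label))
    return hits

if __name__ == "__main__":
    for client, qname, label in scan_dns_log(SAMPLE_LOG):
        print(f"{client} -> {qname}: {label}")
```

Note that the page states some of these domains are online but unresponsive, so a hit indicates a device worth isolating and examining rather than confirmed data exfiltration.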
Conclusion
The deployment of KoSpy by the ScarCruft group highlights the ongoing and evolving threat landscape in cyber espionage. As North Korean threat actors continue to develop and deploy sophisticated malware, it is crucial for organizations and individuals to remain vigilant and implement robust security measures to protect against such threats.
For more details, visit the full article: source
Follow the Author
- Twitter: @securityaffairs
- Facebook: Facebook
- Mastodon: Mastodon
- LinkedIn: Pierluigi Paganini