Unveiling KoSpy: ScarCruft's New Android Spyware Targeting Korean and English Users

TL;DR

• New Threat: North Korea-linked ScarCruft APT group deploys KoSpy, a new Android spyware targeting Korean and English-speaking users.
• Capabilities: KoSpy collects SMS, calls, location data, files, audio, and screenshots via plugins.
• Distribution: Masquerades as utility apps like “File Manager” and “Kakao Security,” using Google Play Store and Firebase Firestore.

North Korea-Linked APT Group ScarCruft Deploys New Android Spyware KoSpy

The North Korea-linked threat actor ScarCruft, also known as APT37, Reaper, and Group123, has been identified as the group behind a newly discovered Android surveillance tool named KoSpy. This spyware has been used to target Korean and English-speaking users, highlighting the ongoing cyber espionage efforts by North Korean threat actors.

Historical Context of ScarCruft

ScarCruft has been active since at least 2012 and gained significant attention in early February 2018 when it was revealed that the group exploited a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users. Kaspersky first documented the group’s operations in 2016, noting that their primary targets included government, defense, military, and media organizations in South Korea.

KoSpy: A New Threat

Researchers at Lookout have attributed the KoSpy spyware to the ScarCruft group with medium confidence. The malware family, which emerged in March 2022, has seen continuous development, with the most recent samples detected in March 2024. KoSpy has been observed using fake utility application lures, such as “File Manager,” “Software Update Utility,” and “Kakao Security,” to infect devices.

Distribution and Infection Methods

KoSpy leverages the Google Play Store and Firebase Firestore to distribute the app and receive configuration data. The spyware masquerades as five different apps:

• 휴대폰 관리자 (Phone Manager)
• File Manager
• 스마트 관리자 (Smart Manager)
• 카카오 보안 (Kakao Security)
• Software Update Utility

These apps have since been removed from Google Play, and the associated Firebase projects have been deactivated by Google.

Operational Mechanisms

KoSpy disguises itself as utility apps with basic functions, except for Kakao Security, which tricks users with a fake permission request. Before activation, the spyware checks if it is running in a virtualized environment and confirms that the current date is past the hardcoded activation date to avoid analysis and detection.

Upon execution, KoSpy retrieves an encrypted configuration from Firebase Firestore, controlling activation and the C2 server address. This setup allows attackers to enable, disable, or change servers for stealth and resilience.

Communication and Data Exfiltration

KoSpy communicates with its C2 servers through two request types:

1. Downloading Plugins: For additional functionalities.
2. Retrieving Surveillance Configurations: Sent as an encrypted JSON, controlling parameters like C2 ping frequency, plugin URLs, and victim messages.

The spyware uses a unique identifier for each victim, calculated through a hardware fingerprint. While some C2 domains remain online, they do not respond to client requests. The spyware transmits the encrypted data via AES to multiple Firebase projects and C2 servers for further exploitation.

Connections to Other Threat Groups

Lookout researchers found connections between KoSpy and North Korean threat groups APT43 and APT37. One of the C2 domains, st0746[.]net, links to an IP address in South Korea previously associated with malicious Korea-related domains. These include:

• naverfiles[.]com and mailcorp[.]center: Linked to Konni malware used by APT37.
• nidlogon[.]com: Part of APT43’s infrastructure.

The shared infrastructure suggests that KoSpy may be part of broader cyber-espionage operations targeting Korean users.

Conclusion

The deployment of KoSpy by the ScarCruft group highlights the ongoing and evolving threat landscape in cyber espionage. As North Korean threat actors continue to develop and deploy sophisticated malware, it is crucial for organizations and individuals to remain vigilant and implement robust security measures to protect against such threats.

For more details, visit the full article: source

Follow the Author

• Twitter: @securityaffairs
• Facebook: Facebook
• Mastodon: Mastodon
• LinkedIn: Pierluigi Paganini

Additional Resources

For further insights, check:

• Security Affairs
• Kaspersky Report on ScarCruft
• Lookout Research on KoSpy