The North Korea-aligned state-sponsored hacking group often called ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor known as BirdCall to seemingly target ethnic Koreans living in China.
While prior versions of the backdoor primarily targeted Windows users only, the supply chain attack is assessed to have enabled the threat actors to also target Android devices, essentially turning it into a multi-platform threat.
According to ESET, the campaign has singled out sqgame[.]net, a gaming platform used by ethnic Koreans living in the Yanbian region of China bordering North Korea and Russia. The region is also known to act as a major, high-risk transit point for North Korean defectors crossing the Tumen River.
The targeting of this platform is said to be a deliberate strategy given ScarCruft's storied history of targeting North Korean defectors, human rights activists, and university professors.
"In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor," the Slovakian cybersecurity company said in a report shared with The Hacker News ahead of publication.
Windows versions of BirdCall, described as an advanced evolution of RokRAT, have been detected in the wild since 2021. Over the years, RokRAT has also been adapted to target macOS (CloudMensis) and Android (RambleOn), indicating that the malware family continues to be actively maintained by the threat actors.
BirdCall comes fitted with features typically present in a backdoor, enabling screenshot capture, keystroke logging, clipboard content theft, shell command execution, and information gathering. Like RokRAT, the malware relies on legitimate cloud services such as Dropbox and pCloud for command-and-control (C2).
"BirdCall is usually deployed in a multistage loading chain, starting with a Ruby or Python script, and containing components encrypted using a computer-specific key," ESET said.
The Android variant of BirdCall, distributed as part of the sqgame[.]net supply chain attack, incorporates a subset of its Windows counterpart's features, while collecting contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio. An analysis of the malware's lineage has unearthed seven versions, with the first dating back to October 2024.
Interestingly, the supply chain attack has been found to only poison the Android APKs available for download from the platform, leaving the Windows desktop client and the iOS games intact. The download pages for two Android games hosted on sqgame[.]net were altered to serve the malicious APKs:
- sqgame.com[.]cn/ybht.apk
- sqgame.com[.]cn/sqybhs.apk
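As an added illustration (not part of the article or of ESET's report), a defender can hunt for downloads of the two APK paths above in web proxy logs. The Squid-style access log lines are constructed for this example, and matching on the refanged hostname plus path is an assumption about how the indicators appear on the wire.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators exactly as published (defanged) in the article above.
DEFANGED_IOCS = [
    "sqgame.com[.]cn/ybht.apk",
    "sqgame.com[.]cn/sqybhs.apk",
]

def refang(indicator: str) -> str:
    """Turn 'sqgame.com[.]cn/x.apk' into 'sqgame.com.cn/x.apk' for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# (hostname, path) pairs, e.g. ("sqgame.com.cn", "/ybht.apk")
KNOWN_BAD = {
    (host, "/" + path) for host, path in (refang(i).split("/", 1) for i in DEFANGED_IOCS)
}

# Simplified Squid access.log layout (constructed):
# <ts> <elapsed> <client> <action/code> <size> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def classify(url: str) -> Optional[str]:
    """Return a verdict label for a requested URL, or None if it is not of interest."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    if (host, path) in KNOWN_BAD:
        return "known-bad-apk"
    # Any other APK fetched from the compromised host deserves a look too.
    if host.endswith("sqgame.com.cn") and path.lower().endswith(".apk"):
        return "apk-from-compromised-host"
    return None

def hunt(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Parse log lines and return (timestamp, client, url, verdict) for each hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        verdict = classify(m.group("url"))
        if verdict:
            hits.append((m.group("ts"), m.group("client"), m.group("url"), verdict))
    return hits

# Constructed sample log lines: two hits, two benign requests, one malformed line.
SAMPLE_LOG = [
    "1733000000.123 45 10.0.0.5 TCP_MISS/200 5123456 GET http://sqgame.com.cn/ybht.apk - HIER_DIRECT/203.0.113.10 application/vnd.android.package-archive",
    "1733000001.000 12 10.0.0.6 TCP_MISS/200 2048 GET https://sqgame.com.cn/index.html - HIER_DIRECT/203.0.113.10 text/html",
    "1733000002.500 30 10.0.0.7 TCP_MISS/200 4000000 GET http://sqgame.com.cn/other.apk - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1733000003.000 10 10.0.0.8 TCP_MISS/200 100 GET https://example.org/app.apk - HIER_DIRECT/198.51.100.7 application/octet-stream",
    "garbage",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```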
It is currently not known when the website was breached and the poisoned APKs began to be distributed. However, it is believed that the incident occurred sometime in late 2024. What's more, evidence has emerged that an update package of the Windows desktop client delivered a trojanized DLL since at least November 2024 and for an unspecified period. The update package is no longer malicious.
Specifically, the modified DLL included a downloader that checks the list of running processes for analysis tools and virtual machine environments before proceeding to download and execute shellcode containing RokRAT. The backdoor is then used to fetch and install BirdCall on the infected hosts.
The Android version of BirdCall also relies on legitimate cloud storage services for C2 communications. These include pCloud, Yandex Disk, and Zoho WorkDrive, the last of which has become an increasingly common presence across multiple campaigns.
"The Android backdoor has seen active development, and provides surveillance capabilities, such as collection of personal data and documents, taking screenshots, and making voice recordings," ESET said.