A newly discovered Android surveillance tool, known as KoSpy, has been linked to the North Korea-linked threat actor ScarCruft, targeting users who speak Korean and English.
According to Lookout, the company that shared details of the malware campaign, the earliest versions of KoSpy date back to March 2022, while the most recent samples were detected in March 2024. The success of these efforts is currently unknown.
Lookout stated that KoSpy has the capability to gather extensive data, including SMS messages, call logs, location, files, audio, and screenshots, via dynamically loaded plugins.
The malicious artifacts disguise themselves as utility applications on the Google Play Store, using names such as File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security, to trick users into infecting their devices.
These apps provide the promised functionality to avoid raising suspicion while secretly deploying spyware-related components in the background. The identified apps have since been removed from the app marketplace.
ScarCruft, also known as APT27 and Reaper, is a North Korean state-sponsored cyber espionage group that has been active since 2012. The group’s primary tool is RokRAT, originally used to harvest sensitive data from Windows systems and since adapted to target macOS and Android devices.
Once the malicious Android apps are installed, they establish contact with a Firebase Firestore cloud database to retrieve a configuration that contains the actual command-and-control (C2) server address.
By utilizing a legitimate service like Firestore as a dead drop resolver, the two-stage C2 approach offers flexibility and resiliency, allowing the threat actor to modify the C2 address at any time and remain undetected.
Lookout explained that after retrieving the C2 address, KoSpy checks to ensure the device is not an emulator and that the current date is past the hardcoded activation date, preventing the spyware from revealing its malicious intent prematurely.
KoSpy can download additional plugins and configurations to achieve its surveillance objectives. However, the exact nature of these plugins remains unknown because the C2 servers are inactive or unresponsive to client requests.
KoSpy is designed to collect a wide range of data from the compromised device, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It can also record audio and take photos.
Lookout discovered infrastructure overlaps between the KoSpy campaign and those previously linked to another North Korean hacking group called Kimsuky (aka APT43).
Contagious Interview Manifests as npm Packages
A recent discovery by Socket revealed a set of six npm packages designed to deploy a known information-stealing malware called BeaverTail, linked to an ongoing North Korean campaign tracked as Contagious Interview. The list of now-removed packages includes:
- is-buffer-validator
- yoojae-validator
- event-handle-package
- array-empty-validator
- react-event-dependency
- auth-validator
These packages are designed to collect system environment details and credentials stored in web browsers such as Google Chrome, Brave, and Mozilla Firefox. They also target cryptocurrency wallets, extracting id.json from Solana and exodus.wallet from Exodus.
Socket researcher Kirill Boychenko stated that the six new packages, which have been downloaded over 330 times, closely mimic the names of widely trusted libraries, employing a well-known
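The name mimicry noted above, from the defender's side, as an added example that is not code from Socket or the article: a small Python checker that scores a candidate package name against a list of widely used npm names and flags any that embed or closely misspell a trusted name. The TRUSTED list is a constructed sample (an assumption); a real deployment would load registry download rankings instead.

```python
from difflib import SequenceMatcher

# Constructed sample of widely used npm names; NOT a canonical list.
TRUSTED = ["is-buffer", "validator", "event-handler", "array-empty", "react", "auth"]

# The six packages named in the Socket report.
REPORTED = [
    "is-buffer-validator", "yoojae-validator", "event-handle-package",
    "array-empty-validator", "react-event-dependency", "auth-validator",
]


def tokens(name):
    """Split a package name on hyphens, lower-cased."""
    return name.lower().split("-")


def token_match(a, b, threshold=0.85):
    """Tokens match when equal or near-identical (handle vs handler, bufer vs buffer)."""
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


def embeds(trusted, candidate):
    """True if the trusted name's tokens occur as a contiguous, token-aligned run
    inside the candidate (e.g. is-buffer inside is-buffer-validator)."""
    t, c = tokens(trusted), tokens(candidate)
    for i in range(len(c) - len(t) + 1):
        if all(token_match(x, y) for x, y in zip(t, c[i:i + len(t)])):
            return True
    return False


def flag(candidate, trusted=TRUSTED):
    """Return the trusted names that a candidate package name imitates, in list order.
    An exact trusted name is not flagged against itself."""
    return [t for t in trusted if t != candidate and embeds(t, candidate)]


if __name__ == "__main__":
    for pkg in REPORTED:
        print(f"{pkg:24} -> {flag(pkg) or 'no trusted name embedded'}")
```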