Website Popular in Korean Ethnic Enclave in China Hosts Apps Laced With a Backdoor
A recent investigation has exposed a North Korean hacking group that trojanized Android applications distributed by a local gaming platform in a Korean ethnic enclave in China, using them to spy on users. The likely targets are people who have escaped North Korea, which makes this a supply-chain compromise aimed squarely at a vulnerable population.
The Yanbian region in northeastern China (Jilin province) is a major transit point for people fleeing the government in Pyongyang. Given who lives in and passes through the area, security researchers at Eset conclude that the hackers are most likely conducting surveillance on defectors there. The case shows how espionage actors exploit trusted local platforms and the social dynamics of a community rather than attacking targets one by one.
Eset’s researchers found the campaign while examining a suspicious Android app uploaded to VirusTotal, a multi-engine scanning service. The Android package (APK) contained a backdoor, specifically an adaptation of a previously documented North Korean backdoor that Eset tracks as BirdCall. The sample was not an isolated artifact: as described below, it turned out to be the copy served by the platform itself, which points to a surveillance operation rather than a one-off repost.
The researchers noted that the APK offered for download on the platform’s official website, www.sqgame.net, matched the sample they had first seen on VirusTotal. That match shows the compromise reached the portal’s own distribution channel, not merely a third-party mirror. A second Android app hosted on the same site carried the same BirdCall backdoor, indicating the attackers did not limit themselves to a single title.
Eset attributes this supply-chain attack to the threat actor tracked as ScarCruft, also known as APT37 or Reaper. The group has historically operated mostly in Asia, though its activity has extended to Europe and the Middle East. By keeping a low profile and hijacking platforms its targets already trust, ScarCruft avoids the phishing lures and exploit delivery that defenders are more used to watching for.
Eset considers it probable that the attackers never obtained the original source code of the games hosted on Sqgame. Instead they reportedly compromised the associated web server, which let them replace the legitimate APKs with repackaged builds that contain the backdoor. The Android version of BirdCall can collect contacts, SMS messages, call logs, documents, and media files; most invasively, it can take screenshots and record audio from the device’s surroundings.
Because BirdCall talks to its operators through legitimate cloud storage services, its command-and-control traffic is hard to tell apart from ordinary HTTPS to those providers, which complicates network detection. The malware supports pCloud, Yandex Disk, and Zoho WorkDrive as command-and-control channels, yet for reasons that remain unclear the operators appear to rely solely on Zoho WorkDrive.
The implications of such surveillance are profound for people attempting to escape a repressive regime, for whom exposure can mean arrest or repatriation. The incident is a reminder that state-backed espionage actors adapt as quickly as the technology they abuse, and that the cost of the contest between them and defenders falls on the privacy and safety of the people caught in between.
Cyber espionage against vulnerable populations, especially those fleeing oppressive governments, deserves urgent attention. While researchers continue to uncover and disrupt such campaigns, developers, platform operators, and users all have a role: operators of download portals need to protect their web servers and verify the integrity of the packages they serve, and users should treat unsigned or side-loaded apps, even from a familiar local site, with caution. Building those controls into application distribution from the start is the most reliable defense against actors like ScarCruft.
