Lookout Discovers New Spyware by North Korean APT37
Summary:
Lookout has uncovered details of a new Android spyware, dubbed ‘KoSpy,’ that is masquerading as utility apps to target Korean- and English-speaking users. KoSpy has been active since March 2022 and uses the Google Play store and Firebase Firestore for propagation. Notably, it has been observed impersonating five different apps: File Manager, Smart Manager, Phone Manager, Software Update Utility and Kakao Security. The samples uncovered by researchers feature basic interfaces that direct users to relevant phone settings. For example, the Software Update Utility takes users to the Software Update section under System settings. The File Manager app functions as a simple file browser with added features. In contrast, the Kakao Security app lacks any real functionality, instead showing a fake system window and requesting unnecessary permissions.
Unknown to the end user, KoSpy activates its spyware functionality by first retrieving a simple configuration from Firebase Firestore. This encrypted configuration includes two parameters: an "on"/"off" switch and the Command and Control (C2) server address. This two-stage C2 management system allows the threat actor to control the spyware's operation and change C2 addresses if needed, offering flexibility and resilience if a C2 server is detected or blocked. Once the C2 address is obtained, KoSpy checks that the device is not an emulator and verifies that the current date is past the hardcoded activation date. This ensures the spyware remains undetected and does not reveal its malicious intent too early.
For its part, KoSpy can gather a wide range of sensitive information from victim devices through dynamically loaded plugins. It can collect SMS messages, call logs, and device location, as well as access local storage files and folders. Additionally, it can record audio, take photos, capture screenshots, and record the screen. KoSpy also monitors keystrokes by exploiting accessibility services, collects Wi-Fi network details, and compiles a list of installed applications.
Security Officer Comments:
KoSpy has been attributed with medium confidence to APT37, aka ScarCruft, a North Korean state-sponsored cyber espionage group. Active since 2012, APT37 has mainly targeted South Korea but has also conducted operations in countries such as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern nations. This KoSpy campaign is also connected to infrastructure used by APT43, another North Korean hacking group. Due to the overlapping infrastructure, tactics, techniques, and procedures (TTPs) used by North Korean threat actors, researchers note that attributing the latest campaign with high confidence to a specific group proves challenging. Nevertheless, this development underscores a recurring trend of North Korea conducting cyber espionage against South Korea, as well as other nations of strategic interest. By deploying tools like KoSpy, these actors can collect valuable data that may support the advancement of North Korea's submarine and missile programs.
Suggested Corrections:
Users should avoid downloading apps from unofficial sources and carefully review app permissions before installation, particularly those that request unnecessary access to sensitive data or device features. Keeping the operating system and apps up to date with security patches can help close vulnerabilities that the spyware may exploit. Additionally, using mobile security software that can detect and block malicious apps, along with enabling features like app permission controls, can further protect against spyware infections. Users should also regularly monitor their device for unusual activity, such as unexpected behavior or unauthorized access requests.
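The permission-review advice above can be turned into a quick triage check. The script below is an added example, not Lookout's tooling: it parses the `package:` / `uses-permission:` lines printed by `aapt dump permissions <apk>` and maps the requested permissions onto the collection capabilities the write-up lists (SMS, call logs, location, storage, audio, camera, Wi-Fi details, installed apps). Accessibility-service abuse is deliberately left out, because that capability is declared on a service rather than as a uses-permission line and must be reviewed in the Accessibility settings instead. The two APK listings are constructed samples; the threshold of three capabilities is an assumption, not a figure from the report.

```python
"""Flag utility-style apps whose requested permissions match spyware capabilities.

Added example (not Lookout's code). Input is the text format printed by
`aapt dump permissions <apk>`: a `package:` line followed by one
`uses-permission: name='...'` line per permission. Sample input is constructed.
"""
import re

# Real Android permission names grouped by the capability they enable.
# The grouping follows the capabilities listed in the KoSpy write-up.
# Accessibility (keystroke capture) is omitted on purpose: it is declared on a
# <service android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">,
# not as a uses-permission, so it does not appear in this listing.
CAPABILITY_PERMISSIONS = {
    "SMS messages": {"android.permission.READ_SMS",
                     "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "device location": {"android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"},
    "local storage": {"android.permission.READ_EXTERNAL_STORAGE",
                      "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "Wi-Fi details": {"android.permission.ACCESS_WIFI_STATE"},
    "installed app list": {"android.permission.QUERY_ALL_PACKAGES"},
}

PACKAGE_RE = re.compile(r"^package:\s*(\S+)")
PERM_RE = re.compile(r"^uses-permission:\s*name='([^']+)'")


def parse_aapt_permissions(text):
    """Return (package_name, set_of_permissions) from aapt-style output."""
    package = None
    perms = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = PACKAGE_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return package, perms


def capabilities_for(perms):
    """Sorted capability categories that the given permission set enables."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & needed)


def assess(text, threshold=3):
    """Flag an app when its permissions cover >= threshold capabilities.

    threshold=3 is an assumed triage cut-off, not a value from the report.
    """
    package, perms = parse_aapt_permissions(text)
    caps = capabilities_for(perms)
    return {"package": package, "capabilities": caps,
            "flag": len(caps) >= threshold}


# Constructed samples: a file manager with a permission set that fits its
# purpose, and a "security" app that, like the fake one in the report,
# asks for far more than it needs.
FILE_MANAGER = """package: com.example.filemanager
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.INTERNET'
"""

SECURITY_APP = """package: com.example.securityhelper
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    for sample in (FILE_MANAGER, SECURITY_APP):
        print(assess(sample))
```

Run it against real output by piping `aapt dump permissions app.apk` into `assess`; the point is not the score itself but the mismatch between what an app claims to be and which of the write-up's capabilities its permissions would grant.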
IOCs can be accessed here.
Link(s):
https://www.lookout.com/threat-inte...t-discovers-new-spyware-by-north-korean-apt37