ScarCruft (APT37) conducted a multiplatform supply-chain attack against a Yanbian-themed gaming platform, trojanizing a Windows update package (via a patched mono.dll) and Android game APKs to deliver the BirdCall backdoor for espionage. The campaign targeted ethnic Koreans in the Yanbian region and used compromised South Korean websites for payload hosting and Zoho WorkDrive cloud accounts for command-and-control. #ScarCruft #BirdCall
Keypoints
- ScarCruft compromised the sqgame gaming platform serving the Yanbian region to distribute malicious updates and trojanized Android games.
- The Windows update package contained a patched mono.dll downloader that fetched RokRAT and subsequently deployed the BirdCall backdoor.
- Android versions of two games (ybht.apk and sqybhs.apk) were repackaged with an Android port of BirdCall that collects contacts, SMS, call logs, files, screenshots, and audio.
- Android BirdCall uses cloud storage (notably Zoho WorkDrive) for C2 and supports configuration updates delivered via images hosted on compromised South Korean sites.
- Victims are likely ethnic Koreans in Yanbian, a border region with North Korea, suggesting espionage goals focused on defectors or individuals of interest to the DPRK.
- ESET observed active development of Android BirdCall with multiple versions (v1.0–v2.0) and provided IoCs including APK hashes, trojanized mono.dll, compromised domains, and IPs.
MITRE Techniques
- [T1584.004 ] Compromise Infrastructure: Server – ScarCruft compromised South Korean websites to host payloads and configurations. (‘ScarCruft compromised South Korean websites to host payloads and configurations. ScarCruft compromised the sqgame website to perform a supply-chain attack.’)
- [T1585.003 ] Establish Accounts: Cloud Accounts – The group created and used Zoho WorkDrive accounts as cloud storage drives for C2. (‘ScarCruft created Zoho WorkDrive accounts and used their cloud storage drives for C&C purposes.’)
- [T1587.001 ] Develop Capabilities: Malware – ScarCruft developed an Android port of the BirdCall backdoor. (‘ScarCruft developed the Android version of the BirdCall backdoor.’)
- [T1608.001 ] Stage Capabilities: Upload Malware – Trojans and malicious updates were uploaded to the compromised sqgame site. (‘ScarCruft uploaded trojanized games to the compromised sqgame website.’)
- [T1195.002 ] Supply Chain Compromise: Compromise Software Supply Chain – The sqgame update server was compromised to distribute malicious updates (trojanized mono.dll). (‘ScarCruft compromised an sqgame update server to distribute malicious updates.’)
- [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – BirdCall can execute shell commands on Windows. (‘BirdCall can execute shell commands.’)
- [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File – BirdCall and trojanized components use encrypted strings and encrypted loading chain components. (‘BirdCall has encrypted strings and loading chain components. The trojanized mono library contains encrypted shellcode.’)
- [T1070.004 ] Indicator Removal: File Deletion – The trojanized mono library is replaced with the original clean mono library after deployment. (‘The trojanized mono library is replaced with a clean one.’)
- [T1112 ] Modify Registry – BirdCall can modify word-processor settings to enable macros, a Windows-side capability. (‘BirdCall can modify settings of word processors to enable macros.’)
- [T1140 ] Deobfuscate/Decode Files or Information – BirdCall decrypts strings and loading chain components during execution. (‘BirdCall decrypts strings and loading chain components.’)
- [T1480.001 ] Execution Guardrails: Environmental Keying – Components in the loading chain are encrypted with a computer-specific key to limit execution. (‘BirdCall’s loading chain has components encrypted with a computer-specific key.’)
- [T1497 ] Virtualization/Sandbox Evasion – The downloader checks for analysis tools and virtual machine environments and will not proceed if found. (‘The downloader in the trojanized mono library checks for analysis tools and virtual machine environments.’)
- [T1555 ] Credentials from Password Stores – BirdCall can obtain saved passwords from browsers and other software on Windows. (‘BirdCall can obtain saved passwords from browsers and other software.’)
- [T1046 ] Network Service Discovery – BirdCall can perform HTTP scans of hosts/ports to discover network services. (‘BirdCall can scan a range of IPs and ports with an HTTP GET request.’)
- [T1082 ] System Information Discovery – BirdCall collects system information from the compromised host; on Android this includes brand, model, OS version, kernel version, and rooted status. (‘BirdCall can obtain various system information.’)
- [T1083 ] File and Directory Discovery – BirdCall obtains directory listings and searches drives for files of interest. (‘BirdCall can obtain information about drives and directories.’)
- [T1005 ] Data from Local System – BirdCall collects user files from local IM apps and other storage. (‘BirdCall can collect user files from IM clients KakaoTalk, WeChat, and Signal.’)
- [T1056.001 ] Input Capture: Keylogging – BirdCall can log keystrokes on Windows. (‘BirdCall can log keystrokes.’)
- [T1113 ] Screen Capture – BirdCall can capture screenshots on both Windows and Android. (‘BirdCall can capture screenshots.’)
- [T1115 ] Clipboard Data – BirdCall can collect clipboard contents. (‘BirdCall can collect clipboard contents.’)
- [T1119 ] Automated Collection – BirdCall periodically collects files with certain extensions from local and removable drives. (‘BirdCall can periodically collect files with certain extensions from local and removable drives.’)
- [T1125 ] Video Capture – BirdCall can capture a webcam photo, a Windows-side capability. (‘BirdCall can capture a webcam photo.’)
- [T1560 ] Archive Collected Data – Collected data is compressed and encrypted prior to exfiltration. (‘BirdCall compresses and encrypts collected data before exfiltration.’)
- [T1071.001 ] Application Layer Protocol: Web Protocols – BirdCall uses HTTPS/HTTP to communicate with cloud storage APIs for C2. (‘BirdCall uses HTTP to communicate with cloud storage services.’)
- [T1090 ] Proxy – BirdCall has the capability to act as a proxy forwarding traffic. (‘BirdCall can act as a proxy.’)
- [T1102.002 ] Web Service: Bidirectional Communication – BirdCall uses cloud storage services for bidirectional C2 and data exchange. (‘BirdCall communicates with cloud storage services to download commands and exfiltrate data.’)
- [T1020 ] Automated Exfiltration – BirdCall periodically exfiltrates collected data to its C2. (‘BirdCall periodically exfiltrates collected data.’)
- [T1041 ] Exfiltration Over C2 Channel – Data is exfiltrated over the established C2 channel. (‘BirdCall exfiltrates data to its C&C server.’)
- [T1567.002 ] Exfiltration Over Web Service: Exfiltration to Cloud Storage – BirdCall exfiltrates collected data to cloud storage drives (e.g., Zoho WorkDrive). (‘BirdCall exfiltrates data to cloud storage services.’)
- [T1474.003 ] Supply Chain Compromise: Compromise Software Supply Chain (Mobile) – Android games on sqgame were trojanized and delivered via the compromised website. (‘ScarCruft performed a supply-chain attack, compromising the sqgame website, to distribute trojanized games containing the Android BirdCall backdoor.’)
- [T1406 ] Obfuscated Files or Information (Mobile) – Android BirdCall v2.0 is obfuscated. (‘Version 2.0 of the Android BirdCall backdoor is obfuscated.’)
- [T1407 ] Download New Code at Runtime (Mobile) – The Android backdoor can download and load newer versions (APK updates). (‘The Android BirdCall backdoor can download and load newer versions of itself.’)
- [T1541 ] Foreground Persistence (Mobile) – The backdoor uses startForeground and plays silent audio loops to remain active while taking screenshots. (‘Android BirdCall uses the startForeground API to take screenshots while in the background.’)
- [T1420 ] File and Directory Discovery (Mobile) – Android BirdCall enumerates shared external storage and searches for file extensions of interest. (‘Android BirdCall creates a directory listing and searches for files with specified extensions.’)
- [T1422 ] System Network Configuration Discovery (Mobile) – The backdoor collects the device’s IMEI, IP address, and MAC address. (‘Android BirdCall obtains the device’s IMEI, IP address, and MAC address.’)
- [T1426 ] System Information Discovery (Mobile) – Android BirdCall collects device model, OS, kernel, rooted status, battery, RAM, and storage info. (‘Android BirdCall obtains system information of the compromised device including brand, model, OS version, kernel version, rooted status, battery temperature, RAM, and storage information.’)
- [T1532 ] Archive Collected Data (Mobile) – Android BirdCall compresses and encrypts collected files before exfiltration. (‘Android BirdCall compresses and encrypts collected data.’)
- [T1429 ] Audio Capture (Mobile) – The backdoor can record audio via the microphone and eavesdrop on surroundings. (‘Android BirdCall can record voice using the microphone.’)
- [T1430 ] Location Tracking (Mobile) – Android BirdCall obtains approximate device location using ipinfo.io geolocation. (‘Android BirdCall obtains approximate device location using the ipinfo[.]io service.’)
- [T1513 ] Screen Capture (Mobile) – Android BirdCall can take screenshots on the infected device. (‘Android BirdCall can take screenshots.’)
- [T1533 ] Data from Local System (Mobile) – The mobile backdoor collects specific local files with targeted extensions (.jpg, .docx, .p12, etc.). (‘Android BirdCall collects local files with the following extensions: .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12.’)
- [T1636.002 ] Protected User Data: Call Log (Mobile) – Android BirdCall collects the device call log. (‘Android BirdCall collects the call log.’)
- [T1636.003 ] Protected User Data: Contact List (Mobile) – The backdoor collects the contact list. (‘Android BirdCall collects the contact list.’)
- [T1636.004 ] Protected User Data: SMS Messages (Mobile) – Android BirdCall collects SMS messages. (‘Android BirdCall collects SMS messages.’)
- [T1437.001 ] Application Layer Protocol: Web Protocols (Mobile) – Android BirdCall communicates with C2 cloud drives via HTTPS. (‘Android BirdCall communicates with the C&C cloud storage drive using HTTPS.’)
- [T1481.002 ] Web Service: Bidirectional Communication (Mobile) – Android BirdCall uses Zoho WorkDrive drives for bidirectional C2. (‘Android BirdCall uses a Zoho WorkDrive service cloud storage drive for C&C purposes.’)
- [T1646 ] Exfiltration Over C2 Channel (Mobile) – Android BirdCall exfiltrates collected data using its C2 channel to cloud storage. (‘Android BirdCall uses the C&C channel for data exfiltration.’)
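The execution-guardrail entry above (T1480.001, together with the encrypted loading-chain items T1027.013 and T1140) describes components that only decrypt on the intended machine. The following is an added illustration of that environmental-keying pattern, written for this page; it is not BirdCall's actual scheme, which the text does not detail. The machine identifier, the salt and the stdlib-only cipher construction (HMAC-SHA256 counter keystream plus an HMAC tag) are assumptions chosen so the example runs offline, not a recommendation for real use. The point it makes is the analyst-relevant one: a sandbox or analysis VM with a different identifier recovers nothing, so such stages have to be decrypted on the victim host or with identifiers taken from it.

```python
"""Environmental keying, illustrated (added example, not BirdCall's code)."""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def derive_key(machine_id: str) -> bytes:
    """Key bound to a host-specific value. Real loaders use things like the
    machine GUID, volume serial or hostname; the salt is a demo constant."""
    return hashlib.sha256(b"demo-env-keying-salt|" + machine_id.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib-only construction)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal(payload: bytes, machine_id: str) -> bytes:
    """Encrypt-then-MAC the payload under the host-derived key."""
    key = derive_key(machine_id)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(blob: bytes, machine_id: str) -> Optional[bytes]:
    """Return the payload on the intended host; None anywhere else.
    The tag check fails with a wrong key, so the guardrail trips before
    any garbage could be handed to the next stage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    key = derive_key(machine_id)
    nonce, tag, ct = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    stage = b"next-stage payload (constructed placeholder)"
    blob = seal(stage, "VICTIM-MACHINE-GUID")  # identifiers are assumptions
    print("victim host :", unseal(blob, "VICTIM-MACHINE-GUID"))
    print("sandbox host:", unseal(blob, "SANDBOX-MACHINE-GUID"))
```

The consequence for triage is that a captured second stage from such a chain is useless on its own; the responder also needs the keying material (here the machine identifier) from the infected system, or the loader's derivation logic, to recover the payload.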
Indicators of Compromise
- [File Hashes ] Trojanized APKs and trojanized libraries (SHA-1) – 03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF (ybht.apk), FC0C691DB7E2D2BD3B0B4C1E24D18DF72168B7D9 (sqybhs.apk), plus seven further hashes not reproduced here.
- [Filenames ] Malicious or modified installers and libraries – ybht.apk (trojanized Yanbian Red Ten), sqybhs.apk (trojanized New Drawing), mono.dll (trojanized library used in Windows update).
- [IP Addresses ] Hosts serving the compromised site and payloads – 39.106.249[.]68 (sqgame.com[.]cn, hosting the trojanized games), 221.143.43[.]214 (www.lawwell.co[.]kr, compromised site hosting shellcode).
- [Domains/URLs ] Compromised distribution and hosting domains – sqgame.com[.]cn (official gaming platform, hosting the trojanized APKs and updates), xiazai.sqgame.com[.]cn/dating/20240429.zip (malicious update package URL), and compromised South Korean domains such as www.lawwell.co[.]kr used to host payloads.
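As an added example of how a responder would put the indicators above to work (this is written for this page and is not ESET's tooling), the script below does two things: it hashes files under a directory with SHA-1 and matches them against the two trojanized-APK hashes reproduced here, and it scans web-proxy log lines for the distribution hosts, the compromised South Korean site, and the legitimate services the Android backdoor is described as using (Zoho WorkDrive for C2, ipinfo.io for geolocation). The Zoho WorkDrive hostname, the log line shape and the sample log lines are constructed assumptions; the seven hashes the report lists but this page omits are not included.

```python
"""IoC sweep for the sqgame/BirdCall campaign (added example, not ESET's code)."""
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set, Tuple

# SHA-1 hashes and labels from the IoC section above.
APK_HASHES: Dict[str, str] = {
    "03e3ece9f48cf4104aafc535790ca2fb3c6b26cf": "ybht.apk (trojanized Yanbian Red Ten)",
    "fc0c691db7e2d2bd3b0b4c1e24d18df72168b7d9": "sqybhs.apk (trojanized New Drawing)",
}

# Hosts and IPs from the IoC section; any contact is worth a ticket on its own.
STRONG_HOSTS: Set[str] = {
    "sqgame.com.cn", "xiazai.sqgame.com.cn", "39.106.249.68",
    "www.lawwell.co.kr", "221.143.43.214",
}
# Legitimate services the Android backdoor talks to. The WorkDrive hostname is
# an assumption (check your tenant's real Zoho endpoints). A hit on one of
# these alone is everyday traffic, so they are correlated, never flagged singly.
WEAK_HOSTS: Set[str] = {"workdrive.zoho.com", "ipinfo.io"}

_URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#\s]+)", re.I)

# Constructed sample log. Line shape: "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2024-05-02T09:12:44Z 10.0.0.23 GET http://xiazai.sqgame.com.cn/dating/20240429.zip
2024-05-02T09:13:02Z 10.0.0.23 GET https://www.lawwell.co.kr/constructed/path.png
2024-05-02T09:20:11Z 10.0.0.41 GET https://ipinfo.io/json
2024-05-02T09:20:15Z 10.0.0.41 POST https://workdrive.zoho.com/constructed/upload
2024-05-02T09:25:00Z 10.0.0.57 GET https://ipinfo.io/json
2024-05-02T09:30:00Z 10.0.0.88 GET https://www.example.com/
"""


def match_hash(sha1_hex: str) -> Optional[str]:
    """IoC label for a SHA-1 hex digest, case-insensitive; None if unknown."""
    return APK_HASHES.get(sha1_hex.strip().lower())


def sweep_files(root: Path) -> List[Tuple[Path, str, str]]:
    """Walk root and return (path, sha1, label) for every file matching an IoC."""
    hits: List[Tuple[Path, str, str]] = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = hashlib.sha1(p.read_bytes()).hexdigest()
            label = match_hash(digest)
            if label:
                hits.append((p, digest, label))
    return hits


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' if the string is not a URL."""
    m = _URL_HOST.match(url)
    return m.group(1).lower() if m else ""


def scan_log_lines(lines: Iterable[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Per client IP, the strong and weak indicator hosts it contacted."""
    seen: Dict[str, Dict[str, Set[str]]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # not in the constructed format; skip
        client, host = parts[1], host_of(parts[3])
        bucket = seen.setdefault(client, {"strong": set(), "weak": set()})
        if host in STRONG_HOSTS:
            bucket["strong"].add(host)
        elif host in WEAK_HOSTS:
            bucket["weak"].add(host)
    return seen


def flag_clients(seen: Dict[str, Dict[str, Set[str]]]) -> Dict[str, str]:
    """Strong indicator: flag outright. Weak indicators: flag only a client that
    hit both the C2 service and the geolocation service, the pairing the Android
    backdoor produces; either one alone is normal traffic."""
    flagged: Dict[str, str] = {}
    for client, b in seen.items():
        if b["strong"]:
            flagged[client] = "contacted " + ", ".join(sorted(b["strong"]))
        elif b["weak"] >= WEAK_HOSTS:
            flagged[client] = "contacted both " + " and ".join(sorted(b["weak"]))
    return flagged


if __name__ == "__main__":
    for client, why in flag_clients(scan_log_lines(SAMPLE_LOG.splitlines())).items():
        print(f"[LOG]  {client}: {why}")
    if len(sys.argv) > 1:  # optional directory to hash-sweep, e.g. a phone backup
        for path, digest, label in sweep_files(Path(sys.argv[1])):
            print(f"[FILE] {path} {digest} -> {label}")
```

Run it without arguments to see the log correlation on the constructed sample (10.0.0.23 is flagged on the strong indicators, 10.0.0.41 on the WorkDrive-plus-ipinfo pairing, 10.0.0.57 is not flagged for ipinfo.io alone), or pass a directory to hash-sweep extracted APKs. The hash match is exact, so a rebuilt or re-signed APK will not hit; pair it with a signer-certificate check against the legitimate developer's certificate where you have one.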