Lookout Discovers New Spyware by North Korean APT37

Researchers from Lookout Threat Lab have uncovered a new Android surveillance tool called KoSpy, believed to be linked to the North Korean APT group ScarCruft. KoSpy uses fake utility apps as lures, targets predominantly Korean- and English-speaking users, and was distributed through the Google Play Store. The spyware can collect extensive sensitive data from victims’ devices. Affected: Android devices, Google Play Store, users in South Korea, Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, Middle Eastern countries.

Key points:

  • KoSpy is a new Android surveillance tool linked to the North Korean APT group ScarCruft.
  • It specifically targets Korean and English-speaking users with fake utility app lures.
  • Sample apps include “File Manager”, “Software Update Utility”, and “Kakao Security”.
  • The spyware uses Google Play Store and Firebase Firestore for distribution and configuration.
  • All malicious apps have been removed from Google Play Store.
  • KoSpy checks if the device is an emulator before activating its spyware functionality.
  • The spyware can collect data such as SMS, call logs, location, and more using plugins.
  • KoSpy uses a two-stage command-and-control (C2) setup, which gives the operators flexibility in how the implant is tasked.
  • Attribution of KoSpy’s activity links it to previous attacks by both APT37 and APT43.
  • The campaign is assessed to target users based on their language preferences.

MITRE Techniques:

  • Command and Control (T1071): Uses Firebase Firestore for configuration and maintains a dynamic C2 server structure.
  • Exploitation of Remote Services (T1210): Utilizes fake utility applications to exploit user trust and gain access to devices.
  • Data Collection (T1005): Collects SMS messages, call logs, device location, and more through loaded plugins.
  • Credential Dumping (T1003): Accesses and retrieves sensitive information like saved credentials and call logs.
  • File and Directory Discovery (T1083): Accesses files and folders through a file browsing functionality.

Indicators of Compromise:

  • [Domain] joinupvts[.]org
  • [Domain] resolveissue[.]org
  • [Domain] crowdon[.]info
  • [Domain] st0746[.]net
  • [Email] mlyqwl@gmail[.]com
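The indicators above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a log search. The following is an added example, not code from Lookout or from the report, that refangs the listed domains and email address and scans a few constructed log lines (dnsmasq-style DNS queries and a postfix-style SMTP line, invented here for illustration) for matches. Domain matching is suffix-aware, so a subdomain such as `api.joinupvts.org` is flagged while a look-alike like `resolveissue.org.example.com` is not.

```python
import re

# Indicators exactly as listed in the report, still defanged.
DEFANGED_IOCS = {
    "domain": [
        "joinupvts[.]org",
        "resolveissue[.]org",
        "crowdon[.]info",
        "st0746[.]net",
    ],
    "email": ["mlyqwl@gmail[.]com"],
}

# Constructed sample log lines for demonstration; not taken from any real system.
SAMPLE_LOGS = [
    "Mar 12 10:01:02 dnsmasq[811]: query[A] www.example.org from 10.0.0.15",
    "Mar 12 10:01:09 dnsmasq[811]: query[A] api.joinupvts.org from 10.0.0.23",
    "Mar 12 10:02:44 dnsmasq[811]: query[A] firestore.googleapis.com from 10.0.0.23",
    "Mar 12 10:03:01 dnsmasq[811]: query[A] st0746.net from 10.0.0.23",
    "Mar 12 10:05:17 dnsmasq[811]: query[A] resolveissue.org.example.com from 10.0.0.31",
    "Mar 12 10:07:30 postfix/smtpd[942]: from=<mlyqwl@gmail.com> to=<ops@example.org>",
]

# Hostname-like tokens (letters, digits, hyphens, dots, alphabetic TLD).
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Email addresses; the local part may contain dots, plus signs and hyphens.
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(indicator: str) -> str:
    """Convert a defanged indicator back to the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_matchers(iocs):
    """Return (domains, emails) as sets of refanged, lower-cased strings."""
    domains = {refang(d) for d in iocs["domain"]}
    emails = {refang(e) for e in iocs["email"]}
    return domains, emails


def domain_matches(hostname: str, domains) -> bool:
    """True if hostname equals an IoC domain or is a subdomain of one.

    The suffix check requires a dot boundary, so 'resolveissue.org.example.com'
    does not match 'resolveissue.org'.
    """
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def scan_lines(lines, iocs=DEFANGED_IOCS):
    """Scan log lines; return a list of (line_no, kind, indicator) hits."""
    domains, emails = build_matchers(iocs)
    hits = []
    for line_no, line in enumerate(lines, start=1):
        seen = set()
        for addr in EMAIL_RE.findall(line):
            addr = addr.lower()
            if addr in emails and ("email", addr) not in seen:
                seen.add(("email", addr))
                hits.append((line_no, "email", addr))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if domain_matches(host, domains) and ("domain", host) not in seen:
                seen.add(("domain", host))
                hits.append((line_no, "domain", host))
    return hits


if __name__ == "__main__":
    for line_no, kind, indicator in scan_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} match on {indicator}")
```

The Firestore query on line 3 of the sample is deliberately not flagged: the report says KoSpy uses Firebase Firestore for its configuration, but `googleapis.com` traffic is ubiquitous on Android and is not itself an indicator. Matching on the listed domains and email address only keeps the check precise.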

Full Story: https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37