Multiplatform Supply-Chain Attack Exposed by ESET Researchers
Researchers from ESET have identified a sophisticated multiplatform supply-chain attack attributed to the North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China. The attack has likely been ongoing since late 2024 and involves the deployment of a backdoor, named BirdCall, in both Windows and Android components of a video game platform focused on Yanbian-themed games.
The compromised video game platform primarily serves ethnic Koreans and includes a Windows client and various Android games. The Windows client was initially infiltrated through a malicious update that installed the RokRAT backdoor, which subsequently facilitated the deployment of the more advanced BirdCall backdoor. The Android games were also trojanized to include the Android version of BirdCall, representing a new capability in ScarCruft’s toolkit.
BirdCall grants attackers extensive spying capabilities, such as capturing screenshots, logging keystrokes, and collecting personal data. It uses legitimate cloud storage services for command and control (C&C) operations, employing protocols often found in standard applications. ESET’s analysis indicates that this attack aims chiefly at gathering intelligence on individuals from Yanbian, particularly North Korean defectors.
Defensive Context
Enterprises and organizations operating in or analyzing activities in the Yanbian region, especially those connected to the ethnic Korean community, should closely monitor their environments for signs of compromise. The nature of the attack, leveraging compromised software in a community-focused platform, indicates high-risk exposure for users who may inadvertently download trojanized applications.
Why This Matters
The espionage intent behind this campaign poses significant risks, particularly for organizations involved with the North Korean defector community. The sensitive nature of the information gathered could facilitate harmful actions against these individuals by the North Korean regime. Organizations providing support or resources to ethnic Koreans, particularly in border regions, should be especially vigilant.
Defender Considerations
Organizations utilizing software from platforms similar to the compromised gaming website should exercise caution. They should consider reviewing download sources for integrity and employ monitoring measures for unauthorized data access or exfiltration attempts. The recovery of malicious artifacts from the compromised platform could provide insights into ongoing C&C dynamics and assist in refining detection capabilities.
Indicators of Compromise (IOCs)
Concrete IOCs associated with this supply-chain attack include trojanized APK files and relevant network artifacts:
- Malicious APK URLs:
  http://sqgame.com.cn/ybht.apk
  http://sqgame.com.cn/sqybhs.apk
- SHA-1 hashes for trojanized files (truncated as published here):
  03E3ECE9F48CF4104AAF... (BirdCall version 1.3)
  FC0C691DB7E2D2BD3B0B... (BirdCall version 1.5)
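As an added illustration (this code is not part of ESET's research or of this article), the following Python checks local files and proxy log lines against the IoCs listed above. Because the SHA-1 values on this page are truncated, file matching here is by hash prefix only and any hit should be confirmed against the vendor's full hash list; the log lines are constructed sample data, and the function and variable names are this example's own.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# IoCs exactly as published on this page. The SHA-1 values are truncated
# there ("..."), so only prefix matching is possible; confirm any hit against
# the vendor's complete IoC list before acting on it.
IOC_URLS = [
    "http://sqgame.com.cn/ybht.apk",
    "http://sqgame.com.cn/sqybhs.apk",
]
IOC_SHA1_PREFIXES = {
    "03E3ECE9F48CF4104AAF": "BirdCall version 1.3",
    "FC0C691DB7E2D2BD3B0B": "BirdCall version 1.5",
}

# Constructed proxy log lines for demonstration; not real traffic.
SAMPLE_PROXY_LOG = [
    "2025-03-01T10:15:02Z client=10.0.0.12 GET http://sqgame.com.cn/ybht.apk 200 4128833",
    "2025-03-01T10:15:09Z client=10.0.0.12 GET https://update.example.com/patch.zip 200 22011",
    "2025-03-01T10:16:44Z client=10.0.0.40 CONNECT SQGAME.COM.CN:443 200 0",
]


def sha1_hex(data: bytes) -> str:
    """Upper-case hex SHA-1 of a byte string (the page lists hashes in upper case)."""
    return hashlib.sha1(data).hexdigest().upper()


def match_sha1_prefix(data: bytes, prefixes: Dict[str, str] = IOC_SHA1_PREFIXES) -> Optional[str]:
    """Return the IoC label if the SHA-1 of data starts with a listed prefix, else None."""
    digest = sha1_hex(data)
    for prefix, label in prefixes.items():
        if digest.startswith(prefix.upper()):
            return label
    return None


def scan_blobs(named_blobs: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Hash each (name, bytes) pair and collect (name, label) for every prefix match."""
    hits = []
    for name, data in named_blobs:
        label = match_sha1_prefix(data)
        if label:
            hits.append((name, label))
    return hits


def scan_files(paths: Iterable[Path]) -> List[Tuple[str, str]]:
    """Convenience wrapper: read files from disk and hand them to scan_blobs."""
    return scan_blobs((str(p), Path(p).read_bytes()) for p in paths)


def _url_key(url: str) -> str:
    """Normalise a URL to lower-case host + path so scheme, port and case differences do not hide a match."""
    m = re.match(r"^(?:[a-z]+://)?([^/:\s]+)(?::\d+)?(/[^\s?#]*)?", url.strip(), re.I)
    if not m:
        return url.lower()
    host, path = m.group(1).lower(), (m.group(2) or "/")
    return host + path


IOC_URL_KEYS = {_url_key(u) for u in IOC_URLS}
IOC_HOSTS = {_url_key(u).split("/", 1)[0] for u in IOC_URLS}


def find_ioc_urls(log_lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines for the listed URLs (strength "url") or just their host (strength "host").

    Returns (line_number, matched_token, strength). A bare host match is weaker
    evidence than a full URL match and is reported separately for that reason.
    """
    hits = []
    token_re = re.compile(r"\b(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s\"']*)?", re.I)
    for n, line in enumerate(log_lines, 1):
        for token in token_re.findall(line):
            key = _url_key(token)
            if key in IOC_URL_KEYS:
                hits.append((n, token, "url"))
            elif key.split("/", 1)[0] in IOC_HOSTS:
                hits.append((n, token, "host"))
    return hits


if __name__ == "__main__":
    for line_no, token, strength in find_ioc_urls(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {strength} match on {token}")
```

Run against a real proxy export by passing an open file to find_ioc_urls, and against a download directory with scan_files; a "host" hit on sqgame.com.cn without a listed APK path is worth triage but is not by itself proof of a trojanized download.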
Potentially affected environments should assess their exposure, particularly in sectors related to refugee assistance, diaspora engagement, and East Asian security studies.