Full Report
The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean- and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022; the most recent samples were flagged in March 2024. It is not clear how successful these efforts were.
Analysis Summary
# Threat Actor: ScarCruft (APT37/Reaper)
## Attribution & Identity
North Korea-linked state-sponsored cyber espionage group.
**Known Aliases:** APT37, Reaper, Group123, Red Eyes (APT27 is a separate, China-linked group and is not an alias of ScarCruft).
**Associated Groups:** Infrastructure overlaps were identified between the KoSpy campaign and infrastructure previously linked to Kimsuky (APT43), another North Korean group.
## Activity Summary
ScarCruft has been active since 2012. Recent activities detailed in the article include:
1. **KoSpy Android Spyware Campaign (March 2022 - March 2024):** Deployed a never-before-seen Android surveillance tool named KoSpy. Malicious artifacts masqueraded as legitimate utility applications (e.g., File Manager, Phone Manager) on the Google Play Store.
2. **Historical Windows Activity:** Orchestrated attack chains primarily leveraging the RokRAT malware to harvest sensitive data from Windows systems. RokRAT has since been adapted to target macOS and Android.
3. **Contagious Interview Campaign (Inferred Association, not attributed to ScarCruft):** Socket attributes the malicious npm packages carrying the BeaverTail stealer to Lazarus-linked actors, not to ScarCruft. The activity is listed here only because the source discusses it alongside other North Korean TTPs.
4. **Targeting the Cryptocurrency Sector (Inferred Association, not attributed to ScarCruft):** The same fake-job-interview social engineering delivered the Rust-based macOS backdoor **RustDoor** (ThiefBucket) and a previously undocumented macOS variant of **Koi Stealer** to cryptocurrency-sector targets; the lure was a coding "test" project that executed the malware when opened and run in Microsoft Visual Studio.
## Tactics, Techniques & Procedures
- **Masquerading/Defense Evasion:** Malicious Android apps masqueraded as utility applications on the Google Play Store.
- **C2 Obfuscation/Resiliency:** Used a Firebase Firestore cloud database as a dead drop resolver to retrieve the actual Command-and-Control (C2) server address, offering flexibility and resiliency.
- **Time-Based Activation:** KoSpy checked if the current date was past a hardcoded activation date to prevent premature detection.
- **Dynamic Loading:** KoSpy used dynamically loaded plugins to expand surveillance capabilities.
- **Social Engineering (Fake Lures, Contagious Interview cluster):** Used fake job interview coding projects on macOS as the initial delivery mechanism for RustDoor.
- **Credential Theft (Contagious Interview cluster):** Stole credentials from web browsers (Chrome, Brave, Firefox) and cryptocurrency wallets (Solana, Exodus).
- **Supply Chain Attack on Developers (Contagious Interview cluster):** Deployed malware via six malicious npm packages whose names mimic trusted libraries, backed by GitHub repositories created to make the packages appear legitimate.
- **Command and Control / Execution (Contagious Interview cluster):** RustDoor downloaded and executed bash scripts to establish a reverse shell to the operator.
- **Credential Access / Privilege Escalation (macOS, Contagious Interview cluster):** The Koi Stealer payload prompted victims for their system password under a false pretext, using it to unlock further data collection.
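The two KoSpy C2 behaviours above (the Firestore dead drop resolver and the activation-date gate) are modelled below, together with a simple network heuristic a defender could run over proxy or MDM logs. This is an added example, not Lookout's analysis code or the malware's source; the Firestore field names, document path, activation date, hostnames and the sample log lines are all constructed for illustration.

```python
"""Model of KoSpy's Firestore dead drop resolver and activation-date gate,
plus a defender-side heuristic.  Added example; not Lookout's or the
malware's own code.  Field names, the activation date and all hosts are
assumptions chosen for illustration."""
import json
from datetime import date, datetime, timedelta
from typing import Optional

# Constructed stand-in for a Firestore REST document.  The
# {"fields": {"<key>": {"<type>Value": ...}}} envelope is how the Firestore
# REST API serialises documents; the key names and URL are invented.
FIRESTORE_DOC_JSON = json.dumps({
    "name": "projects/demo/databases/(default)/documents/cfg/main",
    "fields": {
        "on": {"booleanValue": True},
        "url": {"stringValue": "https://c2.example.invalid/api"},
    },
})

ACTIVATION_DATE = date(2023, 3, 1)  # assumed hard-coded gate


def should_activate(today: date, activation: date = ACTIVATION_DATE) -> bool:
    """Time-based gate: nothing malicious runs before the activation date,
    so a sandbox run on the submission day only sees a benign utility app."""
    return today >= activation


def resolve_c2(doc_json: str) -> Optional[str]:
    """Dead drop resolver: read the real C2 address from the Firestore
    document.  Returns None when the operator has switched the 'on' flag
    off or the field is absent, in which case the implant stays dormant."""
    fields = json.loads(doc_json).get("fields", {})
    if not fields.get("on", {}).get("booleanValue", False):
        return None
    return fields.get("url", {}).get("stringValue")


def next_action(today: date, doc_json: str) -> str:
    """What the implant would do on a given day with a given document."""
    if not should_activate(today):
        return "dormant: before activation date"
    c2 = resolve_c2(doc_json)
    if c2 is None:
        return "dormant: dead drop disabled"
    return f"beacon to {c2}"


# Defender side: a Firestore lookup followed shortly by an app's first-ever
# contact with a non-Google host is the network shape of this resolver.
FIRESTORE_HOST = "firestore.googleapis.com"


def flag_dead_drop_pattern(events, window=timedelta(minutes=5)):
    """events: iterable of (timestamp, app_id, host).  Returns the list of
    (app_id, host) pairs where an app's first contact with a host outside
    googleapis.com happens within `window` after it queried Firestore."""
    last_firestore = {}
    seen = set()
    hits = []
    for ts, app, host in sorted(events):
        if host == FIRESTORE_HOST:
            last_firestore[app] = ts
            continue
        first_contact = (app, host) not in seen
        seen.add((app, host))
        t0 = last_firestore.get(app)
        if (first_contact and t0 is not None and ts - t0 <= window
                and not host.endswith(".googleapis.com")):
            hits.append((app, host))
    return hits


# Constructed sample log: one app showing the pattern, one benign app.
SAMPLE_EVENTS = [
    (datetime(2024, 3, 1, 9, 0, 0), "com.example.filemanager", FIRESTORE_HOST),
    (datetime(2024, 3, 1, 9, 0, 7), "com.example.filemanager", "c2.example.invalid"),
    (datetime(2024, 3, 1, 9, 1, 0), "com.example.notes", FIRESTORE_HOST),
    (datetime(2024, 3, 1, 9, 1, 1), "com.example.notes", "storage.googleapis.com"),
    (datetime(2024, 3, 1, 12, 0, 0), "com.example.notes", "cdn.example.invalid"),
]

if __name__ == "__main__":
    print(next_action(date(2022, 3, 15), FIRESTORE_DOC_JSON))
    print(next_action(date(2024, 3, 15), FIRESTORE_DOC_JSON))
    print(flag_dead_drop_pattern(SAMPLE_EVENTS))
```

The heuristic is deliberately crude: legitimate apps use Firestore constantly, so the signal is not the Firestore call itself but the first contact with a previously unseen, non-Google host immediately afterwards. Tune the window and an allowlist of known CDNs before using it in alerting.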
## Targeting
- **Sectors:** Mobile users in Korea (KoSpy); the cryptocurrency sector and software developers (Contagious Interview cluster, via fake interviews and npm supply chain).
- **Geography:** KoSpy targeted Korean- and English-speaking users; the npm supply chain activity has an implied global reach since any developer can install the packages.
- **Victims:** Mobile users who installed the disguised utility apps from the Google Play Store; developers who integrated the malicious npm packages; macOS users in the crypto sector lured with job interview projects.
## Tools & Infrastructure
- **Malware Families:**
- **KoSpy:** New Android surveillance tool (collects SMS, calls, location, files, audio, screenshots).
- **RokRAT:** Primary malware used against Windows, adapted for macOS/Android.
- **BeaverTail:** Information-stealing malware deployed via npm packages.
- **RustDoor (ThiefBucket):** Rust-based macOS backdoor.
- **Koi Stealer:** Previously undocumented macOS variant, delivered as the final stage of the RustDoor infection chain.
- **Infrastructure:**
- **Firebase Firestore:** Used as a dead drop resolver for C2 retrieval in the KoSpy campaign.
- **Npm Packages:** `is-buffer-validator`, `yoojae-validator`, `event-handle-package`, `array-empty-validator`, `react-event-dependency`, `auth-validator`.
## Implications
ScarCruft demonstrates continued investment in mobile platforms, most notably with the KoSpy Android spyware, which reached victims through the official Google Play Store and used a cloud database (Firestore) as a resilient dead drop for its C2 address. The npm supply chain attacks and the fake-job-interview lures against macOS users in the cryptocurrency sector are attributed in the source to Lazarus-linked actors rather than to ScarCruft, but taken together they show North Korean operators pursuing an evolving espionage and data theft mission across Android, macOS and the developer ecosystem.
## Mitigations
- Do not treat presence on the official Google Play Store as a trust signal: KoSpy shipped there disguised as utility apps (file and phone managers). Vet apps by developer reputation and requested permissions, and be suspicious of utilities that request SMS, call log, location or microphone access.
- For developers, scrutinize npm package sources before adding a dependency: prefer packages with an established download history and maintainers, pin exact versions, review `install`/`postinstall` scripts, and treat a freshly created GitHub repository as no evidence of legitimacy, since the attackers created repositories specifically to look trustworthy.
- Deploy a Mobile Threat Defense (MTD) or mobile EDR product that can flag dynamic code loading (e.g. `DexClassLoader`) and abnormal filesystem, telephony or accessibility-service use by apps that have no business reason for it.
- On macOS, enforce Gatekeeper and notarization, and treat an unexpected password prompt that appears after building or running a third-party project (for example a job interview "test" project opened in Visual Studio) as suspicious: the Koi Stealer stage relied on exactly that prompt to capture the user's system password.
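The developer mitigation above (scrutinizing npm dependencies) can be partly automated in CI. The script below is an added example, not Socket's tooling or code from the source: it walks an npm lockfile, flags the six package names listed under Tools & Infrastructure, flags names that are one edit away from, or extend, a small trusted list, and flags packages that carry an install script. The trusted list, the edit-distance threshold and the sample lockfile are assumptions for illustration.

```python
"""npm lockfile scan for the packages listed above, look-alike names and
install scripts.  Added example, not Socket's or the article's code.  The
TRUSTED list, the threshold and SAMPLE_LOCK are assumptions."""
import json

# The six malicious packages named in the source.
KNOWN_BAD = {
    "is-buffer-validator", "yoojae-validator", "event-handle-package",
    "array-empty-validator", "react-event-dependency", "auth-validator",
}

# Assumed: packages a team actually depends on and trusts.  Tune per project;
# legitimate extensions such as react-dom belong here too so they are not
# flagged as look-alikes.
TRUSTED = {"lodash", "react", "react-dom", "validator", "is-buffer", "express"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lockfile_packages(lock: dict):
    """Yield (package_name, entry) from an npm lockfile v2/v3 'packages' map.
    Keys look like 'node_modules/foo' or 'node_modules/a/node_modules/@s/b';
    the empty key is the root project and is skipped."""
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue
        yield path.rsplit("node_modules/", 1)[-1], entry


def scan_lockfile(lock_json: str, max_dist: int = 1):
    """Return [(name, [reasons])] for every package worth a human look."""
    findings = []
    for name, entry in lockfile_packages(json.loads(lock_json)):
        reasons = []
        if name in KNOWN_BAD:
            reasons.append("known malicious package")
        elif name not in TRUSTED:
            # Classic typosquat: a trusted name with one character changed.
            for t in sorted(TRUSTED):
                d = edit_distance(name, t)
                if 0 < d <= max_dist:
                    reasons.append(f"{d} edit(s) from '{t}'")
            # Name-extension squat: '<trusted>-something' that is not itself trusted.
            head = name.split("/")[-1].split("-")[0]
            if head in TRUSTED and head != name:
                reasons.append(f"extends trusted name '{head}'")
        # Lockfile v2+ records packages that run install hooks.
        if entry.get("hasInstallScript"):
            reasons.append("runs an install script")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample lockfile (v3 layout) with one typo-squat, one of the
# known-bad packages carrying an install script, and one more known-bad name.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"lodash": "^4.17.21"}},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/react-dom": {"version": "18.2.0"},
        "node_modules/lodsh": {"version": "1.0.0"},
        "node_modules/is-buffer-validator": {"version": "1.0.0",
                                             "hasInstallScript": True},
        "node_modules/auth-validator": {"version": "1.0.2"},
    },
})

if __name__ == "__main__":
    for name, reasons in scan_lockfile(SAMPLE_LOCK):
        print(name, "->", "; ".join(reasons))
```

Run it against `package-lock.json` in CI and fail the build on a `known malicious package` hit; the look-alike and install-script findings are review prompts rather than verdicts, since many legitimate packages (native modules, for instance) run install scripts.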