Full Report
The North Korean hacker group APT37 has been delivering an Android version of a backdoor called BirdCall in a supply-chain attack through a video game platform. [...]
Analysis Summary
# Threat Actor: APT37
## Attribution & Identity
* **Name:** APT37
* **Aliases:** ScarCruft, Ricochet Chollima, RedEyes
* **Known Associations:** North Korean (DPRK) state-sponsored threat actor, likely operating under the Reconnaissance General Bureau (RGB).
## Activity Summary
Recent operations (primarily identified around October 2024) involve a supply-chain attack leveraging a video game platform (`sqgame[.]net`) to distribute malware. The actor developed at least seven versions of a previously undocumented Android variant of the **BirdCall** backdoor/spyware. This campaign demonstrates the actor's shift toward mobile exploitation alongside their traditional Windows-based espionage.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise:** Trojanizing legitimate software installers on a gaming platform.
* **DLL Sideloading/Injection:** Use of trojanized DLLs (e.g., `mono.dll`) to trigger initial infection chains on Windows.
* **Mobile Espionage:** Development of specialized Android malware with persistent background processes.
* **Persistence Mechanisms:** Playing a silent MP3 file in a loop on Android devices to prevent the OS from suspending the malware's process.
* **Scheduled Surveillance:** Specifically configured to record audio via the microphone during a set window (7 PM to 10 PM local time).
* **Data Exfiltration:** Targeted theft of sensitive file types, including document formats (.doc, .docx, .hwp) and security certificates (.p12).
## Targeting
* **Sectors:** Gaming, Video Game Platforms, Individual Defectors/Refugees.
* **Geography:** East Asia, specifically focused on the Yanbian autonomous region in China (bordering North Korea) and the Korean Peninsula.
* **Victims:** North Korean defectors, refugees, and individuals using Korean-language gaming platforms in China.
## Tools & Infrastructure
* **Malware Families:**
  * **BirdCall:** (Windows and Android variants) Backdoor and spyware.
  * **RokRAT:** Remote Access Trojan used in the Windows infection chain.
  * **Related Toolset:** THUMBSBD (air-gap targeting), KoSpy, M2RAT, and Dolphin.
* **Infrastructure:**
  * `sqgame[.]net` (Trojanized gaming site)
  * `mono[.]dll` (Trojanized DLL)
## Implications
APT37 continues to refine its mobile capabilities, transitioning its established Windows malware families into sophisticated Android spyware. The focus on the Yanbian region suggests a strategic objective of monitoring North Korean defectors and those assisting them. The use of supply-chain attacks via niche platforms indicates a highly targeted approach to bypass standard perimeter defenses by compromising trusted software sources for specific populations.
## Mitigations
* **Application Sourcing:** Restrict Android device installations to official marketplaces (Google Play) and disable "Install from Unknown Sources."
* **Mobile Threat Defense (MTD):** Implement MTD solutions to detect anomalous background activities (like persistent audio recording or silent media loops).
* **File Integrity Monitoring:** Monitor for unexpected modifications to common library files (e.g., `mono.dll`) within application directories.
* **User Training:** Educate high-risk individuals (defectors, activists) about the dangers of downloading software from third-party regional gaming sites.
* **Network Filtering:** Block known malicious domains and monitor for outbound exfiltration of `.hwp` (Hancom Office) files, which are frequently targeted by North Korean actors.
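The exfiltration and network-filtering points above translate into a simple egress heuristic: flag uploads of the document and certificate types the report names (.doc, .docx, .hwp, .p12) to hosts outside an allowlist, and any contact with the trojanized distribution domain. This is an added example, not part of the original report; the proxy log format, the `files.corp.example` allowlist entry and the sample log lines are constructed for illustration, and `sqgame.net` is the report's indicator written without defanging.

```python
"""Egress heuristic for the BirdCall exfiltration TTPs summarised above (added example)."""
import re
from urllib.parse import urlsplit

TARGETED_EXTENSIONS = {".doc", ".docx", ".hwp", ".p12"}   # file types named in the report
KNOWN_BAD_DOMAINS = {"sqgame.net"}                         # trojanized gaming site from the report
ALLOWED_UPLOAD_HOSTS = {"files.corp.example"}              # hypothetical sanctioned upload destination

# Constructed proxy log format: "<ts> <src_ip> <method> <url> <bytes_out> [filename=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)"
    r"(?: filename=(?P<fname>\S+))?$"
)

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def matches_domain(host, domain):
    # Match the domain itself and any subdomain of it.
    return host == domain or host.endswith("." + domain)

def analyse_line(line):
    """Return a list of alert strings for one log line (empty if benign or unparseable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    host = host_of(m["url"])
    alerts = []
    if any(matches_domain(host, d) for d in KNOWN_BAD_DOMAINS):
        alerts.append(f"contact with known distribution domain: {host}")
    fname = (m["fname"] or "").lower()
    ext = fname[fname.rfind("."):] if "." in fname else ""
    if m["method"] in {"POST", "PUT"} and ext in TARGETED_EXTENSIONS \
            and host not in ALLOWED_UPLOAD_HOSTS:
        alerts.append(f"{ext} upload to non-allowlisted host {host} ({m['bytes']} bytes)")
    return alerts

def analyse_log(lines):
    """Map line index -> alerts for every line that triggered at least one alert."""
    return {i: a for i, line in enumerate(lines) if (a := analyse_line(line))}

SAMPLE_LOG = [  # constructed sample traffic
    "2024-10-03T20:15:01Z 10.0.0.7 POST https://cdn.update-srv.example/up 48213 filename=report.hwp",
    "2024-10-03T20:15:09Z 10.0.0.7 GET https://dl.sqgame.net/setup.exe 1048576",
    "2024-10-03T20:16:44Z 10.0.0.9 PUT https://files.corp.example/x 9000 filename=memo.docx",
    "2024-10-03T20:17:02Z 10.0.0.7 POST https://cdn.update-srv.example/up 3100 filename=cert.p12",
]

if __name__ == "__main__":
    for idx, alerts in analyse_log(SAMPLE_LOG).items():
        print(idx, alerts)
```

The sanctioned `.docx` upload on the third line produces no alert, while the `.hwp` and `.p12` uploads and the contact with the distribution domain each do.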