A cyber espionage group linked to North Korea, known as ScarCruft, has been identified executing a supply chain attack on a gaming platform catering to ethnic Koreans in China’s Yanbian region. This malicious operation involved embedding backdoors into both Windows and Android versions of the platform’s games, effectively transforming a reliable service into a tool for covert surveillance.
ScarCruft’s Strategic Targeting
The attack, which has likely been ongoing since late 2024, appears to be aimed at gathering sensitive information on individuals of interest to the North Korean government, such as refugees and defectors. The compromised platform, named sqgame, offers card and board games themed around the Yanbian region for Windows, Android, and iOS users. ScarCruft did not tamper with the games’ source code directly; instead, they gained access to the platform’s web server and altered the original Android game files hosted there by adding malicious code.
Two Android games from the sqgame website were infected with the BirdCall backdoor, while the Windows client was attacked through a malicious update package. The iOS version appeared unaffected, likely because Apple’s stringent review process makes it harder to target.
Analysis by Security Experts
WeLiveSecurity analysts, who attribute the attack to ScarCruft with high confidence, published a comprehensive analysis of this multi-platform supply chain threat. Their investigation highlighted the new Android BirdCall tool within ScarCruft’s arsenal, marking the first public analysis of this variant. ESET telemetry confirmed the malicious Windows update has been active since at least November 2024, initially deploying the RokRAT backdoor before introducing the more sophisticated BirdCall backdoor onto victim systems.
ScarCruft, also known as APT37 or Reaper, has been operational since at least 2012, often identified as a North Korean state-sponsored cyber espionage entity. While their primary targets are in South Korea, they have also attacked other Asian nations, focusing on government, military, and industry sectors linked to North Korean interests. The Yanbian region, bordering North Korea and hosting the largest ethnic Korean community outside the peninsula, aligns closely with the group’s targeting strategy, particularly as a potential crossing point for defectors.
Implications and Precautions
The Android BirdCall backdoor, internally named “zhuagou,” is spread through altered game packages hosted on the sqgame website. Each APK’s AndroidManifest.xml file is modified to reroute the app’s startup to the backdoor’s code. As users play the game, the backdoor quietly operates in the background, so the user sees nothing unusual.
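As an added illustration (not code from the ESET report or this article), the following Python triage helper compares the startup entry points declared in two decoded AndroidManifest.xml files, such as a known-good APK and a suspect one; it assumes the manifests have already been decoded to plain XML (for example with apktool), and the package and class names in the samples are constructed, not the real game’s:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"

def startup_entry_points(manifest_xml: str) -> dict:
    """Classes Android runs at app start: the Application subclass and the
    target of every activity/activity-alias with a MAIN + LAUNCHER filter."""
    app = ET.fromstring(manifest_xml).find("application")
    result = {"application": None, "launchers": []}
    if app is None:
        return result
    result["application"] = app.get(NAME)
    for comp in app.findall("activity") + app.findall("activity-alias"):
        for intf in comp.findall("intent-filter"):
            actions = {a.get(NAME) for a in intf.findall("action")}
            cats = {c.get(NAME) for c in intf.findall("category")}
            if MAIN in actions and LAUNCHER in cats:
                # an alias launches its android:targetActivity, not itself
                target = comp.get(f"{{{ANDROID_NS}}}targetActivity") or comp.get(NAME)
                result["launchers"].append(target)
    result["launchers"].sort()
    return result

def entry_point_changes(baseline_xml: str, suspect_xml: str) -> list:
    """Every startup entry point that differs between a known-good and a suspect manifest."""
    base, susp = startup_entry_points(baseline_xml), startup_entry_points(suspect_xml)
    changes = []
    if base["application"] != susp["application"]:
        changes.append(f"application class: {base['application']} -> {susp['application']}")
    for added in sorted(set(susp["launchers"]) - set(base["launchers"])):
        changes.append(f"new launcher target: {added}")
    for removed in sorted(set(base["launchers"]) - set(susp["launchers"])):
        changes.append(f"launcher target removed: {removed}")
    return changes

# Constructed sample manifests; the package name is hypothetical, not the real game's.
BASELINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.cardgame">
  <application android:name="com.example.cardgame.GameApp">
    <activity android:name="com.example.cardgame.MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
  </application>
</manifest>"""
# Same game, but android:name on <application> now points at an injected class,
# so that class initialises before any of the game's own code runs.
SUSPECT = BASELINE.replace("com.example.cardgame.GameApp", "com.example.cardgame.a.Init")
```

Running `entry_point_changes(BASELINE, SUSPECT)` reports the swapped Application class; the same comparison against a manifest that swaps the launcher activity for an activity-alias reports the new launcher target.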
Upon initial execution, the backdoor compiles a directory listing of shared storage and captures user contacts, call logs, and SMS messages. It connects to cloud storage with embedded credentials, uploading data such as RAM, IMEI, IP and MAC addresses, and geolocation information. Communication occurs via HTTPS using Zoho WorkDrive accounts, with researchers discovering 12 distinct drives utilized in the campaign. In some variants, audio recording is enabled between 7 PM and 10 PM local time. The backdoor also takes screenshots and extracts files with extensions like .jpg, .doc, .pdf, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .m4a, and .p12.
On Windows systems, ScarCruft integrated a trojanized mono.dll into an sqgame update package. A downloader within the library checks for analysis tools and virtual environments before retrieving RokRAT shellcode from a compromised South Korean website. After dropping the payload, it replaces itself with a clean copy of the library to eliminate traces. RokRAT then installs the complete BirdCall backdoor on the compromised machine.
Individuals are advised to install applications solely from trusted sources such as Google Play and to keep devices consistently updated. Security teams should monitor for unexpected HTTPS traffic from gaming applications to cloud storage platforms. A comprehensive list of Indicators of Compromise is available in the ESET GitHub repository for threat hunting.
