The North Korean-linked cyber espionage group, ScarCruft, has executed a supply chain attack on a video game platform, embedding the BirdCall malware to potentially target ethnic Koreans in China. This operation extends the malware’s reach from Windows to Android devices, creating a significant multi-platform threat. The attack centers on sqgame[.]net, a gaming hub popular among Koreans residing in the Yanbian area, a critical transit region for North Korean defectors.
ScarCruft’s Strategic Targeting
ScarCruft’s choice of target appears deliberate and consistent with the group’s history of targeting North Korean defectors, human rights activists, and academics. The group has reportedly been compromising the gaming platform’s components since late 2024, according to ESET’s report shared with The Hacker News. The Windows version of BirdCall, a sophisticated variant of the RokRAT malware, has been active since 2021. This malware family has adapted over time to target various operating systems, including macOS and Android.
BirdCall is equipped with backdoor functionalities that allow it to capture screenshots, log keystrokes, steal clipboard content, execute shell commands, and gather data. It operates using legitimate cloud services such as Dropbox and pCloud for command-and-control purposes. Typically, BirdCall is deployed through a multi-stage loading process, initiated with a Ruby or Python script and encrypted with a machine-specific key.
Impact on Android and Windows Devices
The Android iteration of BirdCall, distributed via the sqgame[.]net supply chain breach, mirrors some functionalities of its Windows counterpart. It collects contact lists, SMS messages, call logs, media files, documents, screenshots, and ambient audio. Analysis has identified seven versions of this malware since October 2024. Notably, the Android APKs available on the platform were compromised, while the Windows desktop client and iOS applications remained unaffected.
The breach occurred sometime in late 2024, though the precise timing remains unclear. An update package for the Windows client was found to contain a trojanized DLL dated November 2024, which was later cleaned. This DLL contained a downloader that checked for analysis tools and virtual environments before fetching and executing RokRAT shellcode. The backdoor then facilitated the installation of BirdCall on compromised hosts.
Ongoing Threat and Surveillance Capabilities
The Android version of BirdCall, like its Windows variant, uses legitimate cloud services such as pCloud, Yandex Disk, and Zoho WorkDrive for communication. The backdoor continues to evolve, with surveillance features such as personal data collection, document theft, screenshot capture, and voice recording. ESET’s findings underscore the persistent threat posed by ScarCruft’s cyber operations, which leverage advanced malware to infiltrate and compromise multiple device types.
While the immediate threat from the compromised update package has been neutralized, the ongoing development of BirdCall poses a continuous risk. It highlights the need for robust cybersecurity measures and vigilance among users to protect against such sophisticated cyber threats.
