The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express).
“The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices,” ENKI said. “The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities.”
“Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware.”
According to the South Korean cybersecurity company, some of these artifacts masquerade as package delivery service apps. It’s being assessed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps.
A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page on their Android device to install the supposed shipment tracking app and look up the status.
The QR code is engineered to redirect the user to a “tracking.php” script that implements server-side logic to check the User-Agent string of the browser and display a message urging them to install a security module under the guise of verifying their identity due to supposed “international customs security policies.”
Should the victim proceed to install the app, an APK package (“SecDelivery.apk”) is downloaded from the server (“27.102.137[.]181”). The APK file then decrypts and loads an encrypted APK embedded into its resources to launch the new version of DocSwap, but not before ascertaining that it has obtained the necessary permission to read and manage external storage, access the internet, and install additional packages.
“Once it confirms all permissions, it immediately registers the MainService of the newly loaded APK as ‘com.delivery.security.MainService,'” ENKI said. “Simultaneously with service registration, the base application launches AuthActivity. This activity masquerades as an OTP authentication screen and verifies the user’s identity using a delivery number.”
The shipment number is hard-coded within the APK as “742938128549,” and is likely delivered alongside the malicious URL during the initial access phase. Once the user enters the provided delivery number, the application is configured to generate a random six-digit verification code and display it as a notification, following which they are prompted to input the generated code.
As soon as the code is provided, the app opens a WebView with the legitimate URL “www.cjlogistics[.]com/ko/tool/parcel/tracking,” while, in the background, the trojan connects to an attacker-controlled server (“27.102.137[.]181:50005”) and receive as many as 57 commands that allow it to log keystrokes, capture audio, start/stop camera recording perform file operations, run commands, upload/download files, and gather location, SMS messages, contacts, call logs, and a list of installed apps.
ENKI said it also discovered two other samples disguised as a P2B Airdrop app and a trojanized version of a legitimate VPN program called BYCOM VPN (“com.bycomsolutions.bycomvpn”) that’s available on the Google Play Store and developed by an Indian IT services company named Bycom Solutions.
“This indicates that the threat actor injected malicious functionality into the legitimate APK and repackaged it for use in the attack,” the security company added.
Further analysis of the threat actor infrastructure has uncovered phishing sites mimicking South Korean platforms like Naver and Kakao that seek to capture users’ credentials. These sites, in turn, have been found to share overlaps with a prior Kimsuky credential harvesting campaign targeting Naver users.
“The executed malware launches a RAT service, similarly to past cases but demonstrates evolved capabilities, such as using a new native function to decrypt the internal APK and incorporating diverse decoy behaviors,” ENKI said.
Kimsuky Drops KimJongRAT Via Phishing Attack
The disclosure comes as the Kimsuky hacking group has been attributed to a phishing campaign that uses tax-themed lures to distribute a Windows remote access trojan known as KimJongRAT using ZIP file attachments containing a Windows shortcut (LNK).
The LNK file is disguised as a PDF document, which, when opened, uses “mshta.exe” to execute an HTML Application (HTA) payload. The HTA malware acts as a loader to download and display a decoy PDF while simultaneously dropping the RAT payload to periodically collect and transmit user information.
This includes system metadata, as well as information from web browsers, dozens of cryptocurrency wallet extensions, Telegram, Discord, and NPKI/GPKI certificates, a digital signature certificate service used for online banking in South Korea.
According to an organizational assessment released by DTEX, Kimsuky is part of the Reconnaissance General Bureau (RGB), which also houses various threat clusters responsible for conducting cryptocurrency heists and cyber espionage – an umbrella group widely referred to as the Lazarus Group.
Kimsuky and Lazarus Group are known to demonstrate high levels of coordination, sharing infrastructure and attack intelligence despite their disparate roles in North Korea’s cyber apparatus. In at least one incident targeting a South Korean blockchain company, Kimusky is believed to have first gained initial access via a phishing attack and gathered data of interest using tools like KLogEXE and FPSpy.
The next phase commenced when Lazarus Group took over by exploiting CVE-2024-38193, a now-patched privilege escalation flaw in the Windows Ancillary Function Driver (AFD.sys) for WinSock, to deliver additional payloads like FudModule, InvisibleFerret, and BeaverTail to steal private keys and transaction records from blockchain wallets, and ultimately siphon digital assets worth millions of dollars within a span of 48 hours.
“Although Kimsuky and Lazarus have different tactical focuses, they both possess ‘killer weapons’ capable of breaching top-tier defenses, and their technical characteristics are ‘precise and ruthless,'” Purple Team Security Research said, describing the two clusters as a “dual-engine” approach for intelligence gathering and financial gain.
“The two organizations do not operate in isolation. Kimsuky’s stolen corporate network maps and access information are synchronized in real-time to Lazarus’s attack platform.”
(The story was updated after publication to include other related Kimsuky campaigns documented in recent weeks.)
