- North Korean APT37 (ScarCruft) gang compromised a Yanbian gaming platform to deliver the BirdCall backdoor
- On Windows, it enabled data theft and command execution; on Android it exfiltrated contacts, messages, media and ambient audio
- The malware is actively maintained, with Android versions still hosted, targeting ethnic Koreans and defectors in China
North Korean state-sponsored threat actors are apparently targeting their compatriots living in (or passing through) China with advanced cross-platform backdoors for Windows and Android.
A report from security researchers at ESET describes an advanced supply chain attack that likely began in late 2024. The threat actors, most likely ScarCruft (also known as APT37 or Reaper), managed to compromise SQgame, a multi-platform gaming service built specifically for the people of Yanbian.
Yanbian Korean Autonomous Prefecture is an autonomous prefecture in China’s Jilin Province. It is located near the border with North Korea and Russia, and was established to provide administrative autonomy to the large population of ethnic Koreans living there. According to ESET, Yanbian is also an important crossing point for North Korean refugees and defectors, which may be one of the reasons why it is being targeted.
BirdCall malware
“In the attack, likely ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games and trojanized them with a backdoor,” ESET said.
The backdoor is called BirdCall and, depending on the platform it is installed on, can do different things. On Windows, it can take screenshots, log keystrokes, steal the contents of the clipboard, execute shell commands, and exfiltrate data. All the stolen information is then uploaded to legitimate cloud services such as Dropbox or pCloud.
On Android, things are a little different, allowing ScarCruft to also exfiltrate contact lists, SMS messages, call logs, media files, documents, screenshots, and even ambient audio. So far, the malware has been updated seven times, leading researchers to believe that it is being actively maintained.
ESET says the platform still hosts malicious games. However, these seem to be limited to the Android platform.