lazarusholic

A rigged game: ScarCruft compromises gaming platform in a supply-chain attack

2026-05-05, ESET
https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
#ScarCruft #BirdCall

Contents

ESET researchers uncovered a multiplatform supply-chain attack by North Korea-aligned APT group ScarCruft, targeting the Yanbian region in China – home to ethnic Koreans and a crossing point for North Korean refugees and defectors. In the attack, probably ongoing since late 2024, ScarCruft compromised Windows and Android components of a video game platform dedicated to Yanbian-themed games, trojanizing them with a backdoor.
The backdoor, named BirdCall by ESET, was originally known to target Windows only; the Android version was discovered as part of this supply-chain attack. In this blogpost, we provide an overview of the attack, and the first public analysis of the Android backdoor.
Key points of this blogpost:
- North Korea-aligned APT group ScarCruft compromised a video game platform used by ethnic Koreans living in the Yanbian region in China.
- The gaming platform’s Windows client was compromised through a malicious update leading to the RokRAT backdoor, which deployed the more sophisticated …

IoC
