Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer
Author: HyeongJun Kim | S2W TALON
Last Modified: Mar 13, 2025
Executive Summary
- (Threat Hunting) On January 21, 2025, a malicious app named “문서열람 인증 앱” (Document Viewing Authentication App) was identified through VirusTotal and analyzed.
- (Malware) The malicious app was first signed on December 13, 2024. It decrypts the “security.db” file within the package using an XOR operation and dynamically loads a DEX file. Ultimately, it receives commands from the C2 server and performs malicious functions related to keylogging and information theft.
- (Key Features) Based on the malicious app's name and the presence of Korean-language strings, it is suspected to target mobile device users in South Korea. This malware represents a previously unidentified type of threat, masquerading as a document-viewing authentication app. A phishing page impersonating CoinSwap was found on the C2 infrastructure, leading to its designation as DocSwap.
- (Attribution) When DocSwap …
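As an added example (not code from the report or from S2W's analysis), the Python helper below shows how an analyst can triage an asset like the “security.db” payload described above: every DEX file begins with a fixed magic and a fixed-layout header, so a repeating XOR key can be derived from the magic and then confirmed against the header fields before the payload is handed to a decompiler. The key length bound (at most 8 bytes) and the constructed sample header are assumptions; the report does not state the key.

```python
"""Triage helper for XOR-obfuscated DEX payloads hidden in app assets (added example)."""
import struct
import sys
from typing import Optional

DEX_VERSIONS = (b"035", b"037", b"038", b"039")   # magic is b"dex\n" + version + b"\0"
HEADER_SIZE = 0x70                                # the DEX header is always 0x70 bytes
ENDIAN_CONSTANT = 0x12345678                      # header.endian_tag of a little-endian DEX


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the scheme the report attributes to security.db)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_dex(blob: bytes) -> bool:
    """Check the magic plus two fixed header fields so a chance magic match is rejected."""
    if len(blob) < HEADER_SIZE or blob[:4] != b"dex\n" or blob[4:7] not in DEX_VERSIONS or blob[7] != 0:
        return False
    header_size, endian_tag = struct.unpack_from("<II", blob, 0x24)
    return header_size == HEADER_SIZE and endian_tag == ENDIAN_CONSTANT


def recover_xor_key(blob: bytes, max_key_len: int = 8) -> Optional[bytes]:
    """Derive a repeating XOR key (assumed length <= 8, the length of the known magic)
    by known-plaintext recovery, then confirm it by validating the decrypted header."""
    for k in range(1, min(max_key_len, 8) + 1):
        for version in DEX_VERSIONS:
            magic = b"dex\n" + version + b"\0"
            key = xor_bytes(blob[:k], magic[:k])          # ciphertext XOR plaintext = key
            if looks_like_dex(xor_bytes(blob[:HEADER_SIZE], key)):
                return key
    return None


def build_fake_dex_header(version: bytes = b"035") -> bytes:
    """Constructed sample: a minimal header with valid magic, header_size and endian_tag."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<II", hdr, 0x24, HEADER_SIZE, ENDIAN_CONSTANT)
    return bytes(hdr)


if __name__ == "__main__":
    # Usage: python dex_xor_triage.py <suspicious asset>; without a path, a constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else xor_bytes(build_fake_dex_header(), b"\x5a\xc3\x11")
    key = recover_xor_key(data)
    print("XOR key:", key.hex() if key else "not found (not a DEX, or key longer than assumed)")
```

If a key is recovered, the decrypted buffer can be written out and loaded in a DEX decompiler; a `None` result means the asset is either not a DEX or uses a longer key or a different scheme.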
IoC