ScarCruft (APT37) Deploying BirdCall Android Backdoor via Compromised Game Platform
The APT37 group (ScarCruft) is distributing an Android version of the BirdCall backdoor via a supply-chain attack targeting a Chinese video game platform, sqgame[.]net, to collect sensitive information from users.
The North Korean hacker group APT37, also known as ScarCruft and Ricochet Chollima, is actively distributing an Android version of their BirdCall backdoor through a supply-chain attack affecting the sqgame[.]net video game platform. This platform caters specifically to Koreans in the autonomous Yanbian region in China, which acts as a crossing point for North Korean defectors and refugees. ESET researchers discovered that APT37 created the Android version of BirdCall around October 2024 and has since developed at least seven different versions. The Android variant is designed as spyware, capable of collecting a wide range of sensitive information from compromised devices. This campaign highlights APT37’s continued efforts to target specific communities with sophisticated malware.
Attack Chain
- The attacker compromises the sqgame[.]net video game platform, a site hosting games for Android, iOS, and Windows.
- The attacker trojanizes legitimate Android application packages (APKs) available on the platform, embedding the Android version of BirdCall.
- Victims download the trojanized APK from the compromised game platform (sqgame[.]net) onto their Android devices.
- Upon installation, the BirdCall malware extracts IP geolocation information from the device.
- The malware collects contact lists, call logs, and SMS messages from the compromised device.
- The malware gathers device information including OS version, kernel version, rooted status, IMEI number, MAC address, IP address, and network information.
- BirdCall transmits collected data, along with battery temperature, RAM, storage, cloud configuration, backdoor version, and targeted file extensions (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12), to its command-and-control (C2) server.
- The malware periodically takes screenshots and records audio via the microphone from 7 pm to 10 pm local time, exfiltrating these files to the C2 server.
Impact
This campaign allows APT37 to harvest sensitive information from targeted individuals, including personal communications, location data, and device details. The compromise of the sqgame[.]net platform exposes users in the Korean autonomous Yanbian region in China to significant privacy risks. Successful infection enables the threat actor to conduct surveillance, gather intelligence, and potentially identify and track individuals of interest. The collected data can be used for further espionage activities or to compromise other systems and networks.
Recommendation
- Monitor network traffic for connections to the sqgame[.]net domain, blocking it at the firewall or DNS resolver to prevent further infections (IOC: sqgame[.]net).
- Implement application control policies on Android devices to restrict the installation of applications from untrusted sources.
- Deploy the Sigma rule “Detect Network Connection to sqgame.net” to identify potentially infected devices communicating with the malicious domain.
- Educate users about the risks of downloading applications from unofficial sources and encourage them to only use trusted app stores.
- Enable enhanced security measures like Google Play Protect to detect and remove malicious apps.
Detection coverage (2 rules)
- Detect Network Connection to sqgame.net (severity: high): Detects network connections to the sqgame.net domain, which is used to distribute the BirdCall Android malware.
- Detect Network Connection to sqgame.net (Linux) (severity: high): Detects network connections to the sqgame.net domain, which is used to distribute the BirdCall Android malware, on Linux-based systems.
Detection queries are kept inside the platform.
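As an added example (not from the original report, from ESET, or from the platform's own Sigma rules), the script below applies the check that the "Detect Network Connection to sqgame.net" rule describes to DNS and proxy log lines. The log line format, the field names and the sample entries are constructed assumptions for illustration; the only value taken from the report is the IOC domain. The matching is anchored on label boundaries so that look-alike names such as "notsqgame.net" are not flagged, and a URL whose path merely contains the string is not flagged either.

```python
"""Flag DNS and proxy log lines that resolve or contact the sqgame.net IOC.

Added example, not code from the original report or from ESET. The log
schema below is an assumption: "<ts> <client_ip> DNS <qname>" for resolver
logs and "<ts> <client_ip> PROXY <url>" for web proxy logs. Adapt LINE_RE
and extract_host() to the real schema in use.
"""
import re
from dataclasses import dataclass

# Domain from the report's IOC table (written defanged there as sqgame[.]net).
IOC_DOMAINS = {"sqgame.net"}

# Constructed log line shape (assumption), see module docstring.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>DNS|PROXY)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    """One log line that referenced an IOC domain or one of its subdomains."""
    ts: str
    client: str
    kind: str
    host: str


def _refang(value: str) -> str:
    """Turn a defanged indicator such as sqgame[.]net back into sqgame.net."""
    return value.replace("[.]", ".")


def extract_host(kind: str, target: str) -> str:
    """Return the lower-cased hostname from a DNS query name or a proxy URL."""
    if kind == "PROXY":
        host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", target, flags=re.I)
        host = host.split("/", 1)[0]      # drop path and query
        host = host.split("@")[-1]        # drop userinfo
        if host.startswith("["):          # bracketed IPv6 literal
            host = host[1:host.index("]")]
        else:
            host = host.split(":", 1)[0]  # drop port
    else:
        host = target
    return host.rstrip(".").lower()


def matches_ioc(host: str, iocs=IOC_DOMAINS) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    A plain substring test would also flag names like 'notsqgame.net', so
    the comparison is anchored on a label boundary ('.' + domain).
    """
    host = _refang(host).rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan(lines):
    """Parse each log line and return the Hit records for IOC matches."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a production job would count these
        host = extract_host(m["kind"], m["target"])
        if matches_ioc(host):
            hits.append(Hit(m["ts"], m["client"], m["kind"], host))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-01-10T19:02:11Z 10.0.0.12 DNS www.sqgame.net",
    "2025-01-10T19:02:12Z 10.0.0.12 PROXY https://cdn.sqgame.net/apk/game.apk",
    "2025-01-10T19:03:40Z 10.0.0.7 DNS notsqgame.net",
    "2025-01-10T19:04:01Z 10.0.0.9 DNS SQGAME.NET.",
    "2025-01-10T19:05:15Z 10.0.0.3 PROXY http://example.com/sqgame.net/page",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.client} {hit.kind} -> {hit.host}")
```

Run as a script it reports three matches from the sample (the two subdomains and the bare domain with a trailing dot and upper case), and ignores the look-alike domain and the URL that only carries the string in its path. Feeding real resolver or proxy exports through `scan()` gives a quick triage list of clients that should be checked for the trojanized APK.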
Indicators of compromise (1)
| Type | Value |
|---|---|
| domain | sqgame.net |