
North Korean threat group Kimsuky has been linked to a new cyberattack campaign that uses QR codes to distribute a new variant of the DocSwap Android malware. Attackers are using phishing sites that imitate South Korean logistics company CJ Logistics to trick victims.
Distribution and Deception Mechanism
The campaign targets users of Android mobile devices using a sophisticated social engineering method. The attack process develops as follows:
- Launch of the Attack: Cybercriminals send smishing messages (phishing SMS) or emails impersonating package delivery companies to trick recipients into clicking on malicious URLs.
- Redirection with QR Codes: Victims who access the fraudulent URLs from a desktop computer are redirected to a page that asks them to scan a QR code with their Android device. This QR code leads to the download of the malicious application.
- Social Engineering to Outwit Warnings: The phishing site claims that the installation of a supposed tracking application is necessary to verify identity due to “international customs security policies.” This tactic seeks to convince victims to ignore Android security warnings about installing apps from unknown sources.
DocSwap Malware Technical Analysis
Analysis by South Korean cybersecurity company ENKI reveals that the new DocSwap variant features evolved capabilities:
- Download and Installation: The user downloads a malicious APK package, typically called “SecDelivery.apk”.
- Payload: Once installed, the APK downloads and decrypts an encrypted APK embedded in its own resources to launch the new version of DocSwap.
- Permissions Request: The application requests critical permissions, such as the ability to read and manage external storage, access the internet, and install additional packages.
- Decoy Activity: To hide its malicious activity, the Trojan registers a malicious service in the background and displays an OTP (one-time password) authentication screen. The application uses an encrypted shipping tracking number (e.g. “742938128549”) and, upon supposed verification, opens the legitimate CJ Logistics URL in a WebView.
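The two dropper traits described above (an encrypted APK carried inside the app's own resources, plus the permission needed to install it) can be triaged statically. The following is an added example written for this article, not code from ENKI or from the campaign; the payload directories, entropy threshold and size floor are assumptions, and the sample APK it builds is constructed in memory rather than a real specimen.

```python
import io
import math
import os
import zipfile
from collections import Counter

INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
PAYLOAD_DIRS = ("assets/", "res/raw/")  # assumed: where droppers usually stash payloads
ENTROPY_THRESHOLD = 7.5                  # assumed: bits/byte; encrypted data approaches 8
MIN_PAYLOAD_SIZE = 64 * 1024             # assumed: ignore small config/resource files

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n, counts = len(data), Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def manifest_declares(manifest: bytes, permission: str) -> bool:
    # Compiled AndroidManifest.xml is binary XML; its string pool is UTF-8 or UTF-16LE,
    # so a raw byte search for both encodings avoids needing a full AXML parser.
    return permission.encode("utf-8") in manifest or permission.encode("utf-16-le") in manifest

def triage_apk(apk_bytes: bytes) -> dict:
    """Report the findings that make an APK look like a DocSwap-style dropper."""
    findings = {"install_permission": False, "encrypted_blobs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if "AndroidManifest.xml" in zf.namelist():
            findings["install_permission"] = manifest_declares(zf.read("AndroidManifest.xml"), INSTALL_PERM)
        for info in zf.infolist():
            if info.filename.startswith(PAYLOAD_DIRS) and info.file_size >= MIN_PAYLOAD_SIZE:
                ent = shannon_entropy(zf.read(info.filename))
                if ent >= ENTROPY_THRESHOLD:
                    findings["encrypted_blobs"].append((info.filename, round(ent, 2)))
    findings["dropper_like"] = findings["install_permission"] and bool(findings["encrypted_blobs"])
    return findings

def build_sample_apk(with_blob: bool) -> bytes:
    """Constructed test input (not a real sample): a minimal zip mimicking an APK layout."""
    manifest = b"\x03\x00\x08\x00" + INSTALL_PERM.encode("utf-16-le")  # fake AXML header + string
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 4096)
        if with_blob:
            zf.writestr("assets/payload.bin", os.urandom(MIN_PAYLOAD_SIZE))  # stands in for the encrypted APK
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_sample_apk(with_blob=True)))
```

A benign app can legitimately ship compressed media in assets, so treat a hit as a triage signal that warrants dynamic analysis, not as a verdict.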
Cyberattack Capabilities and Linkage with Kimsuky
While the victim interacts with the legitimate web page, the DocSwap Trojan connects to a command and control (C2) server operated by the attackers. This C2 server can send up to 57 different commands to:
- Record keystrokes (keylogging).
- Capture audio and record video with the camera.
- Perform file operations (upload/download).
- Run commands on the device.
- Exfiltrate sensitive data, including location, SMS messages, contacts, call logs and a list of installed applications.
Researchers have also discovered other malicious samples used by Kimsuky, such as a P2B Airdrop application and a trojanized version of the legitimate BYCOM VPN application. This malicious infrastructure also overlaps with previous Kimsuky campaigns targeting Naver and Kakao, popular platforms in South Korea, to steal user credentials.
Conclusion
Kimsuky’s QR code phishing campaign underscores how persistent threat actors adapt their distribution tactics. By combining social engineering with lures modeled on legitimate apps (such as package tracking apps), Kimsuky bypasses the security defenses of Android devices and tricks users into installing the malware. The new DocSwap variant, with its ability to decrypt the embedded APK internally and execute extensive RAT functions, represents a significant threat to the privacy and data security of mobile users in the region.
References
- C2 servers: 27.102.137[.]181:50005
- Example APK: SecDelivery.apk
- Impersonated legitimate site: cjlogistics[.]com/ko/tool/parcel/tracking