# Full Report
The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express). "The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile
# Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
Attributed to the North Korean threat actor known as Kimsuky.
## Activity Summary
Kimsuky is engaged in a new campaign distributing a new variant of Android malware named **DocSwap**. The campaign relies on social engineering that mimics Seoul-based logistics firm **CJ Logistics** (formerly CJ Korea Express) to trick victims into downloading and executing the malware on their mobile devices. The initial infection vector is a **QR code** hosted on a phishing site, typically reached via **smishing texts or phishing emails** impersonating delivery companies. A notable TTP targets desktop users: the landing page directs them to scan a QR code so that the supposed shipment-tracking app is installed on their phone instead. The actor justifies the app as being required for identity verification under "international customs security policies." Kimsuky has also been observed repurposing legitimate applications, such as injecting malicious functionality into **BYCOM VPN**, and has been linked to credential-harvesting campaigns targeting platforms like Naver and Kakao.
## Tactics, Techniques & Procedures
- **Social Engineering/Delivery:** Leveraged QR codes and notification pop-ups to lure victims into installing and executing malware.
- **Deception:** Masqueraded malicious apps as package delivery service apps. Used PHP scripts on landing pages to check User-Agent strings and display tailored prompts (e.g., installing a "security module" for customs verification if accessing from a desktop).
- **Installation Bypass:** Tricked victims into ignoring default Android security warnings regarding "apps from unknown sources" by claiming the app is a safe, official release.
- **Payload Execution:** The initial APK ("SecDelivery.apk") **decrypts an embedded encrypted APK** (the DocSwap variant) and launches a malicious service providing **RAT capabilities**.
- **User Interaction Lure:** Used a simulated OTP/verification process involving a hard-coded shipment number ("742938128549") and a generated verification code to fully configure the malicious app post-installation.
- **Code Reuse/Repackaging:** Injected malicious functionality into legitimate APKs, such as the **BYCOM VPN** application.
## Targeting
- **Sectors:** Logistics/Delivery services (implied through impersonation).
- **Geography:** South Korea (implied by targeting CJ Logistics and using Naver/Kakao lures).
- **Victims:** Individuals using Android devices targeted through delivery notifications.
## Tools & Infrastructure
- **Malware Families used:** **DocSwap** (new variant), also used trojanized **BYCOM VPN**.
- **Infrastructure (C2, domains, IPs; URLs defanged):**
  - C2/Download Server: `27.102.137[.]181`
  - C2 Command Port: `27.102.137[.]181:50005`
  - Phishing Mimicry: CJ Logistics (CJ Korea Express), Naver, Kakao.
  - Legitimate URL victims are redirected to after "verification": `www.cjlogistics[.]com/ko/tool/parcel/tracking`
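The indicators above are most useful when they are matched against egress logs. The following is an added example, not part of the report, that refangs the published C2 address, scans a few constructed firewall log lines (a hypothetical `src -> dst:port` format; the regex is the only part that must be adapted to real logs) and rates a hit to the command port higher than a hit to any other port on the same host:

```python
import re
from typing import Dict, List, Optional

# IoCs as published in the report, kept defanged so this file is safe to share.
DEFANGED_IOCS = {
    "c2_ip": "27.102.137[.]181",
    "c2_port": 50005,  # command port; other ports on the host served downloads
}


def refang(value: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') so the indicator matches real logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


C2_IP = refang(DEFANGED_IOCS["c2_ip"])
C2_PORT = DEFANGED_IOCS["c2_port"]

# Constructed sample log lines (not real traffic) in a hypothetical
# "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport> bytes=<n>" format.
SAMPLE_LOGS = [
    "2024-05-01T09:12:03Z ALLOW tcp 10.0.0.23:51234 -> 27.102.137.181:50005 bytes=812",
    "2024-05-01T09:12:05Z ALLOW tcp 10.0.0.23:51236 -> 142.250.74.78:443 bytes=4110",
    "2024-05-01T09:13:41Z ALLOW tcp 10.0.0.41:40022 -> 27.102.137.181:80 bytes=1903",
    "2024-05-01T09:14:00Z ALLOW udp 10.0.0.23:5353 -> 224.0.0.251:5353 bytes=120",
]

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+\S+\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a connection to the C2 host, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dst = m.group("dst")
    dport = int(m.group("dport"))
    if dst != C2_IP:
        return None
    # Traffic to the documented command port is the strongest signal; any other
    # contact with the host (e.g. the payload download) is still worth a look.
    severity = "high" if dport == C2_PORT else "medium"
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": dst,
        "dport": dport,
        "severity": severity,
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return every C2-related finding, in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit['severity']}] {hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']}")
```

The severity split matters operationally: a device talking to port 50005 is most likely already running the implant, whereas a single fetch from another port may only be a victim who scanned the QR code and downloaded the installer.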
## Implications
Kimsuky continues to demonstrate adaptability in mobile threat delivery, specifically leveraging common trust vectors like package tracking that generate high engagement rates. The use of QR hopping (redirecting a desktop visitor to scan a code with their phone) circumvents traditional email gateway defenses focused on links and attachments. The resulting DocSwap variant provides comprehensive remote access capabilities, including keystroke logging, audio/camera capture, and extensive data exfiltration (SMS, contacts, files).
## Mitigations
- Adhere strictly to security configurations that block installations from unknown sources on Android devices.
- Exercise extreme caution with unsolicited SMS or email links, especially those directing users to QR codes for application installation related to package tracking or delivery status.
- Organizations should educate employees on identifying spoofed logistics and national service providers.
- Security solutions must be capable of dynamic file analysis to detect malicious payloads hidden within encrypted resources of an initial application installer.
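The last mitigation points at the dropper pattern described under Payload Execution: an installer whose real payload is an encrypted APK carried as a resource. A static triage pass can flag the candidates for dynamic analysis before anything is executed. The following is an added example, not code from the report, that builds a constructed stand-in APK in memory (not the real SecDelivery.apk) and walks its `assets/` and `res/raw/` entries, flagging any entry that is itself a ZIP containing Android markers or whose byte entropy is close to 8 bits/byte, as encrypted data is:

```python
import io
import math
import os
import zipfile
from collections import Counter
from typing import Dict, List

# Encrypted or well-compressed data sits near 8.0 bits/byte. 7.2 is a triage
# threshold (assumed here): compressed media also trips it, so it is a hint
# for the sandbox queue, not a verdict.
ENTROPY_THRESHOLD = 7.2
ANDROID_MARKERS = {"AndroidManifest.xml", "classes.dex"}
SCANNED_PREFIXES = ("assets/", "res/raw/")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given data (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def nested_apk_markers(data: bytes) -> List[str]:
    """If data is a ZIP, return the Android marker files it contains (sorted)."""
    if data[:4] != b"PK\x03\x04":  # ZIP local file header
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return sorted(n for n in inner.namelist() if n in ANDROID_MARKERS)
    except zipfile.BadZipFile:
        return []


def triage_apk(apk_bytes: bytes) -> List[Dict[str, object]]:
    """Flag resource entries that look like an embedded (encrypted or plain) APK."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.startswith(SCANNED_PREFIXES):
                continue
            data = apk.read(info.filename)
            entropy = shannon_entropy(data)
            reasons = []
            markers = nested_apk_markers(data)
            if markers:
                reasons.append("nested-apk:" + ",".join(markers))
            if entropy >= ENTROPY_THRESHOLD:
                reasons.append(f"high-entropy:{entropy:.2f}")
            if reasons:
                findings.append({
                    "entry": info.filename,
                    "size": len(data),
                    "entropy": round(entropy, 2),
                    "reasons": reasons,
                })
    return findings


def _zip_bytes(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed test installer: one benign text asset, one random-byte blob
    standing in for an encrypted embedded APK, and one unencrypted nested APK."""
    dex_stub = b"dex\n035\0" + b"\0" * 64
    inner = _zip_bytes({"AndroidManifest.xml": b"<manifest/>", "classes.dex": dex_stub})
    return _zip_bytes({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": dex_stub,
        "assets/strings.txt": b"tracking_number_label=...\n" * 40,
        "assets/payload.bin": os.urandom(8192),
        "assets/inner.apk": inner,
    })


if __name__ == "__main__":
    for finding in triage_apk(build_sample_apk()):
        print(finding)
```

Both checks are cheap enough to run on every APK crossing an MDM or mail gateway; entries that fire go to dynamic analysis, where the decrypt-and-load step the report describes can be observed directly.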