Cyble-Deep-Dive-Analysis-APT37-Chinotto-Targeting-Korean-Peninsula

APT37 Using a New Android Spyware, Chinotto

Android Spyware is a program that has been used by Threat Actors (TAs) to steal personal data from the device without the user’s knowledge. This report will focus on one such malicious application used by the APT (Advanced Persistent Threat) group APT37.  APT37 is also known by the following names – Reaper, Ricochet Chollima, ScarCruft group. This group performs its malicious activities through an application claiming the Secure Talk application.

APT37 is a North Korean state-sponsored cyberespionage group that has been active since around 2012. This group is known to target victims from countries in Asia such as South Korea, Japan, Vietnam, Russia, Nepal, China, and India. APT37 has also targeted Romania, Kuwait, and various parts of the Middle East.

Cyble Research Labs came across a securelist article where researchers are claiming that a fresh attack was carried out targeting North Korean defectors and human rights activists. The Threat Actor (TA) APT37 used new spyware called “Chinotto” to carry out these attacks. Cyble Research Labs downloaded one of the samples and performed a deep-dive analysis of the Chinotto Android spyware.

APT37 has also been linked to malicious campaigns between 2016-2018. In 2016, they targeted North Korean defectors, human rights activists, and journalists covering news related to North Korea and government organizations associated with the Korean Peninsula. They have been linked to high-profile attacks such as  Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.

The malware is designed for stealthy espionage, as once this application is successfully executed on user devices. It can steal sensitive data like contacts data, SMS data, call logs, device information, and files from the device’s external storage.

Technical Analysis

APK Metadata Information

  • App Name: SecureTalk
  • Package Name: com.private.talk
  • SHA256 Hash: 8fb42bb9061ccbb30c664e41b1be5787be5901b4df2c0dc1839499309f2d9d93

Figure 1 shows the metadata information of the application.

Figure 1 – App Metadata Information

The application flow is shown in Figure 2. Upon being launched, the application asks for certain sensitive permissions, after which it displays the login page. During this time, the APK performs its malicious activities behind the scenes.

Figure 2 – App Start Flow

Manifest Description

The application requests thirteen different permissions. Of these thirteen permissions, the attackers could abuse eight to carry out the following activities:

  • Reading SMSs, Call Logs, and Contacts data.
  • Reading current cellular network information, phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
  • Reading or writing files on the device’s external storage.

We have listed these dangerous permissions below.

PermissionsDescription
READ_SMSAccess phone’s messages
READ_CONTACTSAccess phone’s contacts
READ_CALL_LOGAccess phone’s call logs
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the external storage of the device
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage
GET_ACCOUNTSAllows the app to get the list of accounts used by the phone
READ_PHONE_NUMBERSAllows the app to read the device’s phone number(s).
Table 1: Permissions’ Description

Figure 3 shows the launcher activity of the application.

Figure 3 – App Launcher Activity

Source Code Description

The code snippets highlighted in Figure 4 show that the application steals the device’s contact data.

Figure 4 – Code to Read Contact Data

The code snippets highlighted in Figure 5 show that the application steals the device’s SMS data.

Figure 5 – Code to Read SMS Data

The code snippets in Figure 6 show that the application steals the device’s call logs data.

Figure 6 – Code to Read Call Logs

The code snippets shown in Figure 7 show that the application steals the victim device’s information, such as:

  • Reading the device’s phone number(s).
  • Reading Android Operating System version Information.
  • Reading device details such as brand name, model, serial number, etc.
  • Checking for the presence of external storage on the device.
Figure 7 – Code to Read Device Information

The code snippets shown in Figure 8 show that the application steals the account details being used on the device.

Figure 8 – Code to Read Accounts Information

The code snippets shown in Figure 9 show that the application also steals image and audio files from the device.

Figure 9 – Code to Access Pictures and Audio

The code snippets in the figure below show that the application collects the data from the device and writes it in a text file.

Figure 10 – Code to Write Collected Data in Text File.png

The snippets below indicate the application’s code flow to upload the data on TA’s Command and Control (C&C) server.

Figure 11 – Code to Upload the Data to TA’s C&C Server

The snippet below shows that the application performs activities with commands defined by the TA(s).

Figure 12 – Commands Defined by the TA(s)

The table below highlights some of the commands defined by the TA.

PermissionsDescription
ref:Sends signal to C&C server
downUploads /.temp-file.dat file
UriPWrites path /.temp-file.dat to /result-file.dat file and upload to C&C
“”Writes results to /result-file.dat and upload to C&C
Table 2 – Commands Description

Traffic Analysis

During traffic analysis of the application, we identified that it continuously communicates with the TA’s C&C server

hxxp://haeundaejugong[.]com/data/jugong/do.php?type=command&direction=receive&id=1295c8887ec39859_hd.

The below figure shows that the application uploads sensitive data such as contacts, call logs, and SMSs from the device to TA’s C&C.

Figure 13 – Uploads Sensitive Data to the TA’s C&C

Threat Actor Infrastructure Analysis

Cyble Research Labs has also identified that the TA’s infrastructure was hosted in South Korea (KR)

Figure 14 – Location of Domain Hosted

We also noticed the TTL value of the MX record of http[:]//haeundaejugong.com is 60, which is generally an indicator of Fast-Flux behavior.

Figure 15 – TTL Value of MX record of TA’s Domain

Conclusion

Chinotto is spyware targeting specific users to steal sensitive information such as contacts, SMSs, call logs and files. It also has the capability to record audio from the device without the victim’s knowledge.

Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them.

Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or password for unlocking the mobile device where possible.
  • Be wary of opening any links in SMSs or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile Data and remove SIM Card as in some cases the malware can re-enable the Mobile Data.
  • Perform Factory Reset.
  • Remove the application in case factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476-Deliver Malicious App via Other Means
ExecutionT1575-Native Code
PersistenceT1402 -Broadcast Receivers
CollectionT1412 -Capture SMS Messages
CollectionT1432 -Access Contacts List
CollectionT1433 -Access Call Log
CollectionT1533-Data from Local System

Indicators Of Compromise (IOCs)

IndicatorsIndicator typeDescription
8fb42bb9061ccbb30c664e41b1be5787be5901b4df2c0dc1839499309f2d9d93SHA256Malicious APK
hxxp[:]//haeundaejugong.com/data/jugong/do.php?type=file&direction=send&id=1295c8887ec39859_hdURLTA’s C&C

Scroll to Top