A rigged game: ScarCruft compromises gaming platform in a supply-chain attack

What Happened

Hackers linked to North Korea compromised a popular video game website used by ethnic Koreans living in China. They hid malicious software inside Android game downloads and Windows game updates. If installed, this software allows the attackers to secretly steal personal files, record audio, and take screenshots of the victim's device. This attack is highly targeted at specific individuals, likely refugees or defectors, but anyone downloading these games is at risk. Users of the affected gaming platform should uninstall the games and run a security scan on their devices.

Key Takeaways

• ScarCruft compromised the sqgame video game platform to target ethnic Koreans in the Yanbian region.
• The attack distributed the BirdCall backdoor via trojanized Android games and malicious Windows desktop client updates.
• The Windows attack chain utilized a trojanized mono.dll to deploy RokRAT, which subsequently installed BirdCall.
• The newly discovered Android version of BirdCall collects personal data, records audio, takes screenshots, and exfiltrates files to Zoho WorkDrive.

Affected Systems

• Windows
• Android

Attack Chain

ScarCruft compromised the sqgame platform to distribute malware via two vectors. For Android, they repackaged legitimate game APKs with the BirdCall backdoor, modifying the AndroidManifest.xml to execute malicious code before the game starts. For Windows, they distributed a malicious update package containing a trojanized mono.dll, which downloaded and executed shellcode to deploy the RokRAT backdoor. RokRAT was then used to download and install the Windows version of BirdCall, which utilizes compromised websites and Zoho WorkDrive for command and control and data exfiltration.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but lists file hashes, domains, and IP addresses as indicators of compromise.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions can detect the trojanized mono.dll behavior, such as checking for analysis tools, injecting shellcode, and dropping RokRAT/BirdCall. Process ancestry and file modifications in the game directory will be highly visible. Network Visibility: Medium — C2 communication uses legitimate cloud services (Zoho WorkDrive) via HTTPS, which blends in with normal traffic. However, connections to the compromised South Korean domains for payload/config downloads can be detected. Detection Difficulty: Moderate — The use of legitimate cloud services for C2 makes network detection difficult. However, the initial payload delivery via a trojanized DLL and the subsequent dropping of RokRAT provide clear behavioral indicators on the endpoint.

Required Log Sources

• Process Creation (Event ID 4688/Sysmon 1)
• File Creation (Sysmon 11)
• Network Connections (Sysmon 3)
• DNS Queries (Sysmon 22)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for the game client process (e.g., sqgame client) spawning unexpected child processes or making network connections to unknown or newly observed domains.	Process Creation, Network Connections	Execution	Low
Search for instances of mono.dll being replaced or modified shortly after execution, followed by network connections to South Korean domains.	File Modifications, Network Connections	Defense Evasion	Low
Identify unusual HTTPS traffic to Zoho WorkDrive API endpoints originating from non-browser processes, especially game clients.	Network Connections, DNS Queries	Command and Control	Medium

Control Gaps

• Mobile Application Management (MAM) for unmanaged devices
• Network filtering for legitimate cloud storage services

Key Behavioral Indicators

• Game client process injecting shellcode
• mono.dll replacement during runtime
• Presence of com.example.zhuagou package in Android APKs
• Magic DWORD 0x2A7B4C33 in decrypted payloads

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Block access to the identified malicious domains and IPs.
• Search for and isolate devices communicating with the known Zoho WorkDrive C2 email accounts.
• Uninstall the sqgame client and associated Android games from all devices.

Infrastructure Hardening

• Implement application allowlisting to prevent unauthorized executables from running.
• Restrict access to cloud storage services (like Zoho WorkDrive) if not required for business operations.

User Protection

• Deploy Mobile Device Management (MDM) solutions to prevent the installation of apps from untrusted sources (sideloading).
• Ensure EDR agents are deployed and active on all Windows endpoints.

Security Awareness

• Educate users about the risks of downloading software and games from unofficial or regional websites.
• Train employees to recognize the signs of device compromise, such as unexpected battery drain or performance issues.

MITRE ATT&CK Mapping

• T1584.004 - Compromise Infrastructure: Server
• T1585.003 - Establish Accounts: Cloud Accounts
• T1587.001 - Develop Capabilities: Malware
• T1608.001 - Stage Capabilities: Upload Malware
• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
• T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
• T1070.004 - Indicator Removal: File Deletion
• T1112 - Modify Registry
• T1140 - Deobfuscate/Decode Files or Information
• T1480.001 - Execution Guardrails: Environmental Keying
• T1497 - Virtualization/Sandbox Evasion
• T1555 - Credentials from Password Stores
• T1046 - Network Service Discovery
• T1082 - System Information Discovery
• T1083 - File and Directory Discovery
• T1005 - Data from Local System
• T1056.001 - Input Capture: Keylogging
• T1113 - Screen Capture
• T1115 - Clipboard Data
• T1119 - Automated Collection
• T1125 - Video Capture
• T1560 - Archive Collected Data
• T1071.001 - Application Layer Protocol: Web Protocols
• T1090 - Proxy
• T1102.002 - Web Service: Bidirectional Communication
• T1020 - Automated Exfiltration
• T1041 - Exfiltration Over C2 Channel
• T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
• T1474.003 - Supply Chain Compromise: Compromise Software Supply Chain
• T1406 - Obfuscated Files or Information
• T1407 - Download New Code at Runtime
• T1541 - Foreground Persistence
• T1420 - File and Directory Discovery
• T1422 - Local Network Configuration Discovery
• T1426 - System Information Discovery
• T1532 - Archive Collected Data
• T1429 - Audio Capture
• T1430 - Location Tracking
• T1513 - Screen Capture
• T1533 - Data from Local System
• T1636.002 - Protected User Data: Call Log
• T1636.003 - Protected User Data: Contact List
• T1636.004 - Protected User Data: SMS Messages
• T1437.001 - Application Layer Protocol: Web Protocols
• T1481.002 - Web Service: Bidirectional Communication
• T1646 - Exfiltration Over C2 Channel

Additional IOCs

• Ips:
  • 39[.]106[.]249[.]68 - IP for compromised sqgame.com.cn site.
  • 211[.]239[.]117[.]117 - IP for compromised 1980food.co.kr site.
  • 114[.]108[.]128[.]157 - IP for compromised inodea.com site.
  • 221[.]143[.]43[.]214 - IP for compromised www.lawwell.co.kr site.
  • 222[.]231[.]2[.]20 - IP for compromised colorncopy.co.kr and swr.co.kr sites.
  • 222[.]231[.]2[.]23 - IP for compromised sejonghaeun.com site.
  • 222[.]231[.]2[.]41 - IP for compromised cndsoft.co.kr site.
• Domains:
  • sqgame[.]net - Official game site compromised in the supply chain attack.
  • inodea[.]com - Compromised South Korean site used to host Android BirdCall configuration.
  • colorncopy[.]co[.]kr - Compromised South Korean site used to host shellcode.
  • swr[.]co[.]kr - Compromised South Korean site used to host shellcode.
  • sejonghaeun[.]com - Compromised South Korean site used to host clean mono library.
  • cndsoft[.]co[.]kr - Compromised South Korean site used to host shellcode.
• Urls:
  • hxxp://sqgame[.]com[.]cn/ybht.apk - Hosting URL for trojanized ybht.apk.
  • hxxp://sqgame[.]com[.]cn/sqybhs.apk - Hosting URL for trojanized sqybhs.apk.
  • hxxps://www[.]sqgame[.]net/games/gamedownload.aspx - Download page leading to trojanized games.
• File Hashes:
  • 01A33066FBC6253304C92760916329ABD50C3191 (SHA1) - Trojanized sqybhs.apk game with Android BirdCall version 2.0.
  • 2B81F78EC4C3F8D6CF8F677D141C5D13C35333AF (SHA1) - Trojanized sqybhs.apk game with Android BirdCall version 1.5.
  • 59A9B9D47AE36411B277544F25AD2CC955D8DD2C (SHA1) - Trojanized ybht.apk game with Android BirdCall version 1.0.
  • 7356D7868C81499FB4E720F7C9530E5763B4C1D0 (SHA1) - Trojanized sqybhs.apk game with Android BirdCall version 1.0.
  • 409C5ACAED587F62F7E23DA47F72C4D9EC3144D9 (SHA1) - Downloader leading to the RokRAT backdoor.
  • B06110E0FEB7592872E380B7E3B8F77D80DD1108 (SHA1) - Publicly available dump of Windows BirdCall backdoor.
• File Paths:
  • mono.dll - Trojanized library in the Windows client update.
  • AndroidManifest.xml - Modified manifest file in trojanized Android APKs.
• Other:
  • com.example.zhuagou.SplashScreen - Modified entry point activity in trojanized Android APK.
  • com.mob.util.MobSs - Modified entry point activity in latest trojanized Android APK.
  • 0x2A7B4C33 - Magic DWORD used to identify decrypted commands in BirdCall.
  • tomasalfred37@zohomail.com - Zoho WorkDrive account email used for C2.
  • kalimaxim279@zohomail.com - Zoho WorkDrive account email used for C2.
  • smithbentley0617@zohomail.com - Zoho WorkDrive account email used for C2.
  • michaellarrow19@zohomail.com - Zoho WorkDrive account email used for C2.
  • amandakurth94@zohomail.com - Zoho WorkDrive account email used for C2.
  • rexmedina89@zohomail.com - Zoho WorkDrive account email used for C2.
  • alishaross751@zohomail.com - Zoho WorkDrive account email used for C2.
  • jamesdeeds385@zohomail.com - Zoho WorkDrive account email used for C2.
  • joyceluke505@zohomail.com - Zoho WorkDrive account email used for C2.
  • marjoriemiller280@zohomail.com - Zoho WorkDrive account email used for C2.
  • teresadaniels200@zohomail.com - Zoho WorkDrive account email used for C2.
  • michaelgiesen62@zohomail.com - Zoho WorkDrive account email used for C2.