Experts Warn of RambleOn Android Malware Targeting South Korean Journalists

February 17, 2023 | Ravie Lakshmanan | Mobile Security / Cyber Threat

RambleOn Android Malware

A suspected North Korean nation-state actor targeted a South Korean journalist with a malware-laden Android app as part of a social engineering campaign.

The findings come from South Korea-based non-profit Interlab, which named the new malware RambleOn.

“The malicious functionality includes the ability to read and leak the target’s contact list, SMS, voice call content, location and others from the time of compromise on the device,” Ovi Liber, a threat researcher at Interlab, said in a report published this week.

The spyware disguises itself as a secure chat app called Fizzle (ch.seme), but actually acts as a conduit to deliver the next stage payload hosted on pCloud and Yandex.

The chat app was allegedly sent as an Android package (APK) file via WeChat to targeted journalists on December 7, 2022 under the pretext of wanting to talk about sensitive topics.

RambleOn’s main purpose is to act as a loader for another APK file (com.data.WeCoin) while also requesting intrusive permissions that let it collect files, access call logs, intercept SMS messages, record audio, and exfiltrate location data.


The secondary payload is designed to provide an alternative channel to access infected Android devices using Firebase Cloud Messaging (FCM) as a command and control (C2) mechanism.
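The two traits the article attributes to RambleOn, an intrusive permission set covering contacts, SMS, call logs, audio and location, and a Firebase Cloud Messaging listener usable as a C2 channel, are both visible in an APK’s AndroidManifest.xml, so a defender can triage a sideloaded app before running it. The script below is an added example, not code from the article or from Interlab: it parses a constructed manifest (package name, component names and permission list are all made up for illustration) and flags the combination of surveillance permissions, an install-packages permission (consistent with a loader that drops a second APK) and an FCM messaging-event service. The permission strings and the `com.google.firebase.MESSAGING_EVENT` action are standard Android and Firebase identifiers; the scoring thresholds are an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Standard permissions that map to the capabilities the article lists for RambleOn.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "file collection",
}
# A chat app that asks to install other packages is consistent with a loader.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
# Intent action that a FirebaseMessagingService registers for; push messages
# delivered here can serve as a command channel.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Constructed sample manifest (hypothetical package and component names).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".PushService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access and push only.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application>
    <service android:name=".PushService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml, min_capabilities=3):
    """Summarise surveillance-relevant traits of an Android manifest.

    Returns a dict with the package name, the surveillance capabilities implied
    by its permissions, whether it can install packages (loader indicator),
    whether it registers an FCM listener, and an overall 'suspicious' verdict.
    The verdict threshold is an assumption of this example, not a published rule.
    """
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    capabilities = sorted(
        SURVEILLANCE_PERMISSIONS[p] for p in permissions if p in SURVEILLANCE_PERMISSIONS
    )
    actions = {el.get(NAME_ATTR) for el in root.iter("action")}
    fcm_listener = FCM_ACTION in actions
    loader_indicator = INSTALL_PERMISSION in permissions
    # Push-based C2 alone is normal for chat apps; it is the pairing with a broad
    # surveillance permission set (or loader behaviour) that warrants a closer look.
    suspicious = fcm_listener and (len(capabilities) >= min_capabilities or loader_indicator)
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "loader_indicator": loader_indicator,
        "fcm_listener": fcm_listener,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The manifest of a real APK can be pulled with `apktool d app.apk` (decoded XML) or `aapt dump xmltree app.apk AndroidManifest.xml`; feed the decoded XML to `triage_manifest`. A positive verdict is a reason to analyse the app further, not proof of malice, since legitimate messaging apps also request several of these permissions.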

Interlab said it identified an overlap in FCM functionality between RambleOn and FastFire, an Android spyware that South Korean cybersecurity firm S2W attributed to Kimsuky last year.

“The victimology of this event closely aligns with the modus operandi of groups such as APT37 and Kimsuky,” Liber said, noting that the former uses pCloud and Yandex storage for payload delivery and command and control.
