A journalist in South Korea was targeted by suspected North Korean nation-state actors using a social engineering campaign that involved a malicious Android app. This information was uncovered by Interlab, a non-profit organization based in South Korea, which also named the new malware RambleOn.

Baiting the journalist

  • The journalist received a message via WeChat on December 7, 2022, requesting a private conversation regarding a sensitive topic.
  • During the discussion, the topic of secure messaging arose, and the sender recommended using an app called Fizzle messenger.
  • The sender then sent an APK file, intending to convince the journalist to install it.

Infection process

  • Fizzle messenger serves as the initial stage of the malware, functioning as a loader that carries out various checks on the Android device before delivering a payload.
  • This payload enables malicious methods to be executed on instruction from a C2 server; it, in turn, exfiltrates sensitive data to cloud storage and downloads a secondary payload.
  • The secondary payload then exfiltrates additional data, creates services for ongoing collection, and establishes C2 mechanisms using Google's Firebase Cloud Messaging.

RambleOn’s features and capabilities

  • The spyware can access the victim’s contact list, SMS, voice calls, and location from the moment it compromises the target.
  • While RambleOn disguises itself as Fizzle messenger, it actually serves as a means to retrieve and run a subsequent payload hosted on pCloud and Yandex.

While analyzing RambleOn, the researchers found little data that provides definite and straightforward evidence for attributing this incident. Nevertheless, several noteworthy elements could support future attribution efforts.

Attribution

  • The victimology of the campaign matches the modus operandi of Kimsuky and APT37.
  • The use of Yandex and pCloud storage for C2 and payload delivery is a technique frequently used by APT37.

In addition, a new Android malware associated with Kimsuky was observed using Google's Firebase Cloud Messaging in October 2022. The analyzed malware shared numerous method and class names with that sample, suggesting that the creators of the different samples were familiar with each other.

The bottom line

RambleOn is an Android spyware that is capable of accessing a wide range of sensitive data on the victim’s device and establishes C2 via Google’s Firebase Cloud Messaging. Given the nature of journalists' work and the sensitive information they handle, the discovery of RambleOn highlights the continued threat of nation-state actors targeting individuals for cyberespionage purposes.
Cyware Publisher