✅ Report Title: BirdCall, ScarCruft Malware Masquerading as Zangi Messenger
✅ Executive Summary:
S2W recently identified and analyzed additional samples of the 'BirdCall' malicious app developed by the North Korea-backed ScarCruft group, also known as APT 37. ESET had previously disclosed that BirdCall targeted China's Yabian region and specific groups.
📌 What is the BirdCall malware?
- Another malicious app identified is the BirdCall malware, which masquerades as the Zangi messenger app.
- It has been confirmed that the attacker repackaged the legitimate app to alter its entry point.
📌 Key Characteristic
- The BirdCall malware app uses dual Zoho WorkDrive accounts (cmdCloud and dataCloud) as C2 channels.
- It steals information about infected devices and collected sensitive data, and supports a total of eight types of remote commands, enabling it to control devices, steal files, and re-collect data.
- The stolen data is structured according to a sophisticated packet format defined within the malware and is encrypted and obfuscated using AES-256-CBC + zlib multi-layer encryption.
- Additionally, when uploaded to Zoho WorkDrive, filenames are obfuscated through Base-26 encoding and packed into an 11-base structure.
🧑💻 Author: S2W TALON
👉 Read the full report: https://bit.ly/4vppNU9
*The full report is available upon request or with a subscription to the S2W platform.