✅ Report Title:
Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer
The S2W Threat Intelligence Center has published a report on the analysis of the 'Document Viewing Authentication App' malware, which is suspected to be linked to a North Korean-backed APT group. The malware was hunted and analyzed using VirusTotal.
This is an advanced threat intelligence report that provides insights into identifying malware associated with North Korean-backed attack groups.
✅ Executive Summary:
1. Threat Hunting
On January 21, 2025, S2W Threat Research and Intelligence Center Talon hunted and analyzed a malware sample on VirusTotal, identified as the “문서열람 인증 앱” (Document Viewing Authentication App) which is suspected to be linked to a North Korean-backed APT group.
2. Malware
The malicious app was first signed on December 13, 2024. It decrypts the “security.db” file within the package using an XOR operation and dynamically loads a DEX file. Ultimately, it receives commands from the C2 server and performs malicious functions related to keylogging and information theft.
3. Key Features
Based on the malicious app's name and the presence of Korean-language strings, it is suspected to target mobile device users in South Korea. This malware is a previously unidentified type of threat masquerading as a document-viewing authentication app. A phishing page impersonating CoinSwap was found on the C2 infrastructure, leading to its designation as DocSwap.
4. Attribution
When DocSwap malware was first discovered, a phishing page impersonating CoinSwap was identified on the C2 IP address used for socket communication. However, as of February 27, 2025, accessing the C2 address displayed Naver’s favicon and the message “Million OK !!!!”, indicating a possible connection to the Kimsuky group.
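As an added triage example (not code from the S2W report), the following Python helper turns the loading detail above, an XOR-obscured DEX stored in a package asset such as "security.db", into a check an analyst can run on an APK: it unzips the package, tries every single-byte XOR key on each non-DEX entry and reports entries whose header becomes the DEX magic. The single-byte key, the in-memory sample APK and the helper names are assumptions; the report does not disclose the real key or scheme.

```python
import io
import zipfile
from typing import Dict, Optional

DEX_MAGIC = b"dex\n"  # every DEX file begins with "dex\n0NN\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_dex_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key that turns blob's first 4 bytes into the
    DEX magic, or None if no key does. Key 0 means a plain DEX stored under
    a non-.dex name, which is still worth reporting."""
    head = blob[:4]
    for key in range(256):
        if xor_bytes(head, key) == DEX_MAGIC:
            return key
    return None


def scan_apk(apk_bytes: bytes) -> Dict[str, int]:
    """Map each APK entry that looks like an XOR'd DEX payload to its key.
    Regular *.dex entries and signature files are skipped."""
    hits: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".dex") or name.startswith("META-INF/"):
                continue
            key = find_xor_dex_key(zf.read(name))
            if key is not None:
                hits[name] = key
    return hits


def build_sample_apk(key: int = 0x5A) -> bytes:
    """Construct an in-memory, APK-like zip carrying a fake XOR'd DEX asset
    (constructed sample, not the real DocSwap package)."""
    fake_dex = b"dex\n035\x00" + bytes(32)  # header plus zero padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fake_dex)  # normal code, skipped
        zf.writestr("assets/security.db", xor_bytes(fake_dex, key))
        zf.writestr("res/values.xml", b"<resources/>")  # not a DEX
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))  # {'assets/security.db': 90}
```

A multi-byte or rolling XOR key would defeat this first pass; in that case recover the key from the loader's decryption routine and apply it directly.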
📌 What are the details of the malicious app?
- Package Name: com.security.library
- App Name: 문서열람 인증 앱
- MD5: 3ccfe58b8e0b5ca96cac4e9394567515
- SHA256: bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e
You can check the malicious app's icon image in the full report published on the S2W Tech blog.
✅ Recommended Threat Detection and Mitigation Actions:
- On January 21, 2025, a malicious app named “문서열람 인증 앱” (Document Viewing Authentication App) was identified. This app, a new type of malware not previously observed, impersonates a document-viewing authentication app. Additionally, a phishing page masquerading as CoinSwap was found at the C2 address, leading to the app being named DocSwap.
- The malicious app performs keylogging through accessibility services. Via socket communication with the C2 server, it receives malicious commands to carry out information theft functions such as camera recording, microphone recording, file downloading and deletion, among others.
- On February 21, 2025, when accessing the app’s C2 address, a phishing page masquerading as CoinSwap was observed. However, on February 27, 2025, the Naver favicon and the string “Million OK !!!!” appeared instead. A similar characteristic was previously observed on the Kimsuky group's phishing servers targeting Naver accounts, suggesting a possible connection to that group.
- S2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups. Among them, attack groups linked to North Korea are tracked under the name puNK and the threat actors using the DocSwap malware have been designated as puNK-004.
- The DocSwap malware disguises itself as a document viewing authentication app, tricking users into installing and clicking on it. Therefore, it is essential to be cautious and avoid executing links or email attachments that lead to downloading malicious apps with uncertain origins.
🧑‍💻 Report Author: S2W TALON (Updated 2025-03-14)
👉 Learn more: https://bit.ly/4ofYIiO
*The full report is available upon request.