
Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

The Hacker News, 18/12/2025, 07:43

Summary

AI-Generated

Key Points:

  • Kimsuky, a North Korean threat actor, is distributing a new variant of Android malware called DocSwap via QR phishing campaigns that impersonate a legitimate delivery app.
  • Once installed, the malware gives the operator remote control of the device, including keystroke logging, audio capture, and file operations. Victims are lured by smishing texts and phishing emails (and QR codes pointing at the same URLs) to a site that serves the APK.
  • Security teams should block access to the known malicious domains and IPs, educate users about the risk of installing apps from QR-code links, and monitor mobile devices for sideloaded or otherwise unusual app installations.

Technical Details: The malware is delivered as a deceptive APK ("SecDelivery.apk") that, at runtime, decrypts an embedded second-stage APK and loads it to start the RAT service. The QR-code and phishing lures are there to get the victim to sideload the APK and to social-engineer them past Android's security warnings.
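A triage check for the dropper pattern described above (an outer APK carrying an encrypted second-stage APK), written as an added example for this page rather than taken from the article or from DocSwap itself. It treats an APK as the ZIP it is, flags any entry that already carries ZIP or DEX magic outside the normal `classes*.dex` slots, and flags large near-random blobs under `assets/` or `res/raw/`, which is where droppers usually park an encrypted payload. The sample APK, the package name `com.example.secdelivery`, the key `k1msuky!` and the use of XOR as the "encryption" are all constructed for the demo; the article does not say which algorithm or key DocSwap uses, so `recover_embedded_apk` only shows the shape of the decrypt-and-check-magic step.

```python
import io
import math
import random
import zipfile
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"   # a nested APK is just a ZIP
DEX_MAGIC = b"dex\n"        # raw Dalvik bytecode
PAYLOAD_DIRS = ("assets/", "res/raw/")
# Already-compressed media looks random too; skip it to cut false positives.
COMPRESSED_EXT = (".png", ".jpg", ".jpeg", ".webp", ".ogg", ".mp3", ".mp4", ".gz", ".zip")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted/random data approaches 8.0, code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 4096) -> dict:
    """Return entries that look like an embedded (plain or encrypted) second-stage APK/DEX.

    Neither finding alone proves malice (games ship opaque blobs too); together with a
    bogus 'delivery app' identity and a runtime DexClassLoader call it is a strong signal.
    """
    findings = {"nested_apks": [], "high_entropy": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = z.read(name)
            # classes.dex, classes2.dex, ... at the top level are legitimate.
            top_level_dex = "/" not in name and name.startswith("classes") and name.endswith(".dex")
            if (data.startswith(ZIP_MAGIC) or data.startswith(DEX_MAGIC)) and not top_level_dex:
                findings["nested_apks"].append(name)
                continue
            if (name.startswith(PAYLOAD_DIRS) and len(data) >= min_size
                    and not name.lower().endswith(COMPRESSED_EXT)
                    and shannon_entropy(data) >= entropy_threshold):
                findings["high_entropy"].append(name)
    return findings


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_embedded_apk(blob: bytes, key: bytes):
    """Stand-in for the dropper's decrypt step (XOR is assumed, not DocSwap's real scheme):
    apply the candidate key and accept the result only if it carries ZIP magic."""
    out = xor_bytes(blob, key)
    return out if out.startswith(ZIP_MAGIC) else None


def build_zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()


# --- constructed sample, not a real DocSwap artefact ---
_rng = random.Random(1)
_random_code = bytes(_rng.getrandbits(8) for _ in range(8192))
STAGE2_KEY = b"k1msuky!"                                        # hypothetical key
STAGE2_APK = build_zip([("classes.dex", DEX_MAGIC + _random_code)])
SAMPLE_APK = build_zip([
    ("AndroidManifest.xml", b'<manifest package="com.example.secdelivery"/>'),
    ("classes.dex", DEX_MAGIC + b"\x00" * 6000),               # boring loader stub
    ("assets/logo.png", b"\x89PNG" + b"\x00" * 6000),           # benign asset
    ("assets/plain_inner.apk", STAGE2_APK),                     # unencrypted nested APK
    ("assets/payload.bin", xor_bytes(STAGE2_APK, STAGE2_KEY)),  # "encrypted" nested APK
])

if __name__ == "__main__":
    print(triage_apk(SAMPLE_APK))
    blob = zipfile.ZipFile(io.BytesIO(SAMPLE_APK)).read("assets/payload.bin")
    print("stage-2 recovered:", recover_embedded_apk(blob, STAGE2_KEY) == STAGE2_APK)
```

On a real sample you would pair this with the decompiled loader: a `DexClassLoader`/`PathClassLoader` call fed from a file written out of `assets/` tells you which blob to decrypt and usually exposes the key material.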

MITRE ATT&CK Techniques:

  • T1566 - Phishing (Initial Access)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)

IOCs Mentioned:

  • 27.102.137[.]181 (malicious server)
  • SecDelivery.apk (malicious APK)
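A small hunting helper for the two IOCs above, added here as an example (it is not code from the article). It refangs the published `27.102.137[.]181` form, parses a constructed squid-style access log (timestamp, client, method, URL, status; the format and every line are made up for the demo), and matches on the URL's host and file name rather than on substrings, so that `127.102.137.181` or a longer address containing the IOC digits does not produce a false hit.

```python
from urllib.parse import urlsplit

# IOCs as listed in the summary, in their published (defanged) form.
IOCS = {"ips": ["27.102.137[.]181"], "filenames": ["SecDelivery.apk"]}


def refang(ioc: str) -> str:
    """Undo common defanging so the IOC can be compared with live log data."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_log_line(line: str):
    """Assumed (constructed) format: '<ts> <client> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def match_line(line: str, iocs=IOCS):
    rec = parse_log_line(line)
    if rec is None:
        return []
    url = urlsplit(rec["url"])
    host = (url.hostname or "").lower()          # hostname strips any :port
    basename = url.path.rsplit("/", 1)[-1].lower()
    hits = []
    for ip in iocs["ips"]:
        if host == refang(ip):                   # exact match, never substring
            hits.append(("ip", ip))
    for fn in iocs["filenames"]:
        if basename == fn.lower():               # case-insensitive file name
            hits.append(("filename", fn))
    return hits


def scan_log(text: str, iocs=IOCS):
    """Return one record per matching line: line number, client, and which IOCs hit."""
    results = []
    for n, line in enumerate(text.splitlines(), start=1):
        hits = match_line(line, iocs)
        if hits:
            results.append({"line_no": n, "client": parse_log_line(line)["client"], "hits": hits})
    return results


def clients_to_investigate(text: str, iocs=IOCS):
    return sorted({r["client"] for r in scan_log(text, iocs)})


# Constructed log: only the IOC IP and file name come from the summary.
SAMPLE_LOG = """\
2025-12-18T07:40:01Z 10.0.0.12 GET http://27.102.137.181/SecDelivery.apk 200
2025-12-18T07:41:10Z 10.0.0.19 GET http://127.102.137.181/index.html 200
2025-12-18T07:42:33Z 10.0.0.12 POST http://27.102.137.181:8080/upload 200
2025-12-18T07:43:05Z 10.0.0.31 GET https://cdn.example.com/secdelivery.apk 200
2025-12-18T07:43:09Z 10.0.0.31 GET https://www.example.org/ 200
"""

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r)
    print("investigate:", clients_to_investigate(SAMPLE_LOG))
```

The second line is the deliberate near-miss: a substring search for `27.102.137.181` would flag it, while the host comparison does not. The fourth line shows why the file-name match is worth keeping even without the IP: a lure that has moved to a new host still drops the same APK name.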
