Proprietary · 2024-10-01 · Backdoor, Data Theft, Remote Access

sqgame downloads delivered BirdCall

ScarCruft compromised sqgame downloads for Yanbian-themed games. Android APKs carried BirdCall, while a Windows update package led to RokRAT and BirdCall.

Story

ESET found sqgame through a suspicious Android APK on VirusTotal. The file was a trojanized Yanbian Red Ten game, and the same APK was available from sqgame's official website. A second Android game, New Drawing, carried the same backdoor.

ScarCruft appears to have compromised the website or web server, not the original source tree. The Android packages were repackaged with a new entry activity and service definitions for BirdCall, then arranged to start the original game after the implant initialized.

The Windows side used the desktop client's update path. ESET found a trojanized mono.dll library from dating/20240429.zip; the added downloader fetched shellcode, which carried RokRAT, and telemetry showed RokRAT later installing BirdCall.

The likely target was the Yanbian Korean community in China, including people of interest to North Korea. BirdCall collected contacts, SMS, call logs, files, screenshots, audio, and device metadata, using cloud services for command and control.

Affected Artifacts

sqybhs.apk

android · sqgame.com · Binary Archive
Observed
2024-10-01
Compromised Versions
Fixed
Not listed
Hashes
  • sha1:01A33066FBC6253304C92760916329ABD50C3191
  • sha1:03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF
  • sha1:2B81F78EC4C3F8D6CF8F677D141C5D13C35333AF
  • +1 more

dating/20240429.zip

sqgame windows updater · sqgame.com · Binary Archive
Observed
2024-10-01
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha1:95BDB94F6767A3CCE6D92363BBF5BC84B786BDB0
Version note
ESET described a trojanized Windows update package served from sqgame alongside the Android APKs, but did not publish a precise version identifier.

Incident Context

Motive
Espionage
Attribution
State
Cause
Website Compromise
Transitive
No
Actor
ScarCruft
Actor Country
North Korea
User Impact
1000

External References

Source record: proprietary/sqgame/meta.yaml