sqgame downloads delivered BirdCall
ScarCruft compromised sqgame downloads for Yanbian-themed games. Android APKs carried BirdCall, while a Windows update package led to RokRAT and BirdCall.
Story
ESET discovered the sqgame compromise through a suspicious Android APK on VirusTotal. The file was a trojanized Yanbian Red Ten game, and the same APK was available from sqgame's official website. A second Android game, New Drawing, carried the same backdoor.
ScarCruft appears to have compromised the website or web server, not the original source tree. The Android packages were repackaged with a new entry activity and service definitions for BirdCall, then arranged to start the original game after the implant initialized.
The Windows side used the desktop client's update path. ESET found a trojanized mono.dll library from dating/20240429.zip; the added downloader fetched shellcode, which carried RokRAT, and telemetry showed RokRAT later installing BirdCall.
The likely target was the Yanbian Korean community in China, including people of interest to North Korea. BirdCall collected contacts, SMS, call logs, files, screenshots, audio, and device metadata, using cloud services for command and control.
Affected Artifacts
- Observed: 2024-10-01
- Fixed: Not listed
- Hashes:
  - sha1:01A33066FBC6253304C92760916329ABD50C3191
  - sha1:03E3ECE9F48CF4104AAFC535790CA2FB3C6B26CF
  - sha1:2B81F78EC4C3F8D6CF8F677D141C5D13C35333AF
  - +1 more

- Observed: 2024-10-01
- Fixed: Not listed
- Hashes:
  - sha1:7356D7868C81499FB4E720F7C9530E5763B4C1D0
  - sha1:FC0C691DB7E2D2BD3B0B4C1E24D18DF72168B7D9

- Observed: 2024-10-01
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha1:95BDB94F6767A3CCE6D92363BBF5BC84B786BDB0
- Evidence:
  - distribution: xiazai.sqgame.com.cn/dating/20240429.zip
  - mirror: virustotal.com/gui/file/95bdb94f6767a3cce6d92363bbf5bc84b786bdb0
  - file: mono.dll
  - family: RokRAT
  - +1 more
- Note: ESET described a trojanized Windows update package served from sqgame alongside the Android APKs, but did not publish a precise version identifier.
Incident Context
- Motive: Espionage
- Attribution: State
- Cause: Website Compromise
- Transitive: No
- Actor: ScarCruft
- Actor Country: North Korea
- User Impact: 1000
External References
Source record: proprietary/sqgame/meta.yaml