Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A new malware family called DocSwap, disguised as a document-viewing authentication app, was discovered targeting South Korean mobile users. The malware, attributed to a North Korean APT group, performs keylogging and information theft by abusing Android accessibility services. It decrypts an obfuscated APK file, executes code from a DEX file, and communicates with a C2 server to receive malicious commands. The malware requests extensive permissions, maintains persistence, and performs a range of malicious activities including camera manipulation and audio recording. The C2 infrastructure initially displayed a phishing page impersonating CoinSwap and later showed characteristics associated with the Kimsuky group. The threat actor has been designated puNK-004 by S2W TALON.
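The summary describes two traits that can be checked statically on a suspect APK: a manifest that binds an accessibility service while asking for camera and microphone permissions, and a second DEX payload carried outside the normal classes*.dex entries (in plain form, or encrypted and therefore high-entropy). The triage script below is an added example written for this page, not S2W TALON's or OpenCTI's code and not derived from a DocSwap sample. It assumes the manifest has already been decoded to plain XML (for instance with apktool), treats RECEIVE_BOOT_COMPLETED as the persistence indicator (an assumption), and runs against a constructed in-memory zip and manifest rather than real artefacts.

```python
"""Static triage for DocSwap-style Android droppers (added example, not the
report's own tooling). Inputs: a decoded AndroidManifest.xml as text and the
raw APK bytes (a zip)."""
import hashlib
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
DEX_MAGIC = b"dex\n"
# Capabilities named in the summary: camera, audio, persistence (the last
# mapped to RECEIVE_BOOT_COMPLETED as an assumption).
SENSITIVE_PERMS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
MEDIA_EXT = re.compile(r"\.(png|jpe?g|webp|gif|mp3|ogg|mp4|ttf|otf)$", re.I)
ENTROPY_THRESHOLD = 7.5   # bits/byte; compressed or encrypted data sits near 8.0
MIN_PAYLOAD_SIZE = 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest_indicators(manifest_xml: str) -> dict:
    """Detect an accessibility-service binding and sensitive permissions."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    accessibility = False
    for svc in root.iter("service"):
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            accessibility = True
        for action in svc.iter("action"):
            if action.get(A + "name") == "android.accessibilityservice.AccessibilityService":
                accessibility = True
    return {"accessibility_service": accessibility,
            "sensitive_permissions": sorted(perms & SENSITIVE_PERMS)}


def payload_indicators(apk_bytes: bytes) -> list:
    """List (entry, reason) for hidden DEX files or encrypted-looking blobs,
    skipping the legitimate classes*.dex entries and media assets."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if re.fullmatch(r"classes\d*\.dex", name) or name.endswith("/"):
                continue
            data = zf.read(name)
            if data.startswith(DEX_MAGIC):
                hits.append((name, "dex magic outside classes*.dex"))
            elif (len(data) >= MIN_PAYLOAD_SIZE and not MEDIA_EXT.search(name)
                  and shannon_entropy(data) >= ENTROPY_THRESHOLD):
                hits.append((name, "high-entropy blob (possible encrypted payload)"))
    return hits


def triage(manifest_xml: str, apk_bytes: bytes) -> dict:
    """Suspicious = accessibility abuse plus a sensitive permission or a payload."""
    result = manifest_indicators(manifest_xml)
    result["payloads"] = payload_indicators(apk_bytes)
    result["suspicious"] = result["accessibility_service"] and (
        bool(result["sensitive_permissions"]) or bool(result["payloads"]))
    return result


# Constructed sample inputs (not real DocSwap artefacts).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".KeyService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def build_sample_apk() -> bytes:
    """Constructed stand-in APK: normal classes.dex, a hidden DEX under
    assets/, a deterministic pseudo-random blob posing as an encrypted payload,
    and a benign text asset."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("assets/doc.dat", DEX_MAGIC + b"035\x00" + b"A" * 64)
        zf.writestr("assets/viewer.bin", blob)
        zf.writestr("assets/readme.txt", b"document viewer\n" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, build_sample_apk()))
```

On a real APK the manifest inside the zip is binary XML, so decode it first; the entropy check is a heuristic and will also fire on legitimate compressed or encrypted assets, which is why the verdict requires the accessibility-service binding as well.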
OPENCTI LABELS :
apt,north korea,south korea,dpkr,docswap,accessibility services