APT37 BirdCall Android Campaign: Supply Chain Attack Detection and Hardening

Security Arsenal Team
May 5, 2026

Introduction

The North Korean state-sponsored threat actor APT37 (also known as ScarCruft or Reaper) has launched a new campaign delivering an Android variant of its BirdCall malware. Unlike traditional spear-phishing, this operation utilizes a supply-chain attack vector, compromising a legitimate video game platform to distribute malicious payloads.

For defenders, this represents a significant shift in TTPs. The trust users place in legitimate gaming ecosystems is being weaponized to deploy an Advanced Persistent Threat (APT) capability. Once installed, BirdCall provides unauthorized access to device data, microphone, and location, effectively turning the mobile device into a surveillance tool. Immediate action is required to identify compromised devices and block the associated infrastructure.

Technical Analysis

Threat Actor and Malware

  • Actor: APT37 (ScarCruft, Reaper)
  • Malware: BirdCall (Android)
  • Type: Remote Access Trojan (RAT) / Unauthorized Access Mechanism

Attack Chain

  1. Initial Access: The threat actors compromised a specific video game platform. The platform is identified in the full intelligence report; the mechanism is that the platform serves a malicious update or installer in place of the legitimate game file.
  2. Execution: The user downloads and installs the tainted application.
  3. Payload Delivery: The dropper installs the BirdCall malware, which establishes persistence and initiates C2 communications.
  4. C2 & Exfiltration: BirdCall connects to actor-controlled servers to await commands and exfiltrate sensitive device data (contacts, SMS, location).
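
The step the chain hinges on is the platform serving a substituted installer. The check a defender can put in front of that step is to pin the publisher's release hash out of band and refuse anything that does not match. The following Python is an added example, not code from the report or from any game platform; the installer bytes, the artifact name example-game-1.4.2.apk and the manifest layout are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed artifacts: what the publisher built, and what a compromised
# platform might serve in its place. Both byte strings are invented for
# this example.
GOOD_INSTALLER = b"PK\x03\x04 constructed legitimate game installer"
TAMPERED_INSTALLER = b"PK\x03\x04 constructed installer with dropper appended"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Pinned release manifest. In practice this comes from the publisher over a
# channel independent of the download platform (signed release notes, a
# vendor portal, an internal software catalogue), so that a compromise of
# the platform alone cannot change both the file and its expected hash.
PINNED_MANIFEST = {
    "example-game-1.4.2.apk": {
        "sha256": sha256_hex(GOOD_INSTALLER),
        "size": len(GOOD_INSTALLER),
    },
}


def verify_download(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (ok, reason). Fail closed: anything not in the manifest is rejected."""
    entry = manifest.get(name)
    if entry is None:
        return False, "no pinned entry for this artifact"
    if len(data) != entry["size"]:
        return False, f"size mismatch ({len(data)} bytes, expected {entry['size']})"
    actual = sha256_hex(data)
    # compare_digest avoids timing differences; cheap insurance even for hashes
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, "sha256 mismatch: installer differs from the pinned release"
    return True, "matches pinned release"


def audit_downloads(downloads: dict, manifest: dict) -> dict:
    """Check every fetched artifact; returns name -> (ok, reason)."""
    return {name: verify_download(name, data, manifest) for name, data in downloads.items()}


if __name__ == "__main__":
    fetched = {
        "example-game-1.4.2.apk": TAMPERED_INSTALLER,    # what a compromised platform served
        "example-game-1.4.2-bonus.apk": GOOD_INSTALLER,  # no pinned entry at all
    }
    for name, (ok, reason) in audit_downloads(fetched, PINNED_MANIFEST).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

The design point is the second input: the expected hash must not travel with the file. A manifest fetched from the same compromised platform would simply be rewritten alongside the installer, and the check would pass.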

Affected Platform

  • Android OS: Various versions (the minimum version depends on the game's requirements; the campaign targets broad compatibility).
  • Vector: Compromised third-party game distribution platform.

Exploitation Status

  • Status: Confirmed Active Exploitation (In-the-wild).
  • Supply Chain: The integrity of the game platform's delivery mechanism has been breached.

Detection & Response

Detecting mobile threats often requires visibility into network traffic (Proxy/DNS) or Mobile Device Management (MDM) logs, as traditional EDR may not be present on all BYOD devices. The following rules focus on network artifacts and known behavioral indicators of the BirdCall malware.

Sigma Rules

YAML
---
title: Potential APT37 BirdCall Android Malware C2 Traffic
id: 00000000-0000-4000-8000-000000000001  # placeholder: generate a fresh UUIDv4 before deploying
status: experimental
description: Detects potential network connections associated with APT37 BirdCall malware based on known suspicious URI patterns or user-agent strings often spoofed by this actor.
references:
  - https://www.bleepingcomputer.com/news/security/scarcruft-hackers-push-birdcall-android-malware-via-game-platform/
author: Security Arsenal
date: 2025-04-07
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: proxy
detection:
  selection:
    c-uri|contains:
      - '/api/upload'
      - '/birdcall'
    cs-method: 'POST'
  # Uploads to official stores and Steam are expected; drop them from the result
  filter_legit_games:
    c-uri|contains:
      - 'steam'
      - 'play.google.com'
      - 'itunes.apple.com'
  condition: selection and not filter_legit_games
falsepositives:
  - Legitimate game uploaders
level: high
---
title: Suspicious Android APK Download from Game Platform
id: 00000000-0000-4000-8000-000000000002  # placeholder: generate a fresh UUIDv4 before deploying
status: experimental
description: Detects downloads of APK files from non-standard markets or specific gaming platforms that may be involved in the supply chain compromise.
references:
  - https://www.bleepingcomputer.com/news/security/scarcruft-hackers-push-birdcall-android-malware-via-game-platform/
author: Security Arsenal
date: 2025-04-07
tags:
  - attack.initial_access
  - attack.t1195.002
# APK downloads are only visible where the URL is logged, i.e. in proxy logs;
# a raw network-connection event carries no URI to match on
logsource:
  category: proxy
detection:
  # Hunt for APK downloads
  selection_apk:
    c-uri|endswith: '.apk'
  selection_source:
    cs-host|contains:
      - 'game'
      - 'download'
  filter_official_store:
    cs-host|contains: 'play.google.com'
  condition: selection_apk and selection_source and not filter_official_store
falsepositives:
  - Users sideloading legitimate games
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for devices exhibiting network behavior consistent with the BirdCall malware, specifically looking for connections to suspicious infrastructure or high volumes of data exfiltration common in mobile RATs.

// Hunt for APT37 BirdCall Network Indicators
// Placeholder domains: replace with the IOCs from the full report
let SuspiciousDomains = dynamic(["malicious-domain-example.com", "c2-server-example.net"]);
// DeviceNetworkEvents carries no OS column; take the Android device IDs from DeviceInfo
let AndroidDevices = DeviceInfo
    | where OSPlatform =~ "Android"
    | distinct DeviceId;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceId in (AndroidDevices)
| where RemoteUrl has_any (SuspiciousDomains)
    or RemoteUrl contains "/upload"
    or RemoteUrl contains "/config"
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceId, DeviceName, RemoteUrl, RemoteIP
| order by Count desc
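
As an added example (not the page's own code, and independent of any SIEM), the following Python applies the first Sigma rule's logic to a constructed proxy log excerpt and then performs the per-client summarize step the KQL query performs, adding the upload-volume total that a hunt for "high volumes of data exfiltration" needs. The log lines, the .test hostnames, the client addresses and the 1 MB threshold are all assumptions made for the example; the bytes field is read as client-to-server bytes (cs-bytes).

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed proxy log excerpt in W3C extended format. The hostnames ending
# in .test and the client addresses are invented; they are not indicators
# from the report. cs-bytes is the number of bytes the client sent.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-host c-uri cs-bytes sc-status
2026-05-01 08:00:11 10.0.0.15 POST updates.game-platform.test /api/upload 524288 200
2026-05-01 08:10:09 10.0.0.15 POST updates.game-platform.test /api/upload 610304 200
2026-05-01 08:20:14 10.0.0.15 POST updates.game-platform.test /api/upload 498176 200
2026-05-01 08:21:00 10.0.0.22 POST community.steampowered.com /api/upload 2048 200
2026-05-01 08:25:33 10.0.0.31 GET cdn.game-platform.test /game/birdcall/config 0 200
2026-05-01 08:30:02 10.0.0.31 POST play.google.com /api/upload 1024 200
2026-05-01 08:40:45 10.0.0.15 POST updates.game-platform.test /api/upload 701440 200
"""

# The two components of the Sigma rule: what to select, and what to filter out.
SELECTION_URI = ("/api/upload", "/birdcall")
FILTER_URI = ("steam", "play.google.com", "itunes.apple.com")


@dataclass
class ProxyEvent:
    ts: datetime
    client: str
    method: str
    host: str
    uri: str
    bytes_out: int
    status: int

    @property
    def url(self) -> str:
        # The rule's c-uri terms are matched against host+path here, so the
        # host-based filter terms (play.google.com) behave as the rule intends.
        return self.host + self.uri


def parse_log(text: str) -> list[ProxyEvent]:
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        day, clock, client, method, host, uri, cbytes, status = line.split()
        events.append(ProxyEvent(datetime.fromisoformat(f"{day} {clock}"),
                                 client, method, host, uri, int(cbytes), int(status)))
    return events


def matches_rule(ev: ProxyEvent) -> bool:
    selection = ev.method == "POST" and any(p in ev.url for p in SELECTION_URI)
    filtered = any(p in ev.url for p in FILTER_URI)
    return selection and not filtered


def summarize(events: list[ProxyEvent], bytes_threshold: int = 1_000_000) -> list[dict]:
    """Group rule hits per client and URL (the KQL summarize step) and total
    the bytes uploaded so that a high-volume talker stands out."""
    hits = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            hits[(ev.client, ev.url)].append(ev)
    rows = []
    for (client, url), evs in hits.items():
        total = sum(e.bytes_out for e in evs)
        rows.append({
            "client": client, "url": url, "count": len(evs),
            "first_seen": min(e.ts for e in evs), "last_seen": max(e.ts for e in evs),
            "bytes_out": total, "high_volume": total >= bytes_threshold,
        })
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in summarize(parse_log(SAMPLE_LOG)):
        print(row)
```

On the sample, only the client repeatedly posting to the platform's upload endpoint survives: the Steam and Google Play uploads are removed by the filter, and the GET to the /birdcall path fails the POST condition. The byte total is what turns four individually unremarkable requests into something worth a ticket.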

Velociraptor VQL

Use this artifact on Android endpoints to hunt for the presence of the malicious package or the specific game platform app installation. This assumes Velociraptor is deployed on the mobile device.

VQL — Velociraptor
-- Hunt for installed packages matching the threat indicators.
-- Placeholder names and version: replace with the IOCs from the full report.
-- Exact values use =; regex matches use =~ and are anchored so that a
-- version filter does not also match "11.0.0" or "1x0y0".
SELECT * FROM android_packages()
WHERE PackageName = "com.suspicious.game"
   OR PackageName =~ "^com[.]scarcruft"
   OR VersionName = "1.0.0"
   OR RequestedPermissions =~ "android.permission.READ_SMS"

-- Hunt for APK files under the app install directory. Android installs
-- packages as /data/app/<package>-<random>/base.apk (newer releases add a
-- further random directory level), so match base.apk at any depth.
SELECT OSPath, Size, Mtime
FROM glob(globs="/data/app/**/base.apk")
WHERE OSPath =~ "(?i)game|birdcall"
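
Where Velociraptor is not available on the handset, the same package triage can be run over an MDM inventory export or a parsed dumpsys package dump. The following Python is an added example, not code from the report: the inventory records, the placeholder package names mirroring the VQL above, and the grouping of four permissions into a "surveillance set" are all assumptions made for illustration. It goes a little beyond the VQL by combining two weak signals, sideloaded origin and a surveillance-grade permission set, instead of matching on a single indicator.

```python
from __future__ import annotations

import re

# Permissions that together give the capability described for BirdCall
# (device data, microphone, location). The grouping is this example's own
# heuristic, not a signature taken from the report.
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Installer package names treated as official stores (Google Play).
OFFICIAL_INSTALLERS = {"com.android.vending"}
# Placeholder package-name indicators mirroring the VQL; replace with the
# package names from the full report.
PACKAGE_IOC_PATTERNS = [re.compile(r"^com\.suspicious\.game$"), re.compile(r"^com\.scarcruft\.")]

# Constructed inventory, shaped like an MDM export or a parsed
# `pm list packages -i` / `dumpsys package` dump. installer is None when the
# APK was sideloaded via adb or a file manager.
INVENTORY = [
    {"package": "com.android.chrome", "installer": "com.android.vending",
     "permissions": ["android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"]},
    {"package": "com.example.fungame", "installer": "com.example.gameplatform",
     "permissions": ["android.permission.INTERNET", "android.permission.READ_SMS",
                     "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.READ_CONTACTS"]},
    {"package": "com.suspicious.game", "installer": None,
     "permissions": ["android.permission.INTERNET"]},
    {"package": "com.example.maps", "installer": "com.android.vending",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO"]},
]


def triage_package(pkg: dict, min_surveillance_perms: int = 3) -> list[str]:
    """Return the reasons a package deserves analyst attention (empty = clean)."""
    reasons = []
    if any(p.search(pkg["package"]) for p in PACKAGE_IOC_PATTERNS):
        reasons.append("package name matches a known indicator")
    sideloaded = pkg["installer"] not in OFFICIAL_INSTALLERS
    requested = SURVEILLANCE_PERMS & set(pkg["permissions"])
    # A store app with location + microphone is ordinary; the same permission
    # set on a sideloaded app from a game platform is the BirdCall shape.
    if sideloaded and len(requested) >= min_surveillance_perms:
        reasons.append(f"sideloaded app requests {len(requested)} surveillance permissions: "
                       + ", ".join(sorted(requested)))
    return reasons


def triage_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map package name -> reasons, for every package with at least one reason."""
    flagged = {}
    for pkg in inventory:
        reasons = triage_package(pkg)
        if reasons:
            flagged[pkg["package"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_inventory(INVENTORY).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The maps app in the sample requests location and microphone but came from Google Play and stays clean; the game from the third-party platform with the same permissions plus SMS and contacts is flagged. That asymmetry is the point of pairing the permission check with the installer field rather than alerting on permissions alone.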

Remediation Script (Bash)

For network defenders managing Linux gateways or analyzing packet captures, this script helps identify and block the IP ranges associated with the campaign. (Note: Replace placeholders with actual IOCs from the full report).

Bash / Shell
#!/bin/bash
# Remediation script for APT37 BirdCall C2 Infrastructure
# Requires root privileges for iptables modifications
set -u

# Indicator List (Replace with actual IOCs from threat feed)
IOCS=("192.0.2.1" "203.0.113.5" "malicious.example.com")

# Resolve a hostname indicator to its current IPv4 addresses; plain IPs pass
# through. iptables would resolve a name once at insert time anyway, so doing
# it here keeps every blocked address visible in the rule set.
resolve() {
  if [[ "$1" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
    echo "$1"
  else
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
  fi
}

# Insert a DROP at the top of the chain (-I, not -A) so it takes effect even
# when an earlier ACCEPT rule would otherwise match first.
block_ip() {
  local chain=$1 flag=$2 ip=$3
  if iptables -C "$chain" "$flag" "$ip" -j DROP 2>/dev/null; then
    echo "[-] $chain rule for $ip already exists."
  else
    echo "[+] Blocking $ip in $chain"
    iptables -I "$chain" "$flag" "$ip" -j DROP
  fi
}

echo "[*] Checking for existing iptables rules..."
for ioc in "${IOCS[@]}"; do
  for ip in $(resolve "$ioc"); do
    block_ip INPUT  -s "$ip"
    block_ip OUTPUT -d "$ip"
  done
done

echo "[*] Verifying rules..."
iptables -L -n -v | grep DROP

echo "[*] Remediation complete. Ensure you save iptables rules."

Remediation

  1. Identify and Block IOCs: Immediately review firewall and proxy logs. Block all domains and IP addresses associated with the APT37 campaign identified in the threat intelligence report.
  2. Application Removal: Instruct users (or use MDM) to uninstall the specific compromised game application immediately. Do not simply update it, as the supply chain is compromised.
  3. Mobile Policy Update:
    • Enforce allow-listing for app stores (restrict to the Google Play Store or Apple App Store only). Block the installation of APKs from third-party gaming platforms.
    • Require mobile devices to have a security agent installed (Mobile Threat Defense - MTD) to detect C2 traffic at the endpoint level.
  4. Device Re-imaging: For devices confirmed to be infected, a full factory reset (or MDM-initiated wipe) is the only guaranteed method of removal for sophisticated RATs like BirdCall.
  5. User Awareness: Notify your user base about the risks of downloading games from unofficial sources, even if the platform appears legitimate.
