FOCUS MODE
EXTRACT IOC
Threat Research

Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer

Securonix
Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer
A newly identified malware named “문서열람 인증 앱” (Document Viewing Authentication App), linked to a North Korean-backed APT group, has been detected. This malicious application poses as a legitimate document viewing tool but is designed to perform keylogging and information theft through various malicious functions. Users in South Korea are the primary targets, and the malware has connections to a phishing page that impersonates CoinSwap. Affected: South Korean mobile device users, CoinSwap

Keypoints :

  • The malware “문서열람 인증 앱” was identified on January 21, 2025, through VirusTotal analysis.
  • It decrypts a file called “security.db” using XOR and dynamically loads a DEX file.
  • The app is believed to target users in South Korea, given the presence of Korean-language strings.
  • The malware is part of a new unidentified threat linked to a North Korean APT group, designated as puNK-004.
  • A phishing page impersonating CoinSwap was found on the app’s C2 server, helping classify the malware as DocSwap.
  • The app performs keylogging, file transfers, camera manipulation, and audio recording via accessibility services.
  • It maintains persistence by triggering certain services upon boot and requesting unauthorized permissions from the user.

MITRE Techniques :

  • Persistence (T1398) – Boot or Logon Initialization Scripts.
  • Persistence (T1541) – Foreground Persistence.
  • Defense Evasion (T1655.001) – Match Legitimate Name or Location.
  • Defense Evasion (T1406) – Obfuscated Files or Information.
  • Discovery (T1420) – File and Directory Discovery.
  • Discovery (T1418) – Software Discovery.
  • Discovery (T1426) – System Information Discovery.
  • Collection (T1532) – Archive Collected Data.
  • Collection (T1429) – Audio Capture.
  • Collection (T1616) – Call Control.
  • Collection (T1417.001) – Keylogging.
  • Collection (T1636.002) – Call Log.
  • Collection (T1636.003) – Contact List.
  • Collection (T1636.004) – SMS Messages.
  • Collection (T1512) – Video Capture.
  • Exfiltration (T1646) – Exfiltration Over C2 Channel.

Indicator of Compromise :

  • [Network] 204.12.253[.]10
  • [URL] hxxp://change.pi-usdt.o-r[.]kr
  • [URL] hxxp://hange.pi-usdt.o-r[.]kr
  • [Hash] Apk: bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e
  • [Hash] DEX: 0c84233ca90e5be15f6cdafa43d84207590b3fe522a01e20807915d3af715e9c

Full Story: https://medium.com/s2wblog/detailed-analysis-of-docswap-malware-disguised-as-security-document-viewer-218a728c36ff

Tags: APT, DISCOVERY, TOOL, DEFENSE EVASION, EXFILTRATION, PHISHING, EMAIL, THREAT HUNTING