North Korean defectors & journalists targeted by spyware via popular chat apps

North Korean defectors & journalists targeted by spyware via popular chat apps

Despite truce talks, North Korean hackers still targeting South Korean firms

Suspected North Korean hackers are using popular chat app KakaoTalk and Facebook to send malicious links to North Korean refugees and journalists, thereby infecting their devices with spyware.

Malicious links sent to North Korean defectors and journalists by suspected hackers allow hackers to control targeted devices and to install malicious trojans as well as spyware.

This phishing operation was first observed by the McAfee Mobile Research Team who obtained malicious APK files that were used by hackers to target those who either defected from North Korea or those who were trying to help such defectors.

The hackers’ modus operandi included sending shortened links to targeted individuals by making such links look like they contained information on certain apps or news stories. Once a user clicked on such a link, the dropper APK induces him/her to turn on the accessibility permission and subsequently turns on the required settings to download a Trojan.

According to the researchers, the dropped Trojan uses popular cloud services Dropbox and Yandex as a control server to upload data and receive commands. At the same time, it downloads a file containing commands and other data to control the infected device and collects contact information and SMS from the victim’s device. A mechanism used by hackers behind the operation also allows them to extend the Trojan’s functionality without needing to update the whole malware.

Even though the researchers aren’t sure if the suspected hackers are North Korean, they found several bits of information that suggested that the latter could be North Korean. For example, cloud service accounts used by the hackers featured names from Korean drama and TV shows, and an interesting word, “피형” (“blood type”) used by the hackers is more familiar to North Koreans and is not used in South Korea.

‘This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware. We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors,’ the researchers said.

‘McAfee Mobile Security detects this malware as Android/HiddenApp.BP. Always keep your mobile security application updated to the latest version, and never install applications from unverified sources. We recommend installing KakaoTalk only from Google Play. These habits will reduce the risk of infection by malware.’

Over the years, security researchers have observed that state-sponsored North Korean hackers have mostly targeted people and firms in other countries either to damage the latter’s digital infrastructure by injecting malware or ransomware or to steal money by hacking into banks.

However, the latest phishing operation involving social media apps seems like the hackers behind it have stronger political motives than financial ones. However, this certainly doesn’t mean that they’ll stop target foreign banks and cryptocurrency firms, considering how the country was impacted by the latest round of economic sanctions imposed by the West.

‘As sanctions bite further and North Korea becomes more desperate for foreign currency, they will get more aggressive and continue to come after the finance sector. They’re after our money,’ said Robert Hannigan, who retired in March this year after leading the GCHQ for three years, to The Times.

Copyright Lyonsdown Limited 2021

Top Articles

RockYou2021 data leak: 8.4 billion passwords compromised

A report shows that 100GB of data which includes 8.4 billion passwords have been recently leaked on the internet, people are being encouraged to secure their accounts.

Hackers Breach Electronic Arts & Steal Game Code

Electronic Arts, one of the world's biggest video game publishers including games such as FIFA, Madden, Sims and Medal of Honor, are the latest company to be hacked.

JBS Foods paid £7.7m in ransom to REvil ransomware gang

JBS Foods, the world’s largest processor of beef and poultry products, has admitted to paying a ransom of $11 million to cyber criminals, a week after it announced that operations…

Related Articles

[s2Member-Login login_redirect=”” /]