North Korean Defectors Targeted in Mobile Espionage Campaign

Malicious APK files are being used to attack North Korean defectors and journalists via the KakaoTalk chat app, a popular mobile communication method in South Korea.

According to the McAfee Mobile Research team, threat actors are sending malicious links via KakaoTalk and other social network services, such as Facebook, in a targeted campaign. The links claim to connect to either something called Pray for North Korea or BloodAssistant, which is a fake health care app. In both cases, they redirect to a dropper mechanism.

The dropper phishes the victim into turning on accessibility permissions and then installs an espionage Trojan with a range of malicious functions, including saving SMS messages, contact information, GPS location, phone call logs, installed apps and contacts; it can also record phone calls. Further, the attackers can easily extend the Trojan’s malicious functionality without needing to update the whole malware.

As for who’s behind the attacks, the targets themselves indicate that the bad actors are sympathetic to North Korea. But there are other indications that the group is homegrown on the Korean peninsula.

“The group behind this campaign is certainly familiar with South Korean culture, TV shows, drama and the language because the account names associated with the cloud services are from Korean drama and TV shows,” including Korean drama character names, and competition and reality series participants, said researcher Jaewon Min, in a blog.

Narrowing it down further, McAfee found the use of the North Korean word for "blood type"; South Korea uses a different word. There were also North Korean IP addresses in the test log files of some Android devices that are connected to the accounts used to spread the malware.

One folder is listed as the “Sun Team Folder,” possibly indicating the name of the threat actor group. If so, it has been active since 2016, according to the cloud storage creation date.

“This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware,” said Min. “We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors and on groups and individuals who help defectors.”
