Winter Olympics: Let the Games - and malware attacks - beginNorth Korean defectors, along with those who help them, are being targeted by a hacking op
Winter Olympics: Let the Games – and malware attacks – begin
North Korean defectors, along with those who help them, are being targeted by a hacking operation which aims to infect their devices with trojan malware for the purposes of spying.
The campaign apparently selects victims carefully and uses social networks and chat applications to directly interact with selected victims in South Korea and plant spyware onto their smartphones.
Researchers at McAfee have attributed the attacks to an operation they’ve dubbed Sun Team, named after deleted files used to help carry out the attacks. The group isn’t currently thought to have any links to any previously known cybercrime outfits.
Sun Team attacks used applications including KakaoTalk – a popular chat app in South Korea – and popular social media services including Facebook to aid efforts of distributing trojan malware to the Android devices of victims.
Analysis of the malicious APK files used in the attacks reveals that shortened URLs are used in an effort to distribute the malware. Two different lures were used in the campaign: one posed as ‘BloodAssistant’, a health care app, while another was titled ‘Pray for North Korea’ when translated to English. In some cases, the attackers used Facebook to attempt to deliver BloodAssistant.
If successful in being dropped onto a device, the malware first checks to see if it’s already infected. If it isn’t, the attackers use a phishing attack to trick the victim into turning on the accessibility settings they require to gain full control of the infected device.
In an attempt to hide the how the accessibility settings are being tampered with, the malware opens an overlay – often displaying a video – on top of the display to act as a distraction, which is immediately removed once the malicious payload has been dropped.
Once successfully installed on the target device, the trojan uses cloud services including Dropbox, Google and Yandex as a control server, as well as a hub for uploading stolen data and receiving commands.
Data stolen from the device is saved into a temporary folder before being uploaded to the cloud, which also directs instructions to carry out malicious activities including saving messages and information about contacts. The references to ‘Sun Team’ within this folder led researchers to christen the hacking operation with its name.
Not much is known about the mysterious group behind the attacks, but researchers at McAfee have speculated that they must be very familiar with the Korean language and South Korean culture, because names of the account names associated with their cloud accounts are from Korean television – including the name of soap characters and reality show contestants.
Researchers also note that one word found associated with the attackers – ‘blood type’ – is used in a way associated with North Korean spelling, rather than in the South Korean equivalent. North Korean IP test log files were also discovered on some Android accounts used to spread the malware.
However, McAfee notes that this isn’t enough to draw any conclusions about the location of the attackers because “Wi-Fi was on so we cannot exclude the possibility that the IP address is private”
As a result, researchers say they can’t confirm who is behind the campaign, other than that they’re “familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors”.
While the Sun Team operation is highly targeted with North Korean defectors and their associates in mind, McAfee researcher Jaewon Min recommends all Android users follow best practice in order to avoid falling victim to attacks.
“Always keep your mobile security application updated to the latest version, and never install applications from unverified sources. We recommend installing KakaoTalk only from Google Play. These habits will reduce the risk of infection by malware,” he said.
READ MORE ON CYBERCRIME