Suspected North Korean hackers are using popular chat app KakaoTalk and Facebook to send malicious links to North Korean refugees and journalists, thereby infecting their devices with spyware.
The malicious links sent to North Korean defectors and journalists allow the attackers to control the targeted devices and to install trojans and spyware on them.
This phishing operation was first observed by the McAfee Mobile Research Team, who obtained the malicious APK files used to target people who had either defected from North Korea or were trying to help such defectors.
The hackers' modus operandi was to send shortened links to targeted individuals, disguised so that they appeared to lead to information about certain apps or to news stories. Once a user clicks such a link, the dropper APK induces him or her to turn on the accessibility permission, and then uses that permission to enable the settings required to download a Trojan.
According to the researchers, the dropped Trojan uses the popular cloud services Dropbox and Yandex as its control servers, both to upload stolen data and to receive commands. It downloads a file containing commands and other data used to control the infected device, and it collects contact information and SMS messages from the victim's device. The mechanism the hackers use for this also lets them extend the Trojan's functionality without having to update the whole malware.
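The two paragraphs above describe the behaviour that a defender can look for when triaging an unknown APK: an app that asks the user to enable an accessibility service while also holding permissions to read SMS and contacts, reach the network, and install further packages. The following Python script is an added example, not code from the McAfee report or from the malware itself; it runs a permission-based heuristic over an Android manifest. The two manifests embedded in it are constructed for illustration (the package names are hypothetical), and the scoring thresholds are the author's own assumptions, not McAfee's detection logic.

```python
"""Static triage heuristic for an Android manifest, matching the dropper /
spyware pattern described above. Example code added here; not from McAfee,
and not the real samples' manifests. Both manifests below are constructed."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"
INTERNET = "android.permission.INTERNET"
# Permissions that let an app harvest the data the article says was stolen.
EXFIL_PERMS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS"}

# Constructed manifest imitating the described dropper (hypothetical package name).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.dropper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application>
        <service android:name=".HelperAccessibilityService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary networked app, for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, a list of human-readable findings, and a
    verdict. The verdict is True only when the three behaviours described in
    the article coincide: accessibility-service abuse, data harvesting
    permissions, and network access."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}
    declares_accessibility = any(
        svc.get(ANDROID_PERMISSION) == ACCESSIBILITY_BIND for svc in root.iter("service")
    )
    exfil = sorted(p for p in perms if p in EXFIL_PERMS)

    findings = []
    if declares_accessibility:
        findings.append("declares an accessibility service (can auto-toggle settings)")
    if exfil:
        findings.append("can read " + ", ".join(exfil))
    if INSTALL_PACKAGES in perms:
        findings.append("can request installation of further packages (dropper behaviour)")

    suspicious = declares_accessibility and bool(exfil) and INTERNET in perms
    return {"package": root.get("package"), "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

The heuristic is deliberately conservative: an accessibility service alone is legitimate in many assistive apps, and SMS access alone is common in messaging clients, so only the combination is flagged. In practice the manifest would first be extracted from the APK (for example with apktool or aapt) before being passed to `triage_manifest`.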
Even though the researchers aren't sure that the suspected hackers are North Korean, they found several pieces of evidence suggesting that the attackers could be. For example, the cloud service accounts used by the hackers featured names from Korean dramas and TV shows, and the word "피형" ("blood type") used by the hackers is more familiar to North Koreans and is not used in South Korea.
'This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware. We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors,' the researchers said.
'McAfee Mobile Security detects this malware as Android/HiddenApp.BP. Always keep your mobile security application updated to the latest version, and never install applications from unverified sources. We recommend installing KakaoTalk only from Google Play. These habits will reduce the risk of infection by malware.'
Over the years, security researchers have observed that state-sponsored North Korean hackers have mostly targeted people and firms in other countries either to damage the latter's digital infrastructure by injecting malware or ransomware or to steal money by hacking into banks.
However, the latest phishing operation involving social media apps suggests that the hackers behind it have stronger political motives than financial ones. This certainly doesn't mean that they'll stop targeting foreign banks and cryptocurrency firms, considering how the country was impacted by the latest round of economic sanctions imposed by the West.
'As sanctions bite further and North Korea becomes more desperate for foreign currency, they will get more aggressive and continue to come after the finance sector. They're after our money,' said Robert Hannigan, who retired in March this year after leading the GCHQ for three years, to The Times.