New hacking campaign targets North Korean defectors in South Korea
A group of hackers is targeting defectors and journalists in South Korea with malware sent via popular chat apps and social networks, according to the cybersecurity firm McAfee.
The “highly targeted” campaign beginning in 2017 used Facebook and KakaoTalk, one of South Korea’s most popular chat apps, to spread malware-laced phishing links to targets. The attacks show that “attackers are always looking for different ways to deliver malware,” McAfee’s Jaewon Min wrote. This particular group does not appear to have links to any existing cybercrime groups, the post says.
Although McAfee offered no definitive answers on who is behind the campaign, the firm’s report did show links to North Korea in the form of an IP address in test log files on some Android devices connected to accounts used to spread the malware. Additionally, some words used in the code are almost exclusively used in North Korea, and the targets are all of great interest to the North.
North Korea has spent the last decade jumpstarting its cyber capabilities. As its closest and most important rival, South Korea is a frequent target. Likewise, the North appears to be a regular target of cyber campaigns by South Korea and its allies. In just the last few months, North Korea stands accused of a rash of profit-driven hacking campaigns around the world.
The malware is hidden in two droppers, or installers, titled “북한기도” (Pray for North Korea) and “BloodAssistant” (a health care app), according to McAfee. Journalists were targeted with fake news stories directing to infected websites.
McAfee researchers found a deleted folder with the title “sun Team Folder,” a possible hint at the name of the threat actors.
“This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware,” McAfee’s Jaewon Min wrote in a report on the campaign.
“We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors.”