Attacks/Breaches

11/20/2017
01:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

North Korea's Lazarus Group Evolves Tactics, Goes Mobile

The group believed to be behind the Sony breach and attacks on the SWIFT network pivots from targeted to mass attacks.

The Lazarus Group, the North Korean hacking team thought to be behind last year's attacks on the SWIFT financial network and the devastating data breach at Sony in 2014, appears to be expanding its attack surface.

Security vendor McAfee says there are signs that the group has deviated from its usual highly targeted attacks and is now using mobile malware to potentially go after a broader, but still geographically focused, swath of victims.

Researchers at the company recently discovered a malicious Android application in the wild that looks very much like the handiwork of the Lazarus Group. The malware is disguised to appear like The Bible, a legitimate Android APK from a developer called the GodPeople that is available on Google Play for translating the Bible into Korean. Lazarus Group's malware is targeting primarily Android smartphone and tablet users in South Korea.

There's little that's remotely holy about the fake application, however: when a user downloads the APK file, it installs a backdoor on the device and effectively turns it into a remote controlled bot.

The backdoor - in the executable and linkable format (ELF) - is similar to several executable files that have been previously associated with the Lazarus group. So, too, is the command and control infrastructure, and the tactics and procedures associated with the new malware.

Researchers at McAfee haven't seen the malicious application on Google Play itself, and they aren't sure how the malware is being distributed in the wild. It's also not clear if this is the first time that the Lazarus Group has operated on a mobile platform. But based on the code similarities between the Android malware and the group's previous exploits, there's little doubt that the Lazarus Group is now operating in the mobile world, McAfee says.

The evolution is significant because it means that a lot more people could potentially become victims of the group. Market research firm Statista has estimated the number of mobile users in South Korea at around 40 million this year and growing. Around 79% of those users run Android. So far, though, the distribution of the malware has been very low and it is possible that the intended target is GodPeople itself because of its history of supporting religious groups in North Korea, says Raj Samani, chief scientist at McAfee

"GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups banned in the North," Samani says. "Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea."

While this particular Android malware sample appears to be targeted purely at South Korean users, the Lazarus Group has already demonstrated its ability to strike outside of the region. The Sony attacks and the 2016 theft of tens of millions of dollars from multiple banks around the world via the SWIFT network have established Lazarus as a formidable threat actor with deep resources and nation-state backing.

The group's evolution to mobile as an attack vector in South Korea can be easily adapted to other regions of the world, Samani says. All that the attackers need to do is use the core of the backdoor, change the command and control servers where the malware has to report, and insert it into another app. "Malicious actors are adapting their techniques," Samani says. "As we migrate to mobile, it is likely we will see them develop mechanisms to steal the information from these platforms."

From a design standpoint, the Android backdoor is similar to other Lazarus code samples that McAfee and others have previously analyzed. Once installed on an Android device, the malware tries to communicate with one of several command-and-control servers whose addresses it contains. The control servers are located in multiple countries including the US, India, South Korea, Argentina, and Nigeria.

Once a connection has been established, the malware collects and transfers device information to the control server and stands by to execute a series of commands.

"Once the attackers have the backdoor installed, a variety of actions can be taken on the compromised device to keep it active for a longer period of time. Many of the commands in the backdoor are related to uploading downloading and browsing of files," Samani notes.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CISOs' No. 1 Concern in 2018: The Talent Gap
Dawn Kawamoto, Associate Editor, Dark Reading,  1/10/2018
How to Attract More Women Into Cybersecurity - Now
Dawn Kawamoto, Associate Editor, Dark Reading,  1/12/2018
AI in Cybersecurity: Where We Stand & Where We Need to Go
Raffael Marty, VP Security Analytics, Sophos,  1/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.