The Lazarus Group, the North Korean hacking team thought to be behind last year's attacks on the SWIFT financial network and the devastating data breach at Sony in 2014, appears to be expanding its attack surface.
Security vendor McAfee says there are signs that the group has deviated from its usual highly targeted attacks and is now using mobile malware to potentially go after a broader, but still geographically focused, swath of victims.
Researchers at the company recently discovered a malicious Android application in the wild that looks very much like the handiwork of the Lazarus Group. The malware is disguised to appear like The Bible, a legitimate Android APK from a developer called the GodPeople that is available on Google Play for translating the Bible into Korean. Lazarus Group's malware is targeting primarily Android smartphone and tablet users in South Korea.
There's little that's remotely holy about the fake application, however: when a user downloads the APK file, it installs a backdoor on the device and effectively turns it into a remote controlled bot.
The backdoor - in the executable and linkable format (ELF) - is similar to several executable files that have been previously associated with the Lazarus group. So, too, is the command and control infrastructure, and the tactics and procedures associated with the new malware.
Researchers at McAfee haven't seen the malicious application on Google Play itself, and they aren't sure how the malware is being distributed in the wild. It's also not clear if this is the first time that the Lazarus Group has operated on a mobile platform. But based on the code similarities between the Android malware and the group's previous exploits, there's little doubt that the Lazarus Group is now operating in the mobile world, McAfee says.
The evolution is significant because it means that a lot more people could potentially become victims of the group. Market research firm Statista has estimated the number of mobile users in South Korea at around 40 million this year and growing. Around 79% of those users run Android. So far, though, the distribution of the malware has been very low and it is possible that the intended target is GodPeople itself because of its history of supporting religious groups in North Korea, says Raj Samani, chief scientist at McAfee
"GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups banned in the North," Samani says. "Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea."
While this particular Android malware sample appears to be targeted purely at South Korean users, the Lazarus Group has already demonstrated its ability to strike outside of the region. The Sony attacks and the 2016 theft of tens of millions of dollars from multiple banks around the world via the SWIFT network have established Lazarus as a formidable threat actor with deep resources and nation-state backing.
The group's evolution to mobile as an attack vector in South Korea can be easily adapted to other regions of the world, Samani says. All that the attackers need to do is use the core of the backdoor, change the command and control servers where the malware has to report, and insert it into another app. "Malicious actors are adapting their techniques," Samani says. "As we migrate to mobile, it is likely we will see them develop mechanisms to steal the information from these platforms."
From a design standpoint, the Android backdoor is similar to other Lazarus code samples that McAfee and others have previously analyzed. Once installed on an Android device, the malware tries to communicate with one of several command-and-control servers whose addresses it contains. The control servers are located in multiple countries including the US, India, South Korea, Argentina, and Nigeria.
Once a connection has been established, the malware collects and transfers device information to the control server and stands by to execute a series of commands.
"Once the attackers have the backdoor installed, a variety of actions can be taken on the compromised device to keep it active for a longer period of time. Many of the commands in the backdoor are related to uploading downloading and browsing of files," Samani notes.
- US Warns of North Korea's Not-So-Secret 'Hidden Cobra' DDoS Botnet
- North Korea's 'Lazarus' Likely Behind New Wave of Cyberattacks
- North Korea Faces Accusations of Hacking Warship Builder Daewoo
- 7 Things to Know About Today's DDoS Attacks
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.