Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/21/2018
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

North Korean Defectors Targeted with Malicious Apps on Google Play

Sun Team hacking group is behind RedDawn, which steals victims' photos and data and passes them to threat actors.

A new form of mobile malware in the Google Play app store was found targeting North Korean defectors and journalists.

McAfee researchers believe the Sun Team hacking group is responsible for the attacks, which McAfee has dubbed RedDawn. This is the second attack McAfee has seen from Sun Team this year. Back in January, McAfee's Mobile Research Team covered another form of Android malware targeting North Korean defectors and journalists, uploaded on Google Play as "unreleased" app versions. Researchers pinged the Korea Internet & Security Agency and Google, which took the malware off its app store.

More than 30,000 people defected from North Korea to South Korea in 2016, Radio Free Asia reports, and McAfee found Sun Team is still trying to plant spyware onto their devices. Because the malware was detected and removed by Google at an early stage, the number of infections on Google Play is still at less than 100. There have been no publicly reported incidents.

Researchers found three apps on Google Play uploaded by Sun Team, an attribution they made based on email accounts and Android devices from the January campaign. The attackers used cloud services to store information logs from the same test Android devices used in the January campaign, and these logs shared formatting and abbreviations with other Sun Team logs. The email address for the new malware author is also identical to other emails linked to the group.

One of the apps used in this campaign is called Food Ingredients Info; the other two are security-related. Fast AppLock steals device data and receives commands and executables from a cloud control server. AppLockFree is part of the reconnaissance stage and sets a foundation for the rest of the attack. All apps are multi-staged with several components, McAfee believes.

The apps were uploaded onto Google Play. Sun Team initially posted them on Facebook groups associated with defectors by using fake profiles, or delivered via Facebook Messenger. The apps spread to victims' friends, who are prompted to install them by a fake user and offer feedback. Once on a device, the malware uses Dropbox and Yandex to upload data and send commands, another characteristic previously seen in earlier Sun Team attacks.

"This was a very targeted attack, with significant work undertaken to identify specific individuals and groups since at least October 2017," says Raj Samani, chief scientist at McAfee. "What is concerning is the type of information gathered could reveal very sensitive information about the victims, with call recordings, photos and contacts stolen from compromised devices."

Intel on the test devices and attempted exploits uncovered more. The phones used were manufactured in different countries and held Korean apps. Exploit codes discovered in the group's cloud storage include sandbox escape, code execution, and privilege escalation exploits, with modifications showing the actors aren't advanced enough to find zero-days and write their own. But it's likely just a matter of time until they are able to do so, according to the researchers.

What experts find most concerning about this attack is the group used photos found on social media, and identities of South Koreans, to create the fake accounts that spread malware. Evidence shows people have had their identities stolen and they expect more could follow.

Who is Sun Team?

Researchers analyzed the hacking group's operations and found different versions of their malware, which started to become active in 2017 and stayed online for about two months after being removed from Google Play, they report in a blog post on their newest finding. All of their malware is spyware, built with the intention of lifting data from victims' devices. Samani suspects this is an espionage campaign.

It seems the Sun Team actors may be poorly trying to disguise themselves as South Korean. A few Korean words lifted from the malware's control server are not in South Korean vocabulary, and Dropbox account names in both campaigns were from South Korean drama or celebrities. The app descriptions in the new campaign also includes awkward Korean writing.

"These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language," researchers say. While they haven't confirmed the actors' nationalities, an exposed IP address points to North Korea.

McAfee believes, based on campaign analysis, that Sun Team is separate from Lazarus Group. They think this group "is just getting started," says Samani, and this second attempt indicated they will likely come back with new tactics and strategies. Further, he notes, this incident is a sign the mobile platform is increasingly targeted and exploited.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.