Attacks/Breaches

11/20/2017
01:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

North Korea's Lazarus Group Evolves Tactics, Goes Mobile

The group believed to be behind the Sony breach and attacks on the SWIFT network pivots from targeted to mass attacks.

The Lazarus Group, the North Korean hacking team thought to be behind last year's attacks on the SWIFT financial network and the devastating data breach at Sony in 2014, appears to be expanding its attack surface.

Security vendor McAfee says there are signs that the group has deviated from its usual highly targeted attacks and is now using mobile malware to potentially go after a broader, but still geographically focused, swath of victims.

Researchers at the company recently discovered a malicious Android application in the wild that looks very much like the handiwork of the Lazarus Group. The malware is disguised to appear like The Bible, a legitimate Android APK from a developer called the GodPeople that is available on Google Play for translating the Bible into Korean. Lazarus Group's malware is targeting primarily Android smartphone and tablet users in South Korea.

There's little that's remotely holy about the fake application, however: when a user downloads the APK file, it installs a backdoor on the device and effectively turns it into a remote controlled bot.

The backdoor - in the executable and linkable format (ELF) - is similar to several executable files that have been previously associated with the Lazarus group. So, too, is the command and control infrastructure, and the tactics and procedures associated with the new malware.

Researchers at McAfee haven't seen the malicious application on Google Play itself, and they aren't sure how the malware is being distributed in the wild. It's also not clear if this is the first time that the Lazarus Group has operated on a mobile platform. But based on the code similarities between the Android malware and the group's previous exploits, there's little doubt that the Lazarus Group is now operating in the mobile world, McAfee says.

The evolution is significant because it means that a lot more people could potentially become victims of the group. Market research firm Statista has estimated the number of mobile users in South Korea at around 40 million this year and growing. Around 79% of those users run Android. So far, though, the distribution of the malware has been very low and it is possible that the intended target is GodPeople itself because of its history of supporting religious groups in North Korea, says Raj Samani, chief scientist at McAfee

"GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups banned in the North," Samani says. "Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea."

While this particular Android malware sample appears to be targeted purely at South Korean users, the Lazarus Group has already demonstrated its ability to strike outside of the region. The Sony attacks and the 2016 theft of tens of millions of dollars from multiple banks around the world via the SWIFT network have established Lazarus as a formidable threat actor with deep resources and nation-state backing.

The group's evolution to mobile as an attack vector in South Korea can be easily adapted to other regions of the world, Samani says. All that the attackers need to do is use the core of the backdoor, change the command and control servers where the malware has to report, and insert it into another app. "Malicious actors are adapting their techniques," Samani says. "As we migrate to mobile, it is likely we will see them develop mechanisms to steal the information from these platforms."

From a design standpoint, the Android backdoor is similar to other Lazarus code samples that McAfee and others have previously analyzed. Once installed on an Android device, the malware tries to communicate with one of several command-and-control servers whose addresses it contains. The control servers are located in multiple countries including the US, India, South Korea, Argentina, and Nigeria.

Once a connection has been established, the malware collects and transfers device information to the control server and stands by to execute a series of commands.

"Once the attackers have the backdoor installed, a variety of actions can be taken on the compromised device to keep it active for a longer period of time. Many of the commands in the backdoor are related to uploading downloading and browsing of files," Samani notes.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable v...
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information disclosure and remote code execution. This attack appear to be exploitable remotely if the /backend pat...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fix...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provide...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially c...