Connect with us

Hi, what are you looking for?



Highly Targeted Attacks Hit North Korean Defectors

A recent set of attacks aimed at North Korean defectors and journalists were associated with a highly targeted campaign conducted by an actor that does not appear to be related to any known cybercrime groups, McAfee says.

A recent set of attacks aimed at North Korean defectors and journalists were associated with a highly targeted campaign conducted by an actor that does not appear to be related to any known cybercrime groups, McAfee says.

The attacks used a range of vectors to infect victims with malware, including email, the KakaoTalk chat application (which is popular in South Korea), and social network services such as Facebook. Some of the attacks also employed Google-shortened URLs to spread malware.

McAfee’s research into the incident revealed the use of two versions of the dropper malware, namely applications called “Pray for North Korea” and “BloodAssistant.” Most of the clicks leading to infection originated from South Korea in both cases, McAfee’s security researchers discovered.

The most frequently observed browser and operating system combination for the clicks was Chrome and Windows, with Android coming in second, McAfee notes in a technical report. Furthermore, the investigation revealed that Facebook was used in 12% of infections to send a malicious link to the targets.

The Trojan used in this campaign, which McAfee detects as Android/HiddenApp.BP, is dropped onto the victim’s device via malicious APK files. Although various malicious apps are used for malware delivery, the dropper mechanism is identical, the researchers say.

The dropper first checks whether the device hasn’t been already infected, then tricks the victim into enabling accessibility permissions. The application then displays an overlay to hide the fact that it turns on required settings and downloads and installs the Trojan. The overlay is removed once the installation has been completed.

The Trojan uses cloud services such as Dropox and Yandex as the command and control (C&C) server. Once installed, it uploads device information to the cloud, then downloads a file containing commands and other data to control the infected device. Malicious behavior such as saving SMS messages and contact information is implemented in a separate DEX file.

Advertisement. Scroll to continue reading.

Variants of the malicious APKs were found on Google Drive, some using different cloud services as C&Cs, while others also dropping a separate call-recording application.

The researchers discovered that the initial malicious APKs were uploaded to Google Drive from a single account, which was also associated with a social network account. The same account is believed to have been used to send shortened URLs to victims.

The group behind the account appears to know the South Korean culture well, yet the account also revealed the use of the North Korean word for “blood type,” instead of the South Korean word. A North Korean IP address was also found in test log files on some Android devices connected to accounts used to spread the malware.

The researchers also discovered a deleted folder named Sun Team, supposedly revealing the name of the actor behind the campaign, which has been supposedly active since 2016.

“This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware. We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors,” McAfee concludes.

Related: North Korean Hackers Target Android Users in South

Related: North Korea’s New Front: Cyberheists

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...