DPRK's eyes on mobile: Spying on North Korean Defectors
2018-04-07 • McAfee
At OPCDE 2018, researchers Jaewon Min and Inhee Han analyzed Lazarus-linked Android backdoors and a separate mobile-focused cluster they named Sun Team, both targeting North Korean defectors and related support groups. The Lazarus section described repackaged Korean Bible APKs with an added ELF backdoor, encoded C2 lists, communications disguised to resemble a TLS ClientHello, and commands for file transfer, shell execution, C2 switching, device-information theft, and self-termination. The Sun Team section documented social engineering through Facebook and KakaoTalk, use of hacked web servers and Google Drive for distribution, and Google Play apps such as NKPrayer, Fortune Telling, Food Info, Marketing, and FastAppLock that exfiltrated call logs, SMS, contacts, external-storage files, GPS/location data, and device information to Yandex or Dropbox. The presentation also exposed the actors' OPSEC mistakes, including test data left in cloud storage, device logs from the actors' own phones, TextNow usage, and the use of Android exploits for CVE-2015-6764 and CVE-2016-5195.
Indicators of Compromise