North Koreas Lazarus Group Evolves Tactics, Goes Mobile

The group believed to be behind the Sony breach and attacks on the SWIFT network pivots from targeted to mass attacks.

The Lazarus Group, the North Korean hacking team thought to be behind last years attacks on the SWIFT financial network and the devastating data breach at Sony in 2014, appears to be expanding its attack surface.
Security vendor McAfee says there are signs that the group has deviated from its usual highly targeted attacks and is now using mobile malware to potentially go after a broader, but still geographically focused, swath of victims.
Researchers at the company
recently discovered
a malicious Android application in the wild that looks very much like the handiwork of the Lazarus Group. The malware is disguised to appear like The Bible, a legitimate Android APK from a developer called the GodPeople that is available on Google Play for translating the Bible into Korean. Lazarus Groups malware is targeting primarily Android smartphone and tablet users in South Korea.
Theres little thats remotely holy about the fake application, however: when a user downloads the APK file, it installs a backdoor on the device and effectively turns it into a remote controlled bot.
The backdoor - in the executable and linkable format (ELF) - is similar to several executable files that have been previously associated with the Lazarus group. So, too, is the command and control infrastructure, and the tactics and procedures associated with the new malware.
Researchers at McAfee havent seen the
malicious application
on Google Play itself, and they arent sure how the malware is being distributed in the wild. Its also not clear if this is the first time that the Lazarus Group has operated on a mobile platform. But based on the code similarities between the Android malware and the groups previous exploits, theres little doubt that the Lazarus Group is now operating in the mobile world, McAfee says.
The evolution is significant because it means that a lot more people could potentially become victims of the group. Market research firm Statista has
estimated
the number of mobile users in South Korea at around 40 million this year and growing. Around 79% of those users
run Android
. So far, though, the distribution of the malware has been very low and it is possible that the intended target is GodPeople itself because of its history of supporting religious groups in North Korea, says Raj Samani, chief scientist at McAfee
GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups banned in the North, Samani says. Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea.
While this particular Android malware sample appears to be targeted purely at South Korean users, the Lazarus Group has already demonstrated its ability to strike outside of the region. The Sony attacks and the 2016 theft of tens of millions of dollars from multiple banks around the world via the SWIFT network have established Lazarus as a formidable threat actor with deep resources and nation-state backing.
The groups evolution to mobile as an attack vector in South Korea can be easily adapted to other regions of the world, Samani says. All that the attackers need to do is use the core of the backdoor, change the command and control servers where the malware has to report, and insert it into another app. Malicious actors are adapting their techniques, Samani says. As we migrate to mobile, it is likely we will see them develop mechanisms to steal the information from these platforms.
From a design standpoint, the Android backdoor is similar to other Lazarus code samples that McAfee and others have previously analyzed. Once installed on an Android device, the malware tries to communicate with one of several command-and-control servers whose addresses it contains. The control servers are located in multiple countries including the US, India, South Korea, Argentina, and Nigeria.
Once a connection has been established, the malware collects and transfers device information to the control server and stands by to execute a series of commands.
Once the attackers have the backdoor installed, a variety of actions can be taken on the compromised device to keep it active for a longer period of time. Many of the commands in the backdoor are related to uploading downloading and browsing of files, Samani notes.
Related Content:
US Warns of North Koreas Not-So-Secret Hidden Cobra DDoS Botnet
North Koreas Lazarus Likely Behind New Wave of Cyberattacks
North Korea Faces Accusations of Hacking Warship Builder Daewoo
7 Things to Know About Todays DDoS Attacks

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity
agenda here
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
North Koreas Lazarus Group Evolves Tactics, Goes Mobile