The North Korean hacker group Lazarus, appears to have upped its game in going after targets. Security experts believe that the state-backed hackers have created an Android malware to hack into their targets' phones. Researchers suspect that this time, the hackers are targeting their rival South Korea.
The Lazarus hackers designed a backdoor malware that poses as a legitimate app – The Bible – which is an app that translates the holy book into Korean. According to researchers at McAfee, who discovered the malware, this is likely the first known instance of the North Korean hackers using an Android malware to target mobile users.
McAfee researchers said the "code, infrastructure and tactics" suggest that the Lazarus group is "responsible" for the attack and that the move to mobile indicates that the hackers are evolving their tactics. The malware likely first appeared in the wild in March and has so far, had a limited distribution – only targeting Koreans. It is still unclear as to the scope of the Lazarus-created backdoor malware's capabilities.
"Once the attackers have the backdoor installed, a variety of actions can be taken on the compromised device to keep it active for a longer period of time. Many of the commands in the backdoor are related to uploading downloading and browsing of files," Raj Samani, chief scientist at McAfee said, Dark Reading reported.
Who are GodPeople and why is Lazarus going after the organisation?
According to McAfee researchers, the hackers may likely be going after the GodPeople organisation because the group has "a history of supporting religious groups in North Korea".
"GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups in the North. Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea," McAfee researchers said in a blog.
A report by Forbes last year, Pyongyang has a deep-seated intolerance for any religion and North Korean citizens are found following any religion – be it Buddhism or Christianity – are sent to "political prisons" where they face torture, rape, abuse, enslavement and more. This could explain why Pyongyang's hackers may be going after GodPeople.
Lazarus hackers' move to mobile attacks also indicates that the group keeps itself up to date. According to Samani, the hackers can easily adapt the attack vector to also target global organisations.
Lazarus has previously been blamed for launching numerous campaigns across the globe. The group is believed to have been involved in sophisticated, long-term cyberespionage campaigns as well as attacks against global financial institutions to generate revenue for the impoverished nation. The US government recently issued an alert about the hacker group's recent exploits. Lazarus is considered to a major threat in cyberspace and given its latest move to mobile, the group may be evolving to ramp up its attacks against North Korea's adversaries.