Refugees, defectors and journalists who have escaped from North Korea are being targeted by mobile malware via Facebook and regional apps, a cybersecurity firm has warned.
Experts from McAfee, an anti-virus company, said in a report today (11 January) that it recently analysed files obtained from "highly targeted" attacks in South Korea using Google-shortened URLs. Two apps were studied: "Pray for North Korea" and "BloodAssistant".
The firm did not speculate on who was behind the scheme, but said links to North Korea had been found.
Evidence discovered in cloud folders indicated that the name of the mysterious group was "SunTeam".
"This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware," wrote threat researcher Jaewon Min in the report.
"The group behind this campaign is certainly familiar with South Korean culture, TV shows, drama, and the language because the account names associated with the cloud services are from Korean drama and TV shows," Min added.
He noted that some words only used in the North were uncovered deep in the code.
SunTeam is not related to any known cybercrime groups, but it was clear that the intention was to "spy on North Korean defectors and on groups and individuals who help defectors," McAfee said.
In one instance, researchers found that a journalist had been targeted by the malware, with the hackers using a shortened link displaying an image from a story authored by the victim as a lure.
The analysis showed that the Trojan relied on the popular cloud services Dropbox and Yandex to operate. Once installed, it could covertly steal chat logs, contact information, text messages and phone calls.
"Always keep your mobile security application updated to the latest version, and never install applications from unverified sources," McAfee said. "We recommend installing KakaoTalk [the chat app] only from Google Play. These habits will reduce the risk of infection by malware."
North Korea is known to have active cyber-espionage capabilities, with its most notorious hacking unit widely known under the codename "Lazarus Group". It has been accused of breaking into the computer networks of Hollywood studios, cryptocurrency exchanges and cash machines.