Inhee Han is a mobile malware researcher at McAfee. He has worked in the cyber security industry for 9 years. Previously he worked at SK Infosec as a digital forensic investigator and malware analyst.
OPCDE 2018 (Day 2)
April 7, 2018
DPRK's eyes on mobile: Spying on North Korean Defectors
14:30 - 15:20
Historically, North Korean defectors have been victims of cyber attacks for many years. In the past, threat actors used Windows as the main platform to deliver malware to defectors, using executable files and office documents, especially Hangul (Korean word processor) files. But the threat actors have gone mobile. We have spotted their mobile operations and tracked what they were doing under the surface, hidden from the public eye, to successfully implant malware on defectors' devices.
We will present our analysis of two threat actors that ran mobile malware operations targeting North Korean defectors.
The Lazarus group is one of the most active cybercrime groups. We found this actor's activity in the mobile world. We will explain how we found it and what made us realize that the activity is operated by the Lazarus group: for example, IP addresses that overlap with those used by Lazarus as C2 servers, and code similarities.
A previously unknown group named "Sun Team" has used KakaoTalk and other SNS services to approach defectors directly and send them malware download links. We will explain the internal workings of the malware samples and how they used cloud services as their C2 server. We will also look into what kind of data was extracted from victims' devices and infer who the victims of this operation were.
Furthermore, we will present the artifacts we found from the mobile operation that gave us insight into how they operated under the surface: information gathering, creation of fake accounts, malware development, test device models, data encryption, etc.
OPCDE was founded, and is curated and organized, by Comae Technologies. Comae Technologies is a cybersecurity start-up founded by Matt Suiche.