RedDawn Espionage Campaign Shows Mobile APTs on the Rise

RedDawn is a new, sophisticated and targeted mobile espionage campaign focused on North Korean defectors. Mounted by a relatively new APT actor known as Sun Team, it used Google Play and Facebook as attack vectors. More broadly, it shows how cyber threats to mobile devices are evolving, as APTs shift tactics to focus on the mobile world.

The campaign, dubbed RedDawn by the researchers who observed it, planted three “unreleased” beta apps in Google Play that target Korean-speaking users. One is called Food Ingredients Info, and the other two claim to be security-related (Fast AppLock and AppLockFree).

Food Ingredients Info and Fast AppLock secretly steal sensitive data such as contacts, messages, call recordings and photos, and they are also capable of receiving commands and additional executable (.dex) files from a C2 server. AppLockFree, however, appears to be part of a reconnaissance effort, laying the foundation for a future wave of attacks.
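The capability set described above (contacts, messages, call recordings, photos, plus a network channel for C2 and extra code) translates directly into the Android permissions an app must request. The following Python script is an added triage example, not code from the original research: it parses a decoded AndroidManifest.xml, maps each described capability to the permissions that normally enable it, and flags a manifest whose requested set covers most of those capabilities while exceeding what the app's advertised purpose needs. The permission mapping, the flagging threshold, and both sample manifests are constructed assumptions for illustration.

```python
"""Permission-set triage for a decoded AndroidManifest.xml (added example).

Maps the capabilities attributed to the RedDawn stealers (contacts,
messages, call recordings, photos, network C2) to the Android permissions
an app would need for them, and flags a manifest that covers most of them
at once. The mapping, threshold and sample manifests are assumptions, not
data from the original research.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capability -> alternative permission sets, any one of which enables it
# (assumed mapping based on the standard Android permission model).
CAPABILITY_PERMISSIONS = {
    "contacts": [{"android.permission.READ_CONTACTS"}],
    "messages": [{"android.permission.READ_SMS"},
                 {"android.permission.RECEIVE_SMS"}],
    "call_recording": [{"android.permission.RECORD_AUDIO",
                        "android.permission.READ_PHONE_STATE"}],
    "photos": [{"android.permission.READ_EXTERNAL_STORAGE"}],
    "network": [{"android.permission.INTERNET"}],
}

# Constructed sample: what an app with the described stealer feature set
# might request while posing as a food-information utility.
STEALER_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.foodinfo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed sample: a reference app that only needs the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def matched_capabilities(perms):
    """Capabilities whose permission requirements are fully met by perms."""
    return {cap for cap, alternatives in CAPABILITY_PERMISSIONS.items()
            if any(alt <= perms for alt in alternatives)}


def triage(manifest_xml, expected_perms=frozenset(), threshold=4):
    """Score a manifest against the advertised purpose of the app.

    expected_perms: permissions the app's stated function plausibly needs
    (reviewer-supplied). threshold: number of matched stealer capabilities
    at which the manifest is flagged (assumed value).
    """
    perms = requested_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    excess = perms - set(expected_perms)   # beyond the stated purpose
    return {
        "permissions": sorted(perms),
        "capabilities": sorted(caps),
        "excess": sorted(excess),
        "suspicious": len(caps) >= threshold,
    }


if __name__ == "__main__":
    for label, manifest in (("stealer-like", STEALER_LIKE_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        result = triage(manifest, {"android.permission.INTERNET"})
        print(label, result["suspicious"], result["capabilities"])
```

The check is deliberately a coarse first-pass filter: an app that legitimately needs all of these permissions exists, so the "excess" list is meant to be compared against what the store listing claims the app does, and a flagged manifest should go on to dynamic analysis (where the page's other indicator, fetching additional .dex files at runtime, would show up as code loading after installation).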

As for how the malicious apps made it into the official app store in the first place: the apps were designed to look innocuous, serving as the initial foothold for the attack.

After being installed on Android devices, the malware uses Facebook to reach the victims’ friends’ mobile devices, sending messages that ask them to install the apps and offer feedback via a Facebook account with a fake profile. This proved virulent: although the initial infection group totaled around 100 people, Sun Team was able to scale its campaign far beyond that, the research showed.

Based on the fact that the malware used Dropbox and Yandex cloud storage to upload data and to issue and receive commands, it is clear that this was not the RedDawn crew’s first campaign. For example, researchers found information logs from the same test Android devices that Sun Team used for its January malware campaign.

As for who is behind Sun Team, the profile of the targeted victims (North Korean defectors) as well as some attributes of the campaign point north. For instance, some of the Korean words found on the malware’s control server are not in the South Korean vocabulary, and an exposed IP address points to North Korea. Yet the Dropbox accounts bore the names of South Korean celebrities.

Aside from Sun Team, researchers also recently found that the Lazarus APT has shifted its attention to mobile, using more sophisticated attack techniques such as forged signatures to bypass security verification in the operating system. And last week, a piece of North Korean spyware was found targeting Apple iOS devices.