
North Korean Hackers Exploit Systems via Deploying PuTTY SSH Tool

A new spear-phishing campaign with a North Korea link has been discovered that uses trojanized variants of the PuTTY SSH and Telnet client.

Mandiant attributes the campaign to a threat cluster it tracks as 'UNC4034', also referred to as Temp.Hermit or Labyrinth Chollima, and says the group's techniques are still evolving.

UNC4034 made contact with the victim via WhatsApp and tricked them into downloading a malicious ISO package disguised as a bogus job offer. This led to the AIRDRY.V2 backdoor being installed via a trojanized PuTTY instance.

As part of a long-running operation called Operation Dream Job, North Korean state-sponsored hackers frequently use fake job lures as a means of spreading malware. One such group is the Lazarus Group. 

The ISO file contained a bogus Amazon job offer, which served as the hackers' entry point. After initial contact via email, the file was exchanged over WhatsApp.

The archive itself contains a text file with an IP address and login information, as well as a modified version of PuTTY that loads a dropper named DAVESHELL that installs a newer version of a backdoor known as AIRDRY. 

The threat actor probably persuaded the victim to open a PuTTY session and connect to the remote host using the credentials listed in the TXT file, thereby initiating the infection. Once launched, the program attempts to persist by creating a scheduled task that runs daily at 10:30 a.m. local time.
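The persistence step above, as an added example that is not part of the Mandiant report or the original post: triage logic for the task definition carried in Windows Security Event ID 4698 (a scheduled task was created) that flags a daily 10:30 trigger and an action launched from a user-writable path. The task bodies, command paths and the `update.exe` name are constructed sample data.

```python
"""Triage of Windows 'scheduled task created' events (Security log, Event ID 4698)
for the persistence pattern described above: a task that fires every day at 10:30.

Added example, not from the Mandiant report. The command paths and the task bodies
below are constructed sample data; a real 4698 event carries the task definition
as Task Scheduler XML inside its TaskContent field."""
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema used inside TaskContent.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations ordinary users can write to; legitimate daily tasks rarely run from here.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample: daily 10:30 trigger, binary launched from a user-writable folder.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-09-01T10:30:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\Libraries\\update.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample of an unremarkable task: weekly trigger, binary under Program Files.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-09-01T03:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command></Exec>
  </Actions>
</Task>"""


def parse_task(task_xml):
    """Pull the calendar triggers and the executed commands out of a task definition."""
    root = ET.fromstring(task_xml)
    triggers = []
    for trig in root.findall("t:Triggers/t:CalendarTrigger", TASK_NS):
        start = trig.findtext("t:StartBoundary", default="", namespaces=TASK_NS)
        # StartBoundary is ISO 8601; its time portion is when the trigger repeats.
        time_of_day = start.split("T", 1)[1] if "T" in start else ""
        interval = trig.findtext("t:ScheduleByDay/t:DaysInterval",
                                 default=None, namespaces=TASK_NS)
        triggers.append({
            "time": time_of_day,
            # ScheduleByDay with no DaysInterval means every day, same as interval 1.
            "daily": trig.find("t:ScheduleByDay", TASK_NS) is not None
                     and interval in (None, "1"),
        })
    commands = [(c.text or "").strip().strip('"')
                for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)]
    return {"triggers": triggers, "commands": commands}


def fires_daily_at(task, hhmm):
    """True if any trigger runs every day at the given local time, e.g. '10:30'."""
    return any(t["daily"] and t["time"].startswith(hhmm + ":") for t in task["triggers"])


def triage_task(task_xml, watch_time="10:30"):
    """Return human-readable reasons a 4698 TaskContent body deserves an analyst's look."""
    task = parse_task(task_xml)
    reasons = []
    if fires_daily_at(task, watch_time):
        reasons.append("daily trigger at %s local time" % watch_time)
    for cmd in task["commands"]:
        if cmd.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("action runs from user-writable path: " + cmd)
    return reasons


if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, "->", triage_task(body) or ["no findings"])
```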

After a target responds to a fake job lure, the criminals may use a variety of malware delivery methods, according to Mandiant. 

The most recent version of the backdoor drops the command-based approach in favor of plugins that are downloaded and executed in memory, whereas earlier versions included roughly 30 commands for file transfer, file system operations, and command execution.

Several technical indicators are also included in the Mandiant alert to aid businesses in identifying UNC4034-related activities. Days before its publication, US authorities confiscated $30 million in North Korean cryptocurrency that had been stolen.

U.S. Bans Crypto Mixing Service Tornado Cash

A 29-year-old man was detained in Amsterdam on Friday, according to FIOD, the Dutch tax authority's investigative department, which suspects him of working as a developer for Tornado Cash, a cryptocurrency mixing service that the US had sanctioned earlier in the week.

The Dutch agency's action further demonstrates the increasing interest that governments are showing in so-called crypto mixers. Another cryptocurrency mixing service, Blender, received approval from the Office of Foreign Assets Control earlier this year.

Sanctions against the service were imposed by the US Treasury Department on Monday. According to reports, North Korean state hackers used Tornado Cash to hide billions of dollars.

The Block identified the Tornado Cash engineer as Alexey Pertsev, although FIOD did not release his name. According to FIOD, Tornado Cash "has been utilized to mask large-scale criminal money flows, particularly from data thefts of cryptocurrencies so-called crypto hacks and scams."

The platform pools and scrambles digital assets from thousands of addresses, mixing funds that may have been obtained illegally with funds that were obtained legally, so that the trail back to an asset's original source is obscured. This gives criminals a way to hide the origin of stolen money.

After the U.S. sanction, a variety of companies have banned or deleted accounts connected to Tornado Cash, including GitHub, Circle, Alchemy, and Infura.

On the news, the Tornado Cash token TORN fell from $16.5 to $13.7, furthering this month's fall. According to CoinMarketCap, the token's decline during the past seven days has exceeded 50%.

The latest findings reflect the growing scrutiny of cryptocurrency mixing services, which are seen as a means of cashing out illicitly obtained cryptocurrency.

This includes the indebted North Korean government, which is known to rely on cyberattacks on the cryptocurrency industry to steal virtual money and circumvent trade and economic sanctions placed on the country. 


US State Department Offers $10 Million for Information on North Korean Hackers

 

The US government has disclosed it is offering up to $10m as a reward for information on people linked with North Korean state-sponsored hacking groups. 

The US State Department revealed Tuesday it is interested in information on hackers that are part of groups including Lazarus Group, Guardians of Peace, Kimsuky, and APT38 amongst others. 

“If you have information on any individuals associated with North Korean government-linked malicious cyber groups (such as Andariel, APT38, Bluenoroff, Guardians of Peace, Kimsuky, or Lazarus Group) and who are involved in targeting US critical infrastructure in violation of the Computer Fraud and Abuse Act, you may be eligible for a reward,” read a notice posted to Twitter. 

North Korean hacking groups are the only ones called out by name on the Rewards for Justice site, which otherwise explains that the purpose of the program is to generate useful information "that protects Americans and furthers US national security." It says rewards are also offered for information on "the financial mechanisms of individuals engaged in certain activities to support the North Korean regime."

The amount is double the bounty the government offered in March 2022 for information on DPRK-backed hackers targeting crypto exchanges and financial institutions worldwide to support the Kim Jong-un regime's illegal operations. 

Lazarus, for example, has been blamed for various high-profile cyberattacks, including the world’s biggest ever crypto-heist when $618m was stolen from Vietnamese developer Sky Mavis and its Ronin Network. In 2020, the hackers exfiltrated $281m from Singapore-headquartered cryptocurrency exchange KuCoin. 

The North Korean hackers have also infiltrated the mobile phones of well-known figures, including certain South Korean legislators, to obtain their private data, said Mun Chong Hyun, head of the ESTsecurity Security Response Center (ESRC). He said the hackers continuously target organizations through North Korea-related websites or build counterfeit Facebook accounts aimed at people working in the North Korea field.

Last year, the US Department of Justice unsealed a federal indictment of several suspected members of the infamous Lazarus Group (APT38), said to be linked to North Korea's military intelligence agency, the Reconnaissance General Bureau (RGB). However, North Korea is a notoriously secretive and globally isolated state, making traditional intelligence-gathering efforts challenging.

In 2019, the U.S. Treasury Department banned three North Korean hacking groups (Lazarus Group, Bluenoroff, and Andariel) for funneling financial assets they stole in cyberattacks to the North Korean government.

North Korean Hackers Employ H0lyGh0st Ransomware to Target Businesses

 

Researchers from Microsoft's Threat Intelligence Center (MSTIC) this week reported that North Korean hackers are employing the H0lyGh0st ransomware to target small and midsize businesses worldwide.

The hacking group, which calls itself H0lyGh0st and is tracked by Microsoft as DEV-0530, has been employing ransomware since at least June 2021 and has successfully exploited multiple businesses since September 2021. 

The activities of DEV-0530 are similar to other ransomware gangs out there. The group engages in double extortion, threatening to publish personal data stolen from victims unless a ransom is paid. 

In recent years, North Korean hackers have siphoned hundreds of millions of dollars from foreign businesses to help their country which is struggling economically due to the U.S. sanctions and the COVID-19 pandemic. However, it is equally possible that the hackers are employing ransomware for personal gain, which could explain an “often-random selection of victims.” 

According to Microsoft, the activities of DEV-0530 are partially linked to a group known as Plutonium (also known as DarkSeoul or Andariel). Both groups have been spotted operating from the same infrastructure, employing custom malware controllers with similar names, and emailing accounts belonging to each other. 

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” Microsoft says. 

The researchers also found that the hackers' activity is consistent with the UTC+9 time zone used in North Korea. DEV-0530's first malicious payload, BLTC_C.exe, was spotted in June last year and classified as SiennaPurple; it was far less complex than later variants in the same ransomware family. More capable variants, written in the Go programming language, were released between October 2021 and May 2022.

In November 2021, DEV-0530 successfully compromised several small-to-midsized businesses in the manufacturing, finance, education, and event and meeting planning sectors in multiple countries. The attacks were likely opportunistic, exploiting vulnerabilities such as CVE-2022-26352 in public-facing web assets for initial access.

Subsequently, the hackers would steal “a full copy of the victims’ files” and then shift to encrypt the contents on the system, appending the .h0lyenc extension to impacted files. In addition to dropping a ransom note, the attackers emailed the victim to inform them that their data was stolen and encrypted by H0lyGh0st. 

“Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims,” Microsoft researchers explained.

North Korea: Maui Ransomware Attacks Healthcare Services

 

North Korean state-sponsored hackers are using Maui to encrypt computers and data for vital healthcare services, including electronic health records, diagnostics, imaging, and intranet. A joint advisory from the FBI, the Treasury Department, and the Cybersecurity and Infrastructure Security Agency (CISA) describes a ransomware campaign that Pyongyang has been executing at least since May 2021. 

Traits of threat actors

The initial access vector these threat actors use to enter organizations is unknown. According to cybersecurity firm Stairwell, whose findings served as the basis for the alert, this lesser-known ransomware family stands out because it lacks several characteristics typically found in ransomware-as-a-service (RaaS) operations.

The lack of an "embedded ransom letter to provide recovery instructions or automated means of transmitting encryption keys to attackers" is one example of this, according to security researcher Silas Cutler in a technical analysis of the ransomware.

Instead, analysis of Maui samples indicates that the malware is designed to be run manually by a remote operator through a command-line interface, letting the operator choose which files on the compromised machine to encrypt, as recently seen in the case of Bronze Starlight.

Maui encrypts each target file with AES-128 using a freshly generated key. Each of these keys is then encrypted with RSA using a key pair generated when Maui is first launched. As a third layer, the RSA keys are themselves encrypted with a hard-coded RSA public key that is specific to each campaign.

The fact that Maui is not provided as a service to other affiliates for use in exchange for a cut of the money earned is another thing that sets it apart from other conventional ransomware products. 

Why is DPRK targeting healthcare?

Ransomware is highly hazardous in the healthcare industry. Such organizations often give cybersecurity little attention or funding. Hospitals and similar organizations also hold critical medical and health data that is prone to abuse. Furthermore, such facilities cannot afford to be shut down for an extended period, which increases the likelihood that they will pay the ransom to resume services.

Although these North Korean-sponsored ransomware operations targeting healthcare companies have been occurring for a year, iboss claims that they have increased significantly and become more sophisticated since then. It's the most recent example of how North Korean enemies are changing their strategies to shadily produce an ongoing flow of income for the country's struggling economy. 

The ransomware attacks are alleged to have temporarily or permanently disrupted health services in several cases. It remains unclear which infection vector was used to carry out the intrusions. According to Sophos' State of Ransomware in Healthcare 2022 report, only 2% of healthcare organizations that paid the ransom in 2021 got all of their data back, compared to a global average of 46%.

Lazarus Group Responsible For $100M Crypto-Heist


Cybersecurity researchers have found Lazarus Group responsible for stealing $100m worth of crypto via the Horizon Bridge operated by Harmony, a California-based company. Lazarus Group is a prominent North Korean state-sponsored hacking group that was also behind the $620 million crypto theft from the Ronin exchange in March.

Following the incident, blockchain forensics company Elliptic informed Harmony's security team last week of its analysis of the attack on the cross-chain bridge.

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds,” Elliptic wrote. 

Additionally, Reuters reported that blockchain analytics firm Chainalysis is also investigating alongside Harmony and says the attack style resembles previous attacks attributed to North Korea-linked actors.

“On Thursday, June 23, 2022, the Harmony Protocol team was notified of a malicious attack on our proprietary Horizon Ethereum Bridge. At 5:30 AM PST, multiple transactions occurred that compromised the bridge with 11 transactions that extracted tokens stored in the bridge,” the company said in its blog. 

As the name suggests, Blockchain bridges allow users to transfer their crypto assets from one blockchain to another. The malicious actors stole $100 million in crypto assets, including Ethereum (ETH), Binance Coin, Tether, USD Coin, EOS, and Dai. 

Elliptic said that the hack was carried out by compromising the cryptographic keys of a multi-signature wallet, a technique that is popularly used by the suspected groups. 

“Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons referring to the Asia-Pacific region. Although Harmony is based in the US, many of the core team has links to the APAC region,” Elliptic added. 

Further, the report notes that two days after the attack, Harmony offered to pay a $1 million bounty to the group for the return of the Horizon bridge funds. Researchers also reported that they have identified the offenders behind the $100 million hack.

FBI: North Korean Hackers Stole $600M+ Worth Cryptocurrency

 

The FBI accused North Korean government associated hackers of stealing more than $600 million in bitcoin from a video game company last month, the latest in a sequence of sophisticated cyber thefts linked to Pyongyang. 

The FBI said in a statement, "Through our investigation we were able to confirm Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $620 million in Ethereum reported on March 29th." "DPRK" is an abbreviation for North Korea's official name, the Democratic People's Republic of Korea, and Ethereum is a technology platform linked with a type of cryptocurrency. 

The FBI was referring to the recent hack of Axie Infinity's computer network, a game that allows players to win cryptocurrency. Then-unidentified hackers stole the equivalent of about $600 million — estimated at the time the hack was detected — on March 23 from a "bridge," a network that allows users to transfer cryptocurrency from one blockchain to another, according to Sky Mavis, the company that developed Axie Infinity.

The US Treasury Department sanctioned Lazarus Group, a large group of hackers suspected of working for the North Korean government, on Thursday. The precise "wallet," or bitcoin address, that was utilised to cash out on the Axie Infinity hack was sanctioned by the Treasury Department.

According to a United Nations panel and outside cybersecurity experts, cyberattacks have been a major source of revenue for the North Korean state for years as its leader, Kim Jong Un, pursued nuclear weapons. North Korea is reported to have fired its first intercontinental ballistic missile in more than four years last month. According to Chainalysis, a company that records digital currency transactions, the Lazarus Group has stolen an estimated $1.75 billion in cryptocurrencies in recent years. 

Ari Redbord, head of legal affairs at TRM Labs, a firm that investigates financial crime, said, "A hack of a cryptocurrency business, unlike a retailer, for example, is essentially bank robbery at the speed of the internet and funds North Korea's destabilizing activity and weapons proliferation. As long as they are successful and profitable, they will not stop."

While much of the focus of cybersecurity analysts has been on Russian hacking in the wake of the Ukraine conflict, suspected North Korean hackers have been far from silent. Last month, Google researchers revealed two separate suspected North Korean cyber attempts aimed at US media and IT businesses, as well as the bitcoin and financial technology industries. Users who are targeted by state-sponsored hackers are notified by Google. 

If a Google user has "any link to being active in Bitcoin or cryptocurrencies" and receives a warning from Google about state-backed hacking, it nearly invariably turns out to be North Korean activity, according to Shane Huntley, who leads Google's Threat Analysis Group.

Further, Huntley told CNN, "It seems to be an ongoing strategy for them to supplement and make money through this activity." 

Kimsuky Hackers Employ Commodity RATs with Custom Gold Dragon Backdoor

 

Researchers in South Korea have discovered a fresh wave of activity from the Kimsuky hacking group, which is deploying commodity open-source remote access tools alongside its own backdoor, Gold Dragon. Kimsuky, also known as TA406, is a North Korean state-sponsored group that has been conducting cyber-espionage operations since 2017. The group has shown remarkable operational adaptability and a diverse range of threat activity, including malware distribution, phishing, data harvesting, and even cryptocurrency theft.

Beginning in January 2021, TA406 began delivering malware payloads through phishing emails that led to 7z archives. These archives contained an EXE file with a double extension that made it appear to be a .HTML file. If the file is opened, it creates a scheduled task called "Twitter Alarm," which lets the actors drop new payloads every 15 minutes. When run, the EXE also opens a web browser to a PDF version of a genuine NK News article hosted on the actor's infrastructure, hoping to fool the victim into thinking they are reading a post on a news site.

Kimsuky used xRAT in targeted assaults against South Korean entities in the most recent campaign, as discovered by experts at ASEC (AhnLab). The campaign began on January 24, 2022. xRAT is a free and open-source remote access and administration program that may be downloaded from GitHub. Keylogging, remote shell, file manager operations, reverse HTTPS proxy, AES-128 communication, and automated social engineering are among the functions provided by the malware. 

A sophisticated threat actor may choose to deploy commodity RATs for basic reconnaissance, since they require little configuration. This lets the actors concentrate on developing later-stage malware with more specialized functionality, tailored to the security tools and practices in place at the target.

Kimsuky often deploys Gold Dragon as a second-stage backdoor after a fileless, PowerShell-based first stage that uses steganography. The malware was documented in a 2020 report by Cybereason and a 2021 analysis by Cisco Talos researchers, so it is not new. However, as ASEC describes in its study, the variant found in this latest campaign has additional functions, such as the exfiltration of basic system information.

The malware no longer leverages system processes for this operation; instead, it installs the xRAT tool to steal the required information manually. The RAT disguises itself as an executable called cp1093.exe, which copies a legitimate PowerShell binary (powershell_ise.exe) to the "C:\ProgramData\" path and executes it via process hollowing.
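Two detection checks for the tradecraft described in this post, the double-extension executable in the 7z archive and the copy of powershell_ise.exe running from C:\ProgramData\, as an added example that is not from ASEC or the original post. The Sysmon-style process-creation records are constructed; cp1093.exe and powershell_ise.exe are the only names taken from the article.

```python
"""Two Kimsuky tradecraft checks from the article, run over constructed Sysmon-style
process-creation records (Event ID 1 fields: Image, OriginalFileName, ParentImage).

Added example, not from the ASEC report. The file names and paths below are made-up
sample data, not real indicators; cp1093.exe and powershell_ise.exe are the only
names taken from the article."""
import ntpath  # Windows path semantics regardless of the host OS

# Document types a double-extension lure imitates (the article's case is .HTML).
DOC_EXTENSIONS = {".html", ".htm", ".pdf", ".doc", ".docx", ".hwp", ".txt"}

# The genuine PowerShell ISE lives under the Windows directory; a copy anywhere
# else (C:\ProgramData\ in the article) is a relocated binary worth a look.
WINDOWS_ROOT = "c:\\windows\\"


def has_double_extension(path):
    """True for names like 'article.html.exe': a document extension hiding a real .exe."""
    name = ntpath.basename(path).lower()
    stem, last = ntpath.splitext(name)
    _, inner = ntpath.splitext(stem)
    return last == ".exe" and inner in DOC_EXTENSIONS


def is_relocated_powershell_ise(event):
    """True when a binary whose PE version resource names it powershell_ise.exe
    (Sysmon's OriginalFileName) runs from outside the Windows directory."""
    image = ntpath.normpath(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return original == "powershell_ise.exe" and not image.startswith(WINDOWS_ROOT)


def triage_events(events):
    """Return (record index, reason) pairs for records matching either pattern."""
    findings = []
    for idx, ev in enumerate(events):
        image = ev.get("Image", "")
        if has_double_extension(image):
            findings.append((idx, "double-extension executable: " + ntpath.basename(image)))
        if is_relocated_powershell_ise(ev):
            findings.append((idx, "powershell_ise.exe copy running from " + ntpath.dirname(image)))
    return findings


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    # Lure EXE named to look like an HTML page, launched from an extracted archive.
    {"Image": "C:\\Users\\analyst\\Downloads\\nknews_article.html.exe",
     "OriginalFileName": "-",
     "ParentImage": "C:\\Program Files\\7-Zip\\7zFM.exe"},
    # PowerShell ISE copied to ProgramData and started by the dropper (then hollowed).
    {"Image": "C:\\ProgramData\\powershell_ise.exe",
     "OriginalFileName": "PowerShell_ISE.EXE",
     "ParentImage": "C:\\Users\\analyst\\AppData\\Local\\Temp\\cp1093.exe"},
    # The real PowerShell ISE started by a user from its normal location.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
     "OriginalFileName": "PowerShell_ISE.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # An ordinary single-extension program.
    {"Image": "C:\\Program Files\\Vendor\\report_viewer.exe",
     "OriginalFileName": "report_viewer.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for idx, reason in triage_events(SAMPLE_EVENTS):
        print("event %d: %s" % (idx, reason))
```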

Lazarus APT Cell Exploits the Windows Update Client

 

According to experts at a cyber security agency, Lazarus, a notable hacking organization with ties to the North Korean government, has been utilizing the Windows Update client to spread malware as part of a new spear-phishing effort.

The North Korean nation-state hacking outfit known as the Lazarus Group, also tracked as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, has been operating since at least 2009. The threat actor was tied to a sophisticated social engineering campaign aimed at security researchers last year.

The two macro-embedded messages seem to be enticing the targets about new Lockheed Martin job opportunities: 
  • Lockheed Martin JobOpportunities.docx 
  • Salary Lockheed Martin job opportunities confidential.doc 

Both of these documents were created on April 24, 2020, but enough evidence leads us to believe it was leveraged in a campaign between late December 2021 and early 2022. The threat actor's domains are one of the pieces of evidence that this attack took place recently. The attack begins with the malicious macros hidden in the Word document being executed. 

The malware runs a series of implants to gain startup persistence on the target computer, ensuring that a reboot does not remove the malware.

Researchers discovered evidence that the threat group used GitHub as a command and control (C2) site for its attacks. Lazarus' use of GitHub as a C2 is unusual, according to the researchers, who say this is the first time the group has been seen doing so.

The campaign's attribution to the Lazarus APT is based on different facts as stated below: 
  • The usage of employment opportunities as a template is something Lazarus has done before.
  • Defense industry targets, particularly Lockheed Martin, are well-known targets for North Korea-linked APTs.
  • The metadata utilized in this campaign connects the documents to various other materials used by Lazarus previously.

North Korean Hackers Attack Russian Diplomats

 

American information security experts from Cluster25 and Black Lotus Labs discovered cyberattacks on employees of the Russian Foreign Ministry before the New Year holidays. They were allegedly carried out by the North Korean hacker group Konni. 

According to Black Lotus Labs, the attackers began a phishing campaign back in October. They sent some diplomats archives with information about vaccination data and sent others links to download a fake program for registering vaccinated people on the federal vaccine registry. As a result, the account of one of the employees of the Foreign Ministry (mshhlystova@mid.ru) was compromised. From this address, hackers sent a phishing email to Deputy Minister Sergei Ryabkov at SRyabkov@mid.ru on December 20. 

In addition, Cluster25 reported that another letter containing an infected archive was sent on December 20 to the Russian Embassy in Indonesia, with the sender listed as the diplomatic mission in Serbia.

The Russian Foreign Ministry confirmed that the attack was real. "However, the attack was timely detected and localized by standard means of active protection of the ministry's information infrastructure and did not spread further," the Foreign Ministry said. The ministry stressed that the phishing attack had no destructive impact on the information infrastructure of the Foreign Ministry. 

As Anastasia Tikhonova, the head of the Group-IB threat research group explained, American experts could take examples of emails from the VirusTotal (VT) service, which analyzes suspicious files. According to her, one of these letters was posted there on the day of the attack, December 20. 

It should be noted that the Konni group (APT37) has been known since 2017. In its attacks it has used, among other things, documents related to Russia-DPRK relations, taking texts from public sources. Kaspersky Lab cybersecurity expert Denis Legezo said that Konni can send a deliberately corrupted PDF file; when the recipient cannot open it, the attackers offer an infected program disguised as a PDF reader.

Lazarus, Cobalt, and FIN7 Cyber Groups Allegedly Opened Fire on the Financial Industry

 

A study titled "Follow the Money" by Outpost24's Blueliv, focused on the financial sector, aims to identify and track the groups behind the bulk of financial theft and fraud. The Lazarus, Cobalt, and FIN7 threat groups were found to be the most common threat actors targeting financial institutions. As the Covid-19 pandemic has further aggravated the situation by disrupting training and operations, it is no surprise that cyberattacks on financial institutions are on the rise.

Attacking banks provides cybercriminals with various opportunities for profit through extortion, theft, and fraud, while nation-states and hacktivists also target the financial industry for political and ideological leverage. The Strategic Technologies Program investigates the evolution of cyber risks to the financial system, as well as legal and regulatory attempts to improve its defenses.

Lazarus is a North Korean state-sponsored advanced persistent threat (APT) group that has been linked to high-profile attacks on Sony Pictures Entertainment, the Bangladesh Bank heist via SWIFT, and the WannaCry ransomware epidemic in 2017. Banks, casinos, financial investment software producers, and cryptocurrency enterprises are among its targets.

The group's malware has lately been discovered in 18 countries around the world. In a typical intrusion, the Lazarus team discovers a vulnerability in one of the targeted organization's servers, infects a website visited by the organization's employees, uses malware to gain access to the target's IT infrastructure, and locates a server running SWIFT software. It then tries to drain the organization's accounts by downloading additional malware that can communicate with the SWIFT software.

Cobalt has been linked to attacks against financial institutions around the world, resulting in the theft of millions of dollars, since at least 2016. It first appeared on the scene with an ATM jackpotting attack on a Taiwanese bank. Despite the arrests, the gang is believed to be still functioning. To break into networks, the Cobalt group uses social engineering—users open infected attachments from phishing emails that are disguised to look like messages from reputable corporations and regulatory agencies. These attachments contain a document file that either downloads or contains a dropper in a password-protected archive from a remote server.

Another important, profit-driven threat group is FIN7, which specializes in Business Email Compromise (BEC) and the deployment of Point-of-Sale (PoS) malware designed to steal large amounts of customer credit card information from businesses. While banking and finance cybersecurity tactics are evolving, there are still numerous improvements that can be addressed, according to Blueliv.

To Target Security Firms, the Zinc Group Disguised as Samsung Recruiters

 

According to Google TAG researchers, a spear-phishing campaign targeting South Korean security organisations that market anti-malware solutions was carried out by a North Korean-linked APT group posing as Samsung recruiters. The state-sponsored hackers, according to the Google Threat Horizons report, issued false job offers to employees at security firms. In previous campaigns, the same gang, known as Zinc, attacked security experts, according to Google TAG researchers. 

“TAG observed a North Korean government-backed attacker group that previously targeted security researchers posing as recruiters at Samsung and sending fake job opportunities to employees at multiple South Korean information security companies that sell anti-malware solutions.” reads the Google Threat Horizons report. 

According to Google, the emails included a PDF that purported to be a job description for a position at Samsung, but the PDFs were malformed and wouldn't open in a conventional PDF reader. If the targets complained that they couldn't open the job offer archive, the hackers promised to assist them by providing a link to a "Secure PDF Reader" app that they could download. 

Google, on the other hand, claims that this file was a modified version of PDFTron, a genuine PDF reader, that was altered to install a backdoor trojan on the victims' machines. 

The Zinc APT group, also known as Lazarus, increased its activities in 2014 and 2015, and its members generally utilised custom-tailored malware in their assaults. This threat actor has been active since at least 2009, and potentially as early as 2007, and has been involved in both cyber espionage and sabotage campaigns aiming at destroying data and disrupting systems. 

The threat actor's methods have puzzled the security community, which believes the group, tracked by Microsoft under the codename "Zinc," tried to obtain unreleased vulnerabilities and exploits from unwary or careless members of that community.

The attacks were ascribed to the same team of North Korean hackers who previously attacked security researchers on Twitter and other social networks in late 2020 and into 2021, according to the Google Threat Analysis Group, the Google security team that discovered the malicious emails.

The attack against South Korean antivirus makers could be different since compromising their employees could give the group access to the tools they need to launch a targeted supply chain attack on South Korean enterprises that use their anti-malware software.

North Korean hacker group Kimsuky started attacking Russian political scientists

The American cybersecurity company Proofpoint has discovered that the Kimsuky hacker group, presumably from North Korea, is attacking Russian scientists, foreign policy experts, and non-governmental organizations that deal with various issues of interaction with the DPRK.

The company's research shows that the hackers send phishing emails to Korea experts while impersonating well-known experts in the Russian Federation.

Alexey Pavlov, Business Development Director of the Solar JSOC cyberattack response center at Rostelecom-Solar, explained that the letters contain a link; when the user clicks it, a window appears asking for a login and password, resembling the Windows pop-up shown for password-protected network resources. The attackers' plan is for the victim to enter their credentials. Since the unencrypted HTTP protocol is used, the hackers receive the credentials in cleartext.

The Proofpoint study provides an example of such a letter in Russian, allegedly on behalf of the executive director of the National Committee for BRICS Research, Georgy Toloraya. “Mass mailings are being sent from fake addresses opened in my name,” he confirmed, adding that the signature was copied from old letters.

"Positive Technologies specialists recorded Kimsuky attacks using Korean themes in August," says Denis Kuvshinov, head of the company's threat research department.

According to Group-IB experts, over the past year, Kimsuky has been quite active in conducting cyber espionage operations not only against South Korea but also countries that support it.

The group has been carrying out thematic attacks since 2018. In 2020, it attacked Russian military and industrial organizations.

Experts believe that Kimsuky will try to purposefully extract valuable documents from specific officials and employees of research organizations. Kimsuky can connect infected computers to a botnet or steal access to crypto wallets.

TA406 APT Group, Which is Tied to North Korea, has Increased its Attacks


In 2021, a North Korean-linked threat actor known as TA406 ramped up its attacks, including credential harvesting activities, according to Proofpoint. The adversary, also known to security researchers as Kimsuky, Thallium, and Konni, has been attacking organizations in sectors such as education, government, media, and research, as well as other businesses. According to Proofpoint, TA406 is the actor most closely associated with Kimsuky activity, which the security firm tracks as three distinct threat actors: TA406, TA408, and TA427.

Kaspersky researchers initially discovered the TA406 cyberespionage group in 2013. Towards the end of October 2020, the US-CERT published a report on Kimsuky's latest operations, detailing their TTPs and infrastructure. The APT group primarily targeted South Korean think tanks and organizations, with victims also in the United States, Europe, and Russia.

“Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor’s campaigns remained low in volume until the beginning of January 2021,” the company said. 

During the first half of the year, Proofpoint noticed weekly attacks against journalists, foreign policy experts, and non-governmental organizations (NGOs), particularly those related to activities that affect the Korean Peninsula. Academics were also targeted. As part of its March 2021 campaign, TA406 targeted high-ranking political figures at numerous governmental institutions, as well as consultancy firms, defense institutions, law enforcement agencies, and economic and financial organizations.

Amadey, Android Moez, BabyShark, CARROTBAT/CARROTBALL, FatBoy, KONNI, SANNY, and YoreKey are among the malware families used. It also appears that NavRAT and QuasarRAT were used. 

“Generally, TA406 phishing campaigns focus on individuals in North America, Russia, and China, with the actors frequently masquerading as Russian diplomats and academics, representatives of the Ministry of Foreign Affairs of the Russian Federation, human rights officials, or Korean individuals. TA406 has also targeted individuals and organizations related to cryptocurrency for the purpose of financial gain.” reads the report. 

According to the security experts, TA406 has been involved in financially motivated assaults, such as sextortion and the targeting of cryptocurrency, just like other North Korean state-sponsored actors. “Proofpoint assesses with high confidence that TA406 operates on behalf of the North Korean government. Proofpoint anticipates this threat actor will continue to conduct corporate credential theft operations frequently, targeting entities of interest to the North Korean government,” the security firm notes.

North Korean Hackers Targeting Security Researchers with Trojanized IDA Pro


A North Korea-linked hacking group known as Lazarus is likely behind a compromised version of a popular IDA Pro reverse engineering application, in the second Democratic People's Republic of Korea (DPRK) assault against cybersecurity researchers discovered this year.

IDA Pro is an application that converts an executable file into assembly language, allowing cybersecurity experts and programmers to examine legitimate software for bugs and to determine malicious behavior. 

Due to its high cost, some researchers often download a pirated cracked version; as with any pirated software, there is always the risk of running malicious executables. This is exactly what ESET researcher Anton Cherepanov spotted in a compromised version of IDA Pro 7.5, distributed by the Lazarus hacker group. 

Threat actors inject two malicious DLLs, named idahelper.dll and win_fw.dll, into the IDA Pro installer; they are launched when the program is installed. The win_fw.dll file creates a new task in the Windows Task Scheduler that executes idahelper.dll.

The idahelper.dll file then connects to the devguardmap[.]org site and installs malicious payloads believed to be the NukeSped remote access trojan. The installed RAT allows the attackers to access the security researcher's device to steal files, take screenshots, log keystrokes, or execute further commands.

"Based on the domain and trojanized application, we attribute this malware to known Lazarus activity, previously reported by Google's Threat Analysis Group and Microsoft," ESET tweeted regarding the connection to Lazarus.

A North Korean hacking group, tracked as Zinc by Microsoft, has a long history of targeting security researchers with backdoors and remote access trojans. Earlier this year in January, Google revealed that Lazarus designed a plot to launch a mass-scale social media campaign to create fake personas posing as vulnerability researchers. 

Using these personas, the hackers contacted other security researchers about potential collaboration in vulnerability research. After establishing contact with a researcher, the hackers sent malicious Visual Studio projects containing malware as prebuilt binaries. These included the Comebacker dynamic link library (DLL), which attempts to perform privilege escalation for processes, and the Klackring DLL, which registers malicious services on the researcher's device.

APT groups in North Korea are increasing with each passing day and are directly linked to the regime of Kim Jong Un. Lazarus is the largest and most prolific of those groups and is believed to be responsible for an attack on COVID-19 vaccine makers in December 2020, to steal intellectual property.

Kumsong 121 North Korean Hacker Group Conducts Cyber Attacks via Social Media


Kumsong 121, the North Korean hacker gang, has unleashed a North Korean cyberattack that employs social media. The North Korean hacking attempts are a matter of concern for computer users and mobile phone users alike.

Given the frequency of cyber threats from North Korea, smartphone and computer users ought to stay careful, safety experts advise. 

Kumsong 121 is conducting "smishing" cyberattacks against Android mobile phone users, as per EST Security. When victims download an infected Android package that a hacker creates, most of its private information, comprising address books, text messages, telephone records, locations, sound recordings, and images stored on their phones, is disclosed. 

EST Security reported in a Tuesday news release that it had identified a potential "advanced persistent threat" (APT) by Kumsong 121. The attack used a very elaborate technique: the assailants used social media instead of e-mail to approach the target and deliver a malicious attachment.

After hijacking an individual's social media profile, the hackers selected additional targets from that person's friends. They then lowered the target's guard and built rapport by sending chat messages with friendly greetings and everyday topics or gossip.

The hackers subsequently delivered the corrupted document file to the target via e-mail, asking for input on a recent piece about North Korean matters. The accompanying document contains a macro virus that makes the computer system exploitable once the email recipient opens the file. The hackers effectively grafted social media onto conventional "spear phishing" attacks against specific persons.

Indeed, a hacker gang from North Korea recently tried to disseminate a contaminated file by taking over the social media account of a defector from North Korea and chatting with their friends.

Kumsong 121 has infiltrated the mobile phones of well-known personalities, including particular South Korean legislators, to obtain their personal information, claimed Mun Chong Hyun, head of the EST Security Response Center (ESRC). He said the hackers continually attack the websites of organizations working on North Korea issues or build counterfeit Facebook accounts of people working in the North Korea field.

“In particular, they often use mobile phones or email to contact you, pretending to be an acquaintance or industry expert,” he said. “When sent .apk or .doc files, the safest thing is to directly call the sender and confirm whether they are legit.”

Lazarus E-Commerce Attackers Adapt Web Skimming for Stealing Cryptocurrency


Cybercriminals with apparent ties to North Korea that hit e-commerce shops in 2019 and 2020 to steal payment card data also tested functionality for stealing cryptocurrency, according to the cybersecurity firm Group-IB. 

Group-IB's latest report builds on findings revealed in July 2020 by Dutch security firm Sansec, which reported that malicious infrastructure and, in many cases, malware previously attributed to the Lazarus Group were being used for Magecart-style attack campaigns.

Lazarus - aka Hidden Cobra, Dark Seoul, Guardians of Peace, APT38, Bluenoroff, and a host of other names - refers to a group of hackers with apparent ties to the Pyongyang-based government officially known as the Democratic People's Republic of Korea, led by Kim Jong-Un.

Magecart-style attacks refer to the use of so-called digital card skimming or scraping tools - aka JavaScript sniffers - that attackers inject into victim organizations' e-commerce sites. Victims of such attacks have included jewelry and accessories retailer Claire's and Ticketmaster UK, among thousands of others.

Researchers at Group-IB stated that, after reviewing the attack campaign discovered by Sansec, Group-IB also found signs suggesting that the attackers had been experimenting not just with stealing payment card data but also with stealing cryptocurrency.

Group-IB reports that it found the same infrastructure being used, together with a modified version of the same JavaScript sniffer - aka JS-sniffer - that Sansec described in its report. Group-IB has dubbed the cryptocurrency-targeting campaign Lazarus BTC Changer. 

The attackers appear to have stolen relatively little cryptocurrency via the sites' customers: just $9,000 worth of Ethereum and $8,400 worth of bitcoins, Group-IB reports. Group-IB says those stolen funds appeared to have been routed to bitcoin cryptocurrency wallets allegedly owned by CoinPayments.net, "a payment gateway that allows users to conduct transactions involving bitcoin, Ethereum, Litecoin, and other cryptocurrencies." 

Lazarus may have used the site to launder the stolen funds by moving them to other cryptocurrency exchanges or wallets. The cybersecurity firm notes that CoinPayments' "know your customer" policy could help identify the individuals who initiated the transactions. The service's user agreement stipulates that individuals attest that they are not operating in, or on behalf of anyone in, a prohibited jurisdiction, which includes North Korea.

North Korean Lazarus Group Attacks South African Freight Via New Weapon


The North Korean-backed Lazarus hacking group employed a new backdoor in targeted attacks against a South African freight and logistics company. ESET researchers first discovered the malware in June 2020, but further evidence suggests Lazarus has been using it in previous attacks going back to at least December 2020. 

The new backdoor malware, dubbed Vyveva, is one of the latest tools discovered in the Lazarus armory. Vyveva can exfiltrate files, gather data from a compromised machine and its drives, connect remotely to a command-and-control (C2) server, and run arbitrary code. It also uses watchdogs that track newly connected drives and active user sessions, triggering new C2 connections on new sessions or drive events.

While ESET researchers have had little success in identifying the initial compromise vector, they have identified three main components comprising Vyveva: its installer, loader, and backdoor. Vyveva also includes a ‘timestomping’ option that lets its operators alter any file’s timestamps, either copying metadata from other files on the system or setting a random date between 2000 and 2004, to hide new or modified files.
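A defender-side check for the timestomping behaviour described above, added here as an example and not code from ESET or the Vyveva report. It flags files whose timestamps fall in the 2000 to 2004 window the report mentions, or whose modification time is implausibly older than the inode change time (on POSIX, utime() can backdate mtime but the kernel always sets ctime to the current time); the window, the one-year gap and the sample files are assumptions.

```python
"""Flag files whose timestamps look backdated (Vyveva-style timestomping check).
Added example, not ESET's or the malware author's code. Heuristics (assumptions):
  1. mtime or atime falls inside a suspicious window (2000-2004 by default);
  2. mtime is more than a year older than ctime: utime() sets mtime/atime but
     the kernel bumps ctime to 'now', so a fresh file with a years-old mtime
     was probably backdated. (On Windows st_ctime is creation time; the same
     comparison still catches a file created recently but stamped as old.)
"""
import os
import tempfile
from datetime import datetime, timezone

SUSPICIOUS_WINDOW = (2000, 2004)      # inclusive years, per the report
CTIME_GAP_SECONDS = 365 * 24 * 3600   # mtime more than a year older than ctime


def _year(ts: float) -> int:
    return datetime.fromtimestamp(ts, tz=timezone.utc).year


def find_suspicious_timestamps(root, window=SUSPICIOUS_WINDOW, gap=CTIME_GAP_SECONDS):
    """Walk `root`; return [(path, reason), ...] for files tripping a heuristic."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            reasons = []
            for label, ts in (("mtime", st.st_mtime), ("atime", st.st_atime)):
                if window[0] <= _year(ts) <= window[1]:
                    reasons.append(f"{label} in {window[0]}-{window[1]} window")
            if st.st_ctime - st.st_mtime > gap:
                reasons.append("mtime more than a year older than ctime")
            if reasons:
                hits.append((path, "; ".join(reasons)))
    return hits


def build_sample_tree():
    """Constructed test data: one normal file and one backdated to 2002 via utime()."""
    root = tempfile.mkdtemp(prefix="tstomp_")
    normal = os.path.join(root, "notes.txt")
    stomped = os.path.join(root, "loader.dll")  # hypothetical name, not an IoC
    for p in (normal, stomped):
        with open(p, "w") as fh:
            fh.write("constructed sample\n")
    backdated = datetime(2002, 6, 15, tzinfo=timezone.utc).timestamp()
    os.utime(stomped, (backdated, backdated))  # sets atime and mtime; ctime stays 'now'
    return root, normal, stomped


if __name__ == "__main__":
    sample_root, _, _ = build_sample_tree()
    for path, why in find_suspicious_timestamps(sample_root):
        print(f"{path}: {why}")
```

Files copied with their original timestamps preserved (for example via `cp -p` or an archive extraction) also show an old mtime next to a fresh ctime, so treat the second heuristic as a triage signal to be correlated with the file's origin rather than as proof of tampering.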

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-like execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” security researcher Filip Jurcacko stated.

According to the US government, the Lazarus group was formed in 2007, and since then, as per the researchers, the group has been responsible for the $80 million Bangladeshi bank heist and the HaoBao Bitcoin-stealing campaign. The Lazarus Group’s activities were widely reported only after it was blamed for the 2014 cyber-attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware attack on countries including the US and Britain.

British Drug Maker AstraZeneca, Working to Deploy the Covid-19 Vaccine, Targeted by Suspected North Korean Hackers

There is no denying that cyberattacks against health bodies, vaccine scientists and drug makers have risen sharply during the Coronavirus pandemic, as state-backed and criminal hacking groups scramble to acquire the most recent research and data about the outbreak.

Yet another example has come to light recently: as a British drug maker races to deploy its vaccine for the Coronavirus, suspected North Korean hackers attempted to break into its systems.

According to sources, the hacking attempt focused on a "broad set of people", including staff working on the COVID research.

Reuters reports that, posing as recruiters on the networking site LinkedIn and on WhatsApp, the hackers approached AstraZeneca staff with fake job offers and later sent documents that appeared to be job descriptions but were laced with malicious code intended to access a victim's computer.

The source, who spoke on the condition of anonymity to discuss non-public information, said the tools and methods used in the attacks showed they were part of an ongoing hacking campaign that US authorities and cybersecurity researchers have attributed to North Korea.

The campaign was previously centered on defence companies and media organizations but pivoted to Coronavirus-related targets recently, according to three people who have investigated the attacks.

Microsoft said that in the current month alone it had observed two North Korean hacking groups target vaccine developers in multiple countries, including by "sending messages with fabricated job descriptions". Microsoft, however, did not name any of the targeted organizations.

The North Korean mission to the United Nations in Geneva did not respond to a request for comment. Pyongyang has likewise denied carrying out the previously mentioned cyberattacks.

It has no direct line of contact for foreign media. AstraZeneca, which has emerged as one of the top three Coronavirus vaccine developers, also declined to comment.

North Korea has consistently been accused by US prosecutors of some of the world's 'most audacious and damaging cyberattacks’, including the hack and leak of emails from Sony Pictures in 2014, the 2016 theft of $81 million from the Central Bank of Bangladesh, and the release of the WannaCry ransomware virus in 2017.

Pyongyang has consequently portrayed the allegations against it as attempts by Washington to malign its image. 

Reuters however has recently reported that hackers from Iran, China and Russia likewise have attempted to break into leading drug makers and even the World Health Organization this year, yet Tehran, Beijing and Moscow have all denied the allegations.

Russian military companies were reportedly attacked by hackers from North Korea

North Korean hacker group Kimsuky has reportedly conducted several attacks on the Russian military-industrial complex in order to obtain Russia's military and technological secrets.

According to the cybersecurity company Group-IB, attacks by hackers from the Democratic People's Republic of Korea on the Russian defense industry took place in the spring of 2020. North Korean cyber criminals sought to obtain data from aerospace and defense companies, as well as from enterprises that produce artillery equipment.

The Telegram channel SecAtor reported that Rostec was among the companies attacked. RT-Inform, a subsidiary of Rostec that deals with information security, neither confirmed nor denied this information, but noted that the number of cyber attacks on the state corporation's resources increased from April to September.

"Most of the attacks were poorly prepared and did not pose a significant threat when they were exposed, but this could only be preparation," said RT-Inform.

Experts believe that in this case, hackers from the DPRK will soon launch new, more well-prepared attacks.

Kimsuky, also known by the names Velvet Chollima and Black Banshee, is engaged in cyber espionage. According to Group-IB, the North Korean hackers previously attacked facilities in South Korea, but then turned to enterprises producing artillery equipment and armored vehicles in Russia, Ukraine, Slovakia and Turkey, using fraudulent mailings.

According to Denis Legezo, a cybersecurity expert at Kaspersky Lab, some fraudulent emails from North Korean groups contain information about vacancies in the aerospace and defense industries. He believes that this indicates the interest of hackers in industrial espionage.

As reported by E Hacking News, in September in Russia there were cases of attacks by the Chinese hacker group Winnti on software developers for banks, as well as on companies in the construction sector. Winnti has previously repeatedly hacked the networks of industrial and high-tech companies from Taiwan and Europe, but the group's activities have not yet been reported in Russia.