Lately, North Korean threat actors have been extremely visible, attacking several industries and disrupting the operations of many organizations. While attacks from North Korea are not unusual, there has been an uptick in activity from the region. In April 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory highlighting the activity of the North Korean state-sponsored APT group, Lazarus – also known as APT38.
As the rest of the world was focused on the cyber war between Russia and Ukraine, Lazarus was launching their own attacks. At the time, Lazarus was using social engineering to trick victims into downloading Trojanized cryptocurrency applications on Windows or macOS operating systems. According to CISA, Lazarus used the applications to gain access to their victims’ computer, propagate malware across their network, and steal private keys – activities that enabled follow-on activities that initiate fraudulent blockchain transactions.
CISA’s advisory would mark the beginning of a slew of attacks from North Korean threat actors in 2022. So far, we have seen steady activity from NOBELIUM, Kimsuky, H0ly Gh0st, and Lazarus. Let’s take a look at how active North Korea has been, links between threat groups, and why North Korea is a threat.
A lesser-known, North Korean ransomware gang named H0ly Gh0st aka DEV-0530 (or Holy Ghost for this report) began attacking schools, manufacturing organizations, banks, and event management firms in June 2021. Interestingly, the group is not a state-sponsored threat actor, but they do cooperate with the government despite not being on the government’s payroll.
Microsoft analyzed Holy Ghost’s ransomware and found that the group has been in communication with Lazarus – a veteran North Korean threat actor. According to Microsoft,
Holy Ghost has been developing and deploying ransomware since June 2021 and utilizes a ransomware payload with the same name for its campaigns. The ransomware gang also has a dot onion site where they interact with victims.
After encrypting their victim’s files, Holy Ghost uses the file extension .h0lyenc and sends the victim a sample of the encrypted files as proof. They then demand ransom payments in the form of Bitcoin. If the victim refuses to pay the demanded ransom the ransomware gang will threaten to publish sensitive data on social media or send the data to the victim’s customers. This tactic is known as double extortion.
Holy Ghost has been seen abusing flaws such as CVE-2022-26352 – a remote code execution vulnerability found in the ContentResource API in dotCMS 3.0 through 22.02.
According to Microsoft, Holy Ghost has connections with another North Korean-based group called PLUTONIUM. Although Holy Ghost’s ransomware is unique to the group, they have been observed communicating with PLUTONIUM. They’ve also been seen using tools created by PLUTONIUM.
While PLUTONIUM primarily targets the energy and defense industries in India, South Korea, and the United States, both HolyGhost and PLUTONIUM were seen operating from the same infrastructure set and using custom malware controllers with similar names. However, despite communicating with PLUTONIUM and the similarities, Microsoft believes that H0lyGh0st is its own distinct group.
Although Holy Ghost has some communication with North Korea’s government, their main goal is financial gain. Holy Ghost developed and used two new malware families: SiennaBlue and SiennaPurple. Those families have four variants under them: HolyLock.exe, BTLC_C.exe, HolyRS.exe, and BLTC.exe. The threat actors have clustered the variants based on code similarity, ransom note text, and C2 infrastructure (including C2 URL patterns). Because BTLC_C.exe is written in C++, it’s classified as SiennaPurple, while the rest are written in Go (also referred to as GoLang).
Microsoft observed a cluster of new Holy Ghost ransomware variants written in Go between October 2021 and May 2022. The variants were classified as SiennaBlue. SiennaBlue’s Go functions include features like string obfuscation, encryption options, public key management, and support for the internet and intranet.
In November 2021, Holy Ghost successfully compromised several targets in various countries by using HolyRS.ex. The victims were small to midsized businesses in the manufacturing, banking, education, and event and meeting planning industries. Holy Ghost was possibly able to compromise the organizations by exploiting vulnerabilities (such as CVE-2022-26352) on public-facing web applications and content management systems, gaining initial access into networks.
Image 1: H0ly Gh0st Ransomware Analysis
Source: Avertium's Cyber Threat Intelligence Team
Avertium’s Cyber Threat Intelligence team (CTI) analyzed two samples of Holy Ghost ransomware: oih12ek4k[.]dll and ufggul58a[.]dll. As you can see, both samples can be found on vx-underground, and both are ransomware encryptors that are written in Go. One advantage that Go has over other programming languages is that Go function calls are easier to see in Ghidra. Other languages, such as C++, don’t always decompile cleanly in IDAPro or Ghidra – losing function names and other information.
The samples pulled from vx-underground appear to be from a more recent campaign, based on the inclusion of functions that did not exist in the 2021 ransomware samples - including self-delete, encrypt string, and decrypt string functions. Like other North Korean ransomware Avertium’s Cyber Threat Intelligence Team has analyzed, obfuscation does not appear to be the highest priority. While the following function calls do not show up in the strings, it was easily parsed by the decompiler. The name of the function is called HolyLocker.
Image 2: H0ly Gh0st Ransomware
Source: Avertium's Cyber Threat Intelligence Team
There are two possible reasons why the CTI team was not able to find the static strings for where it stores remote IP address or other IOCs:
Also, there is a pair of functions for left and right rotate, which can be used for ROT cyphers. After testing, the CTI team concluded that the only functions we can safely assume are used by the malware are the ones with “HolyLocker”.
Once Holy Ghost gains access to their target’s network, they drop and execute the SiennaBlue malware variants. Once the network is compromised, the threat actor exfiltrates a copy of the victims’ files. After encryption, Holy Ghost replaces all the file names with Base64-encoded versions of the file names and renames the extension .h0lyenc.
Image 3: H0ly Gh0st Ransom Note
At the end of July 2022, researchers observed Kimsuky (also known as Black Banshee and Thallium), a North Korean threat actor, deploying a malicious browser extension for Google Chrome and Microsoft Edge. Using SHARPEXT, Kimsuky was able to steal content from actively logged in email accounts, as well as replace browser preference files. The threat actor targeted workers in Europe, the U.S., and South Korea.
Because the malware script is short and targeted email sessions were logged into by a legitimate user, browser providers had a hard time detecting SHARPEXT. Kimsuky has been active since 2012 and previously attacked South Korean bureaucracies and businesses. Kimsuky is a part of several hacker groups that act on behalf of North Korea, including Lazarus.
In August 2022, Kaspersky published a report detailing how Kimsuky ensures their malicious payloads are solely downloaded by their intended targets and not on the systems of security researchers who can find them. The group’s new techniques filter out invalid download requests, evidenced with their attack against targets in the Korean peninsula.
According to Kaspersky, the new techniques are so effective that researchers couldn’t obtain the final payloads despite being connected to the threat actor’s command and control server.
“We’ve seen that the Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this group is that it’s tough to acquire a full-infection chain. As we can see from this research, threat actors have recently adopted victim verification methodology in their command-and-control servers.” – Kaspersky Researchers – SecureList.com
Kimsuky begins their attacks by sending phishing emails to diplomats, politicians, journalists, and professors in North and South Korea. Once the email is opened, the victim clicks on a link that takes them to a first stage C2 server. Next, the server checks and verifies a few parameters (visitors email address, OS, and the file [who].txt] before delivering a malicious document.
Dropped by the first-stage C2, a document containing a malicious macro connects the victim to the second-stage C2, fetches the next-stage payload, and runs it via the following process: mshta.exe. Next an .HTA file creates a scheduled task for auto-execution and profiles the victim – checking ProgramFiles folder paths, AV name, MS Office version, OS version, and more. There is also a payload that takes the victim to a legitimate blog to the next payload-download phase if the victim is a valid target.
Image 4: Kimsuky Infection Process
Source: Secure List
In January 2022, Kimsuky was behind the KONNI Remote Access Trojan (RAT). KONNI is a remote access tool that has been around since 2014 and has been attributed to North Korean threat groups. This malware is known to allow threat actors to steal files, grab screen shots, record key strokes, and execute arbitrary code. KONNI’s initial vector is social engineering and phishing email campaigns.
Kimsuky likely uses KONNI due to its stealth and flexibility. Avertium’s CTI team believes the stealthiness is achieved through string obfuscation and through adding additional processes into the malware to confuse advanced static analysis. The most recent KONNI variant revolves around the download of a malicious cabinet file. The file contains a malicious command script, a .dll file, and an encrypted ini file.
Image 5: KONNI Cabinet Files
Source: Avertium's Cyber Threat Intelligence Team
Active since 2009, the North-Korean threat actor, Lazarus, is one of the most known APTs in cyber space. They are behind large-scale cyber espionage and ransomware campaigns, and they have been seen attacking the cryptocurrency market and the defense industry. With a variety of advanced tools, Lazarus has recently attempted to steal cryptocurrency from deBridge Finance – a cross-chain protocol that enables the decentralized transfer of assets between blockchains.
In August 2022, Lazarus used a phishing email to trick deBridge Finance employees into launching malware that collects information from Windows systems and allows the delivery of additional malicious code. The email is disguised as being from the company’s founder, Alex Smirnov, with information regarding salary changes.
The email included an HTML file that looks like a plain text PDF file containing a password. After clicking on the malicious and fake PDF file, a cloud storage location is opened which claims to provide a password-protected archive containing the PDF. Clicking on the archive launches a fake txt file to obtain the password.
The LNK file then executes the Command Prompt with a command that retrieves a payload from a remote location. If processes for ESET, Tencent, or Bitdefender are not present on their victim’s system, the malicious file is saved in the startup folder for persistence. Once persistence is achieved, the attacker is able to send out requests to their command-and-control server for further instructions. During this stage, Lazarus was able to collect details regarding the system’s operating system, CPU, running processes, and network adapters.
While some employees at deBridge Finance reported the emails as suspicious, others opened the document. Researchers were able to attribute the attack to Lazarus by thorough analysis. As a result, researchers found an overlap in file names and infrastructure used in a previous attack that was attributed to the group.
Lazarus’ current cryptocurrency campaign also targeted cryptocurrency firms in March 2022. During that time, Lazarus targeted Woo Network by sending a malicious document masquerading as a job offer from Coinbase. The file names are different than that of deBridge, but the same fake PDF was used to trick victims.
Lazarus has focused on using social engineering to establish a foothold on their victims’ computer before stealing cryptocurrency funds and assets. The group’s largest cryptocurrency heist was the April 2022 attack on Axie Infinity’s Ronin bridge network, where they stole almost $620 million in Ethereum.
North Korea has been linked to several attack campaigns. In July 2022, CISA and the FBI warned that North Korean state-sponsored attackers were targeting healthcare and public health sector organizations within the U.S.
In March 2022, Avertium issued an emergency Flash Notice regarding CVE-2022-1096 – a Google Chrome Zero-Day leveraged by North Korean attackers. The bug was a type confusion vulnerability and was being exploited by threat actors in the wild – making all Chromium based browsers vulnerable to attacks. Affecting 2 billion users, flaw allowed threat actors to execute arbitrary code on victim devices and allowed the threat actor to trick Chrome into running malicious code.
In July 2022, Avertium published a Threat Intelligence Report regarding North-Korean threat actors deploying Maui ransomware against healthcare organizations. According to CISA, the FBI observed and responded to several cyber security incidents within the healthcare sector due to Maui. The incidents included the encryption of servers responsible for providing healthcare services (diagnostic services, imaging services, intranet services, etc.). Maui has been infecting servers since May 2021 and the attacks have been attributed to Andariel. The group is known for using their attacks to cause discord in South Korea, as well as to generate revenue.
Andariel has been attributed to other ransomware attacks targeting media, construction, network services, and manufacturing in South Korea. Although the group seeks financial gain, they use their revenue for the North Korean government. Andarial has also been linked to cyberespionage attacks that involve data wiping and data theft. In July 2022, the U.S. State
Department announced rewards up to $10 million for information regarding Andarial.
In 2014, North Korea’s cyber attacks drew attention when Pyongyang’s threat actors attacked Sony Pictures in retaliation for a movie about North Korean leader, Kim Jong Un. Since then, threat actors from the country have attacked Bangladesh’s central bank, the U.K. National Health Service, and several cryptocurrency exchanges. Between 2011 and 2020, North Korean threat actors such as Lazarus have stolen more than $1 billion in cryptocurrency. In 2021, North Korean threat actors stole about $400 million in crypto coins. Researchers state that the money stolen is likely spend on North Korea’s weapons and other government priorities.
However, not only is North Korea intent on big pay days, but they also engage in conventional cyber espionage. In January 2022, Lazarus was spotted using two Microsoft Word documents that contained false Lockheed Martin employment information, which delivered payloads to the victims. Lazarus appears to be targeting job seekers in the aerospace and U.S. defense industries via spear-phishing attacks.
Although policymakers and foreign-policy experts have ignored North Korea’s increasingly sophisticated cyberoperations in the past, they are starting to see that North Korea is not a country one should doubt. While the country may be impoverished with a crumbling healthcare system, they have prioritized developing their cyber sector into a sophisticated operation. North Korea’s threat actors have been trained to steal billions of dollars across the globe.
When it comes to cyber attacks, most think of threat actors as their own group. However, North Korea has proven that we can’t analyze Lazarus without analyzing Kimsuky, H0ly Gh0st, and other North Korean threat actors because they have connections to one another in some way.
North Korean threat actors are working under the umbrella of North Korea, and very rarely will you see a threat actor from that county who is not cooperating with the government in some fashion. It’s time for cyber security professionals across the globe to start thinking about North Korea in a more strategic way and to accept that North Korea is a serious threat in cyberspace.
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium offers the following services to keep your organization safe:
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.