North Korean state-sponsored hacking group Lazarus has started targeting individuals and organizations directly, instead of focusing exclusively on spying on financial institutions, Proofpoint reports.
Active since at least 2009, the Lazarus Group is considered one of the most disruptive nation-state sponsored actors, accused of being involved in numerous high-profile attacks. Some of these include the 2014 Sony Pictures hack, last year’s theft of $81 million from the Bangladesh Bank, and this year’s WannaCry ransomware attack.
The group was recently observed to be increasingly focused on financially motivated attacks and was named as the most serious threat against banks earlier this year. More recently, the group also started showing high interest in the skyrocketing prices of cryptocurrencies.
The multistage attacks that Proofpoint has uncovered rely on cryptocurrency-related lures to spread sophisticated backdoors and reconnaissance malware. In some cases, the hackers deploy additional malware, including the Gh0st remote access Trojan (RAT), in an attempt to steal credentials for cryptocurrency wallets and exchanges.
What’s more, Proofpoint’s security researchers discovered that the nation-state actor also started targeting a point-of-sale (PoS) related framework to steal credit card data. These PoS attacks can potentially incur high financial losses given their timing near the holiday shopping season.
In a new report (PDF), Proofpoint details a new toolset associated with the Lazarus Group. Dubbed PowerRatankba, the toolset has been targeting individuals, companies, and organizations with interests in cryptocurrency via spear-phishing and phishing campaigns.
The campaigns started on or around June 30, 2017 and included highly targeted spear-phishing attacks focused on at least one executive at a cryptocurrency organization. While a PowerRatankba.A variant was used in these attacks, the rest of the campaigns used PowerRatankba.B, Proofpoint says.
The PowerSpritz downloader hides both its legitimate payload and malicious PowerShell command using the Spritz encryption algorithm. The downloader has been delivered via spear-phishing attacks using the TinyCC link shortener service to hide the malicious link.
Posing as Telegram or Skype updates, PowerSpritz would first launch a legitimate installer to trick the user into believing they downloaded a working application installer or update. In the background, however, a PowerShell command is executed to download the first stage of PowerRatankba.
A malicious LNK file was observed using a known AppLocker bypass to retrieve the payload from a TinyURL shortener link. The CHM files abuse a well-known technique to create a shortcut object capable of executing malicious code and to cause the object to be automatically clicked.
The researchers also associated two VBScript macro-laden Microsoft Office documents with this activity, namely one Word document and one Excel spreadsheet. The former uses an Internal Revenue Service (IRS) theme, while the latter uses a Bithumb lure.
New first-stage implant
Recent attacks involved the use of phishing emails to direct users to fake webpages in an attempt to trick them into downloading or updating cryptocurrency applications. A backdoor in the PyInstaller executables, however, was meant to download PowerRatankba.
The implant, supposedly a successor of Ratankba, which was publicly detailed earlier this year, is a first stage reconnaissance tool used for the deployment of further stage implants. Using HTTP for command and control (C&C) communication, PowerRatankba first sends information about the machine, including computer name, IP address, OS boot time and installation date, language, info on ports 139/3389/445, a process list, and output from two WMIC commands (PowerRatankba.B only).
After initial contact with the C&C, PowerRatankba.A sends a request to receive commands from the server. This malware variant can download a payload and execute it via memory injection; can download the payload, save it to disk, and then execute it; can sleep and send request after sleep; and exit.
For persistence, PowerRatankba.A saves a JS file to the Startup folder. Depending on whether it runs under an admin account or not, PowerRatankba.B either downloads a PowerShell script, saves it to disk, and creates a scheduled task to execute it on system startup, or downloads a VBScript file and saves it to the Startup folder.
PowerRatankba.B was observed delivering a custom variant of the Gh0st RAT to several devices, but only to victims with obvious interest in cryptocurrencies. An attack involving the RAT revealed immediate interest in taking full remote control of the infected device to interact with a password-protected Bitcoin wallet, among other applications.
The North Korean state-sponsored hackers appear to be interested in other financially motivated actions as well, beyond stealing millions in cryptocurrency. Thus, Proofpoint has discovered what appears to be a Lazarus operation focused on targeting PoS terminals of businesses operating in South Korea.
Dubbed RatankbaPOS, this might be “the first publicly documented nation-state sponsored campaign to steal PoS data from a PoS-related framework,” the security researchers note.
Although it’s unclear how the new malware variant is distributed, Proofpoint believes that PowerRatankba is used to deploy later stage implants that would ultimately infect systems with RatankbaPOS. The file was found on a C&C in plaintext, suggesting that it wasn’t deployed using the reconnaissance tool.
Deployment is achieved through a process injection dropper that can also achieve persistence by creating a registry key. The malware first checks with the server for an update and then starts the process injection search.
RatankbaPOS would hook a KSNETADSL.dll module “which appears to be the handling of encrypted and decrypted credit card numbers for a KSNET-related POS framework system.” According to Proofpoint, however, the module (two of them, actually) isn’t the correct target for the malware.
The security researchers believe that the malware might be targeting an encrypted form of the track data, suggesting that the actor is focused on a SoftCamp POS-related software application, framework, or device. The researchers believe “with high confidence” that the attacks are primarily targeting devices in South Korea.
“Attribution is a controversial topic and arguably one of the most difficult tasks threat intelligence analysts face. However, based on our research, we assess with a high level of confidence given the information available to us that the operations and activity discussed in this research are attributed to Lazarus Group and ultimately North Korea,” Proofpoint says.
The security firm notes that the use of a specific implementation of the Spritz encryption cipher to encrypt PowerSpritz’ legitimate installer payload and malicious PowerShell commands is one clear indicator that this hacking group is behind the attacks. Furthermore, obfuscation techniques used in these campaigns overlap with those attributed to the Lazarus Group before.
The fact that PowerRatankba and RatankbaPOS include similar or identical features previously observed in the original Ratankba implants are another indicator of correct attribution, the researchers say. To that, the researchers add the use of a common directory for storing implants and logs, seen across the group’s toolset, as well as the initial POST request to C&C to deliver system information.
The researchers also discovered instances of code overlap between the RatankbaPOS dropper and the spreader implant used in the attack on the Far Eastern International Bank (FEIB) in Taiwan in October. The implants use the same directory and set up persistence in almost precisely the same way.
Additionally, Proofpoint discovered that content found in a PowerRatankba JS downloader decoy PDF file was previously used in Lazarus campaigns focused on espionage rather than for financial gain.
According to the security researchers, the detailed campaigns and tools belong to a financially motivated arm of the state actor, which should be differentiated from the espionage and disruption teams. The group is following the money, stealing directly from individuals and organizations instead of targeting financial institutions for espionage, as “traditional” threat actors do.
“This group now appears to be targeting individuals rather than just organizations: individuals are softer targets, often lacking resources and knowledge to defend themselves and providing new avenues of monetization for a state-sponsored threat actor’s toolkit,” Proofpoint concludes.
Related: North Korea’s New Front: Cyberheists