Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

10/19/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

McAfee: Seasalt Malware Raises Its Head Again

Code from the Seasalt malware that was last seen in 2010 has been found in new campaigns in North Korea and North America, according to McAfee.

Some of the code used a decade ago by a threat group that attacked more than 140 US companies over a four-year period has resurfaced in a number of campaigns that primarily target South Korean organizations, but has also expanded to include the US and Canada, according to researchers with McAfee.

The report, "Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group," which was released this week at the MPower 2018 show in Las Vegas, finds that the Oceansalt implant includes code from a campaign called Operation Seasalt, which targeted US organizations between 2006 and 2010. The traces of the source code from Seasalt, which was run by the group APT1 -- also known as Comment Crew -- hadn't been seen since 2010 until this year, when campaigns using some of the code were detected in South Korea.

APT1 hadn't been heard from since it was exposed in a report in 2013 outlining attacks in the US.

"This report detailed the inner workings of Comment Crew and its cyber offensive capabilities," according to McAfee's report, written by researches Ryan Sherstobitoff and Asheer Malhortra. "The consequences of releasing this public report forced the group to either make changes to their techniques or cease their activity altogether. Until this analysis, we had observed no new activity related to Comment Crew since they were exposed, but now we find portions of their implant code appearing in new operations targeting South Korea."

Cybercriminals reusing code from other campaigns is not unusual -- McAfee and Intezer recently outlined code reuse among an array of North Korea-based malware groups like Lazarus, Hidden Cobra and Group 123 -- but what's different here is that as far as McAfee researchers can tell, the source code from APT1 was never made public. (See Researchers Show That Code Reuse Links Various North Korean Malware Groups.)

The bad actors behind Oceansalt are unknown.

In their report, the researchers said it's unlikely that the Oceansalt campaigns mean that APT1 has returned, but that somehow those behind the attacks have gained access to it. They suggest it could be a code-sharing arrangement between two actors or that a hacker has gained access to the code from someone involved in the APT1 operations. It also could be a false-flag operation to make it appear that China and North Korea are collaborating on the Oceansalt attacks.

"We have not seen this group prior, and therefore determined this to be a significant finding as a result," Raj Samani, chief scientist at McAfee and a McAfee Fellow, told Security Now in an email. "Certainly code reuse is normal practice; indeed one of our previous publications shows with attacks attributed to [North Korea], for example, this has been done. However, this one is two different threat actor groups, and in particular using code from many years before."

Samani added that there is a "growing trend of threat actors beginning to collaborate more. This is not only between nation-states but in fact we have seen this in the criminal environments. For example, the GandCrab [ransomware] crew are developing relationships with other groups."

McAfee researchers have found five Oceansalt attack waves that have been tailored to their targets. The bad actors initially used spear-phishing attacks that leveraged two infected Microsoft Excel documents written in Korean that acted as downloaders of the malware that included parts of the code from APT1.

The targets were involved with public infrastructure projects in the country.

There was a second round of malicious documents that included the same metadata and author -- called "Lion" -- as the Excel documents but were housed in Microsoft Word docs. This wave was first aimed at the Inter-Korean Cooperation Fund and initially appeared on May 31 in South Korea. However, organizations in the US and Canada involved in investment, banking and agriculture have since been hit by the attack, the researchers said.

They said it was possible that the attacks in North America are part of a campaign separate from that in South Korea. The threat of Oceansalt is significant.

"These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victim," the analysts wrote. "The impact of these operations could be huge: Oceansalt gives the attackers full control of any system they manage to compromise and the network it is connected to. A bank's network would be an especially lucrative target. Further, the code overlaps with that from a previously reported advanced state-sponsored group. The overlap suggests a close collaboration between members of a state-sponsored group and the current actors in conducting cyber operations."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26246
PUBLISHED: 2020-12-03
Pimcore is an open source digital experience platform. In Pimcore before version 6.8.5 it is possible to modify & create website settings without having the appropriate permissions.
CVE-2020-29279
PUBLISHED: 2020-12-02
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
CVE-2020-29280
PUBLISHED: 2020-12-02
The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page.
CVE-2020-29282
PUBLISHED: 2020-12-02
SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication.
CVE-2020-29283
PUBLISHED: 2020-12-02
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php.