Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

10/19/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

McAfee: Seasalt Malware Raises Its Head Again

Code from the Seasalt malware that was last seen in 2010 has been found in new campaigns in North Korea and North America, according to McAfee.

Some of the code used a decade ago by a threat group that attacked more than 140 US companies over a four-year period has resurfaced in a number of campaigns that primarily target South Korean organizations, but has also expanded to include the US and Canada, according to researchers with McAfee.

The report, "Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group," which was released this week at the MPower 2018 show in Las Vegas, finds that the Oceansalt implant includes code from a campaign called Operation Seasalt, which targeted US organizations between 2006 and 2010. The traces of the source code from Seasalt, which was run by the group APT1 -- also known as Comment Crew -- hadn't been seen since 2010 until this year, when campaigns using some of the code were detected in South Korea.

APT1 hadn't been heard from since it was exposed in a report in 2013 outlining attacks in the US.

"This report detailed the inner workings of Comment Crew and its cyber offensive capabilities," according to McAfee's report, written by researches Ryan Sherstobitoff and Asheer Malhortra. "The consequences of releasing this public report forced the group to either make changes to their techniques or cease their activity altogether. Until this analysis, we had observed no new activity related to Comment Crew since they were exposed, but now we find portions of their implant code appearing in new operations targeting South Korea."

Cybercriminals reusing code from other campaigns is not unusual -- McAfee and Intezer recently outlined code reuse among an array of North Korea-based malware groups like Lazarus, Hidden Cobra and Group 123 -- but what's different here is that as far as McAfee researchers can tell, the source code from APT1 was never made public. (See Researchers Show That Code Reuse Links Various North Korean Malware Groups.)

The bad actors behind Oceansalt are unknown.

In their report, the researchers said it's unlikely that the Oceansalt campaigns mean that APT1 has returned, but that somehow those behind the attacks have gained access to it. They suggest it could be a code-sharing arrangement between two actors or that a hacker has gained access to the code from someone involved in the APT1 operations. It also could be a false-flag operation to make it appear that China and North Korea are collaborating on the Oceansalt attacks.

"We have not seen this group prior, and therefore determined this to be a significant finding as a result," Raj Samani, chief scientist at McAfee and a McAfee Fellow, told Security Now in an email. "Certainly code reuse is normal practice; indeed one of our previous publications shows with attacks attributed to [North Korea], for example, this has been done. However, this one is two different threat actor groups, and in particular using code from many years before."

Samani added that there is a "growing trend of threat actors beginning to collaborate more. This is not only between nation-states but in fact we have seen this in the criminal environments. For example, the GandCrab [ransomware] crew are developing relationships with other groups."

McAfee researchers have found five Oceansalt attack waves that have been tailored to their targets. The bad actors initially used spear-phishing attacks that leveraged two infected Microsoft Excel documents written in Korean that acted as downloaders of the malware that included parts of the code from APT1.

The targets were involved with public infrastructure projects in the country.

There was a second round of malicious documents that included the same metadata and author -- called "Lion" -- as the Excel documents but were housed in Microsoft Word docs. This wave was first aimed at the Inter-Korean Cooperation Fund and initially appeared on May 31 in South Korea. However, organizations in the US and Canada involved in investment, banking and agriculture have since been hit by the attack, the researchers said.

They said it was possible that the attacks in North America are part of a campaign separate from that in South Korea. The threat of Oceansalt is significant.

"These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victim," the analysts wrote. "The impact of these operations could be huge: Oceansalt gives the attackers full control of any system they manage to compromise and the network it is connected to. A bank's network would be an especially lucrative target. Further, the code overlaps with that from a previously reported advanced state-sponsored group. The overlap suggests a close collaboration between members of a state-sponsored group and the current actors in conducting cyber operations."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4560
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2019-4589
PUBLISHED: 2020-08-03
IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalation where the "My schedules and subscriptions" page is visible and accessible to a less privileged user. IBM X-Force ID: 167449.
CVE-2020-4328
PUBLISHED: 2020-08-03
IBM Financial Transaction Manager 3.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 177839.
CVE-2020-4377
PUBLISHED: 2020-08-03
IBM Cognos Anaytics 11.0 and 11.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 179156.
CVE-2020-4534
PUBLISHED: 2020-08-03
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbi...