Malware

10/19/2018
08:05 AM
Jeffrey Burt

McAfee: Seasalt Malware Raises Its Head Again

Code from the Seasalt malware, last seen in 2010, has been found in new campaigns targeting South Korea and North America, according to McAfee.

Code used roughly a decade ago by a threat group that attacked more than 140 US companies over a four-year period has resurfaced in a number of campaigns that primarily target South Korean organizations but have expanded to the US and Canada, according to researchers with McAfee.

The report, "Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group," released this week at the MPower 2018 show in Las Vegas, finds that the Oceansalt implant includes code from Seasalt, malware used in a campaign against US organizations between 2006 and 2010. Seasalt was run by the group APT1 -- also known as Comment Crew -- and traces of its source code had not been seen since 2010 until this year, when campaigns using portions of the code were detected in South Korea.


APT1 hadn't been heard from since it was exposed in a report in 2013 outlining attacks in the US.

"This report detailed the inner workings of Comment Crew and its cyber offensive capabilities," according to McAfee's report, written by researchers Ryan Sherstobitoff and Asheer Malhotra. "The consequences of releasing this public report forced the group to either make changes to their techniques or cease their activity altogether. Until this analysis, we had observed no new activity related to Comment Crew since they were exposed, but now we find portions of their implant code appearing in new operations targeting South Korea."

Cybercriminals reusing code from other campaigns is not unusual -- McAfee and Intezer recently outlined code reuse among an array of North Korea-based malware groups like Lazarus, Hidden Cobra and Group 123 -- but what's different here is that as far as McAfee researchers can tell, the source code from APT1 was never made public. (See Researchers Show That Code Reuse Links Various North Korean Malware Groups.)

The bad actors behind Oceansalt are unknown.

In their report, the researchers said it is unlikely that the Oceansalt campaigns mean APT1 has returned; more likely, those behind the attacks have somehow gained access to its source code. They suggest this could be a code-sharing arrangement between two actors, or that a hacker obtained the code from someone involved in the APT1 operations. It could also be a false-flag operation designed to make it appear that China and North Korea are collaborating on the Oceansalt attacks.

"We have not seen this group prior, and therefore determined this to be a significant finding as a result," Raj Samani, chief scientist at McAfee and a McAfee Fellow, told Security Now in an email. "Certainly code reuse is normal practice; indeed one of our previous publications shows with attacks attributed to [North Korea], for example, this has been done. However, this one is two different threat actor groups, and in particular using code from many years before."

Samani added that there is a "growing trend of threat actors beginning to collaborate more. This is not only between nation-states but in fact we have seen this in the criminal environments. For example, the GandCrab [ransomware] crew are developing relationships with other groups."

McAfee researchers have found five Oceansalt attack waves, each tailored to its targets. The attackers initially used spear-phishing emails carrying two malicious Microsoft Excel documents written in Korean; the documents acted as downloaders for the implant that contained portions of the APT1 code.

The targets were involved with public infrastructure projects in South Korea.

A malicious file that is part of Operation OceanSalt (Source: McAfee Labs)

A second round of malicious documents carried the same metadata and author -- "Lion" -- as the Excel files, but were delivered as Microsoft Word documents. This wave was first aimed at the Inter-Korean Cooperation Fund and initially appeared in South Korea on May 31. Organizations in the US and Canada involved in investment, banking and agriculture have since been hit by the attack, the researchers said.
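The researchers tied the Excel and Word waves together partly through a shared document author string. The following added example (not code from the McAfee report or from this article) shows how an analyst can pull that metadata from Office files and group samples by creator. It handles only the OOXML (zip-based .xlsx/.docx) container, reading docProps/core.xml; the article does not say which Office format the lures used, and a legacy OLE2 .xls/.doc file has no core.xml, so the code flags those rather than guessing (parsing the OLE SummaryInformation stream would need a library such as olefile). The sample files, names and timestamps are constructed in memory; only the author value "Lion" comes from the article.

```python
"""Group Office documents by their OOXML core-properties creator field.

Added example, not from the McAfee report or the article. Two constructed
minimal OOXML containers share the creator "Lion" (the author string the
article reports); a third is benign; a fourth is a legacy OLE2 header with
no core.xml, to show how the edge case is reported rather than misclustered.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import defaultdict

# Namespaces used by docProps/core.xml in real OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

CORE_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
    "<dc:creator>{creator}</dc:creator>"
    "<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>"
    "<dcterms:created>{created}</dcterms:created>"
    "</cp:coreProperties>"
)


def build_ooxml(creator, modifier, created):
    """Return bytes of a minimal constructed zip container holding only core.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "docProps/core.xml",
            CORE_TEMPLATE.format(creator=creator, modifier=modifier, created=created, **NS),
        )
    return buf.getvalue()


def core_metadata(data):
    """Parse docProps/core.xml from an OOXML blob.

    Returns a dict with creator, last_modified_by and created, or None when the
    blob is not a zip (e.g. a legacy OLE2 .xls/.doc) or carries no core.xml.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "docProps/core.xml" not in zf.namelist():
                return None
            root = ET.fromstring(zf.read("docProps/core.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None and el.text else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
    }


def cluster_by_creator(samples):
    """samples: dict of file name -> bytes. Returns dict of creator -> sorted names.

    Files without a readable core.xml land in a "<no core.xml>" bucket so that
    an analyst sees them explicitly instead of losing them.
    """
    clusters = defaultdict(list)
    for name, data in samples.items():
        meta = core_metadata(data)
        key = meta["creator"] if meta and meta["creator"] else "<no core.xml>"
        clusters[key].append(name)
    return {k: sorted(v) for k, v in clusters.items()}


# Constructed sample set; names and timestamps are illustrative only.
SAMPLES = {
    "wave1_sheet.xlsx": build_ooxml("Lion", "Lion", "2018-05-01T00:00:00Z"),
    "wave2_doc.docx": build_ooxml("Lion", "Lion", "2018-05-31T00:00:00Z"),
    "benign_report.docx": build_ooxml("jane.doe", "jane.doe", "2018-04-02T00:00:00Z"),
    # OLE2 compound-file magic bytes followed by padding: not a zip, no core.xml.
    "legacy.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
}

if __name__ == "__main__":
    for creator, names in cluster_by_creator(SAMPLES).items():
        print(f"{creator}: {', '.join(names)}")
```

Run against a directory of quarantined lures, the same grouping surfaces documents that share a creator or lastModifiedBy value across otherwise different file types, which is exactly the kind of overlap that linked the Excel and Word waves here. Treat metadata as a pivot, not proof: author strings are trivially forged.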

The researchers said the attacks in North America could be a campaign separate from the one in South Korea. Either way, they consider the Oceansalt threat significant.

"These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victim," the analysts wrote. "The impact of these operations could be huge: Oceansalt gives the attackers full control of any system they manage to compromise and the network it is connected to. A bank's network would be an especially lucrative target. Further, the code overlaps with that from a previously reported advanced state-sponsored group. The overlap suggests a close collaboration between members of a state-sponsored group and the current actors in conducting cyber operations."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.