Attacks/Breaches

6/25/2018
06:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Malware in South Korean Cyberattacks Linked to Bithumb Heist

Lazarus Group is likely behind a spearphishing campaign containing malicious code to download Manuscrypt malware.

Lazarus Group, a team of cybercriminals reportedly based in North Korea, is believed to be targeting its southern neighbor with malicious documents. The files, recently reviewed by South Korean researchers and experts at AlienVault, pack Manuscrypt malware as the final payload.

Researchers in South Korea first detected the documents. One is disguised as related to the G20 International Financial Architecture Working Group Meeting and appears to target attendees, who met to discuss economic policies among the world's financial superpowers. Another is seemingly related to the $31.5 million theft from the Bithumb cryptocurrency exchange.

All documents were created in Hangul Word Processor (HWP), a South Korean document editor, and contain malicious code to download Manuscrypt malware. Manuscrypt communicates by mimicking South Korean forum software, AlienVault researchers report.

Manuscrypt is referred to as "Bankshot" by McAfee, which uses the term "Hidden Cobra" for the organization known as Lazarus Group. The malware is designed to remain on a target network for continued exploitation and has been seen in attacks on the Turkish financial sector, which was hit with malicious documents written in Korean in March. Threat actors could use the malware to gain full access and wipe content from a target system, McAfee explains.

This isn't the first time researchers have linked Manuscrypt to Lazarus Group, which allegedly also used the malware in advanced persistent threat (APT) attacks targeting financial institutions and the SWIFT banking network. In the earlier campaign, Manuscrypt operated by searching the internal network for specific hosts related to SWIFT. The threat leveraged the NamedPipe file-sharing feature to search for data on the internal segregated network and send it to the command-and-control (C&C) server.

Link to Bithumb Cryptocurrency Theft
Researchers have suggested a connection between the most recent Lazarus Group activity and the theft of $31.5 million in digital currency from South Korean cryptocurrency exchange Bithumb. Reports within the country indicate the heist also began with HWP files this month and last month, and experts link the incident to earlier attacks by Lazarus Group.

South Korean news organization KBS reports an investigation into the Bithumb theft revealed malware samples that had been sent to other cryptocurrency organizations. AlienVault says "it seems likely" the malware used in this recent campaign is responsible for the Bithumb incident.

Earlier this year, researchers detected Lazarus Group sending malicious HWP documents to cryptocurrency users in South Korea. In these cases, multiple phishing domains were registered to the same phone number as a domain used to deliver the malware. It seems attackers could be phishing for credentials in addition to the malware, though experts say this activity is tricky.

"It is unusual to see Lazarus registering domains," AlienVault researchers wrote in a blog post on the discovery. "Normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus."

Putting the Pieces Together
If Lazarus Group is behind the Bithumb attack, it ties these actors to a series of thefts, including $7 million previously stolen from Bithumb in 2017, as well as other cryptocurrency exchanges that were hit in 2017. The group is also believed to be responsible for the attempted theft of $1 billion from the Bank of Bangladesh, attacks on ATM networks, and the WannaCry and Sony Pictures incidents.

Earlier this month, reports indicated Lazarus Group was behind a theft of $10 million from a Chilean bank; it allegedly destroyed thousands of machines to try to conceal its activity. AlienVault notes that specifically targeting South Korean organizations doubly benefits North Korean adversaries because it has the "double impact of weakening their closest competitor."

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14084
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for MKCB, an Ethereum token. If the owner sets the value of sellPrice to a large number in setPrices() then the "amount * sellPrice" will cause an integer overflow in sell().
CVE-2018-14085
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for UserWallet 0x0a7bca9FB7AfF26c6ED8029BB6f0F5D291587c42, an Ethereum token. First, suppose that the owner adds the evil contract address to his sweepers. The evil contract looks like this: contract Exploit { uint public start; function swe...
CVE-2018-14086
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for SingaporeCoinOrigin (SCO), an Ethereum token. The contract has an integer overflow. If the owner sets the value of sellPrice to a large number in setPrices() then the "amount * sellPrice" will cause an integer overflow in sell(...
CVE-2018-14087
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for EUC (EUC), an Ethereum token. The contract has an integer overflow. If the owner sets the value of buyPrice to a large number in setPrices() then the "msg.value * buyPrice" will cause an integer overflow in the fallback functio...
CVE-2018-14088
PUBLISHED: 2018-07-16
An issue was discovered in a smart contract implementation for STeX White List (STE(WL)), an Ethereum token. The contract has an integer overflow. If the owner sets the value of amount to a large number then the "amount * 1000000000000000" will cause an integer overflow in withdrawToFounde...