Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/25/2018
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Malware in South Korean Cyberattacks Linked to Bithumb Heist

Lazarus Group is likely behind a spearphishing campaign containing malicious code to download Manuscrypt malware.

Lazarus Group, a team of cybercriminals reportedly based in North Korea, is believed to be targeting its southern neighbor with malicious documents. The files, recently reviewed by South Korean researchers and experts at AlienVault, pack Manuscrypt malware as the final payload.

Researchers in South Korea first detected the documents. One is disguised as related to the G20 International Financial Architecture Working Group Meeting and appears to target attendees, who met to discuss economic policies among the world's financial superpowers. Another is seemingly related to the $31.5 million theft from the Bithumb cryptocurrency exchange.

All documents were created in Hangul Word Processor (HWP), a South Korean document editor, and contain malicious code to download Manuscrypt malware. Manuscrypt communicates by mimicking South Korean forum software, AlienVault researchers report.

Manuscrypt is referred to as "Bankshot" by McAfee, which uses the term "Hidden Cobra" for the organization known as Lazarus Group. The malware is designed to remain on a target network for continued exploitation and has been seen in attacks on the Turkish financial sector, which was hit with malicious documents written in Korean in March. Threat actors could use the malware to gain full access and wipe content from a target system, McAfee explains.

This isn't the first time researchers have linked Manuscrypt to Lazarus Group, which allegedly also used the malware in advanced persistent threat (APT) attacks targeting financial institutions and the SWIFT banking network. In the earlier campaign, Manuscrypt operated by searching the internal network for specific hosts related to SWIFT. The threat leveraged the NamedPipe file-sharing feature to search for data on the internal segregated network and send it to the command-and-control (C&C) server.

Link to Bithumb Cryptocurrency Theft
Researchers have suggested a connection between the most recent Lazarus Group activity and the theft of $31.5 million in digital currency from South Korean cryptocurrency exchange Bithumb. Reports within the country indicate the heist also began with HWP files this month and last month, and experts link the incident to earlier attacks by Lazarus Group.

South Korean news organization KBS reports an investigation into the Bithumb theft revealed malware samples that had been sent to other cryptocurrency organizations. AlienVault says "it seems likely" the malware used in this recent campaign is responsible for the Bithumb incident.

Earlier this year, researchers detected Lazarus Group sending malicious HWP documents to cryptocurrency users in South Korea. In these cases, multiple phishing domains were registered to the same phone number as a domain used to deliver the malware. It seems attackers could be phishing for credentials in addition to the malware, though experts say this activity is tricky.

"It is unusual to see Lazarus registering domains," AlienVault researchers wrote in a blog post on the discovery. "Normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus."

Putting the Pieces Together
If Lazarus Group is behind the Bithumb attack, it ties these actors to a series of thefts, including $7 million previously stolen from Bithumb in 2017, as well as other cryptocurrency exchanges that were hit in 2017. The group is also believed to be responsible for the attempted theft of $1 billion from the Bank of Bangladesh, attacks on ATM networks, and the WannaCry and Sony Pictures incidents.

Earlier this month, reports indicated Lazarus Group was behind a theft of $10 million from a Chilean bank; it allegedly destroyed thousands of machines to try to conceal its activity. AlienVault notes that specifically targeting South Korean organizations doubly benefits North Korean adversaries because it has the "double impact of weakening their closest competitor."

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27605
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27606
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.8 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2020-27607
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or tr...
CVE-2020-27608
PUBLISHED: 2020-10-21
In BigBlueButton before 2.2.8 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27609
PUBLISHED: 2020-10-21
BigBlueButton through 2.2.8 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.