Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/25/2018
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Malware in South Korean Cyberattacks Linked to Bithumb Heist

Lazarus Group is likely behind a spearphishing campaign containing malicious code to download Manuscrypt malware.

Lazarus Group, a team of cybercriminals reportedly based in North Korea, is believed to be targeting its southern neighbor with malicious documents. The files, recently reviewed by South Korean researchers and experts at AlienVault, pack Manuscrypt malware as the final payload.

Researchers in South Korea first detected the documents. One is disguised as related to the G20 International Financial Architecture Working Group Meeting and appears to target attendees, who met to discuss economic policies among the world's financial superpowers. Another is seemingly related to the $31.5 million theft from the Bithumb cryptocurrency exchange.

All documents were created in Hangul Word Processor (HWP), a South Korean document editor, and contain malicious code to download Manuscrypt malware. Manuscrypt communicates by mimicking South Korean forum software, AlienVault researchers report.

Manuscrypt is referred to as "Bankshot" by McAfee, which uses the term "Hidden Cobra" for the organization known as Lazarus Group. The malware is designed to remain on a target network for continued exploitation and has been seen in attacks on the Turkish financial sector, which was hit with malicious documents written in Korean in March. Threat actors could use the malware to gain full access and wipe content from a target system, McAfee explains.

This isn't the first time researchers have linked Manuscrypt to Lazarus Group, which allegedly also used the malware in advanced persistent threat (APT) attacks targeting financial institutions and the SWIFT banking network. In the earlier campaign, Manuscrypt operated by searching the internal network for specific hosts related to SWIFT. The threat leveraged the NamedPipe file-sharing feature to search for data on the internal segregated network and send it to the command-and-control (C&C) server.

Link to Bithumb Cryptocurrency Theft
Researchers have suggested a connection between the most recent Lazarus Group activity and the theft of $31.5 million in digital currency from South Korean cryptocurrency exchange Bithumb. Reports within the country indicate the heist also began with HWP files this month and last month, and experts link the incident to earlier attacks by Lazarus Group.

South Korean news organization KBS reports an investigation into the Bithumb theft revealed malware samples that had been sent to other cryptocurrency organizations. AlienVault says "it seems likely" the malware used in this recent campaign is responsible for the Bithumb incident.

Earlier this year, researchers detected Lazarus Group sending malicious HWP documents to cryptocurrency users in South Korea. In these cases, multiple phishing domains were registered to the same phone number as a domain used to deliver the malware. It seems attackers could be phishing for credentials in addition to the malware, though experts say this activity is tricky.

"It is unusual to see Lazarus registering domains," AlienVault researchers wrote in a blog post on the discovery. "Normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus."

Putting the Pieces Together
If Lazarus Group is behind the Bithumb attack, it ties these actors to a series of thefts, including $7 million previously stolen from Bithumb in 2017, as well as other cryptocurrency exchanges that were hit in 2017. The group is also believed to be responsible for the attempted theft of $1 billion from the Bank of Bangladesh, attacks on ATM networks, and the WannaCry and Sony Pictures incidents.

Earlier this month, reports indicated Lazarus Group was behind a theft of $10 million from a Chilean bank; it allegedly destroyed thousands of machines to try to conceal its activity. AlienVault notes that specifically targeting South Korean organizations doubly benefits North Korean adversaries because it has the "double impact of weakening their closest competitor."

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28331
PUBLISHED: 2020-11-24
Barco wePresent WiPG-1600W devices have Improper Access Control. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W device has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a de...
CVE-2020-28928
PUBLISHED: 2020-11-24
In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).
CVE-2020-28994
PUBLISHED: 2020-11-24
A SQL injection vulnerability was discovered in Karenderia Multiple Restaurant System, affecting versions 5.4.2 and below. The vulnerability allows for an unauthenticated attacker to perform various tasks such as modifying and leaking all contents of the database.
CVE-2020-13620
PUBLISHED: 2020-11-24
Fastweb FASTGate GPON FGA2130FWB devices through 2020-05-26 allow CSRF via the router administration web panel, leading to an attacker's ability to perform administrative actions such as modifying the configuration.
CVE-2020-13942
PUBLISHED: 2020-11-24
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest ava...