Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/12/2017
03:01 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Malware Uses GeoCities, North Korea Interest to Trick Victims

A new threat called Baijiu leverages the GeoCities web service, and heightened interest in North Korea, to deceive victims.

Researchers at Cylance have discovered a new advanced threat, dubbed Baijiu, which uses heightened interest in North Korea and the GeoCities web service to prey on victims.

Baijiu abuses global concern about the humanitarian situation in North Korea, specifically with respect to the flooding related to last year's Typhoon Lionrock. Victims click a malicious file with the expectation they will learn more about how the situation unfolded, which was largely hidden from the world.

The ultimate goal of this attack is to deploy a set of espionage tools through a downloader called Typhoon and set of backdoors called Lionrock. These are likely used to siphon data from victims, explains Kevin Livelli, Cylance director of threat intelligence.

Cylance researchers hunting new and existing threats discovered elements of this attack had been uploaded to VirusTotal and weren't being detected by most solutions, Livelli says. The North Korea reference initially caught their attention, but several other factors set Baijiu apart.

"It was a more complex piece of malware than we typically see," he continues. "It took a rather circuitous route from the phishing attempt, all the way to the backdoor."

Along the way, Baijiu takes several steps to hide itself, which Cylance reports has helped it evade antimalware precautions. Researchers speculate this is also an attempt to throw off researchers and investigators who might be following it.

Livelli was most interested in the appropriation of Geocities to deliver Baijiu malware. The web hosting service, popular in the 1990s, is currently owned by Yahoo and based in Japan. It's free to use, has high bandwidth, and doesn't require user identification beyond a Yahoo email address.

"The same things that make it appealing to ordinary citizens are making it appealing to hackers," he says, noting the anonymity GeoCities grants its users.

Baijiu isn’t the only threat using GeoCities as a launching pad for malware. The service was also used in March 2017 for targeted attacks to deliver "Poison Ivy," which has been associated with Chinese APT groups. GeoCities is increasingly being used by advanced adversaries, says Livelli, and researchers found at least 10 other examples of attacks using it.

Cylance has not conducted an analysis of Baijiu targets. Livelli says it's likely widespread, though the company did not discover specific geographies or organizations are at risk. It also cannot attribute a specific cybercriminal or cybercriminals to the threat.

"Given the technical complexity of this attack and certain features in the way it's coded, we can say it's a sophisticated attacker that's employing this malware," Livelli says.

Cylance cannot definitively attribute a specific actor(s) to Baijiu, he continues. Researchers discovered Baijiu shares code similarities with the Egobot codebase, as described by Symantec, and the broader Darkhotel Operation, as discovered by Kaspersky.

Egobot was used in campaigns targeting Korean interests, and Darkhotel's operators were based in Japan, Taiwan, and China. This could hint at the origin for Baijiu; however, Cylance can't say with certainty because it only analyzed one specific piece of malware and not a broader campaign.

"It's one window into a larger campaign that probably has connections," he says. Given that Baijiu shares commonalities with other previously discovered cyberattacks, there may be other lures that could give a better idea of who the attackers are and what they seek.

Related Content

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVE-2021-27365
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...
CVE-2021-27363
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system...
CVE-2021-26294
PUBLISHED: 2021-03-07
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_...