perm_phone_msgConsider your business risks? Chat With US

New malware strain indicates North Korean cyber groups share malicious tools | NK News

Ransomware BCyber todaySeptember 7, 2020 40

share close

In a malware report that shows how North Korean hackers increasingly collaborate across specialized units, the U.S. government warned on Wednesday that the DPRK is trying to steal key military and energy technologies using a malware variant spread via social engineering campaigns. 

The malware variant — dubbed “Blindingcan” — appears similar to tools used in other recent phishing campaigns reported by security firms. ClearSky Security reported on “” last week, while ESET reported on “” in June and McAfee detailed “” in July. 

U.S. government agencies published their Malware Analysis Report “to enable network defense and reduce exposure to North Korean government malicious cyber activity,” according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

Senior analyst Fred Plan at Mandiant Threat Intelligence told NK News via email that his team has been tracking the malware described in the CISA report since November last year, but that overlapping code between variants link it to much older North Korean operations targeting cryptocurrency assets as early as 2018.

“We don’t think these were necessarily the same group, but at the very least there was a kind of ‘malware lineage’ from those cryptocurrency campaigns,” Plan explained. “These connections highlight how North Korean groups share tools with each other, even if they will be used in very different kinds of campaigns and towards different goals.”

The most visible connection between CISA’s reported use of the “Blindingcan” variant and previous campaigns is that malware variants are spread via social engineering on Linkedin, using bogus job offers to trick key personnel with access to sensitive data into opening weaponized Microsoft Word files. 

“The malicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a data gathering implant on a victim’s system,” CISA experts wrote in the report. 

To gain the trust of targeted individuals, hackers may spend weeks, months or even years collecting information about potential victims, according to an unpublished by the United Nations Panel of Experts on North Korea, which was analyzed by NK News earlier this month.

When a victim opens a “docx” file infected with the malware described by CISA, the document connects to external domains pointing to compromised servers in multiple countries in order to download additional code. The chain of commands ultimately installs a variant of the Remote Access Trojan (RAT) “Hidden Cobra” that provides the attackers with full access to the computer. 

According to ClearSky’s Lead Cyber Intelligence Researcher Ohad Zaidenberg, the malware seems to be to “DRATzarus,” a RAT discovered as part of ClearSky’s into a similar, sophisticated social engineering campaign on Linkedin last week. 

The company had called the series of attacks against the global defense and aerospace industry “this year’s main offensive campaign” by the Lazarus group — part of what the U.S. government broadly refers to as “Hidden Cobra”. 

Edited by Kelly Kasulis

This content was originally published here.

Written by: BCyber

Rate it
Previous post

Similar posts

Ransomware BCyber / October 19, 2020

Ad-light, Malware-heavy # Chris Dzombak

Ad-light, Malware-heavy Since December 17, Forbes has been running an experiment wherein some fraction of visitors who are running ad blockers are blocked from accessing Forbes articles until they disable their ad blocker. In exchange, Forbes promises an “ad-light experience”: A Forbes article published yesterday claims that this interstitial resulted in 42.4% of visitors turning ...

Read more trending_flat