Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label North Korea. Show all posts
Threat Intelligence
APT37 Cyberattack Cybersecurity Data Breach Hacking North Korea phishing RokRat Threat Intelligence

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks

 

State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:

-A decoy HWPX document
-A batch script (shark.bat)

Additional payloads like caption.dat and elephant.dat
The shark.bat script executes PowerShell commands discreetly, launching the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying RokRat RAT.

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system
The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services like pCloud, Yandex, and Dropbox, utilizing their APIs to send, download, and delete files while embedding OAuth tokens for stealthy communication.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments via VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent
The malware ensures secure communication by encrypting data using XOR and RSA encryption, while C2 commands are received in AES-CBC encrypted form, decrypted locally, and executed on the compromised system. These commands facilitate data collection, file deletion, and malware termination.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.
Read more »
Windows
Cyber Attacks Mac OS North Korea Remote Work threat mitigation Windows

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers Disguise as IT Employees: FBI Warns to Disable Local Admin Accounts

Hackers use various ways to steal user data, one recent trend, according to the FBI, shows they have started gaining employment with companies. The agency has pushed out public announcement I-012325-PSA, warning organizations in the U.S. to disable local admin accounts, business must pay attention to it.

North Korean Hackers Disguising as IT Workers

The FBI has warned the public, private sector, and the world about the “victimization of US-based businesses”, as cyberattacks involving remote IT workers from North Korea are on the rise. It has noticed North Korean IT workers gaining illegal access to systems to steal confidential data and launch other cyber-crime operations. 

In an FBI announcement reported by Forbes, it was disclosed that “victims have seen proprietary data and code held to ransom,” and “the copying of corporate code repositories to attacker user profiles and personal cloud accounts.” Additionally,  the attackers have also “attempted harvesting of company credentials and session cookies for further compromise opportunities.” 

Understanding the “Principle of Least Privilege”

Law enforcement and intelligence agencies like the FBI and NSA (National Security Agency) have advised the principle of least privilege,  to “only allow designated administrator accounts to be used for administrative purposes.” The aim is to limit the administrative rights available to Mac and Windows users to ensure security. 

The principle of least privilege gives admin account access to only selected people, and nobody else. The method ensures company employees only have access to particular resources needed to get the job done, not admin rights. For instance, the user account completes day-to-day needs, whereas for something critical, like software installation, the systems will ask for admin credentials. 

Wikipedia is one great example of using this technique, it has user accounts for making backups that don’t need to install software and only have rights for running backups and related applications. 

Mitigating Threats- Advice from FBI and Security Experts

The FBI suggests businesses disable local administrator accounts and restrict privileges for installing remote desktop apps, keeping an eye out for any unusual network traffic. It has warned organizations to remember that “North Korean IT workers often have multiple logins into one account in a short period of time,” coming from various IP addresses linked with different countries. 

The agency has also advised HRs, development teams, and hiring managers to focus “on changes in address or payment platforms during the onboarding process.”

Read more »
North Korea
Cyber Crime Lazarus hacking group MFA North Korea

North Korean Hackers Exploit RID Hijacking to Gain Full Control Over Windows Systems

 


A North Korean cybercriminal group, Andariel, has been found using a stealthy hacking technique called RID hijacking to gain full control over Windows systems. This method allows attackers to manipulate a computer’s security settings, turning a low-privilege user account into an administrator account and granting them hidden control over the system.

What is RID Hijacking and How Does It Work?

Windows assigns each user account a Security Identifier (SID), which includes a Relative Identifier (RID) that defines the account’s access level. Key RIDs include:

  • 500 – Default administrator account
  • 501 – Guest account
  • 1000+ – Regular user accounts

Hackers exploit this system by modifying the RID of a normal user account to match that of an administrator. Since Windows determines permissions based on RID values, the system unknowingly grants higher-level access to what appears to be a low-privilege account. However, this attack requires deep access to the system’s core security files, specifically the Security Account Manager (SAM) registry, where user login details are stored.

Researchers from AhnLab Security Intelligence Center (ASEC) have linked these attacks to Andariel, a North Korean hacking group that is part of Lazarus, a well-known state-sponsored cybercrime organization. Andariel typically gains initial access by exploiting software vulnerabilities or tricking users into downloading malware. Once inside, they use hacking tools like PsExec and JuicyPotato to obtain SYSTEM-level privileges, the highest level of access on a Windows machine.

However, SYSTEM-level access has limitations, such as the inability to log in remotely, lack of persistence after a system restart, and high visibility to security systems. To overcome these, Andariel creates a hidden user account using the Windows "net user" command, adding a "$" symbol at the end of the username to make it invisible in regular user lists. They then modify its RID to that of an administrator, granting it full control over the system while remaining undetected.

How to Defend Against RID Hijacking

To protect against RID hijacking, organizations and IT administrators can take the following steps:

  1. Monitor User Login Activity: Use the Local Security Authority (LSA) Subsystem Service to track unusual logins or permission changes.
  2. Secure Critical System Files: Restrict unauthorized modifications to the SAM registry, where login credentials are stored.
  3. Block Hacking Tools: Prevent tools like PsExec and JuicyPotato from running, as they are commonly used for privilege escalation.
  4. Implement Multi-Factor Authentication (MFA): Require an extra authentication step for all accounts, even low-level ones, to prevent unauthorized access.
  5. Regularly Audit User Accounts: Check for hidden or suspicious accounts, especially those with "$" symbols or unusual RID values.

RID hijacking has been known since 2018, when cybersecurity researchers first demonstrated it as a way to maintain persistent access on Windows systems. However, its recent use by North Korean state-sponsored hackers highlights the growing sophistication of cyberattacks. By making small, undetectable changes to Windows user settings, hackers can silently maintain control over a compromised system, making it much harder for security teams to remove them.

The use of RID hijacking by North Korean hackers underscores the importance of proactive cybersecurity measures. Organizations must monitor user accounts, detect hidden activity, and secure critical system files to defend against such stealthy attacks. By staying vigilant and implementing robust security practices, businesses can better protect their systems from advanced threats like RID hijacking.

Read more »
North Korea Hackers
Crypto Attack Cryptocurrency exchange Cyber Attacks DMM Hacker attack North Korea North Korea Hackers

North Korean Hackers Suspected in $70M Phemex Crypto Exchange Exploit

 

A significant cyberattack on the Singapore-based cryptocurrency exchange Phemex has resulted in the loss of over $70 million in digital assets. Blockchain security experts believe the incident may be linked to North Korean hackers. The breach was detected on Thursday, prompting Phemex to suspend withdrawals after receiving alerts from security firms about unusual activity. 

Initially, approximately $30 million was reported stolen, but the attack persisted, leading to further asset depletion. The company’s CEO, Federico Variola, confirmed that the exchange’s cold wallets remained intact and unaffected. According to cybersecurity analysts, the tactics used in this attack resemble previous high-profile exploits targeting crypto exchanges.

The perpetrators swiftly transferred various tokens across multiple blockchain networks, beginning with high-value assets such as Bitcoin (BTC), Ethereum (ETH), and Solana (SOL), along with stablecoins like USDC and USDT. Since stablecoins can be frozen, the attackers quickly converted them into Ethereum before moving on to smaller, less liquid tokens. 

Researchers tracking the breach noted that hundreds of different cryptocurrencies were stolen, with attackers draining even minor altcoins. The process was reportedly carried out manually rather than through automated scripts, with assets transferred to fresh addresses before being laundered through additional layers of transactions. Experts believe the scale and coordination suggest the involvement of an experienced hacking group.  

A pseudonymous investigator known as SomaXBT.eth pointed to a North Korean-affiliated group as the likely culprit, noting similarities between this incident and previous attacks attributed to state-backed hackers. Another security analyst compared the breach to the attack on Japan’s DMM platform, which resulted in the theft of $308 million and was linked to the North Korean hacking group TraderTraitor. Data from blockchain explorers shows that the attackers utilized at least 275 transactions across Ethereum-based chains, using multiple addresses to siphon funds from networks such as Arbitrum, Base, Polygon, Optimism, and zkSync. 

Additionally, transactions were tracked across Avalanche, Binance Smart Chain, Polkadot, Solana, and Tron. A primary wallet connected to the breach handled at least $44 million in stolen funds, while notable amounts included $16 million in SOL, $12 million in XRP, and $5 million in BTC. Despite the losses, Phemex still holds roughly $1.8 billion in assets, the majority of which are in its native PT token, followed by significant holdings in Bitcoin and USDT. 

The exchange has announced that it is developing a compensation plan for affected users. As of the latest reports, activity from the attacker’s addresses appears to have ceased, with the final recorded transactions occurring around 10:00 AM ET.
Read more »
South Korea
cryptocurrency cryptocurrency theft cyber espionage Cyber Security IT Industry North Korea North Korea Hackers South Korea

Sanctions Imposed on North Korean Cyber Activities Supporting Nuclear Ambitions

 

South Korea has announced sanctions against 15 North Korean nationals and the Chosun Geumjeong Economic Information Technology Exchange Corporation for orchestrating schemes that finance North Korea’s nuclear weapons and missile programs. These measures target a global network involved in IT job fraud, cryptocurrency theft, and cyberattacks. 

The sanctioned individuals are linked to the 313th General Bureau, a division of North Korea’s Ministry of Munitions Industry. This bureau oversees the production and development of weapons and ballistic missiles. According to South Korea’s Peninsula Policy Bureau, these operatives are dispatched to countries such as China, Russia, Southeast Asia, and Africa. Using fake identities, they secure positions in international IT companies, generating revenue funneled back to the regime. 

Central to this operation is the Chosun Geumjeong Economic Information Technology Exchange Corporation. This organization plays a critical role by deploying IT professionals abroad and channeling significant financial resources to North Korea’s military projects. In recent years, North Korean operatives have increasingly infiltrated Western companies by posing as IT workers. This tactic not only generates revenue for the regime but also enables cyber espionage and theft. These workers have been found installing malware, stealing sensitive company data, and misappropriating funds. Some have even attempted to infiltrate secure software development environments. 

Despite the gravity of these actions, the stigma associated with hiring fraudulent workers has led many companies to keep such breaches private, leaving the true scope of the issue largely unknown. Additionally, South Korea accuses North Korea of being a major player in global cryptocurrency theft. A 2024 United Nations report found that North Korean hackers carried out 58 cyberattacks against cryptocurrency firms between 2017 and 2023, amassing approximately $3 billion in stolen funds. North Korean nationals have also reportedly violated international sanctions by earning income through employment in various industries, including construction and hospitality. 

These activities pose significant risks to the global cybersecurity landscape and international stability. South Korea asserts that the funds generated through these operations directly support North Korea’s nuclear and missile programs, emphasizing the need for a unified international response. By imposing these sanctions, South Korea aims to disrupt North Korea’s illicit financial networks and mitigate the broader risks posed by its cyber activities. 

This marks a crucial step in the global effort to counter the threats associated with Pyongyang’s nuclear ambitions and its exploitation of cyberspace for financial gain.
Read more »
Zero-day vulnerability
Cyber Crime Cyber Hackers CyberCrime Cybersecurity CyberThreat Internet Explorer Microsoft North Korea South Korea Zero-day vulnerability

Cyber Threat Alert for South Korea from North Korean Hackers

 


In a recent cyber-espionage campaign targeted at the United States, North Korean state-linked hacker ScarCruft recently exploited a zero-day vulnerability in Internet Explorer to distribute RokRAT malware to targets nationwide. APT37, or RedEyes as it is sometimes called, is one of the most notorious North Korean state-sponsored hacking groups, and its activities are thought to be aimed at cyber espionage. 

There is typically a focus on human rights activists from South Korea, defectors from the country, and political entities in Europe from this group. An unknown threat actor with ties to North Korea has been observed delivering a previously undocumented backdoor and remote access Trojan (RAT) called VeilShell as part of a campaign targeted at Cambodia and potentially other Southeast Asian countries, including Indonesia, Malaysia, and Thailand. 

Known to Securonix as SHROUDED#SLEEP, the activity is believed to have been carried out by APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft as well as several other names. ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a state-sponsored cyber-espionage threat group that almost entirely targets South Korean individuals and organizations. 

It uses spear phishing to deliver customized tools via phishing, watering holes, and zero-days for Internet Explorer. It has been reported by AhnLab that APT37 compromised one of the servers of a domestic advertising agency. Hence, the purpose is to push specially crafted 'Toast ads' as a part of an unidentified free software that is widely used by South Koreans. As a result of the CVE-2024-38178 flaw found in the JavaScript 9.dll file (Chakra) of Internet Explorer used for displaying these advertisements, it caused the JavaScript file named 'ad_toast' to trigger remote code execution via CVE-2024-38178 in the JavaScript9.dll file.

There is a deep correlation between the malware that was dropped in this attack and the RokRAT malware, which ScarCruft has been using for years to launch attacks. In essence, RokRATs primary function is to exfiltrate to Yandex cloud instances every 30 minutes file matching 20 extension types (including .doc, .mdb, .xls, .ppt, .txt, .amr) that match these extensions. In addition to keylogging, Keylogger also monitors for changes made to the clipboard and captures screenshots (every three minutes) as well. 

In July 2022, ScarCruft, a North Korean threat actor who operates in North Korean cyberspace, began experimenting with oversized LNK files as a delivery route for RokRAT malware, just a couple of months after Microsoft began blocking macros by default across several Office documents. Check Point has released a new report on its technical analysis of RokRAT that concludes that the malware has not changed significantly over the years, but the deployment method has evolved. RokRAT now uses archives that contain LNK files, resulting in infection chains that move through multiple stages. 

As a result of this round of activity, is another indication of a major trend in the threat landscape, where both APTs, as well as cybercriminals, will try to overcome the restriction on macros coming from untrusted sources. Having made the news in the past few days, a new campaign with the intriguing name "Code on Toast," has raised serious concerns about the vulnerability of software still embedded in widely used systems, even after the retirement of Internet Explorer. According to a joint report by the National Cyber Security Center (NCSC) of South Korea, and AhnLab (ASEC), the incident occurred earlier this year. 

There was a unique way for these malware infections to be spread by using toast pop-up ads as how the campaign was delivered. There is a unique aspect of this campaign that focuses on the way ScarCruft distributes its malware through the use of toast notifications and small pop-ups that appear when antivirus software or free utilities are running. As a result of ScarCruft’s compromise of the server of a domestic ad agency in South Korea, a malicious "toast ad" made by ScarCruft was sent to many South Korean users through a popular, yet unnamed, free piece of software. 

To accomplish ScarCruft’s attack, a zero-day Internet Explorer vulnerability, CVE-2024-38178, with a severity rating of 7.5, must be exploited cleverly. As a consequence of this, Edge users in Internet Explorer mode can potentially execute remote code through a memory corruption bug in the Scripting Engine, which can result in remote code execution. This vulnerability was patched for August 2024 as part of Microsoft's Patch Tuesday update, part of this annual update program. 

By using toast notifications, typically harmless pop-up ads from anti-virus software or utility programs, the group silently delivered malware through a zero-click infection method using a zero-click virus delivery mechanism. As a result, it has become necessary for an attacker to convince a user to click on a URL that has been specially crafted to initiate the execution of malicious code to successfully exploit a vulnerability. 

Having used such advanced techniques, ScarCruft clearly emphasizes the need for South Korea's digital landscape to remain protected from such threats in the future. It is unfortunate that no matter how much effort is put into phasing out outdated systems, security vulnerabilities have caused problems in legacy components like Internet Explorer. Although Microsoft announced it would retire Internet Explorer at the end of 2022, many of the browser's components remain in Windows, or they are being used by third-party products, allowing threat actors to come across new vulnerabilities and exploit them for their purposes. As a result of this campaign, organizations will be reminded of the importance of prioritizing cybersecurity updates and maintaining robust defences against increasingly sophisticated cyber threats backed by governments.
Read more »
North Korea Hackers
ATM Hacking Cyber Attacks Hidden Cobra Linux Malware Malware Attack North Korea North Korea Hackers

North Korean Hackers Develop Linux Variant of FASTCash Malware Targeting Financial Systems

 

A new Linux variant of FASTCash malware has surfaced, targeting the payment switch systems of financial institutions. North Korean hackers, linked to the Hidden Cobra group, have expanded their cyber arsenal to now include Ubuntu 22.04 LTS distributions. Previously, the malware targeted Windows and IBM AIX systems. These payment switches route transactions between ATMs and banks, and the malware intercepts ISO8583 messages, modifying transaction responses from “decline” to “approve.” This manipulation authorizes fraudulent cash withdrawals through money mules. The discovery, made by security researcher HaxRob, revealed the Linux variant’s ability to bypass security tools, as it was first submitted to VirusTotal in June 2023 with no detection. 

It operates by injecting a shared library into a running process on the payment switch server using the ‘ptrace’ system call. FASTCash’s history of ATM cash-out attacks dates back to 2016, with incidents stealing tens of millions of dollars across multiple countries. The U.S. Cyber Command in 2020 attributed these schemes to APT38, part of the Lazarus Group. North Korea’s involvement in global financial theft is well-documented, with the theft of over $1.3 billion linked to this malware and other campaigns. The Linux variant’s ability to evade standard defenses puts financial institutions at heightened risk. Its discovery emphasizes the evolving tactics of North Korean cyber actors, who are continually refining malware to expand their reach. 

HaxRob also noted a new Windows version of FASTCash, submitted in September 2024, demonstrating the ongoing development of this malware. To mitigate this growing threat, financial institutions must strengthen security around payment switch systems, implement real-time monitoring of unusual transaction patterns, and upgrade defenses to detect advanced attack techniques like FASTCash. 

As North Korean hackers continue to develop sophisticated malware variants, financial organizations must prioritize protecting against this persistent threat to prevent unauthorized cash withdrawals and financial losses.
Read more »
VPN
crypto industry Cyber Crime Cypto North Korea VPN

How North Korea is Exploiting the Crypto Industry

How North Korea is Exploiting the Crypto Industry

North Korean operatives have penetrated the blockchain world, and the covert operation has significant implications for global cybersecurity and the integrity of the crypto market.

Recent warnings from U.S. authorities highlight that North Korean IT workers are infiltrating tech and crypto companies, channeling their earnings to support the state's nuclear weapons program. A 2024 UN report states these workers generate up to $600 million annually for Kim Jong Un's regime. 

Hiring these workers, even unintentionally, violates U.N. sanctions and is illegal in the U.S. and many other countries. It also poses a significant security risk, as North Korean hackers often use covert workers to target companies.

North Korea's Cyber Arsenal

North Korea's cyber operations are nothing new, but their infiltration into the crypto industry represents a new frontier. Using fake identities and fabricated work histories, North Korean IT workers managed to secure positions in over a dozen blockchain firms. These operatives, often disguised as freelancers from countries like South Korea, Japan, or China, have leveraged the decentralized nature of the crypto industry to mask their origins and intentions.

The Crypto Industry's Blind Spot

The crypto industry's decentralized and often anonymous nature makes it an attractive target for cybercriminals. The article reveals how North Korean operatives exploited this blind spot, slipping through the cracks of standard vetting procedures. They infiltrated companies by providing fake credentials and using VPNs to obfuscate their actual locations. This tactic allowed them to access sensitive information and potentially manipulate blockchain networks.

Economic Warfare

North Korea's entry into the crypto industry is part of a broader strategy to circumvent international sanctions. By infiltrating blockchain firms, North Korean operatives can siphon off funds, conduct illicit transactions, and launder money. The stolen assets are then funneled back to the regime, bolstering its finances and supporting its nuclear ambitions.

Consequences and Countermeasures

The infiltration severely affects the targeted firms, exposing them to legal risks and undermining their credibility. It also raises broader concerns about the security of the crypto industry. To combat this threat, companies must adopt more stringent vetting processes, enhance cybersecurity measures, and collaborate with international agencies to identify and neutralize such threats.

Read more »
Subscribe to: Posts (Atom)