Until 2015, the Lazarus Group focused mainly on the South Korean and US governments and financial organisations, but in 2016 researchers discovered a shift towards attacks against financial institutions designed to steal money and generate funds for North Korea.
By 2017, North Korean actors had begun to focus on cryptocurrencies. The first known North Korean cryptocurrency operation was in February 2017, with the theft of $7m in cryptocurrency from South Korean exchange Bithumb.
Researchers at security firm Recorded Future have now linked the Lazarus Group to a spear phishing campaign targeting cryptocurrency users and exchanges in South Korea, as well as South Korean college students interested in foreign affairs.
The malware in this campaign includes Chinese terms, which the researchers said indicates either an attempted false flag or a Chinese exploit supplier.
The exploit in question is the Ghostscript exploit (CVE-2017-8291), which has been tailored to target only users of Hancom’s Hangul Word Processor, a Korean word processor that is widely used in South Korea.
The campaign was launched just weeks before North Korean leader Kim Jong-un’s New Year’s speech and subsequent North-South dialogue, and coincided with the bitcoin cryptocurrency’s sharp rise in value, which security commentators believe will increasingly gain attention from cyber attackers.
“The campaign we discovered showcases a clear use of Lazarus TTPs [tactics, techniques and procedures] to target cryptocurrency exchanges and social institutions in South Korea,” the researchers said.
Beyond Korean-speaking Hangul users, the researchers found that targets of this campaign included users of South Korean cryptocurrency exchanges and a group called “Friends of MOFA” (Ministry of Foreign Affairs), which is a group of college students from around South Korea with “a keen interest in foreign affairs.”
According to the researchers, the Ghostscript exploit can be triggered from within an embedded PostScript in a Hangul Word Processor document.
“The attack chain occurs in multiple stages with the PostScript deobfuscating a first stage shellcode that’s been XORed with a hardcoded four-byte key. The shellcode, in turn, triggers the GhostScript vulnerability to execute an embedded DLL that has also been XORed,” the researchers said in a blog post.
“On deobfuscating the payloads, we found 32-bit DLLs built in part on the Destover malware code. Destover has been used in a number of North Korea-attributed operations: most infamously against Sony Pictures Entertainment in 2014, the Polish banking attacks in January 2017, and the first WannaCry victim in February 2017,” they said.
This campaign, the researchers found, relies on multiple payloads fashioned out of the Destover infostealer code to collect information about the victim system and exfiltrate files.
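As an added, defender-side example that is not part of the Recorded Future report or the original article, the following Python triage helper recovers a hardcoded, repeating four-byte XOR key of the kind the researchers describe, using the PE DOS-stub text as known plaintext and confirming the result by checking for a valid MZ/PE header. The sample blob and key are constructed here for illustration, not taken from the campaign.

```python
"""Triage helper: recover a repeating four-byte XOR key from a blob suspected
to hold an obfuscated PE (DLL) payload, using known plaintext (a crib)."""
import struct
from typing import Optional

CRIB = b"This program"  # DOS stub text present in almost every PE file


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (used both to decode and to build the sample)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Check for the MZ signature and a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor4_key(blob: bytes) -> Optional[bytes]:
    """Slide the crib over the blob; each offset yields one candidate key.
    A candidate is accepted only if the whole crib decodes and a PE emerges."""
    for off in range(len(blob) - len(CRIB)):
        key = bytearray(4)
        for i in range(4):  # four crib bytes fix all four key bytes
            key[(off + i) % 4] = blob[off + i] ^ CRIB[i]
        candidate = bytes(key)
        decoded = xor_repeat(blob, candidate)
        if decoded[off:off + len(CRIB)] != CRIB:
            continue
        if looks_like_pe(decoded):
            return candidate
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped payload (hypothetical, not real malware)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    stub = b"This program cannot be run in DOS mode."
    hdr[0x4E:0x4E + len(stub)] = stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


SAMPLE_KEY = b"\x13\x37\xc0\xde"  # constructed key, not from the campaign
SAMPLE_BLOB = xor_repeat(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_xor4_key(SAMPLE_BLOB))
```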
Researchers believe this late 2017 campaign is a continuation of North Korea’s interest in cryptocurrency, which encompasses a broad range of activities including mining, ransomware and theft.
“Outside of the WannaCry attack, the majority of North Korean cryptocurrency operations have targeted South Korean users and exchanges, but we expect this trend to change in 2018.
“We assess that as South Korea responds to these attempted thefts by increasing security (and possibly banning cryptocurrency trading) they will become harder targets, forcing North Korean actors to look to exchanges and users in other countries as well,” the researchers said.