Pyongyang Electronic Army. How North Korean hackers operate.

Brother



North Korea has begun a demonstrative demilitarization, but the freed-up resources are being spent on a war of a different format - cyberwar. It is remarkable that, despite its information isolation, the country manages to carry out successful attacks on the infrastructure of far more developed nations. We will analyze the most ambitious of these attacks and shed light on the actions of the hacker groups whose activities are funded by the DPRK government.

Both in numbers and in skill!

Experts from ClearSky Cyber Security, FireEye, CrowdStrike and NTT Security agree that the potential of the DPRK cyber army is greatly underestimated. Its headcount is currently estimated at 7 to 10 thousand - an order of magnitude more than serve in USCYBERCOM at Fort Meade. More accurate figures are not yet available, since North Korean hackers conduct most of their activity outside their home country.

Unlike ordinary citizens, who are doomed to spend their entire lives in the northern part of the peninsula, they are sent on "internships" and "business trips" abroad. Most of the hackers are recruited from among mathematics students, who agree to do the government's dirty work for a variety of reasons.

Traditional indoctrination works poorly on young IT professionals, but the prospect of traveling abroad is very appealing to them. Some even muster the courage to ask for political asylum and never return to their homeland.

This is difficult for the students themselves (their families are effectively held hostage), but their supervisors sometimes have nothing to lose. That is what Kim Hyun Kwan, a mathematics professor who fled to South Korea, decided to do. He still keeps in touch with some of his students and knows how their lives have turned out.

INFO

In preparing this article, we used both open sources and closed technical reports prepared for the US government by various expert groups in 2017-2019. Copies of the latter are only distributed to authorized persons in accordance with provisions B and C of the DoDI 5230.24 directive. These documents were not supposed to get into the public domain (and even more so in the search results). However, I was able to find them using Google dorks in the .mil and .gov domains, as well as by "closed" links in cloud storage. Thanks to everyone who values convenience over privacy!

APT37 (aka Reaper, Scarcruft, Group123)

This group became famous for using a wide range of exploits, including zero-day vulnerabilities now tracked as CVE-2018-0802 and CVE-2018-4878. The mass exploitation of the latter was first discovered by specialists from the South Korean cybersecurity unit KR-CERT, since APT37's main targets were precisely the government and financial organizations of its southern neighbor.

On February 1, 2018, Adobe acknowledged that Flash Player 28.0.0.137 and earlier contained a critical vulnerability that in theory allowed full remote control on any operating system: Windows (including 10), Linux, macOS and Chrome OS. In practice, attacks were only observed against Windows users. They received phishing emails whose attachments were maliciously modified documents with embedded Flash objects.

APT37's secondary targets were industrial and healthcare facilities in Japan and Vietnam. This may not have been the result of targeted attacks but merely a side effect of the chosen tactics, since the first-stage malware was additionally distributed via torrents.

Once on the victim's computer, the malware sent requests to a range of IP addresses belonging to the STAR-KP network, a joint venture between the North Korean government's Postal and Telecommunications Corporation and Thailand-based Loxley Pacific. The C&C servers used by APT37, physically located in Pyongyang, were registered on the same network.

The largest APT37 attacks. Infographic: Cisco Talos Intelligence Group

Arsenal

Almost all of APT37's network attacks were carried out in several stages. A whole ecosystem of different malware types was gradually assembled on the infected computers, tailored to the software installed on a given user's machine and its vulnerabilities.

Typically, in the first stage of an attack, APT37 slipped the victim GelCapsule or HappyWork through torrents, phishing emails, or compromised websites on a particular subject. Each is a Trojan-Downloader: malware that performs no malicious function by itself but stands ready to download and install other malware on the victim's system on command from the C&C server.

In APT37's case, the downloader most often fetched the MilkDrop and SlowDrift launchers and registered them for autorun. Of these, MilkDrop looks like a beginner's first attempt, while SlowDrift is a fairly advanced backdoor that talks to its C&C servers through cloud infrastructure. It executes a wide range of remote commands, including searching for, sending and deleting files, and can also install other malware itself.

Another backdoor frequently used (and possibly written) by APT37 is PoorAim. Between 2014 and 2017 it was used in campaigns against South Korean media organizations and sites linked to North Korean defectors. PoorAim collected system data and lists of running processes to look for vulnerable components, sent screenshots and copies of browser bookmarks, and used AIM (AOL Instant Messenger) to mask its communications with the C&C.

With the shutdown of AIM, from April 2017 APT37 began using other backdoors in place of PoorAim, in particular DogCall and Karae. For covert communication with the C&C these already used cloud APIs, including Box, Dropbox and Yandex.

Karae is not particularly remarkable, but DogCall is an advanced piece of malware capable of recognizing when it is launched in a virtual environment and of hindering analysis of its code. It was even distributed as an encrypted binary that was decrypted only on the victim's computer by other malicious components, in particular WineRack.

WineRack is a sophisticated backdoor whose main functions include collecting information about users and hosts, creating and terminating processes, and manipulating the file system and registry. WineRack got its name because it spawns a reverse shell that uses statically linked code from Wine's cmd to emulate the Windows command line.

DogCall also contains keylogger components. It can log keystrokes and take screenshots to intercept passwords typed through the on-screen keyboard.

In the wild, DogCall was discovered during an investigation into attacks on government agencies and military organizations in South Korea in the spring of 2017. It might have remained unnoticed had APT37 not decided, in the final stage of the attack, to use another component - the RUHappy wiper.

RUHappy may be the most notorious malware in the APT37 arsenal. It was often found on compromised computers alongside DogCall, usually in an inactive state. Analysis showed that on receiving a command from the C&C, RUHappy deleted part of the Master Boot Record (MBR) and rebooted the computer. Starting the OS then became impossible, and the screen displayed the message "Are You Happy?", hence the wiper's abbreviated name.

In reality, this rarely happened. Modern computers mostly use EFI loaders and GPT partitioning, and for older ones there have long been ways to protect the MBR from overwriting and to restore it quickly. So RUHappy did little actual harm, but it made a lot of noise.

Speaking of noise, APT37 has several times used a sniffing utility called SoundWave. It duplicated everything from the microphone input into files under %TEMP%\HncDownload\*.log, cut them into 100-minute chunks and sent them off somewhere inside STAR-KP, using the current date and time as the file name. Since the Trojan performed no destructive actions, it went unnoticed for a long time: a 2018 investigation found it had been installed on some systems since mid-2015.

In addition to audio, APT37 searched infected computers for files of certain types and exfiltrated them. These were mainly documents containing one of a set of keywords. The search was carried out by the CoralDeck Trojan, which packed copies of the found files into an archive, set a password on it, and sent it to North Korean servers with an HTTP POST. Interestingly, the ZIP format was used at first, but for greater reliability APT37 later switched to WinRAR, whose password protection is known for its resistance to brute force.
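As an added example (not from the article or any of the reports it cites), the following Python check looks for the exfiltration pattern just described from the defender's side: HTTP POST bodies that begin with a ZIP or RAR signature, with the "encrypted" flag read from the ZIP local file header. The hosts, allowlist and request records are constructed sample data.

```python
import io
import struct
import zipfile
from typing import Optional

# Archive signatures: ZIP local file header, RAR 4.x and RAR 5.x marker blocks.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"


def classify_archive(body: bytes) -> Optional[str]:
    """Return 'zip', 'zip-encrypted', 'rar' or None for an HTTP request body."""
    if body.startswith(RAR5_MARKER) or body.startswith(RAR4_MARKER):
        return "rar"
    if body.startswith(ZIP_LOCAL_HEADER) and len(body) >= 8:
        # Local file header layout: signature(4) version(2) flags(2) ...
        # Bit 0 of the general purpose flags marks an encrypted entry.
        (flags,) = struct.unpack_from("<H", body, 6)
        return "zip-encrypted" if flags & 0x0001 else "zip"
    return None


def flag_archive_posts(requests, allowed_hosts):
    """Return (host, kind) for each POST that uploads an archive to a host
    outside the allowlist; GETs and ordinary form posts are ignored."""
    hits = []
    for method, host, body in requests:
        if method != "POST" or host in allowed_hosts:
            continue
        kind = classify_archive(body)
        if kind is not None:
            hits.append((host, kind))
    return hits


def _make_zip(encrypted_flag: bool) -> bytes:
    """Build a small ZIP in memory. Optionally set the 'encrypted' bit in the
    first local header to mimic a password-protected archive (constructed
    sample only; the data itself is not really encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", b"constructed sample document")
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[6] |= 0x01
    return bytes(data)


# Constructed sample traffic: (method, destination host, request body).
SAMPLE_REQUESTS = [
    ("POST", "files.example.internal", _make_zip(False)),     # legitimate upload
    ("POST", "203.0.113.10", _make_zip(True)),                # password-protected ZIP
    ("POST", "203.0.113.11", RAR4_MARKER + b"\x00" * 64),     # RAR archive
    ("POST", "www.example.com", b"user=alice&action=login"),  # ordinary form post
    ("GET", "203.0.113.10", b""),
]
ALLOWED_HOSTS = {"files.example.internal"}

if __name__ == "__main__":
    for host, kind in flag_archive_posts(SAMPLE_REQUESTS, ALLOWED_HOSTS):
        print(f"archive upload to {host}: {kind}")
```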

Another geographic marker of APT37 is its frequent exploitation of vulnerabilities in Hangul Word Processor (HWP) by the South Korean company Hancom. Named after the Korean Hangul alphabet, it is practically unknown outside the Korean Peninsula. APT37 used HWP exploits for rapid deployment of SlowDrift as an alternative to the two-step infection scheme through GelCapsule.

In May 2017, APT37 used a bank liquidation letter as phishing bait for a board member of a Middle Eastern financial company. The email carried a modified attachment with an exploit for CVE-2017-0199, a vulnerability in Microsoft Office that had been disclosed less than a month before the attack began. Through it, APT37 deployed ShutterSpeed, a backdoor capable of collecting system information, taking screenshots, sending the collected data to North Korean servers, and executing arbitrary executable code on remote command.

In addition to phishing emails, hacked websites of South Korean companies and educational institutions often served as the source of infection. Their pages carried RiceCurry, a JavaScript profiler used to identify the victim's OS, web browser and browser plugins. This information made it possible to select specific vulnerabilities and use them to deliver other malicious components.

Of particular note is ZumKong, a Trojan that steals saved passwords from the IE and Chrome browsers. The collected passwords were sent in HTTP POST requests and ended up in a mailbox registered at zmail.ru, the mail service of the Zenon NSP company. Analysts initially took this as a "Russian trace", but quickly found a discrepancy: the requests of the droppers that delivered ZumKong, and of the backdoors associated with it, went to the already familiar STAR-KP network, which has nothing to do with Russia.

The very use of exploits, and especially of 0-day vulnerabilities, indicates APT37's high skill level, but this is not the only hacker group acting in the interests of the DPRK government.

APT38

As I read the reports on this group, my imagination pictured the director of the National Intelligence Agency, Seo Hoon, summoning the leaders of Division 180 and Directorate 121. Together they walk to the Sixth Technical Bureau and Laboratory Building 110. A few minutes later the delegation walks along a line of APT37 hackers and transfers the most distinguished of them to APT38. The chief looks them over with a penetrating gaze and remains impressively silent, but his eyes clearly say: "Congratulations on your promotion, fighters of the invisible front!"

Seriously though, all these subordinate organizations do exist, but APT38 is merely a label used by Western analysts. It denotes another large group of hackers (or an association of them) that is not tied to APT37 but clearly acts in the interests of the DPRK government. It does not follow that they are trained at the same technical bureau.

One thing is certain: APT38's specialty is stealing money. It focuses on the SWIFT interbank network and knows its features very well, using them in complex laundering schemes. APT38 is presumed to have connections with Lazarus (the shared tools and tactics suggest as much), but there is as yet no reason to equate the two.

To date, APT38 has attacked at least sixteen financial institutions in thirteen countries, among them the Mexican state banking agency Bancomext (January 2018) and one of the largest banks in Chile, Banco de Chile (May 2018). The main feature of APT38's strategy is long-term covert control of infected computers: the average time from deployment to discovery is five months, and the maximum is two years.

Another very characteristic trait is the aggressive destruction of evidence when detected. Typically, individual APT38 malware resides in memory and watches for the execution of forensic analysis utilities, blocking their use. Malicious components on compromised machines are often not simply removed but overwritten together with the logs, while the file attributes (first of all the creation and last access dates) are changed at the same time.

To counter this, forensic experts had to shut down suspicious machines and dig through offline dumps instead of examining live processes, which makes it much harder to establish network interactions and recover encryption keys. In addition, the code of the discovered malware used anti-debugging and obfuscation methods at every step. For example, executables were wrapped in the Enigma, Themida (aka X-Protector), Obsidium and VMProtect protectors, and individual modules were encrypted with the Spritz stream cipher or AES.

Instead of several hours, analyzing them took months of hard work, and in that time the APT38 criminal scheme had time to change. In short, the experts found a worthy opponent.

APT38 attack scheme on SWIFT. Infographic: FireEye

Arsenal

During the reconnaissance phase, APT38 often uses MapMaker, a scanner of active network connections. It queries the operating system for the table of open TCP IPv4 connections and writes it to a log.

One of APT38's hallmarks is the extensive use of passive backdoors. They simply wait for a command from other network nodes of the attacked organization, which signals that those nodes have been infected and that the next phase is beginning. Some of them, however, are able to switch to active mode.

That is what CheeseTray does, an advanced backdoor with proxy support. It communicates with the C&C server over its own binary protocol, using a different TCP port each time, passed as a command-line parameter. CheeseTray can search for specific files by given criteria and save lists of active processes, installed drivers and running services. It monitors remote desktop sessions, downloads additional malicious components, unloads "interfering" processes, and spawns a reverse shell. In short, it performs deep reconnaissance and provides almost complete remote control.

Besides CheeseTray, APT38 became known for a distinctive fileless backdoor, NestEgg. It exists only in RAM, so it could not be caught by offline analysis. In addition to the usual file and process manipulation, it creates Windows Firewall rules to allow inbound traffic on a specified port.

Apart from its own malware, APT38 also uses modified versions of publicly available tools. One example is DarkComet, an advanced remote administration tool (RAT) with more than sixty functions: collecting system information, searching and changing registry keys, changing and adding startup items, scanning networks, managing processes, downloading arbitrary files, and restarting or shutting down the computer. Another third-party program favored by APT38 was the JspSpy web shell; its code is available on GitHub and is easy to fork.

APT38 falsifies banking transactions using DyePack, a set of malicious programs that substitute data in the SWIFT system. The set is covertly delivered to the victim's computer in encrypted form. A variant called DyePack.Fox is also known; it can additionally alter data in PDF files (in this case, the automatically generated reports on SWIFT transactions).

INFO

In early 2019, a kind hacker whose white hat had turned a little gray with age obtained DyePack samples, reversed them with IDA Pro and Ghidra, and posted the result on GitHub. Learn, improve... enjoy!

To activate the payload on the victim's computer, APT38 most often used the BlindToAd loader. It is a 64-bit dynamic library that reads an encrypted file from disk, decrypts it in RAM and launches it.

When detection threatens, a program to cover the tracks, CleanToAd, can be launched on the victim's computer. It removes malicious files using the CloseShave utility, which renames a file before deleting it and fills the space it occupied with zeros.

CleanToAd then clears the Windows event logs and other logs and overwrites the creation and last access dates in their attributes. CleanToAd also injects shellcode into the notepad.exe process in order to quickly re-infect the computer. Sometimes, when an alarm is triggered, the BootWreck wiper is launched as well. It erases the original MBR, preventing the computer from booting.

In addition to stealing money through SWIFT, APT38 has also engaged in extortion. The group used the Hermes ransomware Trojan, which read the disk partition layout and started a separate thread for each partition. It quickly encrypted all user files with AES using a 256-bit key, then deleted the originals and displayed a ransom message.

Each APT38 attack was unique, but their overall lifecycle looks like this:
  1. Collecting information about the mechanism of transactions in the SWIFT system from the victim organization. APT38 never hacked SWIFT itself, achieving its goals by attacking third-party software and conducting targeted phishing attacks against personnel with access to SWIFT.
  2. Initial intrusion through vulnerable components (most often an old version of the Apache Struts framework).
  3. Download malicious software to scan the system in-depth, collect credentials, and study network topology.
  4. Launching fake servers to carry out MitM attacks. They gave access to segmented internal systems and helped avoid detection.
  5. The actual transfer of funds. Backdoors and reverse shells were used to send fake transactions from the infected system and alter their history to deceive the SWIFT system. Money was usually transferred in small amounts (below the threshold that triggers protective controls) to banks in different countries, from where it moved on to others, and so on until the trail was lost. By the time of the investigation it often turned out that one of the intermediate banks no longer existed.
  6. Destruction of evidence (triggered only if there were signs of opposition and the launch of security scanners).
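As an added example (not from the article or from FireEye's reporting), the following Python triage logic targets step 5 from the defender's side: one originating account sending a burst of transfers that each sit just under a review threshold, to many different beneficiary banks, within a short window. The threshold, window and payment records are constructed assumptions, not values from any real incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection parameters (constructed for this example).
THRESHOLD = 1_000_000        # amount at which a payment would get manual review
WINDOW = timedelta(hours=6)  # how close together the transfers must be

# Constructed outgoing payment records as a back-office system might log them:
# (timestamp, originating account, beneficiary bank, beneficiary country, amount).
SAMPLE_PAYMENTS = [
    ("2018-01-09T01:02:00", "NOSTRO-01", "BANK-A", "XA", 980_000),
    ("2018-01-09T01:05:00", "NOSTRO-01", "BANK-B", "XB", 975_000),
    ("2018-01-09T01:09:00", "NOSTRO-01", "BANK-C", "XC", 990_000),
    ("2018-01-09T01:14:00", "NOSTRO-01", "BANK-D", "XD", 960_000),
    ("2018-01-09T01:20:00", "NOSTRO-01", "BANK-E", "XE", 985_000),
    ("2018-01-09T14:00:00", "NOSTRO-02", "BANK-F", "XF", 50_000),  # routine payments
    ("2018-01-09T15:30:00", "NOSTRO-02", "BANK-F", "XF", 45_000),
]


def find_structured_bursts(payments, threshold=THRESHOLD, window=WINDOW,
                           min_count=4, min_ratio=0.9, min_banks=3):
    """Return one alert per originating account whose transfers, each just
    under `threshold` (at least min_ratio * threshold), reach at least
    `min_banks` distinct beneficiary banks within `window`. The alert
    describes the largest such burst found for that account."""
    by_account = defaultdict(list)
    for ts, acct, bank, country, amount in payments:
        if min_ratio * threshold <= amount < threshold:
            by_account[acct].append((datetime.fromisoformat(ts), bank, country, amount))

    alerts = []
    for acct, rows in by_account.items():
        rows.sort()
        best = None
        start = 0
        # Sliding window over the time-ordered candidate transfers.
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            banks = {b for _, b, _, _ in burst}
            if len(burst) >= min_count and len(banks) >= min_banks:
                if best is None or len(burst) > best["count"]:
                    best = {
                        "account": acct,
                        "count": len(burst),
                        "banks": sorted(banks),
                        "countries": sorted({c for _, _, c, _ in burst}),
                        "total": sum(a for *_, a in burst),
                        "first": burst[0][0].isoformat(),
                        "last": burst[-1][0].isoformat(),
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_structured_bursts(SAMPLE_PAYMENTS):
        print(f"{alert['account']}: {alert['count']} transfers totalling "
              f"{alert['total']:,} to {len(alert['banks'])} banks "
              f"between {alert['first']} and {alert['last']}")
```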

It seems that the DPRK has long regarded its cyber army as a source of income. North Korean government hackers reached self-sufficiency back when they were robbing South Korean, Chinese and Japanese gamers: they resold the stolen accounts and cashed out the in-game currency, receiving very real won and dollars for virtual money.

A couple of years ago the stakes rose. The main target became SWIFT, along with cryptocurrency exchanges and large bitcoin investors. Traces of the hacks of the Japanese exchange Coincheck in 2018 and the South Korean Youbit a year earlier lead to Pyongyang, and the total stolen exceeds $559 million - from just two exchanges!

Social engineering remains the main method for mass attacks. Vulnerabilities get patched and technology changes, but people do not. In that same year, 2017, the DPRK began registering Facebook accounts en masse, which was surprising in itself. Comparing the profiles was even more interesting: as further investigation showed, they were all made from the same template.

Thousands of imaginary "crypto-investors from the USA and Europe" struck up acquaintances with real ones through the social network and then, under various pretexts, sent them an infected document in order to grab the wallet.dat file from its default location and capture the password to it as it was typed.

By then the hackers had already learned from the correspondence which wallet the victim used to store cryptocurrency. Asked head-on, such a question would alert anyone, but a request for a recommendation, on the contrary, encouraged further conversation. A simple principle then did the work: a person is most likely to recommend what they use themselves. The chronology of APT38's development and its techniques can be traced in more detail in the article "Hacking in North Korean Style".

Conclusions

Hackers in the service of the state are the norm in any modern country. How else to wage undeclared wars and defend state interests in a behind-the-scenes struggle? North Korea stands out from the crowd in both its goals and its means of achieving them. If the main task of government hackers in developed countries comes down to gathering intelligence, and China's to stealing promising technologies, then for the DPRK its cyber army has also become a significant source of income, especially against the backdrop of sanctions pressure. The latest report for the US Department of Justice contains these lines: "... despite the measures taken and international cooperation in the banking sector, the activities of APT38 still pose a threat to the SWIFT system and financial institutions around the world."