Korean-speaking threat groups strike close to home
Korean-speaking cyber threat groups seem to be ‘waging war’ on the Korean peninsula and across Southeast Asia, according to a new report from cybersecurity firm Kaspersky.
Kaspersky’s APT Trends Report Q3 2019 indicates that there are plenty of threats targeting the region.
One of those threats includes an Android malware disguised as a mobile messenger or cryptocurrency apps. The Korea Computer Emergency Response Team (CERT) and Kaspersky investigated the malware and linked it to a Windows malware strain called KONNI.
“KONNI is a Windows malware strain that has been used in the past to target a human rights organisation and personalities with an interest in Korean Peninsula affairs,” Kaspersky explains.
“It is also known for targeting cryptocurrencies by implementing full-featured functionalities to control an infected Android device and steal personal cryptocurrency using these features.”
One of the most notorious APT threat groups, Lazarus, and its financial arm BlueNoroff, is being watched by Kaspersky. According to the company, researchers have been able to access information about how the threat group moves laterally to access high-value hosts and banks.
Kaspersky says that BlueNoroff uses a sophisticated malicious software that can run as a passive or active backdoor, or even a tunnelling tool, depending on the command line parameters. BlueNoroff is also evading detection by constantly changing its Powershell script.
"Targeted attacks against financial institutions combine sophisticated techniques - that were previously seen only in APT attacks - with typical criminal infrastructures used to launder the stolen goods,” comments Kaspersky global research & analysis team director Costin Raiu.
“In Q3, we've seen advanced threat actors such as Andariel and Lazarus' BlueNoroff arm attempting to breach not only banks, but investment companies and cryptocurrency exchanges, among others. We advise all companies in APAC to be vigilant and take precautions to guard against such attacks.”
Another Lazarus group called Andariel APT Group has also attempted to build a new command and control infrastructure that exploits Weblogic servers through vulnerability CVE-2017-10271.
According to Kaspersky, the group was successful in similar trials. In one case, it used a legitimate signature from a South Korean security software vendor to implant malware. The case was quickly dealt with through the quick actions of the South Korean CERT.
The Q3 APT Trends report summarises the findings of Kaspersky Lab’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware hunting.