By Chris Doman, Fernando Martinez and Jaime Blasco
We took a brief look at some documents discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a group of attackers reportedly based in North Korea. One malicious document appears to target participants of a recent G20 financial meeting on coordinating economic policy between the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb cryptocurrency exchange in South Korea.
This article stands very much on the shoulders of other work by researchers in South Korea. Credit for initially identifying these documents goes to @issuemakerslab, @_jsoo_ and others.
We looked at three similar malicious documents:
- 국제금융체제 실무그룹 회의결과.hwp ("Results of the international financial system working group meeting") - cf09201f02f2edb9c555942a2d6b01d4
- 금융안정 컨퍼런스 개최결과.hwp ("Results of the financial stability conference") - 69ad5bd4b881d6d1fdb7b19939903e0b
- 신재영 전산담당 경력.hwp ("[Name], IT staff, career history") - 06cfc6cda57fb5b67ee3eb0400dd5b97
The decoy document, mentioning the G20 International Financial Architecture Working Group Meeting
The decoy document of a resume
These are Hangul Word Processor (“HWP”) files, the format of a word processor widely used in South Korea. The HWP files contain malicious PostScript code that downloads either a 32-bit or a 64-bit version of the next stage from:
- https://tpddata[.]com/skins/skin-8.thm - eb6275a24d047e3be05c2b4e5f50703d - 32 bit
- https://tpddata[.]com/skins/skin-6.thm - a6d1424e1c33ac7a95eb5b92b923c511 - 64 bit
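For analysts who want to triage similar files, the following Python script is an added example and is not tooling from the original article. It assumes the standard HWP 5.0 layout (an OLE compound document whose BinData/BIN*.eps streams are stored as raw deflate, i.e. zlib with wbits=-15) and scans each embedded PostScript stream for constructs typical of droppers rather than of images: exec, xor decode loops, large hex blobs, file operators and URLs. The embedded EPS is constructed for the demonstration and is not one of the samples above; reading a real file requires the third-party olefile package, which only the scan_hwp wrapper needs.

```python
"""Triage helper for HWP 5.0 documents: decompress BinData streams and flag
PostScript payloads that look like downloaders or droppers.

Added example, not the article's own tooling. Assumptions: HWP 5.0 files are
OLE compound documents and their BinData/BIN*.eps streams hold raw deflate
data (zlib, wbits=-15). The demo EPS below is constructed for this example
and is not taken from the samples discussed in the article.
"""
import re
import zlib

# PostScript constructs rarely needed by a picture but common in droppers.
SUSPICIOUS_PATTERNS = {
    "exec": re.compile(rb"\bexec\b"),
    "xor_decode_loop": re.compile(rb"\bxor\b"),
    "long_hex_string": re.compile(rb"<[0-9A-Fa-f\s]{512,}>"),
    "file_or_run": re.compile(rb"\b(?:file|run|filenameforall)\b"),
    "url": re.compile(rb"https?://[^\s)>]+"),
}


def decompress_bindata(raw: bytes) -> bytes:
    """HWP stores BinData streams as raw deflate (no zlib header/trailer).
    If inflation fails, assume the stream was stored uncompressed."""
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def is_postscript(data: bytes) -> bool:
    """EPS payloads embedded in HWP start with the usual PostScript magic."""
    return data.lstrip().startswith(b"%!PS")


def scan_postscript(data: bytes) -> dict:
    """Return {indicator_name: [up to 5 truncated matches]} for one stream."""
    hits = {}
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        found = pattern.findall(data)
        if found:
            hits[name] = [m.decode("latin-1", "replace")[:80] for m in found[:5]]
    return hits


def scan_hwp(path: str) -> dict:
    """Walk the BinData storage of an HWP file and scan every PostScript entry.
    Needs the third-party `olefile` package (pip install olefile)."""
    import olefile  # optional dependency; only this wrapper uses it
    results = {}
    with olefile.OleFileIO(path) as ole:
        for entry in ole.listdir(streams=True):
            if entry[0] != "BinData":
                continue
            data = decompress_bindata(ole.openstream(entry).read())
            if is_postscript(data):
                results["/".join(entry)] = scan_postscript(data)
    return results


# Constructed demo payload (not a real sample): an EPS that defines a long hex
# string, xor-decodes it in a loop and executes the result.
DEMO_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"/buf <" + b"41" * 300 + b"> def\n"
    b"/key 16#5A def\n"
    b"0 1 buf length 1 sub { buf exch dup buf exch get key xor put } for\n"
    b"buf cvx exec\n"
)


def _raw_deflate(data: bytes) -> bytes:
    """Mimic how HWP stores a stream: raw deflate without zlib framing."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


DEMO_STREAM = _raw_deflate(DEMO_EPS)


def demo() -> dict:
    """Inflate the constructed stream and scan it, as scan_hwp would."""
    data = decompress_bindata(DEMO_STREAM)
    return scan_postscript(data) if is_postscript(data) else {}


if __name__ == "__main__":
    for name, matches in demo().items():
        print(f"{name}: {matches}")
```

On a real file, run scan_hwp(path) and treat any BinData entry that reports exec together with a long hex string or an xor loop as worth detonating in a sandbox; legitimate EPS images embedded by HWP almost never need those operators.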
These samples communicate with:
Is this related to the recent Bithumb heist?
If you follow cryptocurrency, you may have heard about some thefts reported this month for South Korean cryptocurrency exchanges:
Report from the Guardian
Reports within South Korea have suggested that the thefts from Bithumb started with malicious HWP files sent earlier in May and June. The same reports linked the files to previous attacks by Lazarus and noted that faked resumes were involved.
A South Korean news report on a local security company's investigation into the thefts shows some very familiar-looking malware samples that were sent to cryptocurrency organisations:
Screen-stills from a KBS news report
Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect.
There were reports earlier this month of related malicious HWP documents from Lazarus targeting cryptocurrency users in South Korea. In that case, we noticed a number of cryptocurrency phishing domains registered to the same phone number as a domain (itaddnet[.]com) used to deliver some of the malware.
It may be that the attackers are phishing for credentials, in addition to delivering malware:
A forum discussion by South Korean crypto-currency users discussing a phishing attack from the domain coinoen[.]org
It is unusual to see Lazarus registering domains; normally they prefer to compromise legitimate websites. So this would be an atypical attack if it is indeed run by members of Lazarus.
If the attackers behind the Bithumb heist are indeed Lazarus - they were likely aided by knowledge from a previous hack. They were linked to a theft of $7 million from Bithumb, and other cryptocurrency exchanges, back in 2017:
Some selected attacks by different sub-groups of Lazarus, from "APT Attacks Targeting Financial Institutions" by Ashley Shen, Kyoung-ju Kwak and Min-Chang Jang
These attacks are part of a large number of attacks against banks, including the attempted theft of $1 billion from the Bank of Bangladesh and attacks against ATM networks. The group is also well known for the WannaCry and Sony Pictures attacks.
It’s clear that the thefts by Lazarus won’t stop anytime soon given the gains available: the (partially successful) attempt to steal $1 billion from the Bank of Bangladesh represents around 3% of North Korea’s reported GDP. Thefts from South Korean organisations have the double impact of weakening North Korea's closest competitor.
Earlier this month there were also reports that Lazarus stole $10 million from a Chilean bank, destroying thousands of computers in the process of covering their tracks.
Additional indicators are available in our OTX Pulse.
Potentially related phishing domains:
ETPRO TROJAN Win32/Agent.WTE HTTP CnC Beacon
ETPRO TROJAN Win32/Agent.WTE/Manuscrypt HTTP CnC Beacon