Malicious Documents from Lazarus Group Targeting South Korea

June 22, 2018 | Chris Doman

By Chris Doman, Fernando Martinez and Jaime Blasco

We took a brief look at some documents recently discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the economic policies between the wealthiest countries. Another is reportedly related to the recent theft of $30 million from the Bithumb crypto-currency exchange in South Korea.

This article stands very much on the shoulders of other work by researchers in South Korea. Credit for initially identifying these documents goes to @issuemakerslab, @_jsoo_ and others.

Malicious Documents

We looked at three similar malicious documents:

The decoy document, mentioning the G20 International Financial Architecture Working Group Meeting

The decoy document of a resume

These are Hangul Word Processor (“HWP”) files, the format of a South Korean document editor. The HWP files contain malicious PostScript code that downloads either a 32-bit or 64-bit version of the next stage from:

The malware is Manuscrypt (previously described by McAfee and others), and communicates by impersonating South Korean forum software:

These samples communicate with:

  • https://www.anlway[.]com/include/arc.search.class.php
  • https://www.apshenyihl[.]com/include/arc.speclist.class.php
  • https://www.ap8898[.]com/include/arc.search.class.php
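As an added detection example (not from the original post), the three C2 URLs above can be split into hosts and forum-software paths and run over proxy logs, so that the same implant path showing up on a not-yet-listed host is still flagged. The log line format and the sample lines are constructed assumptions:

```python
import re
from urllib.parse import urlsplit

# The three Manuscrypt C2 URLs listed in the post, kept in the post's defanged form.
MANUSCRYPT_C2_URLS = [
    "https://www.anlway[.]com/include/arc.search.class.php",
    "https://www.apshenyihl[.]com/include/arc.speclist.class.php",
    "https://www.ap8898[.]com/include/arc.search.class.php",
]

def split_iocs(urls):
    """Refang each URL ("[.]" -> ".") and split it into its host and its path,
    so that a hit on either part can be reported separately."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url.replace("[.]", "."))
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths

KNOWN_HOSTS, KNOWN_PATHS = split_iocs(MANUSCRYPT_C2_URLS)

# Assumed proxy log shape (constructed for this example): "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def classify(line):
    """Return (verdict, client, host, path) for one log line, or None if nothing matches.
    exact: host and path both listed; path: the forum-software path on an unlisted host
    (same implant, possibly a new C2); host: a listed C2 host serving some other path."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    host, path = (parts.hostname or "").lower(), parts.path
    host_hit, path_hit = host in KNOWN_HOSTS, path in KNOWN_PATHS
    verdict = "exact" if host_hit and path_hit else "path" if path_hit else "host" if host_hit else None
    return (verdict, m.group("src"), host, path) if verdict else None

def scan(lines):
    """Run classify() over a whole log and return every hit, in order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log: exact C2 hit, benign request, listed path on a new host, listed host with another path.
SAMPLE_LOG = """\
2018-06-20T09:12:01Z 10.0.0.15 POST https://www.anlway.com/include/arc.search.class.php 200
2018-06-20T09:12:05Z 10.0.0.15 GET https://www.example.com/index.html 200
2018-06-20T09:13:44Z 10.0.0.22 POST https://cdn.example.net/include/arc.speclist.class.php 200
2018-06-20T09:14:02Z 10.0.0.22 GET https://www.ap8898.com/favicon.ico 404
"""
```

Calling scan(SAMPLE_LOG.splitlines()) returns three hits: the exact C2 beacon, the path-only hit on cdn.example.net, and the host-only hit for the favicon request.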

Is this related to the recent Bithumb heist?

If you follow cryptocurrency, you may have heard about some thefts reported this month for South Korean cryptocurrency exchanges:

Report from the Guardian

Reports within South Korea have suggested that the thefts from Bithumb started with malicious HWP files earlier in May and June. They also mention that the attacks are linked to previous attacks by Lazarus and involved faked resumes.

A report by a South Korean news organisation on a South Korean security company's investigation into the thefts shows some very familiar-looking malware samples that were sent to cryptocurrency organisations:

Screen-stills from a KBS news report

Whilst we can’t be certain this malware is responsible for the thefts from Bithumb, it seems a likely suspect.

Other Campaigns

There were earlier reports this month of related malicious HWP documents from Lazarus targeting crypto-currency users in South Korea. In that case, we noticed that a number of crypto-currency phishing domains are registered to the same phone number as a domain (itaddnet[.]com) used to deliver some of the malware.

It may be that the attackers are phishing for credentials, in addition to delivering malware:

A forum discussion by South Korean crypto-currency users discussing a phishing attack from the domain coinoen[.]org

It is unusual to see Lazarus registering domains - normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus.

Historical Attacks

If the attackers behind the Bithumb heist are indeed Lazarus, they were likely aided by knowledge from a previous hack. They were linked to a theft of $7 million from Bithumb, and from other cryptocurrency exchanges, back in 2017:

Some selected attacks by different sub-groups of Lazarus, from "APT Attacks Targeting Financial Institutions" by Ashley Shen, Kyoung-ju Kwak and Min-Chang Jang

These attacks are part of a large number of attacks against banks, including the attempted theft of $1 billion from the Bank of Bangladesh and attacks against ATM networks. The group is also well known for the WannaCry and Sony Pictures attacks.

It’s clear that the thefts by Lazarus won’t stop anytime soon given the gains available: the (partially successful) attempt to steal $1 billion from the Bank of Bangladesh represents 3% of North Korea’s reported GDP. Thefts from South Korean organisations have the double impact of weakening their closest competitor.

Just earlier this month, there were reports that Lazarus stole $10 million from a Chilean bank, destroying thousands of computers in the process of covering their tracks.

Appendix

Additional indicators are available in our OTX Pulse.

File-Hashes


Domains

tpddata[.]com

itaddnet[.]com

wifispeedcheck[.]net

Potentially related phishing domains:

coinoen[.]org

coinmaketcape[.]com

bitfiniex[.]org

URLs

Network Detection

ETPRO TROJAN Win32/Agent.WTE HTTP CnC Beacon

ETPRO TROJAN Win32/Agent.WTE/Manuscrypt HTTP CnC Beacon

About the Author: Chris Doman, AlienVault
I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.