North Korean Cyber-Attacks and Collateral Damage

February 15, 2018 | Chris Doman
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars.

There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions.

Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK.

The Voice of Korea and the Rivts Virus

This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet.

A simple file-infector

We triage many millions of malicious files automatically every day in an effort to ensure our customers are covered from new threats.  One malware family we regularly see, called Rivts by antivirus vendors, was originally created in 2009 but still continues to spread.

Rivts is a file-infecting worm - it spreads across USB drives and hard drives attaching itself to files to spread further. The new files we see everyday are the result of new files being infected with the original worm from 2009 - not new developments by the attacker.

Overall, it’s a fairly boring file infector (or “virus”). But there was one very strange thing that caught our eye.

North Korean Software

As part of its initial infection process, Rivts checks for the presence of system files normally found on Windows XP to infect first. But it seems to expect two pieces of uncommon software in the Windows System folder:

Below are the details of these two files, nnr60.exe and hana80.exe:

Whilst the DPRK is well known for developing its own Linux based operating system, and there is evidence of some DPRK hackers using MacOS, Microsoft Windows is still popular. DPRK software is generally ‘very rare’, but nn660 and hana80 are more common than other DPRK software and could be described as ‘uncommon’. They may be part of the DPRK “standard build” of Microsoft Windows (which we’ve seen called “Windows Standard (KCC)”).We can see from these details that Nnr60.exe and Hana80.exe are pieces of DPRK software created by the Korea Computer Center.

One possible explanation for the reason these files are listed amongst the other Windows system files is that the malware author was developing on a DPRK build of Windows, and simply included a list of all the system files on their own machine.

The Initial Delivery, or Escape, of Rivts

Whilst Rivts continues to propagate, it took us some time to track down the first place it was seen. The first public reference of Rivts we have identified was at the following URL in January 2011:

  • http://www.vok.rep[.]kp/CBC/CBC_download/HMSPlayer.exe

The domain vok.rep[.]kp is the Voice of Korea - the DPRK’s international broadcasting service. It is similar to Voice of America or BBC World:

The Voice of Korea Website vok.rep[.]kp

Who made Rivts?

There are four apparent explanations for the apparent connections between Rivts and the DPRK:

  • Rivts was developed within the DPRK;

  • Rivts was created outside of the DPRK to target systems within the DPRK;

  • Rivts is a false-flag, pretending to be malware created by the DPRK; or

  • The DPRK connections are just a combination of very unlikely coincidences.

In our view the most likely explanation of the facts is that Rivts was developed within the DPRK.

The first file infected with Rivts we have visibility of was in 2011 - but the file meta-data indicates1 it was compiled two years earlier in February 2009 from the following folder:

F:\meWork\ksj\Test\testVir-ga\testvir_non\Debug\testvir_non.pdb

It may be that Rivts bounced around infecting systems within the DPRK for two years, then escaped via the Voice of Korea website:

A learning project?

Rivts contains the word ‘test’ in multiple places, and may be part of a prototype or learning project. We also haven’t identified a backdoor component, which is present in file-infectors used in real attacks (including by Lazarus) to allow the attackers access to compromised networks.

Overall on the scale of threats, Rivts doesn’t rank highly. But it is a reminder that once a worm is released, it continues to spread for a long time. The new samples we receive of Rivts are “echoes” of the first infections - many years from its initial release the virus continues to spread across insecure networks, despite it’s solid detection by most antivirus vendors.

The JML Virus

This wouldn’t be the first time the DPRK has had problems with home-made file-infectors.

The first Lazarus malware likely1 dates back to March 2007. That’s the same month that the South Korean government reported the DPRK had compromised their military networks, stealing plans for responses to Toxic Chemical incidents.

But there is an even earlier description of DPRK malware from New Focus magazine. New Focus describes, based on an interview with a defector, the development of an early file-infector called ‘JML’ in 1997 as part of a student project. The defector notes that JML continued to be under development, and that later variants accidentally spread to infect systems within the DPRK:

“The JML virus was developed around 1997: as his graduation thesis, Cho had written about the militarization capabilities of the computer virus. The value of his proposal was recognized, and a research group centered around Cho was duly established at Mirim University. This research group was the first incarnation of the Computer Technology Institute under the General Political Bureau.

Beginning its life on Visual C++5.0 and MASM 6.0, the JML virus was soon fixed as a North Korean military standard. Mutations have continued to be developed ever since.
 
Most North Koreans do not have access to the internet. Instead, they connect to an intranet, which has email and chatting capabilities, as well as  the ability to transmit viruses. The bulk of these viruses are JML mutations, and are proving to be a headache for the North Korean authorities. Just like the production of drugs for foreign export, the computer virus intended for foreign export has become an increasing nuisance for North Koreans.”

It would be very interesting if Rivt proved to be a later evolution of this ‘JML’ malware.

Rivts too is compiled with the (now rare and ancient) Visual Studio C++ 5.0, and as mentioned above may be a learning project.

However the technical details within the New Focus report are somewhat confused and make it impossible to positively identify a sample of the JML virus. Regardless of a possible link, it’s interesting to hear a report of malware under development in the DPRK around the same time as the first malware families from Russia and the West have been traced back to.

The Korean Central News Agency and the Faedevour Worm

Rivts isn’t the only malware that has been served from the website of a DPRK broadcasting agency. Back in January 2015 an independent researcher identified that the Korean Central News Agency website (KCNA.kp) was serving malware known as ‘Faedevour’.

The Korean Central News Agency website kcna[.]kp

Unlike with the Voice of Korea website, this was quite clearly an intentional compromise. Malicious Javascript was added to the KCNA website to serve Faedevour as a fake Adobe Flash update.

Initially there was a suspicion that attackers located within the DPRK were attempting to infect users outside, but this proved not to be the case. An analysis by Kaspersky showed the website was probably compromised to infect users within the DPRK itself. Further, they found the attack was likely the work of a group of attackers known as DarkHotel. DarkHotel are an extremely capable group of attackers (and renowned enough to have been name dropped in CSI Cyber), and not located within the DPRK.

Somewhat similarly to Rivts, Faedevour contains references to DPRK software that it looks for on a system - Hana (as mentioned with reference to Rivts above) and another called SamHung.

Faedevour is also a worm like Rivts - it copies itself across to infect network shares and USB disks. Given Rivts similaries to Feadevour’s infection and delivery mechanisms it is possible our hypothesis about Rivts creation is wrong - and they are in fact both the work of DarkHotel. However so far this does not seem to be the most likely explanation.

An accidental supply chain compromise?

In April 2017 both IBM and Lenovo alerted customers that their supply chain had been compromised. They had sent out USB sticks containing installation software to customers of their storage servers - but they later found they contained a worm.

 

Images of the affected products, from BleepingComputer.com

This announcement received little attention, beyond an analysis by a researcher in China and some brief reports. Reviewing the malware in question - it is the same Faedevour malware that was spread from the KCNA website (researchers at Trend Micro have also noticed this connection). In fact it’s not just the same malware family - it is exactly the same file that was seen on the KCNA website back in 2015.

Compromising the supply chain of some of the worlds largest server manufacturers might be a typical target for an extremely capable attacker like DarkHotel. However it’s very unlikely that they would choose to use a piece of malware they created years earlier and had been reported upon (and attributed to them) by a number of security vendors. Additionally, DarkHotel no longer own some of the domains that control Faedevour.

Given Faedevour is a worm that spreads to USB drives - it’s most likely the infection of the USB installation disks was an accidental infection. Faedevour continues to spread many years after, and far wider, than it’s author's intended.

This wouldn’t be the first time a worm by a capable attacker has spread further than intended.

The original Stuxnet worm was probably designed to infect a small number of key networks, but spread widely and infected tens of thousands. There is a warning here - even the most capable attackers need to be careful of how far their malware can spread.

Faedevour infections

The Lazarus SMB Worms

WannaCry isn’t the only worm created by Lazarus that spreads over SMB file-shares. There are various variants of families of malware known as Brambul that Lazarus have released over the years. Many variants install a backdoor called Joanap, and are therefore also known as Joanap worms.

One gained particular prominence after Lazarus used it in the highly publicised destructive attack against Sony in 2014. There is an excellent description of Brambul and Joanap in a report by Snorre Fagerland, but they have otherwise received little attention.

WannaCry and Brambul

Large portions of WannaCry come from the same code-base as Brambul, and earlier versions of WannaCry perform the same SMB brute-forcing as Brambul. To a certain extent, WannaCry could even be described as a Brambul variant itself.

Image from a technical report by Intezer discussing the links between WannaCry and Brambul

Early Brambul samples are still prevalent, almost ten years on

Early versions of Brambul brute-force access to file-shares using a list of common passwords, then email stolen credentials to the attackers.

Brambul sending passwords to the attackers

These ancient worms are still prevalent. For example, just one sample of Brambul that dates back to 2009 was reported 8 times in the last week from honeypot systems. It’s clearly still bouncing around the internet at a reasonable rate, nine years after it’s initial creation.

Brambul is now part of the “background noise” of the internet, and if you are unfortunate enough to have an internet facing file-share you will encounter access attempts from this malware regularly. A study in 2015 found that if you leave an insecure computer sitting connected to the internet, Brambul is the 13th mostly likely family you will get infected by.

A timeline of Lazarus SMB Worms

In Conclusion

The WannaCry ‘kill-switch’ is well reported - but we continue to see new samples of WannaCry where people have decided to edit out the kill-switch. That may explain why even in 2018 people continue to pay the WannaCry Bitcoin wallet in a vain attempt to recover files.

There is great concern around destructive attacks such as NotPetya that impersonate ransomware for criminal gain - but instead their primary aim is widespread destruction. But collateral damage from attacks like WannaCry may be just as bad. This was noted by the head of the UK’s National Cyber Security Centre (Ciarin Martin) in an interview with The Guardian:

“Martin said one of the biggest lessons from 2017 was to fear reckless as much as controlled attacks. He considered WannaCry, which was blamed on North Korea, as an example of an attack in which the perpetrator loses control.”

Whilst these threats can be a significant danger, the most important responses aren’t complicated. Keeping systems patched and maintaining effective backups is a great way to start. Beyond that, there are more detailed mitigation strategies to consider.

Appendix

Footnotes

  1. Note that it is it is possible to fake compile times.

Prevention

All the malware discussed in this report is old and well detected by anti-virus.

Detecting brute-force attacks is key to stopping many worms spreading. You may wish to review:

  • An article by AlienVault on how to detect and prevent brute-force attacks; and

  • A guide on how to do this in OSSIM created by an Alienvault user

Network connections from Faedevour are detected by indicators within AlienVault OTX, and the Emerging Threats signature 2022783. These also relate to the Jaku campaign identified by ForcePoint.

Rules

Yara rule for detecting Rivts:

rule rivts_pdb {
meta:
description = "Detects Rivts based on PDB folder"
author = "[email protected]"
tlp = "white"
license = "MIT License"
strings:
$m = "F:\\meWork\\" nocase wide ascii
condition: uint16(0) == 0x5a4d and any of them
}
Faedevour Network Indicators OTX Pulse with Additional Indicators

a.gwas.perl[.]sh

a-gwas-01[.]slyip.net

a-gwas-01[.]dyndns.org

 

Rivts Worm File Hashes

4B584695BA08E680452BE6016886637A

 

Faedevour Worm File Hashes

FFFA05401511AD2A89283C52D0C86472

78D3C8705F8BAF7D34E6A6737D1CFA18

 

Brambul Worm File Hashes

FF4721E6EDAD7D3BEC8E0C4D4A8C1D26

344D3EC0D84D2853E416C664DD577F44

F024FF4176F0036F97EBC95DECFD1D5E

3844EC6EC70347913BD1156F8CD159B8

 

Emails Brambul sends stolen credentials to

[email protected]

[email protected]

[email protected]

 

Brambul Brute-Force Password List

See https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_brambul.at

Chris Doman

About the Author: Chris Doman, AlienVault
I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.
Read more posts from Chris Doman ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL