Tag Archive for: Korean

OODA Loop – North Korean Hackers Caught Using Malware With Microphone Wiretapping Capabilities



3CX Supply Chain Attack: North Korean Hackers Likely Targeted Cryptocurrency Firms


More information has come to light on the recent 3CX supply chain attack, which appears to have been conducted by North Korean hackers with the goal of targeting cryptocurrency companies.

Cybersecurity firm Kaspersky has conducted its own analysis of the incident and found links to attacks observed by the company back in 2020. 

Those attacks involved a backdoor dubbed Gopuram, which had been spotted on systems belonging to a Southeast Asian cryptocurrency firm. Gopuram was present at the time on compromised devices alongside AppleJeus, malware linked to North Korea’s Lazarus group.

Kaspersky has seen only a few Gopuram infections since 2020, but there was a surge in March 2023, and analysis revealed that the surge was a result of the 3CX supply chain attack. The hackers behind the 3CX attack likely delivered the Gopuram malware only to victims they deemed of interest.

According to Kaspersky, Gopuram was deployed on less than 10 devices as part of the 3CX attack, mainly belonging to cryptocurrency companies, which suggests that the operation was aimed at this sector. 

This would not be surprising considering that North Korean state-sponsored hackers have been known to steal significant amounts of cryptocurrency. UN experts said recently that last year they stole between $630 million and more than $1 billion worth of virtual assets. Cryptocurrency is used by Pyongyang to fund its national priorities and objectives, including cyber operations.

Kaspersky’s investigation further points to North Korean government-backed hackers being behind the 3CX attack, after companies such as CrowdStrike and Sophos also found links to the Lazarus group. 

3CX says its business communication products are used by 600,000 companies worldwide, including major brands. The malware distributed through 3CX may have been pushed to thousands of companies, but the hackers were not interested in all of these companies. Instead, based on Kaspersky’s data, they were looking for cryptocurrency companies to which they could deliver the full-fledged Gopuram backdoor, which the security firm believes is the main implant and the final payload in the attack chain.

Fortinet and BlackBerry previously reported


Another year, another North Korean malware-spreading, crypto-stealing gang named • The Register


Google Cloud’s recently acquired security outfit Mandiant has named a new nasty from North Korea: a cyber crime gang it calls APT43 and accuses of a five-year rampage.

“Mandiant assesses with high confidence that APT43 is a moderately sophisticated cyber operator that supports the interests of the North Korean regime,” states a report on the gang released on Wednesday.

The report observes that APT43’s activities have sometimes been attributed to actors known as “Thallium” or “Kimsuky” – such as the 2021 attack on South Korea’s nuclear research agency.

That raid is typical of APT43’s activities. It aligns with the gang’s goal of strategic intelligence collection to keep North Korea informed of its foes’ activities and capabilities.

APT43 mostly uses spear phishing and fake websites to gather information, eschewing zero-day vulnerabilities. Once it compromises a target, the gang’s favorite tool is LATEOP – a backdoor based on VisualBasic scripts. It has also used malware such as gh0st RAT, QUASARRAT, and AMADE to go about its business. The gang appears not to be a notable malware innovator, but Mandiant has observed “a steady evolution and expansion of the operation’s malware library over time.”

As North Korea’s needs change, so do APT43’s activities and targets. Before 2020 it targeted diplomatic organizations and think tanks that considered strategic issues around the Korean peninsula. It then shifted focus to healthcare organizations, in what Mandiant assesses was a desire to gather information related to COVID-19.

Those shifts have seen the group attack different types of target. But Mandiant’s analysts believe it has an overarching purpose of “enabling North Korea’s weapons program, including: collecting information about international negotiations, sanctions policy, and other countries’ foreign relations and domestic politics as these may affect North Korea’s nuclear ambitions.”

APT43 funds its own activities by stealing and laundering cryptocurrency, but those heists aren’t its purpose. Indeed, North Korea backs another gang – APT38 – to pinch cryptocurrency.

But the gangs don’t operate in isolation. Mandiant asserts “APT43 has shared infrastructure and…


South Korean Android Banking Menace – FakeCalls


Research by: Bohdan Melnykov, Raman Ladutska

When malware actors want to enter the business, they can choose markets where, judging by past results, their profit is almost guaranteed to be worth the effort. The malware does not need to be high profile; careful selection of the audience and the right market can be enough.

This “stay-low-aim-high” approach is what the Check Point Research team saw in our recent Android malware research. We encountered an Android Trojan named FakeCalls, a malware that can masquerade as one of more than 20 financial applications and imitate phone conversations with bank or financial service employees – an attack known as voice phishing. FakeCalls targeted the South Korean market and has the versatility of a Swiss army knife: it can not only carry out its primary aim but also extract private data from the victim’s device.

Voice phishing attacks have a long history in the South Korean market. According to a report published on the South Korean government website, financial losses due to voice phishing amounted to approximately 600 million USD in 2020, with the number of victims reaching as many as 170,000 people in the period from 2016 to 2020.

We discovered more than 2,500 samples of the FakeCalls malware that used a variety of combinations of mimicked financial organizations and implemented anti-analysis (also called evasion) techniques. The malware developers paid special attention to protecting their malware, using several unique evasions that we had not previously seen in the wild.

In our report, we describe all of the encountered anti-analysis techniques and show how to mitigate them, dive into the key details of the malware functionality and explain how to stay protected from this and similar threats.

Before we get to the technical details, let’s discuss how voice phishing works, using FakeCalls as the example.

The idea behind voice phishing is to trick the victim into thinking that there is a real bank employee on the other side of the call. As the victim thinks that the application in use is an internet-banking application…
