Tag Archive for: Korean

Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity


Mar 08, 2023 | Ravie Lakshmanan | Zero-Day / BYOVD Attack


The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software product to breach a financial business entity in South Korea twice within the span of a year.

While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that’s widely used by public institutions and universities, the re-infiltration in October 2022 involved the exploitation of a zero-day in the same program.

Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) said it’s refraining from divulging more specifics owing to the fact that “the vulnerability has not been fully verified yet and a software patch has not been released.”

The adversarial collective, after obtaining an initial foothold by an unknown method, abused the zero-day bug to perform lateral movement, shortly after which the AhnLab V3 anti-malware engine was disabled via a BYOVD attack.

It’s worth noting here that the Bring Your Own Vulnerable Driver, aka BYOVD, technique has been repeatedly employed by the Lazarus Group in recent months, as documented by both ESET and AhnLab in a series of reports late last year.


Other steps taken to conceal its malicious behavior include changing file names before deleting them and modifying timestamps using an anti-forensic technique referred to as timestomping.

The attack ultimately paved the way for multiple backdoor payloads (Keys.dat and Settings.vwx) that are designed to connect to a remote command-and-control (C2) server and retrieve additional binaries and execute them in a fileless manner.


The development comes a week after ESET shed light on a new implant called WinorDLL64 that’s deployed by the notorious threat actor by means of a malware loader named Wslink.

“The Lazarus group is researching the vulnerabilities of various other software and are constantly changing their TTPs by altering the way…

Source…

Experts Warn of RambleOn Android Malware Targeting South Korean Journalists


Feb 17, 2023 | Ravie Lakshmanan | Mobile Security / Cyber Threat


Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign.

The findings come from South Korea-based non-profit Interlab, which coined the new malware RambleOn.

The malicious functionalities include the “ability to read and leak target’s contact list, SMS, voice call content, location and others from the time of compromise on the target,” Interlab threat researcher Ovi Liber said in a report published this week.

The spyware camouflages as a secure chat app called Fizzle (ch.seme), but in reality, acts as a conduit to deliver a next-stage payload hosted on pCloud and Yandex.

The chat app is said to have been sent as an Android Package (APK) file over WeChat to the targeted journalist on December 7, 2022, under the pretext of wanting to discuss a sensitive topic.

The primary purpose of RambleOn is to function as a loader for another APK file (com.data.WeCoin) while also requesting intrusive permissions to collect files, access call logs, intercept SMS messages, record audio, and gather location data.


The secondary payload, for its part, is designed to provide an alternative channel for accessing the infected Android device using Firebase Cloud Messaging (FCM) as a command-and-control (C2) mechanism.

Interlab said it identified overlaps in the FCM functionality between RambleOn and FastFire, a piece of Android spyware that was attributed to Kimsuky by South Korean cybersecurity company S2W last year.

“The victimology of this event fits very closely with the modus operandi of groups such as APT37 and Kimsuky,” Liber said, pointing out the former’s use of pCloud and Yandex storage for payload delivery and command-and-control.


Source…



‘No Pineapple’ Hacking Campaign Reveals North Korean Toolkit


Cybercrime, Cyberwarfare / Nation-State Attacks, Endpoint Security

Espionage Campaign Bore Telltale Signs of Pyongyang – And a Major OPSEC Failure


A threat intelligence firm spotted North Korean hackers engaged in technological espionage in a campaign that betrayed recurring elements of the Pyongyang hacking toolkit.


Cybersecurity firm WithSecure says it detected a campaign targeting the medical research and energy sectors that came to its attention after endpoint detection scans showed a Cobalt Strike beacon on a customer’s servers connecting to known threat actor IP addresses.

Researchers from the Finnish company dub the campaign “No Pineapple,” taking the name from the apparently fruit-loving software developer of a remote access Trojan called acres.exe deployed by the hackers. The tool truncates data exfiltration messages greater than 1,024 bytes with the message “No Pineapple!”

Many campaign indicators point to North Korea and possibly to the government hacking unit Mandiant identifies as Bureau 325. Attribution to North Korean hackers often occurs under the catchall rubric of Lazarus Group, but Mandiant argues that different cyber units specialize in different types of operations despite nearly all North Korean cyber activity…

Source…

(LEAD) Chinese hackers attack 12 S. Korean academic institutions: KISA



SEOUL, Jan. 25 (Yonhap) — South Korea’s internet safety watchdog said Wednesday a Chinese hacking group has launched a cyberattack against 12 South Korean academic institutions.

The Korea Internet & Security Agency (KISA) said the attackers hacked into the websites of 12 institutions Sunday, which included some departments of Jeju University and the Korea National University of Education.

Most of the 12 websites, including that of the Korea Research Institute for Construction Policy, were still unavailable for access as of 10 a.m. Wednesday.

KISA said the Chinese hacking group had warned of a cyberattack against multiple S. Korean agencies, including KISA.

But the internet watchdog’s site was not affected, it said.

The Chinese hacking group, identifying itself as the Cyber Security Team, claimed it had successfully compromised the computer networks of 70 South Korean educational institutions around the Lunar New Year holiday that ran from Saturday to Tuesday.

The group also warned that it will disclose 54 gigabytes of data it claimed to have stolen from South Korea’s government and public institutions.

The Ministry of Science and ICT asked government agencies and individuals to stay vigilant against rising hacking threats.

Science Minister Lee Jong-ho visited the Korea Internet Security Center on Tuesday to check on the security posture against possible cyberattacks.



Source…