North Korea Targets South Korean Cryptocurrency

January 22, 2018 • Amanda McKeon

Facing sanctions from much of the rest of the world, North Korea has turned to cybercrime to help finance their operations. The Lazarus Group is well known as a state-sponsored team of criminal hackers serving North Korean interests, and in 2017 they set their sights on cryptocurrency users and exchanges in South Korea with a spear phishing campaign. Additionally, they’ve targeted South Korean college students interested in foreign affairs, part of a group called “Friends of MOFA” (Ministry of Foreign Affairs).

Juan Andres Guerrero-Saade is a principal security researcher for Recorded Future’s Insikt Group, and he joins us to help explain what the North Koreans are up to, the methods and tools they are using, just how sophisticated they may or may not be, and why, in the end, sophistication might not really matter much.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 40 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. Thanks for joining us.

North Korea, facing sanctions from much of the rest of the world, has turned to cybercrime to help finance their operations. The Lazarus Group is well known as a state-sponsored team of criminal hackers serving North Korean interests. In 2017, they set their sights on cryptocurrency users and exchanges in South Korea with a targeted spear phishing campaign.

Juan Andres Guerrero-Saade is a principal security researcher for Recorded Future’s Insikt Group. He joins us to help explain what the North Koreans are up to, the methods and tools they’re using, just how sophisticated they may or may not be, and why in the end, sophistication might not really matter much. Stay with us.

Juan Andres Guerrero-Saade:

We have an interesting group of analysts over at the Insikt Group and Recorded Future. I was talking to my partner in crime, Priscilla Moriuchi, and part of her analysis situation, geopolitically, was to focus on the Pyeongchang Olympics, which are happening now in South Korea — or, are meant to happen. There’s quite an interesting history there between North and South Korea, and the Olympics, in the past. It was her assessment to say that we are for sure going to be — at least, as far as the Lazarus Group is concerned — using the Olympics as a sort of lure. It was kind of a challenge for us. Saying, “Okay, we expect to see this, so can we actually find it.”

We went digging and actually stumbled upon our very first sample, using that as a lure. It was using this exploit to target this office suite that is used primarily in South Korea that’s called Hancom Hangul. It uses these HWP files. The idea is, it’s essentially Office, but it’s its own sort of software suite. The attackers had essentially developed, or were using, an exploit for that software platform, but the documents that they were using to lure people in, the first one that we found was an Olympics lure that was targeting this geopolitical group. Then, from that, we went on to find a bigger campaign that also included cryptocurrency exchanges, and so on.

Dave Bittner:

So, take us through some of the details of what you found here. Take us through some of the technical information about it.

Juan Andres Guerrero-Saade:

For me, this was quite interesting. There’s been a certain amount of reporting about North Korea attacking South Korea when it comes to cryptocurrency exchanges, or when it comes to the Olympics, so it’s not like we were the first ones to make the claim. However, having worked on the Lazarus Group for quite some time now, their reporting didn’t quite add up with me. The TTPs were not the same. The tools, techniques, and procedures that we’re used to seeing for the Lazarus Group don’t usually include things like JavaScript, HTML applications, PowerShell. Things like this that are relatively common for other active groups are not very common for the Lazarus Group.

For us, it was interesting to run into this new, small subset of samples that were targeting these institutions in South Korea that we expected to be targeted, but then to actually start to unravel the mechanism of how those samples worked, and to actually find the culprit that we expected. It was sort of like a backwards attribution thing, but we’re trying to be as careful as possible to make sure that we were discussing the right team. The way that this thing works is, essentially, you’ve got this malicious file for somebody using Hangul to open. Once you open the file, it’s going to execute this shellcode. That shellcode is going to decrypt, or de-obfuscate, this thing in memory. What ends up popping out, or at least is loaded in memory into the explorer process, is actually a DLL.

Now, what’s interesting about that DLL is, once we pulled it down and actually started to reverse engineer it, analyze it, check code similarities, and so on, is that the application itself is composed in large parts of the Destover code. I don’t know if you remember Destover — I’m sure it came across your radar at some point. Destover is the infamous malware from the Sony Pictures Entertainment hack back in 2014, if I’m not mistaken.

Dave Bittner:

Yeah, which, of course, widely attributed to …

Juan Andres Guerrero-Saade:

Widely attributed to North Korea. Also, sort of like one of the main namesakes of the Lazarus Group.

Dave Bittner:

I see.

Juan Andres Guerrero-Saade:

For us, it was like, “Okay, we’ve clearly found our man.” Just to clarify, even though in the Sony Pictures Entertainment hack, Destover was known for having caused the wiping of several hundreds or thousands of machines, in this particular case, it did not include the wiper component. It mostly was composed of the info-stealer component. They were looking for different archives and files that they were going to exfiltrate. It’s mostly an espionage tool in the way that it’s been built for this particular purpose.

Dave Bittner:

I see. So, take us through … That’s their attack vector. They’re using a phishing campaign, I suppose, to get people to open these word processor files. The infection occurs, and what happens next?

Juan Andres Guerrero-Saade:

Well, the malware is sitting there and stealing files, which I think is particularly interesting given that the targets here are two … What looks, to us, like two very different swaths of targets. You’re either talking about people that are geopolitically interesting, like one of the strings involved in the Olympics lure was a friend of MOFA, or MOFA, which, it seems to be this geopolitical group very interested in the situation between North and South, and composed largely of students. In that case, you could talk about … If that’s the group that they’re targeting, then you’re talking about the sort of standard espionage activities, and maybe counteracted as an activity that you might expect. However, on the other side, what the other lures were suggesting to us was that they were going after cryptocurrency exchanges. In that particular case, it’s interesting that they’re in there trying to collect information and trying to collect files, because what you would expect is for them to be looking for some kind of further access into these sort of exchanges.

Now, one of the ways you might look at it is, say, “Well, they just want the wallets.” That’s one way to look at it, but I think that as far as the Lazarus Group goes, we’ve seen that when they get interested in financial crime, they get overly ambitious, whether it’s with SWIFT, whether it was with WannaCry. In this particular case, with the cryptocurrency exchanges, my guess is that they’re looking to establish a foothold within these exchanges, rather than simply try to steal some wallets.

Dave Bittner:

Rather than going into a bank and doing a smash and grab, or holding up the teller, they want someone inside who can get into the vault, I guess … as an awkward analogy, I suppose.

Juan Andres Guerrero-Saade:

Yeah, that’s a way to put it. Honestly, that’s what we saw with the SWIFT hacks. They went in, and what they wanted was to make these massive transfers and these massive transactions. Interestingly, in the case of the Bangladesh Central Bank, had they not gone quite so over the top, quite so big … I mean, what ended up screwing them in the end was a misspelling, but I also wonder if they’d had the patience not to try to transfer 80 million dollars at a time, if they might have also been able to handle this differently. They’re not the first group to do this, you know.

Dave Bittner:

What is your estimation of their success?

Juan Andres Guerrero-Saade:

It’s really kind of hard to understand to what extent they are being successful with this particular new campaign. Just to dampen some of the thud involved in this, the vulnerability that the exploit was intended for has already been patched. That will all come down to the update cycle in South Korea, as far as Hancom and Hangul go, which I’m not too familiar with, but it’s not a zero-day exploit per se. There is a certain amount of warning already out there for people involved in cryptocurrency exchanges. There are some things to limit the notion of how effective this might be. However, the Lazarus Group has been unbelievably effective in the things that they do, for the most part. It depends on whether you’re looking at the end run of the campaign, whether they get what they intended to get, or whether they actually got to the target that they intended.

That’s kind of a fuzzy distinction, but from the perspective of malware researchers, if they infected the target, then they clearly already got something. They succeeded to a certain extent. That’s from our perspective. From their perspective, if what they wanted was to get the money, or to get the bitcoins, then we can start to talk about some different metrics. If you look at campaigns like WannaCry, we could say that their success — as far as their metric goes — if their idea was to make money, was not good. It did not go well. If you look at it from the perspective of a malware researcher, you say, “Well, they hit thousands and thousands of machines worldwide.” That, to us, looks like a successful campaign. You say they clearly established a foothold where they had presumably intended to go. WannaCry is a very complicated example.

With the SWIFT hacks, you can see something different. You say, “Well, they clearly got to where they wanted to go.” They got inside of the banks, they started transactions. What we’re hearing, as far as reporting from SWIFT and from the banks, is that they had some partial success. They were able to get some of that money out. Now, moving on to this campaign, what they’re going to be able to do with Bitcoin — I mean, that’s variable. That’s complex. Especially in South Korean exchanges, they’re starting to introduce a certain level of laws. They’re trying to dampen some of the craze, as far as Bitcoin goes, in the peninsula, but worldwide, we’re also seeing these massive fluctuations of prices. We’re seeing a sort of cash-flow shortage from a lot of exchanges. It’s sort of interesting, whether you can actually cash out large amounts of what you’re getting.

The question, then, is: is this the kind of campaign where they were trying to pay their own way? As in, to say hacking operations are expensive. If you steal some money, you can pay for what you yourself are consuming, or what resources you need, and then we can talk about the rest. Or is this the sort of campaign where you’re just trying to steal large amounts of money for the regime? Those are very different things.

Dave Bittner:

You say … I’m sorry, when you say paying your own way, do you mean building up a cache of Bitcoin, for example, and being able to use that to buy processor time on services, or those sorts of things? Is that what you’re talking about?

Juan Andres Guerrero-Saade:

Yeah, I mean, that’s something that we need to consider when it comes to attackers using Bitcoin. I mean, we’ve seen … I’m trying to dig back, but we’ve seen Sofacy, APT28, Pawn Storm, whatever you’d like to call them — we’ve seen them looking for Bitcoin wallets in the past. This is a team that’s much more interesting in what they do, as far as their servers and their infrastructure, because it looks like they would use those bitcoins to establish new virtual private servers to use as command and control servers. However, the Lazarus Group is a little different. They tend to use hacked infrastructure. They almost always use IPs instead of domains. It makes it a lot harder to track or sinkhole their campaigns.

The question, then, is what will you use Bitcoin for, as far as they’re concerned? I think one of the big things would be more exploits. The exploit involved in this campaign is actually kind of interesting to us. It’s a very particular implementation. It’s not one that we have seen being used by any other group, so far. We actually were able to delimit the campaign on the basis of that particular exploit. When you look at it, it actually includes some Chinese terms, which is sort of unusual for the Lazarus Group, at least. I don’t think … While they might leave a lot of Korean resources in their malware sort of carelessly, you don’t usually see any kind of Chinese terminology in there.

To us, it suggested a very crude attempt at a false flag, which would not be the first time that they’ve done this. Researchers over at BAE found them embedding Russian terms into some of their malware around the time of some of the SWIFT investigations. So, maybe it’s a crude attempt at a false flag, or alternatively, they bought this exploit from a Chinese supplier or developer, and they’re sort of reusing that.

Dave Bittner:

The kind of cutting and pasting from various sources to make a custom version of what they need.

Juan Andres Guerrero-Saade:

Well, that’s actually … What you described is actually one of the most fundamental understandings of the Lazarus Group that we have.

Dave Bittner:

I see.

Juan Andres Guerrero-Saade:

That’s from their operations for several years. The Lazarus Group tends to, essentially, cut and splice what they need. If you ask me what their development environment must look like, I would say it’s something along the lines of a very, very, very big code base that they’ve amassed over a long time of development. Rather than having some kind of point and click builder, it looks more like they’re cutting and pasting that code base to create the software that they need on a basis of functionality.

It’s actually what has made it really, really hard for researchers to properly cluster and categorize a lot of the Lazarus Group malware over the years. You’ve got a lot of different families with a lot of different names, like SpaSpe, Hangman, Volgmer, Duuzer, Destover, and so on. But when you try to look at this malware and categorize it properly, it’s almost like it’s all overlapping, like they all seem to have pieces of each other. If you write the right kind of rules and detections for these, you actually pick up a lot of different families at once, in one go. It’s actually … It can be quite challenging to look at Lazarus Group malware in bulk and try to understand the campaigns properly.

Dave Bittner:

It’s interesting to me because at first glance, I would think, well, that cut-and-paste approach speaks to a lack of sophistication, but the way you describe it, it could just be the opposite, that it’s … I don’t know, crazy, like a fox. The simplicity is the sophistication of it. Does that make any sense?

Juan Andres Guerrero-Saade:

Yeah, it definitely makes sense. It’s sort of interesting. I don’t like the idea of talking about the Lazarus Group as sophisticated, particularly because we have worked with very sophisticated groups before, we have seen very sophisticated groups in the past who really deserve that notch, or that star — the gold star. But the Lazarus Group, I don’t think they’re particularly sophisticated. What they are is relentless. I mean, these guys will do just about anything to gain a foothold where they want to be, and then they’ll exploit it in ways that you would have considered … any rational actor would have decided was not a wise thing to do. They’re very interesting, and they’re definitely not to be minimized or to be thought lowly of. I think for any defender having a run-in with this particular threat actor, it’s not a very good day. But as far as sophistication goes, I mean, we would expect a really sophisticated group to have a much better quality assurance process, development process, as far as their malware goes, a much more standardized way of going about it.

Just to kind of give an example of that, I mean, with the Lazarus Group, in this campaign, with this exploit, we have found four or five samples. It’s a very recent campaign. It’s very small. You find four or five samples, and one of them is broken. Had the person … once the person got to that lure doc, they could have opened it and everything, and the malware would have never executed. We see them, essentially, compiling another version of it very quickly after that. It’s one of these cases where you know well they’re not being very careful. They’re just managing such a sprawling amount of campaigns in this hodgepodge way that a lot of mistakes are happening, but that’s not deterring them.

Dave Bittner:

Right, and I suppose they must have a certain amount of success. This must be working for them because they keep at it.

Juan Andres Guerrero-Saade:

Absolutely. That’s the interesting thing about them. It’s a very interesting thing about cyber operations, in general, that we have to keep in mind. Sophistication is not necessary. I mean, it’s not a must. When it comes to very specific types of things, like, “ICS is going to take a certain, specific type of knowledge, like air gap networks, or very well-secured environments” — sure. If you are set on reaching one very specific target, very quietly, and getting to run long-term operations, then yes, that takes a certain level of sophistication and preparation. But that’s not equivalent to value in the real world. What we’ve seen — not just from the Lazarus/BlueNoroff operations against SWIFT banks, but also from groups like Carbanak — is sort of setting the staple back in 2015 as to what it’s like to take on bank heists on a digital level. These groups are not defined by their sophistication.

We were talking about … With Carbanak, we’re talking about exploit kits and publicly available RATs, but the notion was patience and careful lateral movement phases, and careful observation periods where they would just sit there and watch the person in the right machine — the accountant that managed that database, and managed transfers. You sit there and pay attention for a period of two or three months. Once you know exactly how this works, once you know exactly what their schedule is like, then you make your move. In that sense, the Carbanak group proved themselves to be a lot more careful than the Lazarus Group. I really do believe that if the Lazarus Group had the patience to sit there and do this in a much more calculated way, they would have probably gotten away with these multi-million dollar sums, and it might have even taken a lot longer for anybody to catch on.

Dave Bittner:

So, what’s to be done here? What are your recommendations for people to protect themselves against this sort of thing?

Juan Andres Guerrero-Saade:

Well, I’m afraid that as an old school AV guy, the recommendations sent will always be the same. You definitely want to patch your software. You want to have some kind of anti-malware suite involved in your machines. You want to segment your data. These are all important things. However, this has to go a little bit farther, particularly now that we’re involved in this cryptocurrency frenzy. The notion of having that kind of value within your system, within a system that appears relatively easy to compromise … by that, I’m saying just about any endpoint system should be incredibly daunting. Maybe I have a particularly low tolerance for risk, which I do. I have to admit, I’m probably the only person on this side of the industry that hasn’t even gone into speculating over cryptocurrencies. The notion that there is just a file sitting on your system somewhere that might hold thousands of dollars worth of value is just so immediate. It’s removing all of the hurdles that would usually be involved in financial crime and cybercrime.

So, just to take a few steps back, if you look at the evolution of banking malware, before, banking malware was a matter of, “Let’s get in the machine, let’s get on the endpoint, let’s wait around until we get banking credentials or credit card numbers, or bank account numbers, and then let’s force a transfer.” Then, as a criminal ecosystem, that wouldn’t be the end of the heist. You needed mules, you needed people that would be able to move that money, and you were hoping that the bank wouldn’t catch on to these transactions in time to stop them. That all changed the moment cryptocurrencies became popular, because all of a sudden, you had Bitcoin as this sort of semi-untraceable mechanism, or certainly decentralized and un-scrutinized payment mechanism. That’s what brought the rise of ransomware.

If you think about it, the first ransomware appeared in the early 90s. It’s actually not a new idea, it just didn’t make a whole lot of sense to try to get payments through the mail, or get payments through credit cards. It’s Bitcoin that enables the rise of ransomware in a lot of ways. Now what we’re seeing is being able to amass that kind of value in large, large quantities, all at once. It’s this sort of natural evolution that happens with these new mechanisms that are in place. If you’re asking me exactly how to tell people to be particularly careful, I mean, there’s really nothing better at the point of having a single file, or a single point of failure, like a Bitcoin wallet on your system, than actually having it in cold storage somewhere. Please, just copy it over to a USB and unplug it from your machine at this point.

That’s not really the sole solution when you’re talking about malware that is persistent, that is probably on your system 24/7 watching, but it’s definitely a big step forward. To say, “You know what? If they gain a foothold there, they shouldn’t have immediate access to the single point of failure.”

Dave Bittner:

Our thanks to Juan Andres Guerrero-Saade for joining us.

You can read the full report about North Korea targeting South Korean cryptocurrency users on the Recorded Future website. It’s in their blog section.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.