One zip attachment contains an img file with an exe inside: the malware. The other is a PDF that downloads a zip with an exe: the same malware. The stolen data is exfiltrated via SMTP.
North Korea stabilizes relations with US and South Korea, but not in cyberspace
The South Korean Sejong Institute has been targeted by Andariel hackers using an ActiveX zero-day vulnerability
North Korea is stabilizing diplomatic relations with the US and South Korea, but not those in cyberspace. As ZDNet reported, an ActiveX zero-day vulnerability used in attacks against a Seoul think tank has been connected to Lazarus Group. The target of these attacks was the Sejong Institute, a non-profit South Korean think tank which conducts research on national security. The private organization works with academic institutions worldwide. The flaw was discovered on the think tank’s website in May by South Korean cybersecurity firm AhnLab. The attack was one amongst many conducted by Andariel Group, an offshoot of Lazarus, which is believed to be linked to Pyongyang. According to Bleeping Computer, at least nine separate ActiveX vulnerabilities were recorded in the May wave of attacks.
AlienVault researchers say South Korea is a vulnerable target; Andariel/Lazarus used the splwow32.exe malware
AlienVault cyber security researchers said in a blog post this week that South Korea is a vulnerable target for these cyber attacks because government mandates mean ActiveX often has to be enabled on machines connected to the institute. The malware used by the North Korean hackers, named splwow32.exe, is a simple backdoor which executes commands through the Windows command prompt (cmd.exe). Its command and control protocol, however, is distinctive: it sends messages such as "Success!" and "Welcome!" at particular stages of the infection. The same malicious code had previously been seen in an attack against a Taiwanese bank. According to BAE Systems, Lazarus targeted Far Eastern International Bank (FEIB), moving funds out of overseas accounts after compromising the bank's SWIFT financial messaging system.
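As an added example (not code from the article, AhnLab, AlienVault or BAE Systems), the two indicators above turned into a small hunting script: it flags a splwow32.exe image running outside the directory where the genuine Windows print-driver host is assumed to live, a shell spawned by any splwow32.exe, and the "Success!"/"Welcome!" banner strings in captured TCP payloads. The legitimate install directories, the shell-child rule, the IP addresses and all sample records are assumptions constructed for this example, not data from the article.

```python
"""Hunting checks for the Andariel/Lazarus backdoor that masquerades as splwow32.exe.

Added example, not the article's or any vendor's code.  Assumptions (not from the article):
  * the genuine Windows print-driver host splwow32.exe lives in C:\\Windows (or System32);
    a copy anywhere else is treated as masquerading
  * the genuine splwow32.exe never spawns a command shell, so a cmd.exe/powershell.exe child
    of any splwow32.exe is suspect (matches the "executes commands over cmd" behaviour)
  * the C2 banner strings travel in the clear in the TCP payload
All sample records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASSUMED legitimate locations of splwow32.exe (lower-cased, backslash-separated).
LEGIT_SPLWOW32_DIRS = {r"c:\windows", r"c:\windows\system32"}
# From the article: banner strings the backdoor's C2 protocol sends.
C2_MARKERS = ("Success!", "Welcome!")
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the executable
    parent_image: str   # full path of the parent executable
    cmdline: str


def _dir_and_name(path: str) -> Tuple[str, str]:
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    d, _, n = path.lower().rpartition("\\")
    return d, n


def suspicious_process(ev: ProcessEvent) -> Optional[str]:
    """Return a finding string if the event matches either host indicator, else None."""
    d, n = _dir_and_name(ev.image)
    _, parent_name = _dir_and_name(ev.parent_image)
    if n == "splwow32.exe" and d not in LEGIT_SPLWOW32_DIRS:
        return f"pid {ev.pid}: splwow32.exe running from unexpected location {ev.image}"
    if n in SHELLS and parent_name == "splwow32.exe":
        return f"pid {ev.pid}: {n} spawned by splwow32.exe ({ev.parent_image}): {ev.cmdline}"
    return None


def c2_markers(payload: bytes) -> List[str]:
    """Return the C2 banner strings present in one captured TCP payload."""
    return [m for m in C2_MARKERS if m.encode() in payload]


def hunt(processes: List[ProcessEvent], streams: List[Tuple[str, str, bytes]]) -> List[str]:
    """Run both checks and return all findings (host indicators first, then network)."""
    findings = [r for r in (suspicious_process(ev) for ev in processes) if r]
    for src, dst, payload in streams:
        hits = c2_markers(payload)
        if hits:
            findings.append(f"{src} -> {dst}: C2 banner strings {hits} in payload")
    return findings


# Constructed sample telemetry: one benign print-driver host, one masquerading copy
# dropped in a user-writable directory, and the shell it spawned.
SAMPLE_PROCESSES = [
    ProcessEvent(1201, r"C:\Windows\splwow32.exe", r"C:\Program Files\App\app32.exe", "splwow32.exe"),
    ProcessEvent(4410, r"C:\Users\Public\splwow32.exe", r"C:\Windows\explorer.exe", "splwow32.exe"),
    ProcessEvent(4415, r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\splwow32.exe", "cmd.exe /c whoami"),
]

# Constructed sample TCP payloads (src, dst, bytes); 203.0.113.0/24 is a documentation range.
SAMPLE_STREAMS = [
    ("10.0.0.15:49211", "203.0.113.7:443", b"Welcome!\r\n"),
    ("10.0.0.15:49302", "203.0.113.9:80", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_PROCESSES, SAMPLE_STREAMS):
        print(line)
```

The banner-string check is a weak indicator on its own (both words occur in ordinary traffic), so in practice it is worth correlating with the host findings or restricting it to the first packets of a connection rather than alerting on every match.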
The cyber attacks on the Seoul-based Sejong Institute began with a reconnaissance stage in 2017
In the FEIB heist the North Korean Lazarus and Andariel groups also used a ransomware called 'Hermes', which the BAE Systems team believes "may have been used as a distraction or cover-up for the security team whilst the heist was occurring." IssueMakersLab suggests that the cyber attack against the South Korean think tank began with a reconnaissance stage in 2017. Three watering-hole exploits have been deployed on the institute's domain this year. The malicious files have now been removed.