FireEye researchers have just released details on a new threat group dubbed APT38, held responsible for attempted heists totalling approximately $1.1 billion from financial institutions in different geographies.

Although also believed to have close ties to the North Korean regime and its illicit, financially motivated activities, the threat actor's activity appears to differ from that of other infamous groups such as Lazarus (aka Hidden Cobra) and TEMP.Reaper. The malicious tools employed show some similarities, suggesting the groups have access to the same developers or code repositories. Their operations, targets and TTPs, on the other hand, have diverged over time.

At least 16 organizations have been targeted in 11 countries since the first operation was carried out in 2014. In particular, attacks on SWIFT banking systems between 2016 and 2018 have been attributed to APT38, including targets of the calibre of the Bangladesh Bank, Bancomext and Banco de Chile. According to FireEye, victims of additional heist attempts included financial governing bodies as well as media organizations within the financial sector. The heavy interest in the financial sector, FireEye explained in a detailed timeline, was likely the result of the economic sanctions enacted against North Korea over the years.

APT38's operations are believed to be large-scale and well planned. The attack lifecycle is characterized by long-term planning and by external and internal reconnaissance, with persistent access to the compromised victims' systems. At least 26 non-public and two public malware families have been attributed to the group. Once the money heist is complete, the attackers destroy all evidence of the compromise to evade detection.

FireEye has warned of the seriousness of the risk posed by the group, which remains active; its operations are likely to continue with more sophisticated tactics to avoid detection.

Proficio Threat Intelligence Recommendations:

  • Financial clients should consider implementing additional security steps for SWIFT transactions to avoid falling victim to an attack.
  • Update IDS/IPS signatures to take appropriate action on the IoCs detailed in the report (IP address ranges).

FireEye Blog – Click Here
FireEye Special Report – Click Here

METHOD: HIDDEN COBRA Joanap and Brambul Malware Activity

US-CERT has released a technical advisory regarding a RAT (remote access tool) and an SMB (server message block) worm, dubbed Joanap and Brambul respectively. Both are claimed to have been used by the North Korean threat actor HIDDEN COBRA (aka Lazarus) since 2009. HIDDEN COBRA is an alias used to describe worldwide hacking activity performed by a group tied to the North Korean government.

Based on the report's findings, HIDDEN COBRA uses these two malware families to target victims globally across multiple sectors. The worm spreads using relatively old and unsophisticated methods: once a system is infected, it attempts to brute-force remote shares over the SMB protocol using a list of about 150 common passwords such as “123456”, “cookie123” and “dbpassword”.

Analysis of the IoCs (indicators of compromise) provided in the advisory revealed that infrastructure primarily located in Latin America, the Middle East and the Asia Pacific region has been compromised with the malware. Command and control for the malware is somewhat unusual: it gathers details about the compromised host and then attempts to email them to two known addresses (misswang8107@gmail[.]com and redhat@gmail[.]com).

Fortunately, most antivirus vendors have good detection rates for this malware, since it is old and well known and spreads using relatively simple passwords. The risk this threat poses to most corporate environments is relatively low.

Proficio Threat Intelligence Recommendations:

  • Deny SMB from the internet at perimeter firewalls
  • Enforce a password policy that does not allow weak passwords as a means to authenticate to SMB shares inside the LAN
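As an added example (not code from the US-CERT advisory or from Proficio), the following Python flags the spreading behaviour described above, a burst of SMB logon failures from one internal host against many targets, over constructed log lines, and applies a deny-list containing the three passwords quoted above. The log format, IP addresses and thresholds are assumptions; the Windows event IDs 4625 (logon failure) and 4624 (logon success) are real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp src dst event_id user" format
# (not the output of any real product). 10.0.0.7 plays the infected host.
SAMPLE_LOGS = """\
2018-10-03T09:00:01 10.0.0.7 10.0.0.20 4625 Administrator
2018-10-03T09:00:02 10.0.0.7 10.0.0.20 4625 Administrator
2018-10-03T09:00:02 10.0.0.7 10.0.0.21 4625 admin
2018-10-03T09:00:03 10.0.0.7 10.0.0.22 4625 Administrator
2018-10-03T09:00:04 10.0.0.7 10.0.0.23 4625 user
2018-10-03T09:00:05 10.0.0.7 10.0.0.23 4624 user
2018-10-03T09:10:00 10.0.0.9 10.0.0.20 4625 jsmith
2018-10-03T10:30:00 10.0.0.9 10.0.0.20 4625 jsmith
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse(lines):
    """Yield (timestamp, src, dst, event_id, user); skip malformed lines."""
    for raw in lines.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, src, dst, event, user = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(event), user

def detect_smb_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src: (max_failures_in_window, distinct_targets, success_seen)}
    for sources whose failure burst reaches `threshold` within `window`."""
    failures, targets, success = defaultdict(list), defaultdict(set), defaultdict(bool)
    for ts, src, dst, event, _user in parse(lines):
        if event == 4625:
            failures[src].append(ts)
            targets[src].add(dst)
        elif event == 4624 and failures[src]:
            success[src] = True            # a guessed password worked
    alerts = {}
    for src, times in failures.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):    # sliding window over failure times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = (best, len(targets[src]), success[src])
    return alerts

# The three passwords quoted in the advisory; a real deny-list would hold the full ~150.
WEAK_PASSWORDS = {"123456", "cookie123", "dbpassword"}

def password_allowed(pw, min_len=12):
    """Policy check for SMB accounts: minimum length and not on the deny-list."""
    return len(pw) >= min_len and pw.lower() not in WEAK_PASSWORDS
```

The second host (10.0.0.9) has only two widely spaced failures and is not flagged, which is the distinction a detection rule needs to keep false positives down.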

General Info – Click Here