Operation GhostSecret Linked to Lazarus Group

What Is It?

Researchers from the McAfee Advanced Threat Research team have released a report regarding a new campaign from the Lazarus APT group (aka Hidden Cobra) and believed to have, at the very least, strong ties to North Korea.

The initial stage of this campaign, named Operation GhostSecret, occurred at the end of February 2018 and targeted the Turkish financial sector.

From March 18 to 26, researchers observed additional attacks on organizations in 17 countries, including the United States but mainly in the Asia-Pacific region. The attacks covered a broad range of industries including critical infrastructure, health care, telecommunications, entertainment, higher education and finance. The purpose of this campaign is the exfiltration of sensitive data and the infrastructure related to this attack is still operational at the time of publication.

Researchers found sections of code in the malware associated with these attacks which strongly resemble other Lazarus group related malware, including the Sony Pictures attack in 2014. The malware communicates with its command and control (C2) server using port 443. Despite utilizing the standard SSL port, the traffic uses a custom format, which has been seen in previous Lazarus group malware. The malware contains a list of IP addresses it will not accept connections from, all of which are associated with Indian ISPs. All expected functionality is present in the malware, including manipulation of files, wiping and deletion of files, executing commands on an infected system, exfiltrating data and files and gathering various system information.

The investigation has found the C2 servers are located in Thailand, as was the case for previous Lazarus group attacks. McAfee is working with the Thai government to have the servers taken down, but remaining intact so they can be forensically analyzed by law enforcement agencies.

How Does It Propagate?

The malware does not self propagate.

The initial infection vector is not currently publicly known, however previous Lazarus group attacks have leveraged spear phishing with malicious attachments or compromising remote access tools utilizing easily guessed or brute-forced passwords.

When/How Did BluVector Detect It?

Three samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected all three. Regression testing has shown the samples would have been detected an average of 30 months prior to their release.

All Threat Reports