Cryptocurrency thief Lazarus Group seems to be expanding into using ransomware as a way to steal from financial institutions & other targets in the Asia-Pacific (APAC) region, researchers have found.
Source code & Bitcoin transactions point to the malware, which was noted in March 2020, being the work of APT38, researchers at Trellix stated.
Financial transactions & similarities to previous malware in its source code link a recently emerged ransomware type called VHD to the N. Korean threat players, also known as Unit 180 or APT35.
Researchers at cyber-security firm Trellix has been tracking attacks on financial institutions from what they believe is N. Korea’s cyber army, which typically generate from Lazarus Group for the last few years.
Lazarus also seems to have been playing the ransomware game for at least a year, Trellix revealed in a blog post this week. Researchers found that Bitcoin transactions & connections to code from ransomware previously used by the group make it likely that VHD, which emerged in March 2020, is the work of APT38, they suggested.
Financial Attacks Raise Suspicion
A significant predecessor to linking Lazarus to VHD was an attempt by threat players in Feb. 2016 to transfer nearly US$1b through the SWIFT system towards recipients at other banks, according to the post by Trellix researcher Christian Beek.
“The investigation, performed by several US agencies, led to a N. Korean player, dubbed ‘Hidden Cobra,’” he wrote. “Ever since then, the group has been active, compromising numerous victims.”
Hidden Cobra, active since 2014, is believed to be the work of Lazarus Group. In 2017, the FBI warned that the group was targeting US businesses with malware & botnet-related attacks.
“Over time we have observed several methods N. Korea has used to gain money,” Beek wrote “Although not as frequently observed as other groups, there have also been attempts made to step into the world of ransomware.”
Trellix has followed N. Korean-linked actors’ attacks on financial institutions—such as global banks, blockchain providers & users from South Korea–over the last few years. Tactics used included spear-phishing emails as well as the use of fake mobile applications & companies, researchers noted.
“Since these attacks were predominantly observed targeting the APAC region with targets in Japan & Malaysia for example, we anticipate these attacks might have been executed to discover if ransomware is a valuable way of gaining income,” Beek wrote.
Knowing that ransomware has emerged a part of the toolkit of the N. Korean cyber army, Trellix researchers looked at the VHD code to find similarities that they believed pointed to reuse from previous ransomware, Beek wrote.
“Using those code blocks as a starting point, a hunt was started from March 2020 onwards to discover related families,” he wrote.
Researchers identified code from 4 ransomware families known to be used by North Korean threat players—BGEAF, PXJ, ZZZZ & CHiCHi–in the code of VHD.
Tflower & ChiChi
While the Tflower & ChiChi families share only generic-function code with VHD, “the ZZZZ ransomware is almost an exact clone of the Beaf ransomware family,” which has been linked to N. Korea, Beek wrote.
“Another observation is that the 4 letters of the ransomware ‘BEAF’ … are exactly the same 1st 4 bytes of the handshake of APT38’s tool known as Beefeater,” he added.
The use of the MATA framework in VHD—which has been used to spread the Tflower ransomware family—also links the VHD to Lazarus, as MATA has previously been linked to N. Korea, researchers explained.
Follow the Money
Researchers then investigated the various ransomware families they had linked to N. Korea, which all seemed to target specific entities in APAC regions, to try to find financial overlap between them.
They extracted the Bitcoin wallet addresses & started tracing & monitoring the transactions, though they did not find overlap in the wallets themselves, Beek wrote.
“We did find, however, that the paid ransom amounts were relatively small,” he wrote, linking a pattern between the ransomware families attributed to N. Korean players.
Transferred Multiple Times
A transaction of 2.2 Bitcoin in mid-2020 was worth around $US20,000 & was transferred multiple times through Dec. 2020, researchers found.
At that time, a transaction took place on a Bitcoin exchange to either cash out–as the value had roughly doubled–or exchange for a different & less traceable cryptocurrency, they outlined.
“We suspect the ransomware families … are part of more organised attacks,” Beek wrote. “Based on our research, combined intelligence, & observations of the smaller targeted ransomware attacks, Trellix attributes them to N. Korean hackers with high confidence.”