
More North Korean Malware Samples Added to VirusTotal

North Korea: The United States Cyber Command has issued a new malware alert pertaining to North Korea. The alert states that the command has uploaded new samples to VirusTotal that are used by North Korean actors. The command stated, “the malware samples are currently used for fund generation and malicious cyber activities including remote access, beaconing, and malware command by malicious cyber actors.” The names of the affected victims were not released, but the samples are known to have been used in attacks that targeted the finance industry, and more specifically the SWIFT messaging system used by banks internationally. Separately, the FBI issued a different alert about North Korean-linked malware that shared IOCs (Indicators of Compromise) with previously reported North Korean malware; the overlap was identified by researchers at Alyac. It was unclear whether the FBI release and the Cyber Command release were connected. The seven samples uploaded by the command include multiple backdoor builders, two backdoors, and two loaders. According to researchers at Cylance, the backdoors have different capabilities, including, but not limited to, capturing audio and downloading additional malware.

Analyst Notes

The exposure of this malware shows that North Korean threat actors are devoting more time to intelligence and espionage efforts rather than focusing solely on financial gain, as they have done in the past with attacks on the finance industry. Instead of accessing funds and quickly transferring them out, the group was seen remaining persistent in victim networks and downloading additional tools to collect more information. With sanctions in place against North Korea, these attacks are still used as a way to make money to fund the country's nuclear program, but the attacks being carried out appear to serve a dual purpose. The United States Cyber Command has more recently been making information such as malware samples public in an effort to enrich VirusTotal, an initiative it has maintained for about a year. The command does not release the names of victims or how it acquired the samples, but it is working to make the samples publicly available to help defenders. For more information about the malware that was uploaded, read here: https://www.cyberscoop.com/north-korea-malware-cyber-command-virus-total-apt38/