Cyber Command flags North Korean-linked hackers behind ongoing financial heists

The Department of Defense has once again called out North Korean hackers by exposing malware samples researchers say are linked to regime-backed financial heists, including past attacks on the interbank messaging system known as the Society for Worldwide Interbank Financial Telecommunication (SWIFT), CyberScoop has learned.

Cyber Command assessed that the malware, which it posted to the information sharing platform VirusTotal, is being used in ongoing cyberattacks aimed at the financial sector.

“These malware samples are currently used for fund generation and malicious cyber activities including remote access, beaconing, and malware command by malicious cyber actors,” the command said in a tweet.

The command did not name victims or describe the magnitude of the scheme.

It’s a rare statement from the Pentagon’s cyber-operations division on the intent and capabilities of adversary-linked malware in what appears to be an expansion of the command’s willingness and ability to discuss the intelligence behind its VirusTotal effort. The command, which launched the information sharing program last year as a way to thwart adversary hacking campaigns, normally declines to discuss the context around the malware it is posting, such as whether it is currently being used or what kinds of actors are using it in campaigns.

The alert comes just weeks after a meeting with North to discuss possible denuclearization with the U.S. in Stockholm failed to produce a deal, just the latest in a series of meetings where both the U.S. and North Korea have walked away without a resolution.

Privately, the FBI has also flagged North Korean-linked malware. The bureau’s Cyber Division issued an alert, obtained by CyberScoop, which details IOCs that have some overlap with North Korean IOCs previously detailed in research from South Korean cybersecurity firm Alyac. That research, posted in February 2018, detailed a North Korean hacking campaign targeting cryptocurrency exchange users.

The alert provided info on remote access trojans (RATs), command line tools, and a web shell, which could provide remote access to victim machines, downloading and uploading of files, and execution of arbitrary code.

It was not immediately clear if the FBI and Cyber Command announcement were linked.

The North Koreans are listening

In all, the Cyber Command upload includes seven samples, which Symantec’s Vikram Thakur described as “custom, complicated, [and] well written.” The upload includes backdoor builders, two backdoors, and two loaders, which inject a backdoor binary into memory to establish persistence on victim machines, multiple cyber researchers told CyberScoop.

Some of the RATs could allow hackers to record audio, BlackBerry Cylance Vice President of Research & Intelligence Josh Lemos told CyberScoop. The North Korean hackers can also use the backdoor to steal credentials, capture keystrokes, view browser history of victims, and operate a reverse shell, which enables the victim machine to communicate back with the attacking machine, Lemos said.

It is also possible that the backdoor downloads additional malware modules, according to Cylance researchers.

More broadly speaking, the exposure of this malware shows North Korean hackers dedicating time to intelligence-gathering and espionage even though they are typically more focused on plug and chug banking heists, Read said.

“Instead of simply obtaining accesses and moving to transfer funds as quickly as possible, APT38 is believed to operate more similarly to an espionage operation, carefully conducting reconnaissance within compromised financial institutions and balancing financially motivated objectives with learning about internal systems,” Read said.

Some of the samples similarly suggest the North Koreans have been trying to obfuscate their campaign. One of the backdoors, for instance, has the capability to update or uninstall itself, according to Lemos’ analysis.

Most of the samples resemble malware families that North Korean-linked hackers have been using for years, FireEye Senior Manager for Cyber Espionage Analysis Ben Read told CyberScoop.

For example, one of the samples is a variant of a backdoor North Korean government-linked hackers have used to targer SWIFT before, according to FireEye. FireEye dubs this backdoor “CHEESETRAY.”

FireEye also syas many of the samples are linked with a backdoor it calls “ROCKEYE” that gathers information on victim systems, downloads and runs files, and pilfers off data. That backdoor shares code with so-called “ROGUEEYE” malware that North Korean hackers have used in financially motivated intrusions, Read said.

Sean Lyngaas contributed reporting to this story.