
SEAsia and Korea remain main targets of Korean-speaking APT groups

An Android malware strain disguised as a mobile messenger or a cryptocurrency app that targets individual cryptocurrency traders and organizations; an infamous APT (Advanced Persistent Threat) group that keeps changing its tools to compromise banks; and a subgroup of Lazarus exploiting CVE-2017-10271 to infiltrate a cybersecurity vendor.

Different hacking groups target different organizations, but all of them are Korean-speaking actors operating in the Korean peninsula and in Southeast Asia. These and more findings come from Kaspersky’s APT Trends Report for Q3 2019.

KONNI and Korea’s cryptocurrency related business

Among the new activities monitored by Kaspersky researchers is Android malware camouflaged as a mobile messenger or as cryptocurrency-related applications.

After working closely with Korea’s local CERT to take down the attacker’s server, Kaspersky was able to investigate the new malware and to establish its relation to KONNI. KONNI is a Windows malware strain that has been used in the past to target a human rights organization and individuals with an interest in Korean Peninsula affairs.

KONNI is also known for targeting cryptocurrency: the Android variant implements full-featured remote control of an infected device and uses those capabilities to steal the victim’s cryptocurrency.


Stealthy BlueNoroff and banks in Southeast Asia

Kaspersky also observed BlueNoroff, the financially motivated arm of the infamous APT group Lazarus, infecting a bank in Myanmar during the third quarter of 2019.

Because the company promptly alerted the affected bank, researchers were able to obtain valuable information on how the attackers move laterally to reach high-value hosts, such as those used by the bank’s system engineers who interact with SWIFT.

Kaspersky’s investigation also uncovered the tactics BlueNoroff uses to evade detection, such as continuously changing its PowerShell scripts. The group also employs highly sophisticated malware that can run as a passive backdoor, an active backdoor, or a tunnelling tool, depending on its command-line parameters.

Andariel APT and South Korean security vendor

Another sub-group of Lazarus, the Andariel APT group, has been working to build new C2 infrastructure by compromising vulnerable WebLogic servers through CVE-2017-10271. The tactic proved effective: after a successful breach, the attackers implanted malware signed with a legitimate code-signing certificate belonging to a South Korean security software vendor. Thanks to the quick response of South Korea’s CERT, the abused certificate has been revoked.

Traditionally focused on geopolitical espionage and financial intelligence in South Korea, Andariel is also using a brand-new backdoor dubbed ApolloZeus. This complex and discreet backdoor uses a relatively large shellcode to make analysis difficult.


Based on Kaspersky’s investigation of the artifacts found, the group’s activity appears to be the early preparation stage of a new campaign.

“Targeted attacks against financial institutions combine sophisticated techniques – that were previously seen only in APT attacks – with typical criminal infrastructures used to launder the stolen goods. In Q3, we’ve seen advanced threat actors such as Andariel and Lazarus’ BlueNoroff arm attempting to breach not only banks, but investment companies and cryptocurrency exchanges, among others. We advise all companies in APAC to be vigilant and take precautions to guard against such attacks,” says Costin Raiu, Director of Global Research & Analysis Team at Kaspersky.

DADJOKE and geopolitical entities in Southeast Asia

Aside from the active Korean-speaking APT groups in Q3 2019, Kaspersky also observed a recent intelligence-gathering campaign in Southeast Asia using a piece of malware that FireEye refers to as DADJOKE.

Researchers monitored the use of this malware in a small number of campaigns at the beginning of the year against government, military, and diplomatic entities in the Southeast Asia region. The most recent known activity of this malware was detected on August 29 and involved a select few individuals working for a military organization.

“We have highlighted in our Q2 APT Report the increased attention Korean-focused APT campaigns have been giving towards different organizations and personalities in Southeast Asia and Korea. True to our prediction, we have monitored several malicious activities of Korean-speaking APT groups and new malware in both regions from July to September this year. Our observations suggest that most of them are intelligence-hungry, both for financial and geopolitical secrets,” comments Seongsu Park, senior security researcher at Kaspersky.
