North Korean Cyber Threat Groups Unleash New Malware Arsenal in 2024
On September 9, 2024, Palo Alto Networks' Unit 42 released a detailed threat assessment outlining the activities of various North Korean cyber threat groups operating under the Reconnaissance General Bureau (RGB). The report highlights how these state-sponsored groups have targeted industries across the globe, deploying custom malware across Windows, macOS, and Linux platforms. This article delves into the key findings, detailing the tools, techniques, and groups involved in recent campaigns.
Introduction
The Lazarus Group has often been used as an umbrella term for North Korean threat actors in public reports. However, the Unit 42 report clarifies that multiple distinct groups operate under the RGB, each with its own focus, ranging from financial theft to geopolitical disruption. Notable threat groups mentioned include:
- Alluring Pisces (APT38/Bluenoroff)
- Gleaming Pisces (Citrine Sleet)
- Jumpy Pisces (Andariel/Hidden Cobra)
- Selective Pisces (TEMP.Hermit/ZINC)
- Slow Pisces (TraderTraitor)
- Sparkling Pisces (Kimsuky)
These groups have been active for over a decade, with significant campaigns such as the Sony Pictures hack in 2014 and the WannaCry ransomware outbreak in 2017. More recently, their focus has shifted toward the cryptocurrency sector, supply chain attacks, and espionage.
Report Overview
The Unit 42 threat assessment identifies 10 distinct malware families actively used by North Korean groups, many of which target macOS, Linux, and Windows systems. Below are key examples:
- RustBucket (macOS): A backdoor that uses a multi-stage infection chain starting with an AppleScript file. The final payload, written in Rust, allows attackers to download and execute files and to self-terminate the malware.
- KANDYKORN (macOS): Follows a five-stage infection process that starts with a malicious ZIP file. Through reflective loading, it delivers the final payload, which is capable of data exfiltration and arbitrary command execution.
- SmoothOperator (macOS): Deployed via a trojanized version of the 3CX client application, SmoothOperator extracts sensitive data and executes follow-up payloads.
- OdicLoader (Linux): A downloader that uses a Unicode trick to masquerade as a PDF file. It was observed in the 2023 Operation DreamJob campaign.
- Comebacker (Windows): Distributed through malicious PyPI packages, Comebacker communicates with its C2 server, allowing attackers to exfiltrate data and execute payloads.
Insights and Analysis
The activities of these North Korean groups have significant geopolitical and financial implications. By targeting cryptocurrency exchanges, defense contractors, and critical infrastructure, these actors pose a persistent and evolving threat. Their ability to adapt malware to different platforms further complicates detection and prevention efforts.
The report also outlines several key defensive measures against these threat actors. Palo Alto Networks' Cortex XDR platform provides a multi-layered defense, detecting and preventing malware from groups like Alluring Pisces and Sparkling Pisces. Behavioural threat protection, combined with malware analysis and Advanced DNS Security, can help identify malicious activity before it causes damage.
North Korean cyber actors continue to be a formidable force, with their sophisticated malware arsenal posing risks to industries worldwide. For organizations looking to improve their defences:
- Providing user awareness training with an emphasis on self-reporting.
- Implementing behavioral analytics to detect unusual activity patterns.
- Deploying endpoint detection and response (EDR) solutions to prevent the execution of unknown malware.
- Regularly updating security configurations and conducting vulnerability assessments.
Indicators of Compromise (IOC)
MITRE ATT&CK Table
Tactic | Technique | ID | Description |
---|---|---|---|
Execution | User Execution | T1204 | RustBucket and OdicLoader use user execution to trick victims into running malware. |
Persistence | Boot or Logon Autostart Execution | T1547 | HLOADER uses persistence techniques by replacing or renaming applications like Discord. |
Defense Evasion | Masquerading | T1036 | OdicLoader masquerades as a PDF using Unicode to evade detection. |
Command and Control | Application Layer Protocol | T1071.001 | Comebacker uses HTTP for communication with its command and control server. |
Collection | Data from Local System | T1005 | SmoothOperator collects sensitive data from infected systems. |