One Article Review

Home - The article:
Source AlienVault Blog
Identifier 481023
Publication date 2018-02-15 14:00:00 (viewed: 2018-02-15 14:00:00)
Title North Korean Cyber-Attacks and Collateral Damage
Text WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions. Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK.

The Voice of Korea and the Rivts Virus

This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet.

A simple file-infector

We triage many millions of malicious files automatically every day in an effort to ensure our customers are covered from new threats. One malware family we regularly see, called Rivts by antivirus vendors, was originally created in 2009 but still continues to spread. Rivts is a file-infecting worm - it spreads across USB drives and hard drives, attaching itself to files to spread further. The new files we see every day are the result of new files being infected with the original worm from 2009 - not new developments by the attacker. Overall, it’s a fairly boring file infector (or “virus”). But there was one very strange thing that caught our eye.

North Korean Software

As part of its initial infection process, Rivts checks for the presence of system files normally found on Windows XP to infect first. But it seems to expect two pieces of uncommon software in the Windows System folder. Below are the details of these two files, nnr60.exe and hana80.exe: Whilst the DPRK is well known for developing its own Linux based operating system, and there is evidence of some DPRK hackers using
Sent Yes
Tags
Stories NotPetya Wannacry Yahoo APT 38


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.