North Korea’s Post-Infection Python Payloads

Throughout the past few months, several publications have written about a North Korean threat actor group’s use of NPM packages to deploy malware to developers and other unsuspecting victims. This blog post provides additional details regarding the second and third-stage malware in these attacks, which these publications have only covered in limited detail.

A few good sources that showcase the progression of the security community’s understanding of this attack workflow include:

Phlyum, which has been tracking this threat since last year
Palo Alto’s Unit 42, which provided additional information in November 2023
– A Medium post detailing a similar attack to the ones described above and in this blog post

Interestingly, it appears that the threat actors may have either moved to – or begun using in parallel – a series of Python scripts for this attack instead of solely delivering malicious DLLs (as observed by Phylum researchers in their original reports). This may be due to the added flexibility and speed of Python scripting, or it may simply be a result of the threat actors attempting to make their delivered tools and files appear more legitimate to users and investigators.

Read more “North Korea’s Post-Infection Python Payloads”

DPRK Targeting Researchers II: .Sys Payload and Registry Hunting

In an earlier post, this blog examined malware from a DPRK-affiliated campaign targeting security researchers. Since the initial public post about this activity from Google, multiple vendors have corroborated and supplemented the technical details in this attack.

Whereas the previous post examined a DLL file delivered via social engineering and VisualStudio, this post examines the inner-workings of a malicious .sys file likely delivered through a watering hole. In addition to reverse engineering, this post offers possible threat hunting avenues for identifying data associated with this file hidden in the registry of a compromised system.

For those purely interested in the hunting portion of this post (the malware reads, and likely executes, data from the registry), click here to skip ahead. As a disclaimer, the hunt workflow proposed is merely hypothetical, and should not be considered any sort of official security guidance.

(2/1 Update, Stage 2 can be found here)

Read more “DPRK Targeting Researchers II: .Sys Payload and Registry Hunting”

Another Lazarus Injector

Recently, a VirusTotal submitter uploaded a file that was digitally signed with the same certificate as two previously reported Lazarus tools. Like one of those tools, this newly uploaded malware appears to act as an injector, although it behaves significantly differently.

This blog post offers a brief analysis of the features and purpose of this injection tool, as well as a comparison with a previously identified injection tool that behaves significantly differently and likely serves a different operational purpose.

Update 20 October, 2019: A small section towards the bottom of this post has been updated to reflect this malware’s strong resemblance to a file described in a US-CERT Report in late 2018. The file in that report served as an injector for the FASTCash AIX malware. Given this file’s similarity, it is highly likely that this file is intended to perform a similar function, but on a Windows environment.

Read more “Another Lazarus Injector”

The Lazarus Injector

In May and June, two files were submitted to VirusTotal that were signed with the same digital certificate and were connected to the SWIFT-heist wing of the DPRK. One file is re-themed version of the fake resume creating tool used in the Redbanc and Pakistan attacks. The second file is a tool used to inject and run payloads inside of explorer.exe.

This brief post documents the capabilities of this second tool.

MD5: b9ad0cc2a2e0f513ce716cdf037da907
SHA1: 1a50a7ea5ca105df504c33af1c0329d36f03715b
SAH256: db0f102af2d350aa1a63772e6ee9b211d78aa962a34f75c8702e71ccd261243e

Read more “The Lazarus Injector”

OSINT Reporting Regarding DPRK and TA505 Overlap

Yesterday, at SAS2019, BAE Systems presented findings related to DPRK SWIFT heist activity that took place in 2018. As part of this research (a leaked video of the presentation is available online), BAE included two key points not previously disclosed in the public domain:

– The existence of a PowerShell backdoor attributable to DPRK, which the researchers dubbed PowerBrace
– A possible overlap between TA505 intrusions and DPRK intrusions, suggesting a possible hand-off between the two groups.

This blog will leave a full analysis of those two points and the supporting context to the people that found them, as it’s theirs to share; however, data that may support such conclusions have been available in open source for quite some time.

In early January, VNCert issued an alert regarding attacks targeting financial institutions, containing a mix of DPRK IOCs (including a keylogger referred to as PSLogger previously analyzed by this blog), TA505 IOCs (previously published by 360 TIC), and a handful of PowerShell scripts that are generally identical aside from a handful of configuration changes. Furthermore, the aforementioned keylogger was first uploaded by a submitter (fabd7a52) in Pakistan in December 2018. That same submitter acted as the first uploader for one of the PowerShell samples identified below (b88d4d72fdabfc040ac7fb768bf72dcd), further corroborating a possible link.

Given the multi-sourced reporting overlaps and the additional Pakistan findings mentioned above, this blog assesses that the PowerShell scripts in question likely belong to the same family of DPRK-attributable malware reported by BAE systems.

A listing of selected IOCs is below the fold, alongside a few brief notes (and a script) for how to analyze the PowerShell malware.

Read more “OSINT Reporting Regarding DPRK and TA505 Overlap”

A Lazarus Keylogger- PSLogger

This blog recently referenced a late July VNCert report containing file-based IOCs affiliated with attempted intrusions against financial organizations in Vietnam. Several contextual and technical characteristics of these files tie them to recent activity typically attributed to North Korean adversaries with a specific interest in the financial sector.

This post explores the technical characteristics of one of these files, a keylogging and screengrabbing utility. Two versions of this utility have appeared in-the-wild. The first is directly identified in the VNCert alert and is a DLL injected via a modified version of the open-source PowerSploit framework. The second is a standalone executable submitted to VirusTotal by a user in Pakistan (and possibly used in an intrusion in that region).

syschk.ps1 (Vietnam)

MD5: 26466867557f84dd4784845280da1f27
SHA1: ed7fcb9023d63cd9367a3a455ec94337bb48628a
SHA256: 791205487bae0ac814440573e992ba2ed259dca45c4e51874325a8a673fa5ef6

Syschk.ps1 contains three primary components: (1) A Base64 encoded DLL, (2) a Base64 encoded variant of PowerSploit’s Invoke-ReflectivePEInjection, and (3) a routine for decoding and executing these components. This script also contains references to “c:\windows\temp\TMP0389A.tmp” (noted in the previous post for its similarity to another DPRK file path and directory) and “c:\programdata\1.dat” as part of a “remove-item” cmdlet routine. The Base64 DLL can be copied, converted, and saved to another file for analysis.

Extracted DLL
MD5: d45931632ed9e11476325189ccb6b530
SHA1: 081d5bd155916f8a7236c1ea2148513c0c2c9a33
SHA256: efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

The extracted malware is designed for 64-bit operating systems and contains an export named “Process.” The malware has two primary functions: grabbing keystroke (and clipboard) data, and grabbing screen captures of the user’s desktop. At launch, the malware creates a file at “c:\windows\temp\TMP0389A.tmp” containing the directory that the malware will save files in.

Next, the file begins monitoring keystrokes. These are logged and saved to a hardcoded path (visible in plaintext) within the user’s “AppData\Local\Temp” directory under a folder named “GoogleChrome” in a file named “chromeupdater_pk.” The keylogging routine uses the GetKeyState and GetAsyncKeyState APIs and is not sophisticated, and logged keystroke and clipboard context is saved in plaintext.

The malware’s other functionality is to capture the desktop, compressing the images and saving them in the same directory. These files are saved with the filename format chromeupdater_ps_[timestamp]. Notably, the malware uses two open-source implementations to achieve this. To capture the desktop, it uses code likely derived from this example (or code from which that example was derived). To perform compression, the malware uses the XZip library, a derivation of the Info-Zip project. The combination of these characteristics is useful for identifying an additional variant of this malware.

Open-source screengrabbing implementation (left) and disassembled code graph (right).
Open-source XZip code implementation.

HSMBalance.exe

MD5 34404a3fb9804977c6ab86cb991fb130
SHA1 b345e6fae155bfaf79c67b38cf488bb17d5be56d
SHA256 c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

The open-source screengrabbing code used in the keylogger from the Vietnam incident is relatively uncommon: while a basic VirusTotal pivot on one of the more distinct strings from this code identifies dozens of additional files that use it, most belong to a benign screen-sharing package. On the other hand, the malicious files include the Vietnam keylogger and a second keylogger submitted by a user in Pakistan with strikingly similar static and dynamic properties (the hash of this file is listed above). A brief static analysis identifies the following strings:

CDisplayHandlesPool: GetDC failed
CDisplayHandlesPool: EnumDisplayMonitors failed
CreateBitmapFinal: GetDIBits failed
CaptureDesktop: CreateCompatibleDC failed
CaptureDesktop: CreateCompatibleBitmap failed
CaptureDesktop: SelectObject failed
CaptureDesktop: BitBlt failed
SpliceImages: CreateCompatibleDC failed
SpliceImages: CreateCompatibleBitmap failed
SpliceImages: SelectObject failed
SpliceImages: BitBlt failed
wild scan
more < 2
.zip
.zoo
.arc
.lzh
.arj
.tgz


As a triaging step, this strongly suggests the use of the same compression and screengrabbing libraries. In addition, there are several other string similarities:

Pakistan file:
%s%s
%s\tmp_%s
[%02d%02d-%02d:%02d:%02d]
[Num %d]
[ENTER]
[EX]
keycode = %ls keystatus = %d \n
%s\tmp_%s_%02d%02d_%02d%02d%02d
PSLogger.exe


Vietnam File:
%s\chromeupdater_pk
%s\chromeupdater_ps_%04d%02d%02d_%02d%02d%02d_%03d_%d
[%02d:%02d:%02d:%03d]
%s%s
[ENTER]
[EX]
[CTL]
PSLogger.dll


While some of these are not a 1:1 match, there are some clear similarities regarding the likely functionality of the file and the naming conventions. Notably, this “new” file also contains the same exported function name (“Process”) as the Vietnam DLL despite being an executable, suggesting that it may have been built using the same codebase. In addition, the file contains a reference to the same “TMP0389A.tmp” file and path as the Vietnam keylogger (though this is decoded at runtime). The combination of the shared strings, export, libraries (including XZip), and (as will be explored shortly) functionality strongly suggests that this file is likely attributable to the same threat actor.

Functionality

As mentioned, this file contains a decoding routine responsible for decrypting several strings, including:
“Downloads” – Appended to the user’s Appdata\Local\Temp path.
“c:\windows\temp\TMP0389A.tmp” – Intended to contain directory storing keylogs and screenshots.
“c:\windows\temp\tmp1105.tmp” – Unknown purpose

XOR decoding routines for several file paths within the malware

As with the Vietnam file, this file’s two core functions are screengrabbing (using the same library) and keylogging. Both files are stored at “Appdata\Local\Temp\Downloads.” Screenshots are generated as Bitmaps via CreateCompatibleBitmap, compressed, and saved in this directory as “tmp_[username][mmdd{time}]” (e.g. tmp_userA_0121_142748″). As additional screenshots are created, they are appended to the same file (although re-running the malware will create a new file). Kesystrokes (along with process data) are recorded in the same directory, under a file named “tmp_[user]” – unlike the Vietnam file, these keylogs are encrypted prior to storage.

While the malware author did take anti-analysis steps (including encoding several filepaths and keystroke logs), the malware as a whole remains generally unsophisticated.

Closing Thoughts

Neither variant of the malware is particularly sophisticated; in fact, key components of each rely on clunky implementations of open source tools and code (including screengrabbing, compression, and memory injection). This deficiency is most evident in the screenshot compression segment, in which new data is simply appended to an older file. A tool such as 7Zip cannot properly unpack every screenshot appended this way; instead, the adversary would need to manually carve these out (or write an additional tool to do so) given the fact that additional zip data is simply appended to the end of the file.

It is also worth noting that neither file contains a C2 mechanism, meaning that log files and compressed images would have to be extracted from the target device manually. This suggests that these tools are designed for post-compromise use, possibly on machines intended to be monitored for an extended period of time.


Recent Lazarus Tools

On 10 January 2019, Spanish-language media outlets reported an attempted intrusion into Redbanc, a Chilean interbank network. Components of the malware used in this attack share characteristics with toolsets typically attributed to North Korean adversaries, including tools possibly related to operations against other financially-affiliated entities in Vietnam. Furthermore, additional public data suggests with low confidence the possibility of similar activity taking place in Pakistan.

Redbanc Attack

Per the aforementioned Spanish-language media reporting, the attempted intrusion into Redbanc’s network occurred when an employee attempted to apply for a (fake) developer position via LinkedIn and was contacted by the adversary. After establishing a relationship with the developer, the adversary requested that the developer install a program named “ApplicationPDF.exe,” which allowed the adversary onto the network.

ApplicationPDF.exe

MD5: b484b0dff093f358897486b58266d069
SHA1: a20ef335481c2b3a942df1879fca7762f2c69704
SHA256: f12db45c32bda3108adb8ae7363c342fdd5f10342945b115d830701f95c54fa9
C2: ecombox[.]store

ApplicationPDF.exe is written in .NET and has two primary purposes:
1) The file presents a fake job application form to the user in which they can fill in personal details
2) At launch, the file contacts the C2 server to download and execute a PowerShell payload

The .NET dropper’s C2 and script execution routines

The mechanism for Workflow 2 (the malicious component) is simple: the application decodes a Base64 encoded string (the C2) and passes this variable and a file path variable (c:\users\public\Reg_Time.ps1) to a GET request. The response is written and executed to disk. While this would ordinarily prevent the payload from being examined via static or isolated analysis, an online sandbox report captured the file during its interactions with the C2. This .NET downloader also contains a hardcoded HTML-based version of the application, decoded and rendered once the user clicks through the initial presented form.

Reg_Time.ps1

Reg_Time.ps1 is a two-layer PowerShell script. The first layer contains an Base64 encoded block of encrypted text as well as a decoding function designed to decrypt this text:

First layer of Reg_Time.ps1

By using PowerShell’s “add-content” cmdlet, the decrypted content can be written to disk for analysis:

Decrypted contents of Reg_Time.ps1

Although a handful of logging lines and variables have changed slightly over time, this file largely matches the PowerSpritz family, publicly identified by Proofpoint in December 2017. The malware contains hardcoded paths for VBS and PS1 files along with a hardcoded C2. The malware accepts the following commands:

kagent – Interrupts the command routine

dagent – Deletes the malware from the disk, deletes any additional dropped scripts, and removes the log file

ok – Sleeps the malware before continuing to process commands

delay – Modifies the sleep interval

panel – Decrypts C2 response and then breaks into sub-commands: “Sdel” overwrites the bytes of a file,
“run” writes the contents of a command to the user’s en:temp path and then executes this via PowerShell before removing the written content, and if no sub command is specified, the malware writes a command to disk and executes it via cmd.exe

exagent – Removes the VBS and PS1 files. Comments within the code suggest that it should modify these files; however, this command contains no functionality to write new code.

ragent – Downloads and decypts the contents of an encoded executable file to a .ps1 file, then executes it.

In addition, the malware logs (in encrypted and then Base64-encoded form) certain status information to “c:\windows\temp\tmp0914.tmp.” It also sends device information (e.g. architecture, language, IP address, registry proxy settings, etc.) to the C2.

Vietnam VNCert Alert

In late July, VNCert reported IOCs affiliated with attempted intrusions against banking infrastructure in Vietnam.

The alert included two IP addresses (38.132.124[.]250, 89.249.65[.]220) as well as two files:
syschk.ps1
MD5: 26466867557f84dd4784845280da1f27
SHA1: ed7fcb9023d63cd9367a3a455ec94337bb48628a
SHA256: 791205487bae0ac814440573e992ba2ed259dca45c4e51874325a8a673fa5ef6

hs.exe
MD5: bda82f0d9e2cb7996d2eefdd1e5b41c4
SHA1: 9ff715209d99d2e74e64f9db894c114a8d13229a
SHA256: f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de

Of these two files, hs.exe is a well-known tool affiliated with previous suspected DPRK financial intrusions (solid technical and linguistic analysis of these two files is publicly available from BAE Systems here and here), strongly suggesting that DPRK-affiliated adversaries were also responsible for this Vietnam-centered activity.

Syschk.ps1, at face value, is an entirely different script from the one analyzed above: it decodes and reflectively injects a basic keylogging tool into memory (more details on this keylogger will be provided in a follow-up post); curiously, though, this script contains a variable named “$ProID” that is not as common as one might suspect. This variable triggers a YARA rule generated from the same Proofpoint December 2017 PowerSpritz reporting; while these would normally be low-confidence connections, the context and additional suspected DPRK-affiliated file help tie this malware and Vietnam-centered activity to both the Proofpoint reporting and the Redbanc attack.

As an additional datapoint, syschk.ps1 deletes a file via “remove-item” at “c:\windows\temp\TMP0389A.tmp” which is a similarly named file (at the same directory) as the logs created by the PowerSpritz file from the Redbanc intrusion.

Possible Activity in Pakistan

The keylogger identified by VNCert will be examined at greater detail in a subsequent post; however, it’s worth mentioning that the keylogger contains striking similarities to another file submitted publicly:

MD5: 34404a3fb9804977c6ab86cb991fb130
SHA1: b345e6fae155bfaf79c67b38cf488bb17d5be56d
SHA256: c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec

A VirusTotal comment from a reputable researcher suggests that this file has been used by the same adversary and has been “mainly spread in South Asia,” and the first submission for this file is a “community” tagged submission in Pakistan (suggesting it was uploaded manually). This file contains a reference to the same “c:\windows\temp\TMP0389A.tmp” filepath when run, contains similar (but not identical) strings, largely performs the same actions, and uses the same library for capturing the user’s desktop. Unfortunately, no public reporting has been identified that would tie this file to any known intrusion or intrusions.