Security researchers have discovered that several North Korean advanced persistent threat (APT) groups have been re-using an old malicious code in multiple attacks spanning across years.
This code reuse has enabled security experts at McAfee and Intezer, who analyzed this old code, to identify a trail of digital footprints that allowed them to trace their malicious activities back to North Korea.
“North Korean actors have left many of these clues in their wake and throughout the evolution of their malware arsenal. Together these puzzle pieces show the connections between the many attacks attributed to North Korea and categorize different tools used by specific teams of their cyber army,” researchers at McAfee and Intezer said in their joint report.
In its effort to establish itself as an independent and self-sufficient nation, North Korea has had to resort to underhanded efforts. This is primarily because of the numerous international sanctions imposed on North Korea. The reclusive nation first turned to money laundering, and eventually cyber crime, to earn foreign currency and turn a profit for its dwindling economy.
Over the past few years, North Korea has been blamed for numerous cyberattacks, including the Sony hack, the Bangladesh Bank heist, the WannaCry ransomware epidemic, as well as more recent attacks on cryptocurrency exchanges.
Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are all believed to be North Korea-linked APT groups, who have over the past decade, launched numerous espionage and financially-driven cyber attacks around the world.
Malware code reuse is fairly common in the cybercrime community - attackers often alter some part of their attack campaign to boost the scale of their attack when their campaign becomes less successful. The same is also applicable to North Korean APT groups.
“During our research, we found many malware family names that are believed to be associated with North Korea’s cyber operations,” the researchers said.
The examination of the malware code reuse not only revealed the use of a common or shared networking infrastructure, but also highlighted that a succession of campaigns conducted across the globe, over decades, was actually the work of the North Korean cyber army.
The malicious code was found re-used by malware variant as old as the 2009 Brambul - which is considered to be the oldest malware sample associated with Pyongyang.
"They improve all the time but when you look at the code, it has so much overlap with other attack campaigns: elements of the malware used in WannaCry was already used in past attacks," Christiaan Beek, lead scientist and senior principal engineer at McAfee told ZDNet.
A significant element of the WannaCry ransomware, the server message block (SMB) module, has been traced back to decade-old campaigns such as DeltaAlfa and Joanap. In other words, WannaCry, considered to be one of the most powerful ransomware attacks ever, was powered by an over 10-year-old code.
Different elements of the same old code were also found in DarkHotel, which is a long-term espionage campaign that targeted luxury hotels in Asia.
According to the security researchers, North Korean hackers’ penchant for code reuse enabled experts to trace the attackers’ activities and origins. However, the upside of code reuse is that it can be a time-saver and enable cybercriminals to churn out malicious payloads at much faster pace, using limited resources.
"What could take an experienced developer weeks or even months to create from scratch, can be pieced together, using existing code within a matter of hours or days. Code reuse is therefore, a routine occurrence; it directly saves programmers and hackers alike a lot of time, while guaranteeing the desired operational results," Jay Rosenberg, senior security researcher at Intezer told ZDNet.