North Korea's Hidden Cobra linked to new, complex GhostSecret cyberespionage campaign

Researchers have uncovered a new state-sponsored espionage campaign found targeting multiple industries in at least 17 countries including critical infrastructure, entertainment, finance, healthcare, and telecommunications. According to McAfee, the GhostSecret campaign employs multiple methods, tools, and malware variants linked to the North Korean Lazarus Group, also known Hidden Cobra.

McAfee researchers initially identified activities related to this campaign targeting Turkish financial institutions using the Bankshot implant in March 2018. Within just days, the global espionage campaign expanded to siphon data from multiple industries in other countries as well. Between March 14 and 18, researchers found the data reconnaissance implant in organizations across 17 countries.

Researchers noted that the campaign featured many similarities to indicators used in the infamous 2014 Sony Pictures hack.

"The campaign is extremely complicated, leveraging a number of implants to steal information from infected systems and is intricately designed to evade detection and deceive forensic investigators," researchers said. "The implants vary considerably and although they share some functionality and code, they are categorized as different families.

In mid-February, McAfee's Advanced Threat Research team discovered a previously unknown data-gathering implant that "appeared to be a derivative of implants authored before by Hidden Cobra and contains functionality similar to that of Bankshot, with code overlaps from other Hidden Cobra implants."

"When we compared the PE rich header data of the new February 2018 implant with a variant of the destructive Backdoor.Escad (Destover) from 2014 shortly before the Sony Pictures attack, we found the signatures to be identical," McAfee researchers said in a detailed analysis report. The Destover-style variant was found to be 83% similar in code to 2015 variant, featuring the same rich PE header signature as the Backdoor.Escad variant.

"We determined that the implant is not a direct copy of well-known previous samples of Destover; rather, Hidden Cobra created a new hybrid variant using functionality present in earlier versions," researchers said.

A second, previously unidentified implant called Proxysvc.dll was initially collected on 22 March, 2018, that has been operating in the wild from March 16 to 21 and primarily targeting higher education organizations. McAfee believes this component is part of a covert network of SSL listeners to gather data and install additional payloads or infrastructure.

Extensive investigation into the campaign's control server infrastructure also revealed some interesting connections. The server resides at Thammasat University in Bangkok, Thailand that has the same IP address as the one used in Hidden Cobra campaigns since the Sony hack. McAfee also stated that it is working with Thailand Government authorities to take down the control server infrastructure.

"The evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools. Our investigation uncovered an unknown infrastructure connected to recent operations with servers in India using an advanced implant to establish a covert network to gather data and launch further attacks," researchers said.