North Korea-linked Lazarus APT behind recent ActiveX attacks

June 12, 2018  By Pierluigi Paganini


North Korea-linked Lazarus APT group planted an ActiveX zero-day exploit on the website of a South Korean think tank focused on national security.

According to researchers at AlienVault, North Korea-linked hackers planted an ActiveX zero-day vulnerability on the website of a South Korean think tank focused on national security.

The experts attributed the attack to the notorious Lazarus APT group in attacks, they pointed out that ActiveX controls are usually disabled on most systems, but the South Korean government authorities demand citizens to enable them.

“Recently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.” reads the post published by Alien Vault.

“These attacks have been attributed to Lazarus, a group thought to be linked to North Korea.”

Of course, attackers that aimed at South Korean targets could leverage ActiveX controls in their attacks. Many attacks that abused these controls against South Korean targets were attributed to North Korean hackers.

Recently experts observed attacks where hackers leveraged  JavaScript code to deploy ActiveX exploit codes.

Initially, local media attributed the attacks to the Andariel gang, a gang that is considered part Lazarus APT group.

The investigation conducted by AlienVault pointed out the Lazarus APT as the threat actor that launched the attacks that abused the ActiveX controls.

The recent attacks featured a profiling script used to gather intelligence on the targets, this attack scheme was commonly used by threat actors including the Lazarus group.

The attackers also used scripts capable of gathering additional information from the potential targets and deliver the ActiveX exploit.

Lazarus APT

Simon Choi, the founder of the Cyber Warfare Intelligence Center and IssueMakersLab, published a tweet with some details of these scripts.

The expert suggests the initial reconnaissance scripts were deployed in January 2017, while script the malicious ActiveX controls were injected in late April 2018.

The reconnaissance script allows to identify the browser and operating system running on the target computer, it is based on the PinLady’s Plugin-Detect code. The malicious code is able to detect if Internet Explorer is running on a machine, then to check if ActiveX is enabled, as well as the plugins running from a specific list of ActiveX components.

“Whilst these malicious files have been taken down, a record of the same infection is preserved on urlscan. The malicious script is hidden at http://www.sejong[.]org/js/jquery-1.5.3.min.js.” continues the analysis.

“This script is similar to typical exploit kits – it identifies which browser and operating system the user is running. Much of the code is taken from PinLady’s Plugin-Detect. If a target is running Internet Explorer, it checks if it is enabled to run ActiveX, and what plugins are enabled from a specific list of ActiveX components”

One of the profiling scripts used in the last attacks sends data to a website that was used as a command and control (C&C) server by Lazarus APT malware in 2015.

Choi also shared the ActiveX exploit on Twitter, it was used by attackers to download malware from peaceind[.]co.kr.

“If successful, it downloads malware from: http://www.peaceind[.]co.kr/board/skin_poll/gallery/poll.php” continues Alien Vault.

“To a file named splwow32.exe. Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable.”

Experts noticed that the malicious code is a backdoor tracked as Akdoor that is designed to execute commands using Command Prompt.

Further details, including IoCs are reported in the analysis published by Alien Vault.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Lazarus APT, North Korea)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

VMware addresses a critical remote code execution vulnerability in AirWatch Agent

 VMware has found a critical remote code execution vulnerability in the AirWatch Agent applications for Android and Windows...