According to researchers at AlienVault, North Korea-linked hackers planted an ActiveX zero-day vulnerability on the website of a South Korean think tank focused on national security.
The experts attributed the attack to the notorious Lazarus APT group in attacks, they pointed out that ActiveX controls are usually disabled on most systems, but the South Korean government authorities demand citizens to enable them.
“Recently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.” reads the post published by Alien Vault.
Of course, attackers that aimed at South Korean targets could leverage ActiveX controls in their attacks. Many attacks that abused these controls against South Korean targets were attributed to North Korean hackers.
Initially, local media attributed the attacks to the Andariel gang, a gang that is considered part Lazarus APT group.
The investigation conducted by AlienVault pointed out the Lazarus APT as the threat actor that launched the attacks that abused the ActiveX controls.
The recent attacks featured a profiling script used to gather intelligence on the targets, this attack scheme was commonly used by threat actors including the Lazarus group.
The attackers also used scripts capable of gathering additional information from the potential targets and deliver the ActiveX exploit.
Simon Choi, the founder of the Cyber Warfare Intelligence Center and IssueMakersLab, published a tweet with some details of these scripts.
The expert suggests the initial reconnaissance scripts were deployed in January 2017, while script the malicious ActiveX controls were injected in late April 2018.
North Korea's Watering Hole Attack History (case, Sejong Institute) pic.twitter.com/E3mscFMyYd
— Simon Choi (@issuemakerslab) May 24, 2018
The reconnaissance script allows to identify the browser and operating system running on the target computer, it is based on the PinLady’s Plugin-Detect code. The malicious code is able to detect if Internet Explorer is running on a machine, then to check if ActiveX is enabled, as well as the plugins running from a specific list of ActiveX components.
“Whilst these malicious files have been taken down, a record of the same infection is preserved on urlscan. The malicious script is hidden at http://www.sejong[.]org/js/jquery-1.5.3.min.js.” continues the analysis.
“This script is similar to typical exploit kits – it identifies which browser and operating system the user is running. Much of the code is taken from PinLady’s Plugin-Detect. If a target is running Internet Explorer, it checks if it is enabled to run ActiveX, and what plugins are enabled from a specific list of ActiveX components”
One of the profiling scripts used in the last attacks sends data to a website that was used as a command and control (C&C) server by Lazarus APT malware in 2015.
Choi also shared the ActiveX exploit on Twitter, it was used by attackers to download malware from peaceind[.]co.kr.
“If successful, it downloads malware from: http://www.peaceind[.]co.kr/board/skin_poll/gallery/poll.php” continues Alien Vault.
“To a file named splwow32.exe. Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable.”
Experts noticed that the malicious code is a backdoor tracked as Akdoor that is designed to execute commands using Command Prompt.
Further details, including IoCs are reported in the analysis published by Alien Vault.
(Security Affairs – Lazarus APT, North Korea)