North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
White paper
Darien Huss
www.proofpoint.com
Table of Contents
EXECUTIVE SUMMARY ..... 3
OVERVIEW ..... 4
INTRODUCTION ..... 4
PowerRatankba Downloaders ..... 5
  Campaign Timeline ..... 5
  PowerSpritz ..... 6
  Windows Shortcut (LNK) ..... 8
  Microsoft Compiled HTML Help (CHM) ..... 9
  JavaScript Downloaders ..... 11
  VBScript Macro Microsoft Office Documents ..... 13
  Backdoored PyInstaller Applications ..... 15
Implant Description and Analysis ..... 18
  PowerRatankba Description ..... 18
  PowerRatankba.A C&C Description ..... 19
  PowerRatankba.B C&C Description ..... 20
  PowerRatankba Persistence ..... 20
  PowerRatankba.B Stage2 - Gh0st RAT ..... 21
  Gh0st RAT Purpose ..... 23
  Shopping Spree: Enter RatankbaPOS ..... 23
  RatankbaPOS Analysis ..... 23
  RatankbaPOS Targeted Region ..... 28
Attribution to Lazarus Group ..... 28
  Encryption ..... 28
  Obfuscation ..... 30
  Functionality ..... 30
  Code Overlap ..... 31
  Decoys ..... 32
  C&C ..... 32
CONCLUSION ..... 33
Research Contributions ..... 33
Indicators of Compromise (IOCs) ..... 34
ET and ETPRO Suricata/Snort Signatures ..... 37
North Korea Bitten by Bitcoin Bug
2
Executive Summary
With activity dating at least to 2009, the Lazarus Group has consistently ranked among the most disruptive, successful,
and far-reaching nation-state sponsored actors. The March 20, 2013 attack in South Korea, the Sony Pictures hack in 2014,
the successful theft of $81 million from the Bangladesh Bank in 2014, and perhaps most …
IoC