North Korean Cyber-Attacks and Collateral Damage
WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars.
There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn’t the only ‘collateral damage’ caused by the DPRK’s cyber actions.
Below we disclose new details on three attacks that have spread out of control. Two likely originating from the DPRK - and one targeting the DPRK.
The Voice of Korea and the Rivts Virus
This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet.
A simple file-infector
We triage many millions of malicious files automatically every day in an effort to ensure our customers are covered from …
IoC
344D3EC0D84D2853E416C664DD577F44
3844EC6EC70347913BD1156F8CD159B8
4B584695BA08E680452BE6016886637A
78D3C8705F8BAF7D34E6A6737D1CFA18
F024FF4176F0036F97EBC95DECFD1D5E
FF4721E6EDAD7D3BEC8E0C4D4A8C1D26
FFFA05401511AD2A89283C52D0C86472
http://a-gwas-01.dyndns.org
http://a-gwas-01.slyip.net
http://a.gwas.perl.sh
http://kcna.kp
http://vok.rep.kp
http://www.vok.rep.kp/CBC/CBC_download/HMSPlayer.exe
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_brambul.at
rule rivts_pdb {
    meta:
        description = "Detects Rivts based on PDB folder"
        author = "[email protected]"
        tlp = "white"
        license = "MIT License"
    strings:
        // Backslashes must be escaped inside a YARA text string, otherwise
        // "\m" is an invalid escape and "\"" swallows the closing quote.
        $m = "F:\\meWork\\" nocase wide ascii
    condition:
        uint16(0) == 0x5a4d and any of them
}
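To make the rule's logic concrete, here is an added Python equivalent (not code from the original post) that applies the same two checks as rivts_pdb without a YARA install: the file must start with the little-endian MZ magic (uint16(0) == 0x5a4d), and the PDB folder string must appear either as plain ASCII or as UTF-16LE ("wide"), ignoring letter case ("nocase"). It also looks the file's MD5 up in the IoC list above, so the two detection styles can be compared side by side. The sample byte strings are constructed here purely to exercise the checks and are not real Rivts files; because they are constructed, the hash lookup never fires for them, which is the point: a hash IoC only catches the exact sample, while the PDB-path string also catches recompiled variants.

```python
import hashlib
import re

# MD5 hashes from the IoC list above (Rivts samples), normalised to lowercase.
RIVTS_MD5 = {
    "344d3ec0d84d2853e416c664dd577f44",
    "3844ec6ec70347913bd1156f8cd159b8",
    "4b584695ba08e680452be6016886637a",
    "78d3c8705f8baf7d34e6a6737d1cfa18",
    "f024ff4176f0036f97ebc95decfd1d5e",
    "ff4721e6edad7d3bec8e0c4d4a8c1d26",
    "fffa05401511ad2a89283c52d0c86472",
}

# The PDB folder string from the YARA rule: F:\meWork\
PDB_FOLDER = b"F:\\meWork\\"


def _nocase_pattern(needle: bytes, wide: bool) -> "re.Pattern[bytes]":
    """Build a case-insensitive byte regex; 'wide' means UTF-16LE as in YARA."""
    encoded = needle.decode("latin-1").encode("utf-16-le") if wide else needle
    # re.IGNORECASE on a bytes pattern folds ASCII letters only, which is the
    # same thing YARA's nocase does for an ASCII text string. For the wide
    # form every letter is followed by a NUL byte, and the NULs match literally.
    return re.compile(re.escape(encoded), re.IGNORECASE)


ASCII_RE = _nocase_pattern(PDB_FOLDER, wide=False)
WIDE_RE = _nocase_pattern(PDB_FOLDER, wide=True)


def matches_rivts_pdb(data: bytes) -> bool:
    """Equivalent of the rivts_pdb rule: MZ header and the PDB folder string."""
    # uint16(0) == 0x5a4d reads the first two bytes little-endian: 0x4d 0x5a = "MZ".
    if len(data) < 2 or data[:2] != b"MZ":
        return False
    return bool(ASCII_RE.search(data) or WIDE_RE.search(data))


def md5_hit(data: bytes) -> bool:
    """Exact-match lookup against the published MD5 IoCs."""
    return hashlib.md5(data).hexdigest() in RIVTS_MD5


def triage(name: str, data: bytes) -> dict:
    """Run both checks on one file and return a small verdict record."""
    return {
        "name": name,
        "md5": hashlib.md5(data).hexdigest(),
        "hash_hit": md5_hit(data),
        "pdb_hit": matches_rivts_pdb(data),
    }


# Constructed test inputs (not real samples): a minimal MZ prefix followed by
# padding and a PDB-style path in different encodings and cases.
_MZ_PREFIX = b"MZ" + b"\x00" * 62
SAMPLES = {
    # Uppercase ASCII path: only matches because of nocase.
    "ascii_upper": _MZ_PREFIX + b"junk" + b"F:\\MEWORK\\rivts.pdb" + b"\x00" * 8,
    # Lowercase UTF-16LE path: only matches because of wide + nocase.
    "wide_lower": _MZ_PREFIX + "f:\\mework\\rivts.pdb".encode("utf-16-le"),
    # Correct string but no MZ header: the PE-magic check must reject it.
    "no_mz": b"\x7fELF" + b"F:\\meWork\\rivts.pdb",
    # Valid PE prefix but an unrelated PDB folder: must not match.
    "other_pdb": _MZ_PREFIX + b"C:\\build\\release\\app.pdb",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage(name, blob))
```

Running it shows pdb_hit true for the two encoded variants and false for the two negatives, while hash_hit stays false for all four constructed inputs. To use the checks on real files, read each file in binary mode and pass the bytes to triage(); the MZ test keeps the regex search from running over non-PE content.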