Chris Swagler | May 10th, 2022

Numerous ransomware strains have been connected to APT38, a North Korean state-sponsored threat group known for targeting and stealing funds from global financial institutions and other targets in the Asia-Pacific (APAC) region. In the final stage of its attacks, APT38 deploys destructive malware on victims’ networks to destroy any traces of its activity. Threat research indicates that the group’s operators, who are part of Unit 180 of North Korea’s cyber army, Bureau 121, used the Beaf, PXJ, ZZZZ, and ChiChi ransomware families to extort their victims. Code and artifact similarity analysis of VHD ransomware revealed connections to APT38, just as TFlower ransomware had been connected to the North Korean Lazarus APT group. Researchers made the connection after detecting both strains being installed on victims’ networks through the cross-platform MATA malware framework, a malicious tool used only by Lazarus operators.

Visualizing the code with Hilbert curve mapping shows that PXJ, Beaf, and ZZZZ share a significant amount of source code and functionality with VHD and TFlower ransomware. Beaf and ZZZZ are almost exact clones of each other; their visualizations are nearly identical. Compared to VHD, both TFlower and ChiChi are drastically different. Even though ChiChi’s codebase has few commonalities with the others, both ChiChi and ZZZZ used the Semenov[.]akkim@protonmail[.]com email address in their ransom notes. Attacks using these ransomware families mainly targeted entities in Asia-Pacific (APAC), and because there were no negotiation chats or leak sites to examine, identifying the victims was difficult. A researcher analyzed the cryptocurrency transfers behind ransom payments in an attempt to find more connections but found no overlap in the wallets used to collect ransoms.
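The Hilbert curve mapping mentioned above works by walking a file byte by byte along a space-filling curve, so that bytes that are close in the file land in neighbouring cells of a square image; two samples that share large code regions then produce visibly similar pictures. The following is an added illustration of that idea, not code from the report or from any of the vendors it cites. The three-way byte-class scheme (NUL, printable ASCII, other), the cell-agreement score and the sample buffers are assumptions constructed here; the curve mapping itself is the standard d2xy algorithm.

```python
"""Hilbert-curve byte-class mapping of two buffers plus a cell-wise similarity score.

Added illustration, not code from the report or from any vendor it cites. The
byte-class scheme and the sample buffers below are constructed assumptions.
"""


def rot(n, x, y, rx, ry):
    """Rotate/flip a quadrant so consecutive sub-curves join end to end."""
    if ry == 0:
        if rx == 1:
            x = n - 1 - x
            y = n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n, d):
    """Map offset d along the Hilbert curve filling an n x n grid (n a power of two) to (x, y)."""
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def byte_class(b):
    """Coarse byte class: 0 = NUL, 1 = printable ASCII, 2 = anything else (assumed scheme)."""
    if b == 0:
        return 0
    if 0x20 <= b < 0x7F:
        return 1
    return 2


def grid_side(length):
    """Smallest power-of-two side whose square holds `length` bytes."""
    n = 1
    while n * n < length:
        n *= 2
    return n


def hilbert_grid(data, n):
    """Place byte classes on an n x n grid along the Hilbert curve; -1 marks cells past EOF."""
    grid = [[-1] * n for _ in range(n)]
    for d, b in enumerate(data):
        x, y = d2xy(n, d)
        grid[y][x] = byte_class(b)
    return grid


def compare(a, b):
    """Fraction of populated cells whose byte class agrees between two buffers.

    Cells that are past EOF in both buffers carry no information and are skipped,
    otherwise a short file padded into a large grid would look similar to anything.
    """
    n = grid_side(max(len(a), len(b)))
    ga, gb = hilbert_grid(a, n), hilbert_grid(b, n)
    populated = same = 0
    for y in range(n):
        for x in range(n):
            if ga[y][x] == -1 and gb[y][x] == -1:
                continue
            populated += 1
            same += ga[y][x] == gb[y][x]
    return same / populated


def render(grid):
    """ASCII rendering: '.' NUL, 'a' printable, '#' other, ' ' past EOF."""
    glyph = {-1: " ", 0: ".", 1: "a", 2: "#"}
    return "\n".join("".join(glyph[c] for c in row) for row in grid)


# Constructed sample buffers (not real malware): a base image, a variant with one
# 39-byte region overwritten, and an unrelated pseudo-random buffer of equal length.
SAMPLE_A = b"\x00" * 64 + b"This program cannot be run in DOS mode." + bytes(range(256)) * 2 + b"\x00" * 100
SAMPLE_A_PATCHED = SAMPLE_A[:64] + b"\x90" * 39 + SAMPLE_A[103:]
SAMPLE_B = bytes((i * 37 + 11) % 256 for i in range(len(SAMPLE_A)))


if __name__ == "__main__":
    n = grid_side(len(SAMPLE_A))
    print(render(hilbert_grid(SAMPLE_A, n)))
    print("A vs patched A:", round(compare(SAMPLE_A, SAMPLE_A_PATCHED), 3))
    print("A vs unrelated B:", round(compare(SAMPLE_A, SAMPLE_B), 3))
```

Running the module renders the base buffer as a 32 x 32 character picture and prints the two scores: the patched variant agrees with the original on about 95 % of populated cells, the unrelated buffer on well under half. In practice the picture is what an analyst looks at, and the score is only a rough triage aid: samples that are packed or encrypted will differ in every cell regardless of shared source, so this kind of comparison belongs after unpacking, alongside function-level similarity tooling.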

According to a researcher, a February 2016 attempt by threat actors to transfer roughly US$1 billion through the SWIFT system to recipients at other banks was a significant precursor to linking Lazarus to VHD. Numerous US agencies investigated, and the activity was attributed to a North Korean actor named “Hidden Cobra”. The group has been active since then, compromising several victims. Lazarus Group is thought to be behind Hidden Cobra, which has been active since 2014. In 2017, the FBI warned that the group was targeting US companies with malware- and botnet-related attacks.

A cybersecurity company has tracked attacks by North Korean-linked actors over recent years on financial institutions, including global banks, blockchain providers, and South Korean users. Researchers highlighted that spear-phishing emails, fake mobile applications, and fake companies were employed. Because the attacks were mostly observed targeting the APAC region, the researchers suspect they were executed to test whether ransomware is a valuable source of income.

Researchers investigated numerous ransomware families connected to North Korea, all of which seemed to target certain entities in APAC regions, attempting to locate financial overlap between them. They took the Bitcoin wallet addresses and began tracking and monitoring the transactions; however, no overlap was found in the wallets themselves. The researchers did notice that the paid ransom amounts were small and attempted to find a pattern linking the ransomware families connected to North Korean threat actors. They discovered a transaction of 2.2 Bitcoin, worth around US$20,000, that was transferred several times. The transaction occurred on a Bitcoin exchange, either to cash out because the value had doubled or to exchange it for a different, less traceable cryptocurrency. The researchers suspect the ransomware families are part of more organized attacks. Based on their research, combined intelligence, and observation of smaller ransomware attacks, the researchers attributed them to North Korean threat operators.

With the sudden emergence of new ransomware groups connected to known hacking groups, it’s crucial for high-profile companies to remain vigilant about the current threat landscape and regularly update their data network security infrastructure. At SpearTip, our advisory services allow our certified engineers to examine companies’ security posture from the top down to address the weak points in their network. Our team engages the companies’ people, processes, and technology to measure the maturity of the technical environment. For any vulnerability SpearTip uncovers, our experts provide technical roadmaps to ensure companies have the awareness and support to optimize their overall cyber security posture. We provide customized assessment reports for our client risk assessments. Every client risk assessment is designed to uncover gaps in security and is accompanied by a technical summary complete with an individualized risk report detailing the necessary steps to remediate the gaps.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.