VHD Ransomware Linked to North Korea’s Lazarus Group

Source code and Bitcoin transactions point to the malware, which emerged in March 2020, being the work of APT38, researchers at Trellix said.

Cryptocurrency thief Lazarus Group appears to be widening its scope into using ransomware as a way to rip off financial institutions and other targets in the Asia-Pacific (APAC) region, researchers have found.

Financial transactions and similarities to previous malware in its source code link a recently emerged ransomware strain called VHD to the North Korean threat actors, also known as Unit 180 or APT35.

Researchers at cybersecurity firm Trellix have been tracking attacks on financial institutions from what they believe is North Korea’s cyber army—which typically originate from Lazarus Group—for the last few years. The group is perhaps best known for its deftness at ripping off the cryptocurrency market through money-laundering schemes to raise money for the North Korean government.

However, Lazarus also appears to have been playing the ransomware game for at least a year, Trellix revealed in a blog post this week. Researchers found that Bitcoin transactions and connections to code from ransomware previously used by the group make it likely that VHD, which emerged in March 2020, is the work of APT38, they said.

Financial Attacks Raise Suspicion

A significant precursor to linking Lazarus to VHD was an attempt by threat actors in February 2016 to transfer nearly US$1 billion through the SWIFT system towards recipients at other banks, according to the post by Trellix researcher Christian Beek.

“The investigation, performed by several U.S. agencies, led to a North Korean actor, dubbed ‘Hidden Cobra,'” he wrote. “Ever since then, the group has been active, compromising numerous victims.”

Hidden Cobra, active since 2014, is believed to be the work of Lazarus Group. In 2017, the FBI warned that the group was targeting U.S. businesses with malware- and botnet-related attacks.

“Over time we have observed several methods North Korea has used to gain money,” Beek wrote. “Although not as frequently observed as other groups, there have also been attempts made to step into the world of ransomware.”

Trellix has followed North Korean-linked actors’ attacks on financial institutions (such as global banks, blockchain providers and users from South Korea) over the last few years. Tactics used included spear-phishing emails as well as the use of fake mobile applications and companies, researchers noted.

“Since these attacks were predominantly observed targeting the APAC region with targets in Japan and Malaysia for example, we anticipate these attacks might have been executed to discover if ransomware is a valuable way of gaining income,” Beek wrote.

Code Links

Knowing that ransomware has emerged as part of the toolkit of the North Korean cyber army, Trellix researchers peered under the hood of the VHD code to find similarities that they believed pointed to reuse from previous ransomware, Beek wrote.

“Using those [code] blocks as a starting point, a hunt was started from March 2020 onwards to discover related families,” he wrote.

Researchers identified code from four ransomware families known to be used by North Korean threat actors (BGEAF, PXJ, ZZZZ and CHiCHi) in the code of VHD.

While the Tflower and ChiChi families share only generic-function code with VHD, “the ZZZZ ransomware is almost an exact clone of the Beaf ransomware family,” which has been linked to North Korea, Beek wrote.

“Another observation is that the four letters of the ransomware ‘BEAF’ … are exactly the same first four bytes of the handshake of APT38’s tool known as Beefeater,” he added.

The use of the MATA framework in VHD—which has been used to spread the Tflower ransomware family—also links the VHD to Lazarus, as MATA has previously been linked to North Korea, researchers said.

Following the Money

Researchers then investigated the various ransomware families they’d linked to North Korea, which all seemed to target specific entities in APAC regions, to try to find financial overlap between them.

They extracted the Bitcoin wallet addresses and started tracing and monitoring the transactions, though they did not find overlap in the wallets themselves, Beek wrote.

“We did find, however, that the paid ransom amounts were relatively small,” he wrote, linking a pattern between the ransomware families attributed to North Korean actors.

For example, a transaction of 2.2 Bitcoin in mid-2020 was worth around $US20,00 and was transferred multiple times through December 2020, researchers found. At that time, a transaction took place on a Bitcoin exchange to either cash out–as the value had roughly doubled–or exchange for a different and less traceable cryptocurrency, they said.

“We suspect the ransomware families … are part of more organized attacks,” Beek wrote. “Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to [North Korean] hackers with high confidence.”
