Canadian organizations have been used as part of a suspected North Korean-backed global network of hacked firms to relay malware that infiltrates and gathers data from a wide range of industries, says a report from McAfee.
The report, issued last week, unveils a campaign the company calls Operation GhostSecret, whose implants, tools and malware variants are associated with the state-sponsored cyber group Hidden Cobra. The U.S. government says Hidden Cobra is run by North Korea.
Ryan Sherstobitoff, McAfee Labs’ senior analyst for major cyber campaigns, said in an interview the command and control (C2) implant found in a “small number” of Canadian organizations has been dubbed Proxysvc. This previously undocumented implant was also found on servers in 10 other countries including the U.S., Germany, the U.K., Bangladesh, Belgium, Brazil, France, Guatemala, Thailand and Turkey.
He wouldn’t identify which Canadian organizations had been hit by Proxysvc, but the report said most victims were in the higher education sector.
“Targeted intentions at this point are unknown,” Sherstobitoff said. “Once we analyze C2 infrastructure a bit more we’ll have further insight into whether these targets in Canada were intentionally targeted for surveillance or simply a relay point.”
What these command and control points have been doing is spreading a new information-gathering malware on targets which resembles parts of the Destover malware used in the devastating 2014 attack on Sony Pictures, McAfee said.
As part of Operation GhostSecret, McAfee said that “it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017.”
That Destover-like malware was found on computer systems in 17 countries, mainly in Thailand, but also in the U.S., Japan, India, China, Australia and Russia. It was not found in Canada.
So far, this mysterious malware seems only to be doing reconnaissance on victims’ systems, reading directories and files and looking for ones of interest. “This may very well be a first stage payload which is used to gather initial information,” said Sherstobitoff. The McAfee report said it includes a wide variety of capabilities, including data exfiltration and arbitrary command execution on the victim’s system, such as wiping a drive.
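The reconnaissance behaviour described above (a process walking many directories in a short time) is something a detection team can look for in endpoint file-audit telemetry. The following is an added illustration written for this article, not code from McAfee or from the report; it assumes a hypothetical pipe-delimited audit format (timestamp|host|pid|image|operation|path) and uses constructed sample lines, flagging any process that enumerates at least a threshold number of distinct directories inside a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in the assumed format:
#   timestamp|host|pid|image|operation|path
# The process names, paths and hostname are invented for this illustration.
SAMPLE_AUDIT = [
    "2018-04-26T10:00:01|ws-17|4120|C:\\Windows\\explorer.exe|DIR_LIST|C:\\Users\\alice\\Documents",
    "2018-04-26T10:00:02|ws-17|4120|C:\\Windows\\explorer.exe|FILE_READ|C:\\Users\\alice\\Documents\\notes.txt",
    "2018-04-26T10:00:05|ws-17|4120|C:\\Windows\\explorer.exe|DIR_LIST|C:\\Users\\alice\\Downloads",
    # A backup agent that lists a few directories, but spread over several minutes.
    "2018-04-26T10:01:00|ws-17|2204|C:\\Program Files\\Backup\\agent.exe|DIR_LIST|D:\\Share\\Projects",
    "2018-04-26T10:04:00|ws-17|2204|C:\\Program Files\\Backup\\agent.exe|DIR_LIST|D:\\Share\\Finance",
    "2018-04-26T10:07:00|ws-17|2204|C:\\Program Files\\Backup\\agent.exe|DIR_LIST|D:\\Share\\HR",
    # An unknown binary that walks six distinct directories within five seconds.
    "2018-04-26T10:03:10|ws-17|7788|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|DIR_LIST|C:\\Users\\alice",
    "2018-04-26T10:03:11|ws-17|7788|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|DIR_LIST|C:\\Users\\alice\\Documents",
    "2018-04-26T10:03:11|ws-17|7788|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|FILE_READ|C:\\Users\\alice\\Documents\\budget.xlsx",
    "2018-04-26T10:03:12|ws-17|7788|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|DIR_LIST|C:\\Users\\alice\\Desktop",
    "2018-04-26T10:03:13|ws-17|7788|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|DIR_LIST|C:\\Users\\alice\\Downloads",
    "2018-04-26T10:03:14|ws-17|7788|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|DIR_LIST|D:\\Share\\Projects",
    "2018-04-26T10:03:15|ws-17|7788|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|DIR_LIST|D:\\Share\\Finance",
]


def parse_line(line):
    """Split one audit record into a dict; the format is the assumed one above."""
    ts, host, pid, image, op, path = line.split("|", 5)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "pid": int(pid),
        "image": image,
        "op": op,
        "path": path,
    }


def find_enumeration_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return one alert per process whose DIR_LIST events cover at least
    `threshold` distinct directories within any `window`-long interval."""
    by_proc = defaultdict(list)
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["op"] == "DIR_LIST":
            by_proc[(ev["host"], ev["pid"], ev["image"])].append(ev)

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        start = 0
        # Sliding window over the time-ordered events for this process.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["path"] for e in evs[start:end + 1]}
            best = max(best, len(distinct))
        if best >= threshold:
            alerts.append({
                "host": host,
                "pid": pid,
                "image": image,
                "distinct_dirs": best,
                "first": evs[0]["ts"],
                "last": evs[-1]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration_bursts(SAMPLE_AUDIT):
        print(f"{alert['host']} pid={alert['pid']} {alert['image']}: "
              f"{alert['distinct_dirs']} directories listed between "
              f"{alert['first'].time()} and {alert['last'].time()}")
```

With the constructed data, only the process running from the user's Temp directory trips the rule: Explorer lists two directories and the backup agent spreads its listings across minutes, so neither reaches five distinct directories inside a 60-second window. The threshold and window are tuning knobs; in practice they would be set from a baseline of normal enumeration on the fleet, and the alert would be enriched with the image's signing status and prevalence before anyone acts on it.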
And while initial infections may have come from a range of attacks including spear phishing, “these are not accidental operations,” he said. “These entities were either targeted for command and control hosting, or targeted for data reconnaissance, data gathering.”
“This is not common, run-of-the-mill malware. It doesn’t get hosted on sites for drive-by download. It’s something uniquely created by this advanced threat actor and used specifically in targets of their choice.”
Among the techniques used in Operation GhostSecret are custom SSL certificates transmitted over TLS (therefore called FakeTLS) in implants found in a Destover backdoor variant known as Escad. This was also used in the Sony Pictures attack.
Interestingly, Sherstobitoff said, in March McAfee released a report on a campaign attributed to Hidden Cobra because malware similar to that the gang uses had surfaced in the Turkish financial system. But despite that publicity the GhostSecret operation carried on, he pointed out.
According to ThreatPost, a day after last week’s McAfee report on GhostSecret was published Thailand’s Computer Emergency Response Team (ThaiCERT) said that — working with McAfee and local police — it had seized a server in that country which was used to control the global GhostSecret espionage campaign.
For now, to prevent initial infections, CISOs and infosec teams have to practise basic hygiene, including ensuring that all software is patched and that employee security awareness training is held regularly.