Canadian organizations victimized, part of global malware relay network

Canadian organizations have been used as part of a suspected North Korean-backed global network of hacked firms to relay malware that infiltrates and gathers data from a wide range of industries, says a report from McAfee.

The report, issued last week, unveils a campaign the company calls Operation GhostSecret, whose implants, tools and malware variants are associated with the state-sponsored cyber group Hidden Cobra. The U.S. government says Hidden Cobra is run by North Korea.

Ryan Sherstobitoff, McAfee Lab’s senior analyst for major cyber campaigns, said in an interview the command and control (C2) implant found in a “small number” of Canadian organizations has been dubbed Proxysvc. This previously undocumented implant was also found on servers in 10 other countries including the U.S., Germany, the U.K., Bangladesh, Belgium, Brazil, France, Guatemala, Thailand and Turkey.

He wouldn’t identify which Canadian organizations had been hit by Proxysvc, but the report said most victims were in the higher education sector.

“Targeted intentions at this point are unknown, Sherstobitoff said. “Once we analyze C2 infrastructure a bit more we’ll have further insight into if these targets in Canada were intentionally targeted for surveillance or simply a relay point.”

What these command and control points have been doing is spreading a new information-gathering malware on targets which resembles parts of the Destover malware used in the devastating 2014 attack on Sony Pictures, McAfee said.

As part of Operation GhostSecret, McAfee said that “it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017.”

That Destover-like malware was found on computer systems in 17 countries, mainly in Thailand, but also in the U.S., Japan, India, China, Australia and Russia. It was not found in Canada.

This mysterious malware that, so far, just seems to be doing reconnaissance on victims systems – reading directories and files, looking for this of interest. “This may very well be a first stage payload which is used to gather initial information,” said Sherstobitoff. The McAfee report said it includes a wide variety of capabilities including data exfiltration and arbitrary command execution on the victim’s system – such as wiping a drive.

And while initial infections may have come from a range of attacks including spear phishing, “these are not accidental operations,” he said. “These entities were either targeted for command and control hosting, or targeted for data reconnaissance, data gathering.”

“This is not common, run-of-the-mill malware. It doesn’t get hosted on sites for drive-by download. It’s something uniquely created by this advanced threat actor and used specifically in targets of their choice.”

Among the techniques used in Operation GhostSecret are custom SSL certificates transmitted over TLS (therefore called FakeTLS) in implants found in a Destover backdoor variant known as Escad. This was also used in the Sony Pictures attack.

Interestingly, Sherstobitoff said, in March McAfee released a report on a campaign attributed to Hidden Cobra because malware similar to that the gang uses had surfaced in the Turkish financial system. But despite that publicity the GhostSecret operation carried on, he pointed out.

According to ThreatPost, a day after last week’s McAfee report on GhostSecret was published Thailand’s Computer Emergency Response Team (ThaiCERT) said that — working with McAfee and local police — it had seized a server in that country which was used to control the global GhostSecret espionage campaign.

For now to prevent initial infections CISOs and infosec teams have to do basic hygiene, including ensuring all software is patched and employee security awareness training is regular.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now