Intezer Code Analysis revealed previous malware samples.
Security researchers have analyzed malware samples from threat actors associated with North Korea and discovered connections with tools from older unattributed campaigns.
The research is spread over several months and connects a diverse range of operations from cyberespionage to financially-motivated campaigns. The campaigns analyzed by the researchers and a timeline of their release can be shown below.
Most of the campaign seems to be working for one of the two known hacker collectives in North Korea called Unit 180 or Unit 121.
According to a report by McAfee, Unit 180 focuses on making money for the country by means of hacking. Whereas, Unit 121 has a nationalist agenda, which includes providing tools and malware for the other groups, spying on other states, and disrupting their actions and military targets.
Security experts from McAfee and Intezer found some unique code shared in tools used from 2009 until 2017, describing the similarities in samples attributed to the DPRK (Democratic People’s Republic of Korea). They created a map that lays out the ties between multiple malware families based on code recycling for different operations.
According to the Intezer, there are strong links between the attacks like DarkSeoul (2012), Operation Blockbuster (the Sony Pictures attack in 2014), NukeSpeed backdoor, Operation Troy (military espionage 2009-2013). These connections have been previously revealed in a report from a consortium of security companies investigating the activity of the Lazarus group responsible for the Sony Pictures attack.
The map also connects WannaCry ransomware that took the world by storm in May last year with Jaku – a tool for targeted tracking and data exfiltration that ran disguised as botnet malware.
Using Intezer’s code analysis engine, which breaks code into small “genes” that can then be used to compare the “DNA” of one sample to other malware samples. The reports indicated that there was a shared SMB module used among malware from 2009 to 2017.
“The first code example appeared in the server message block (SMB) module of WannaCry in 2017, Mydoom in 2009, Joanap, and DeltaAlfa. Further shared code across these families is an AES library from CodeProject,” the researchers wrote in their report. “These attacks have been attributed to Lazarus; that means the group has reused code from at least 2009 to 2017.”
Intezer Code Analysis
Similarly, the researchers noticed code overlapping between Operation Troy campaign revealed in 2013 and the Darkhotel operation which disclosed a year later. Both were cyberespionage activities, the earlier targeted on military espionage, while the latter targeted important individuals at companies.
On further revelations, which shows a high percentage of code-DNA in backdoors used for targeting South Korea’s manufacturing industry in particular, in utilities used by Operation Blockbuster and in the WannaCry version that wreaked havoc. The similarities also paved the way to painting a more clear picture of the Lazarus group’s operational scale. Some of the links are feebler than others, but building the relations took into account only unique code and ignored common code and libraries.
If there is undeniable proof of affiliation with DPRK for even one of the malware families or hacking tools, the coding DNA betrays the entire arsenal of the actor or at least a large part of it. Work like this is definitely going to help track the evolution of adversaries.