
BAIJIU Malware abuses Japanese Web hosting service to target North Korea

Security researchers from Cylance discovered a new fileless malware dubbed BAIJIU that was used to target North Korea.

Security experts believe the threat has a Chinese origin; the attackers delivered it through a phishing campaign.

“BAIJIU, which evades widespread detection, abuses global concern about the dire humanitarian situation in North Korea. It enters the target environment through an LNK file on the end of a phishing hook with the following bait: ‘2016 North Korea Hamgyung [sic] province flood insight.’” reads the analysis published by the experts.

“The lure is a reference to a natural disaster that took place in late August 2016, when Typhoon Lionrock triggered massive flooding that wiped out much of North Korea’s province of North Hamgyong, impacting more than half a million people, drawing worldwide notice, and commanding international news coverage for several months.”

According to the experts at Cylance, the campaign is characterized by the unusual complexity of the attack.

The attackers compromised the web hosting service GeoCities and used a downloader, called Typhoon, along with a set of backdoors dubbed Lionrock.

“Three distinctive elements of BAIJIU drew and held our attention: the unusual complexity of the attack; the appropriation of web hosting service GeoCities (of 1990s fame); and the use of multiple methods of obfuscation. These features have, as far as we can see, helped BAIJIU evade nearly every antivirus (AV) solution.” continues the analysis.

The attackers leveraged a multi-stage obfuscation process and fileless malware, making detection hard.

“Cylance believes TYPHOON/LIONROCK’s provenance is likely Chinese, and that it probably evolved from the Egobot codebase first described by Symantec here and is subsequently connected to the larger Dark Hotel Operation written up by Kaspersky here.”



The LNK file executes a Windows command that downloads and runs JavaScript code. The JavaScript downloads two DLLs, “nomz32.tmp” and “nomz64.tmp”, hosted by the attackers on GeoCities Japan.

The two files were 32-bit and 64-bit DLLs, respectively; the attackers removed the “MZ” header to reduce detection rates.

“The files both conveniently utilized the same string-encoding algorithm as the JavaScript, which sped up analysis quite a bit. Both DLLs functioned as elaborate launchers for a PowerShell script encoded within their resource sections.” continues the analysis. “Instead of utilizing the FindResource or FindResourceEx functions, the backdoors mapped the entire file using CreateFileMappingW and MapViewOfFile, then proceeded to search for the string “<<<:resource”.”

The PowerShell script searches for GeoCities URLs with specifically named files; if the query doesn’t produce results, the script halts. Experts at Cylance analyzed another PowerShell script responsible for delivering and executing the final payloads.
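As an added triage example (not Cylance’s code and not part of the original article), the following script applies two checks drawn from the chain described above: whether a file is a PE image whose “MZ” signature is missing but whose e_lfanew pointer still reaches a “PE\0\0” header, and whether it carries the “<<<:resource” marker that the launcher DLLs search for before their embedded PowerShell script. It assumes the “MZ” bytes were zeroed rather than cut out, and the sample file it inspects is constructed inline.

```python
import struct
from typing import Optional

# Marker the launcher DLLs search for after mapping their own file; the
# embedded PowerShell script follows it (per the Cylance analysis).
RESOURCE_MARKER = b"<<<:resource"


def looks_like_headerless_pe(data: bytes) -> bool:
    """Heuristic for a PE image whose 'MZ' signature was stripped or zeroed.

    Assumption: only the signature bytes were removed, so e_lfanew at offset
    0x3C still points at the 'PE\\0\\0' NT header. Such a file no longer starts
    with 'MZ', which is what signature-based scanners key on.
    """
    if len(data) < 0x40 or data[:2] == b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_after_marker(data: bytes, marker: bytes = RESOURCE_MARKER) -> Optional[bytes]:
    """Return the bytes following the marker (the embedded script), or None."""
    idx = data.find(marker)
    if idx < 0:
        return None
    return data[idx + len(marker):]


def triage(data: bytes) -> dict:
    """Summarise both indicators for one file's contents."""
    payload = extract_after_marker(data)
    return {
        "headerless_pe": looks_like_headerless_pe(data),
        "has_resource_marker": payload is not None,
        "embedded_payload": payload,
    }


def build_sample() -> bytes:
    """Constructed sample, not a real malware file: a DOS header with the 'MZ'
    bytes zeroed, e_lfanew pointing at a 'PE\\0\\0' signature, then the marker
    followed by a harmless stand-in for the embedded script."""
    dos = bytearray(0x40)                      # 64-byte DOS header, 'MZ' absent
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> NT header at 0x40
    nt = b"PE\0\0" + b"\0" * 20
    return bytes(dos) + nt + RESOURCE_MARKER + b"Write-Host 'sample'"


if __name__ == "__main__":
    print(triage(build_sample()))
```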

Researchers discovered full-featured backdoors used by attackers to manipulate the local file system, transfer files and capture screenshots.

“The contabXX.tmp DLLs were full-featured backdoors that provided the attacker the ability to enumerate and manipulate files, enumerate drive and volume information, manipulate processes, enumerate and manipulate registry information, upload/download files, capture screenshots, and securely remove traces of the backdoor.” continues the analysis.

Cylance clarified that it is not attributing the campaign directly to China but its experts suggest a possible link to the Egobot codebase connected to the Dark Hotel Operation.

The Darkhotel espionage campaign was first uncovered by security experts at Kaspersky Lab in November 2014. The experts discovered that the hacking campaign had been ongoing for at least four years, targeting selected corporate executives traveling abroad. According to the experts, the threat actors behind the Darkhotel campaign aimed to steal sensitive data from executives while they were staying in luxury hotels; the worrying news is that the hacking crew is still active.

The attackers appeared to be highly skilled professionals who exfiltrate data of interest with surgical precision and delete any trace of their activity. The researchers noticed that the gang never goes after the same target twice. The list of targets includes CEOs, senior vice presidents, top R&D engineers, and sales and marketing directors from the USA and Asia traveling for business in the APAC region.


Pierluigi Paganini

(Security Affairs – BAIJIU Malware, cyber espionage)

