North Korean state-backed hacking operation APT38 has been leveraging the Beaf, ZZZZ, PXJ, and ChiChi ransomware families in various attacks, according to BleepingComputer.
Trellix Lead Threat Researcher Christiaan Beek discovered the link between APT38 and the newly-discovered strains after the Beaf, ZZZZ, and PXJ strains showed significant source code and functionality similarities with the TFlower and VHD ransomware strains, which were previously associated with APT38. Moreover, Beaf and ZZZZ were found to be nearly the same.
"You don't have to be a malware specialist to immediately recognize that the ZZZ and BEAF Ransomware pictures are almost identical. It also becomes apparent that both Tflower and ChiChi are vastly different when compared to VHD," said Beek. Despite few similarities between ChiChi and the other ransomware strains, both ChiChi and ZZZZ were found to have leveraged the Semenov[.][email protected][.]com email address in ransom notes. "We suspect the ransomware families [..] are part of more organized attacks. Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK affiliated hackers with high confidence," added Beek.