Cylance researchers spotted a phishing campaign dubbed “BAIJIU” that looks to capitalize on those curious about the hermit kingdom of North Korea.
While the goal of the campaign is unclear, researchers said the group behind the attacks has been linked to long-term espionage activities in the past, according to a May 12 blog post.
The victims are lured with an email offering insight about a natural disaster that caused massive flooding in 2016 playing upon interest in news from North Korea. The email is used to deploy a set of cyberespionage tools through a downloader dubbed “TYPHOON” and a set of backdoors dubbed “LIONROCK.”
Researchers said the unusual complexity of the attack, the appropriation of the GeoCities web hosting service, and the use of multiple methods of obfuscation drew their attention to the campaign which they say has evaded nearly every legacy AV and NextGen AV solution on the market.
Geocities is a free service owned by Yahoo which does not require users to identify themselves beyond providing a Yahoo email address making it an attractive service for threat actors.
The malware takes advantage of Geocities JP for free high-bandwidth unattributable hosting and uses simple tricks to defeat emulation and automated analysis, making the malware unique, Cylance Director of Threat Intelligence Jon Gross told SC Media.
“The infection vector is complicated and used to deliver payloads with pinpoint accuracy while making it more difficult for researchers and unintended targets to receive the final payloads,” Gross said.
The malware uses a custom obfuscation method that appears to have not been picked out by heuristics.
“Obfuscated strings can end with an arbitrary number of @’s and an arbitrary amount of junk characters can be inserted into the beginning of the strings as well,” Gross said “In addition simple 1byte XOR with variable length byte shifts have also been observed.”
He added that the malware has been successful because it the AntiVirus detection methods haven’t seen the activity and threat patterns before.
Researchers said the CYPHOON/LIONROCK’s provenance is likely Chinese, and that it probably evolved from the Egobot codebase and is subsequently connected to the larger Dark Hotel Operation.
“BAIJIU’s circuitous route from LNK file to LIONROCK backdoor through multiple DLL files and PowerShell scripts – and its ability to obfuscate itself through each stage while doing so – makes this attack stand out,” the post said. “BAIJIU attackers likely employed this strategy to throw researchers and investigators off their track, and ensure only the targeted victims received the payloads.”