Security researchers recently uncovered a phishing campaign that suspected Korean hackers had, since August 2017, unleashed on humanitarian aid organisations by using topics on North Korean politics.
The phishing campaign, dubbed Operation Honeybee by researchers at McAfee Advanced Threat Research, not only involved the use of political themes to draw the attention of humanitarian aid organisations, but also involved the use of Word compatibility messages, thereby enticing victims to enable content in malicious Microsoft Word attachments sent to them.
The said Microsoft Word attachments were found to contain a Visual Basic macro that had previously been used by hackers in other campaigns. The macro has the capability to execute an implant known as SYSCON which can, in turn, extract data from systems and send such data to remote C&C servers while taking steps to avoid detection.
Upon further research, the McAfee Advanced Threat Research team found that the Visual Basic macro was part of several campaigns using North Korea–related topics, and a unique key used by the Visual Basic script had been used by hackers since August last year.
"Based on the indicators and evidence we researched, we were able to correlate samples of the malware/payloads back to August 2017. North Korean document topics were used to lure the victims (humanitarian aid organisations) to open the documents and get infected by the malware," said Christiaan Beek, lead scientist & senior principal engineer at McAfee's Office of the CTO in an email to SC Magazine UK.
"The malware is capable of exfiltrating information to a server outside the targeted organisation but also can upload/download and execute files. If victims were infected, possible information and files could be in hands of the attackers."
Beek added that the targeted humanitarian organisations are involved in inter-Korean affairs and most of them reside in the APAC region. Because of the nature of their activities, they run the risk of being targeted by hackers for espionage purposes and therefore, must remain vigilant to the potential threat of malware designed to gather information.
“Operation Honeybee exploits the heightened media attention on North Korea, and in particular the likely interest from the victim organisations. It further demonstrates that with limited research, any organisation is potentially vulnerable, exploiting the human as an entry point,” added Raj Samani, chief scientist and fellow at McAfee.
Researchers at McAfee also found several additional documents between 17 January and 3 February that contained the same Visual Basic macro code, contained "non-compatible" messages to lure victims into enabling malicious content, and were mostly found in South Korea. They noted that similar documents were also used in operations that targeted victims located in Vietnam, Singapore, Argentina, Japan, Indonesia, and far-off Canada.
While the researchers, after studying the various metadata in both documents and executables, concluded that the hacker behind the operation was likely a Korean speaker, they also noted that the hacker used the email address [email protected] to register two free hosting accounts, and also used his email to register a free account for a control server.
Commenting on the new phishing operation, Javvad Malik, security advocate at AlienVault, told SC Magazine UK that organisations must train their staff not only to spot fake email addresses, but also to look out for poor grammar and spelling, and to check where an email has originated from.
"If a user does fall victim to a scam, enterprises should have threat detection capabilities that can notify when an account has been compromised, new devices added to the network, or strange outbound traffic occurs. Finally companies should have a response plan in place. That way if a user does fall victim to a phishing scam, any malware infection, or compromised credentials can be isolated and contained so as not to adversely impact the organisation," he added.
Paul Norris, senior systems engineer for EMEA at Tripwire, also urged organisations to urge caution while communicating with other organisations or individuals using emails.
"Phishing campaigns are extremely popular and aim to dupe people into giving away personal and financial information, with hackers using sophisticated tactics to extract the critical information. This is why individuals should be wary of all links and attachments sent to them.
"Organisations should take a proactive step towards phishing attacks against their own domains by using companies that offer anti-phishing services. Furthermore, people can help avoid future attacks is by educating themselves about the risks and consequences of clicking unknown links and attachments as hackers succeed in preying on human naivety," he said.
The phishing campaign, dubbed Operation Honeybee by researchers at McAfee Advanced Threat Research, not only involved the use of political themes to draw the attention of humanitarian aid organisations, but also involved the use of Word compatibility messages, thereby enticing victims to enable content in malicious Microsoft Word attachments sent to them.
The said Microsoft Word attachments were found to contain a Visual Basic macro that had previously been used by hackers in other campaigns. The macro has the capability to execute an implant known as SYSCON which can, in turn, extract data from systems and send such data to remote C&C servers while taking steps to avoid detection.
Upon further research, the McAfee Advanced Threat Research team found that the Visual Basic macro was part of several campaigns using North Korea–related topics, and a unique key used by the Visual Basic script had been used by hackers since August last year.
"Based on the indicators and evidence we researched, we were able to correlate samples of the malware/payloads back to August 2017. North Korean document topics were used to lure the victims (humanitarian aid organisations) to open the documents and get infected by the malware," said Christiaan Beek, lead scientist & senior principal engineer at McAfee's Office of the CTO in an email to SC Magazine UK.
"The malware is capable of exfiltrating information to a server outside the targeted organisation but also can upload/download and execute files. If victims were infected, possible information and files could be in hands of the attackers."
Beek added that the targeted humanitarian organisations are involved in inter-Korean affairs and most of them reside in the APAC region. Because of the nature of their activities, they run the risk of being targeted by hackers for espionage purposes and therefore, must remain vigilant to the potential threat of malware designed to gather information.
“Operation Honeybee exploits the heightened media attention on North Korea, and in particular the likely interest from the victim organisations. It further demonstrates that with limited research, any organisation is potentially vulnerable, exploiting the human as an entry point,” added Raj Samani, chief scientist and fellow at McAfee.
Researchers at McAfee also found several additional documents between 17 January and 3 February that contained the same Visual Basic macro code, contained "non-compatible" messages to lure victims into enabling malicious content, and were mostly found in South Korea. They noted that similar documents were also used in operations that targeted victims located in Vietnam, Singapore, Argentina, Japan, Indonesia, and far-off Canada.
While the researchers, after studying the various metadata in both documents and executables, concluded that the hacker behind the operation was likely a Korean speaker, they also noted that the hacker used the email address [email protected] to register two free hosting accounts, and also used his email to register a free account for a control server.
Commenting on the new phishing operation, Javvad Malik, security advocate at AlienVault, told SC Magazine UK that organisations must train their staff not only to spot fake email addresses, but also to look out for poor grammar and spelling, and to check where an email has originated from.
"If a user does fall victim to a scam, enterprises should have threat detection capabilities that can notify when an account has been compromised, new devices added to the network, or strange outbound traffic occurs. Finally companies should have a response plan in place. That way if a user does fall victim to a phishing scam, any malware infection, or compromised credentials can be isolated and contained so as not to adversely impact the organisation," he added.
Paul Norris, senior systems engineer for EMEA at Tripwire, also urged organisations to urge caution while communicating with other organisations or individuals using emails.
"Phishing campaigns are extremely popular and aim to dupe people into giving away personal and financial information, with hackers using sophisticated tactics to extract the critical information. This is why individuals should be wary of all links and attachments sent to them.
"Organisations should take a proactive step towards phishing attacks against their own domains by using companies that offer anti-phishing services. Furthermore, people can help avoid future attacks is by educating themselves about the risks and consequences of clicking unknown links and attachments as hackers succeed in preying on human naivety," he said.
