GhostTeam
GhostTeam

What began as an aggressive phishing-based malware campaign against Turkish financial institutions earlier this year appears to have since burgeoned into a worldwide cyberspying and data theft operation targeting a wide range of industry sectors with at least two malicious implants.

The campaign, named GhostSecret, is detailed in a McAfee threat analysis report and corresponding blog post, both released this week. According to the report, the operation convincingly bears the hallmarks of suspected North Korean APT threat actor Hidden Cobra (aka Lazarus Group) -- including the presence of code and capabilities that have been found in other Hidden Cobra campaigns.

"The campaign is extremely complicated, leveraging a number of implants to steal information from infected systems and is intricately designed to evade detection and deceive forensic investigators," states researcher and blog post author Raj Samani. These malicious implants communicate with a control server using what's known as the “fakeTLS” protocol (because packets are sent in a custom format and not standard SSL, before being transmitted over SSL). It's a tactic that Hidden Cobra is known to have employed before -- and the SSL certificates used in this operation were recycled from prior Lazarus campaigns, McAfee reports.

The first and primary implant associated with GhostSecret is designed to perform reconnaissance, exfiltrate data, execute arbitrary commands, wipe and delete files, introduce additional implants, read data out of files, and more. 

Its functionality has been likened to Bankshot, a Hidden Cobra-linked implant that McAfee researchers discovered invading Turkish financial institutions last March. According to McAfee, this "BankShot2" malware essentially shares 83 percent of its code with a 2015 variant of Destover, the destructive disk-wiping malware that Lazarus Group allegedly used to attack Sony Pictures in 2014. However, it remains a distinct entity from from both Bankshot and previous Destover iterations.

McAfee first became aware of this implant on Feb. 14, finding it to be nearly identical to an unknown 2017 sample. In just a five-day span from Mar. 14-18, the malware was spotted in 17 countries, targeting organizations that specialize in such industries as telecommunications, health, finance, critical infrastructure and entertainment. The vast majority of systems infected during the month March were located in Thailand.

The report notes that this implant uses the same SSL certificates as a particular Destover variant known as Escad. McAfee is working with Thai government authorities to take down the control server infrastructure of Operation GhostSecret, while preserving the systems involved for further analysis by law enforcement authorities.

A second, previously undocumented implant called Proxysvc.dll were initially collected on Mar. 22 of this year, but its infrastructure had apparently been operating undetected for more than a year. Its main function is to act as a stealthy downloader of additional payloads, but it also offers some reconnaissance capabilities as well.

McAfee's threat report, co-authored by Ryan Sherstobitoff, senior analyst of major campaigns, and fellow researcher Asheer Malhotra, describes the malware as a "unique data-gathering and implant-installation component that listens on port 443 for inbound control server connections."

According to McAfee's Advanced Threat Research team, Proxysvc has largely been targeting higher education institutions around the globe, with a heavy emphasis on U.S.-based organizations. "We suspect this component is involved in core control server infrastructure. These targets were chosen intentionally to run Proxysvc because the attacker would have needed to know which systems were infected to connect to them," the report explains.

Altogether, the component was found in 11 countries, and "appears to be part of a covert network of SSL listeners that allow the attackers to gather data and install more complex implants or additional infrastructure," the report continues. "The SSL listener supports multiple control server connections, rather than a list of hard-coded addresses. By removing the dependency on hard-coded IP addresses and accepting only inbound connections, the control service can remain unknown."