
Thailand Seizes 'Hidden Cobra' Command-and-Control Servers

North Korea Suspected of Running 'GhostSecret' Attacks Against Banks, Others

GhostSecret campaign: McAfee says that "technical analysis, telemetry and data from submissions" leads it to conclude "with high confidence that this is the work of the Hidden Cobra group."

The Thai government says it has seized servers used by a group that's been tied to cyber espionage attacks, while preserving the servers for review by law enforcement agencies.


Thailand's Computer Emergency Response Team, ThaiCERT, announced the takedown on Wednesday, saying it's working with law enforcement authorities as well as information security firm McAfee as part of an investigation into what the security firm has dubbed Operation GhostSecret.

McAfee says the operation, which remains active, gives attackers advanced tools for conducting network reconnaissance, stealing information as well as deleting data.

"The campaign is extremely complicated, leveraging a number of implants to steal information from infected systems and is intricately designed to evade detection and deceive forensic investigators," Raj Samani, McAfee's chief scientist, says in a blog post. "The implants vary considerably and although they share some functionality and code, they are categorized as different families."

Malware families that have been used by the group of attackers include a new type of attack code called Proxysvc. Researchers have also found variants of Destover, which was used in the Sony Pictures Entertainment attack in 2014, as well as Bankshot, which was recently used to target the Turkish financial sector as well as financial services firms in other countries (see Bankshot Trojan Targets Turkish Financial Sector).

"The 2018 Destover-like implant appeared in organizations in 17 countries between March 14 - March 18. The impacted organizations are in industries such as telecommunications, health, finance, critical infrastructure + entertainment." https://t.co/JAUawAguhK #malware @McAfee_Labs pic.twitter.com/UKLzoi7w5G - Raj Samani (@Raj_Samani) April 25, 2018

Destover, Bankshot and Proxysvc all "contain overlapping code and functionality with current tools of Hidden Cobra," McAfee says.

Bankshot, aka Trojan Manuscript, has been seen in previous attacks that appear to be tied to a group of hackers referred to as Hidden Cobra, Lazarus Group, Reaper or Group 123 that may be linked to the government of North Korea.

McAfee says with "high confidence" that based on all the available clues, the APT group known as Hidden Cobra is behind the GhostSecret campaign.

McAfee first publicized the Bankshot attacks last month. Samani says that unfortunately, outing the attackers didn't appear to sway what appears to have been the initial stage of Operation GhostSecret. "Within days of publication, new attacks appeared beyond the financial sector. Between March 14 and 18, we observed the data reconnaissance implant in organizations across 17 countries," he says.

In other words, attackers - not for the first time - have soldiered on despite their efforts having been spotted (see Lazarus Hackers Phish For Bitcoins, Researchers Warn).

"They are carrying out attacks with impunity," Samani tells the Wall Street Journal. "They're in your network. They're learning about you, understanding how you operate."

Ties to Sony Hack

Attackers also expanded from targeting the financial sector to infecting organizations in additional sectors, including critical infrastructure, enterprise and healthcare.

They're infiltrating organizations, in part, by using a variant of Destover malware that was first spotted in 2015, McAfee says. "The code reappeared in variants surfacing in 2017 and 2018 using nearly the same functionality and with some modifications to commands, along with an identical development environment based on the rich PE [portable executable] header information," according to a detailed technical write-up published by McAfee.
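The "rich PE header" mentioned above is the undocumented Rich header the Microsoft linker writes into the DOS stub of a PE file; it lists the compiler and linker build numbers (the @comp.id values) used to produce the binary, which is why analysts treat a matching Rich header across samples as evidence of one development environment. The following parser is an added example written for this page, not McAfee's tooling: it XOR-decodes the header, extracts the entries, and hashes the decoded DWORDs into a toolchain fingerprint. The sample PE bytes and the MD5-based fingerprint scheme are constructed assumptions for illustration; the parsing logic follows the Rich header layout (DanS marker, three zero padding DWORDs, comp.id/count pairs, "Rich" marker, XOR key).

```python
import hashlib
import struct

DANS_MAGIC = 0x536E6144  # the bytes b"DanS" read as a little-endian DWORD
RICH_MAGIC = b"Rich"


def decode_rich_header(data: bytes):
    """Return the XOR-decoded Rich header DWORDs (DanS ... last entry), or None.

    Only the DOS stub (bytes before the PE signature offset stored at 0x3C)
    is searched, so a stray "Rich" string elsewhere in the file is not
    mistaken for the marker.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stub = data[:e_lfanew]
    rich_at = stub.rfind(RICH_MAGIC)
    if rich_at < 0 or rich_at + 8 > len(stub):
        return None
    key = struct.unpack_from("<I", stub, rich_at + 4)[0]

    # Walk backwards one DWORD at a time, decoding, until DanS appears.
    decoded = []
    pos = rich_at - 4
    while pos >= 0:
        value = struct.unpack_from("<I", stub, pos)[0] ^ key
        decoded.append(value)
        if value == DANS_MAGIC:
            break
        pos -= 4
    else:
        return None  # ran off the start of the stub without finding DanS
    decoded.reverse()
    # DanS is followed by three padding DWORDs that must decode to zero.
    if len(decoded) < 4 or any(decoded[1:4]):
        return None
    return decoded


def rich_entries(decoded):
    """Split the decoded DWORDs into (product_id, build_number, use_count)."""
    body = decoded[4:]
    if len(body) % 2:
        raise ValueError("Rich header has an odd number of DWORDs")
    return [((cid >> 16) & 0xFFFF, cid & 0xFFFF, cnt)
            for cid, cnt in zip(body[0::2], body[1::2])]


def rich_fingerprint(decoded) -> str:
    """Toolchain fingerprint: assumed scheme, MD5 over the decoded DWORDs.

    The XOR key is not part of the input, so two builds from the same
    toolchain fingerprint identically even when their keys differ.
    """
    raw = b"".join(struct.pack("<I", v) for v in decoded)
    return hashlib.md5(raw).hexdigest()


def build_sample_pe(entries, key: int) -> bytes:
    """Construct a minimal DOS stub carrying a Rich header (test input only)."""
    rich = struct.pack("<I", DANS_MAGIC ^ key) + struct.pack("<III", key, key, key)
    for product_id, build, count in entries:
        comp_id = (product_id << 16) | build
        rich += struct.pack("<II", comp_id ^ key, count ^ key)
    rich += RICH_MAGIC + struct.pack("<I", key)
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40 + len(rich))  # e_lfanew
    return bytes(dos_header) + rich + b"PE\0\0"


# Constructed entries: (product id, build number, use count); not real samples.
SAMPLE_ENTRIES = [(0x00DE, 0x5E6B, 3), (0x00DF, 0x5E6B, 12), (0x0102, 0x6B74, 1)]

if __name__ == "__main__":
    pe = build_sample_pe(SAMPLE_ENTRIES, key=0x5A3C1E0F)
    decoded = decode_rich_header(pe)
    for product_id, build, count in rich_entries(decoded):
        print(f"product 0x{product_id:04X} build {build} used {count}x")
    print("fingerprint:", rich_fingerprint(decoded))
```

Run against a corpus of samples, identical fingerprints point to a shared toolchain; it is corroborating evidence rather than proof of common authorship, since the header is trivially copied or stripped.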

But the security firm says attackers have also been using an implant - malware - called Proxysvc, which appears to have been distributed last year with Destover but which went undetected since mid-2017. "We have also uncovered additional control servers that are still active and associated with these new implants," McAfee says.

Proxysvc Receives Stolen Data

Proxysvc infections have been found in 11 countries, but primarily in the United States, Germany and the U.K., and mostly on infrastructure owned by organizations in the higher education sector. McAfee says the malware appears to be involved in core command-and-control capabilities and that the infrastructure was in place for more than a year before being discovered.

Proxysvc also includes a list of hardcoded IP addresses, all of which are in India, and the malware appears to be designed to receive data stolen by malware infections on other systems. "Despite the name, this component is not an SSL proxy, but rather a unique data-gathering and implant-installation component that listens on port 443 for inbound control server connections," McAfee says.

The number of infected systems by country in which Proxysvc.dll was operating in March. (Source: McAfee Advanced Threat Research)

McAfee has counted three command-and-control servers for Operation GhostSecret, all hosted in Thailand, residing at Thammasat University in Bangkok.

"The same entity hosted the control server for the Sony Pictures implants," McAfee says. "This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack. ... Further analysis of McAfee telemetry data reveals several IP addresses that are active, two within the same network block as the 2018 Destover-like implant."
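The two pivots in that quote, a TLS certificate reused across operations and new addresses turning up in the same network block as a known implant server, are how defenders expand a handful of confirmed indicators into a watchlist. The script below is an added example for this page, not McAfee's telemetry tooling: it groups servers by certificate fingerprint and flags untagged addresses that share a certificate or a /24 with a tagged one. All IPs (RFC 5737 documentation ranges), fingerprints and tags are constructed placeholders; none come from the report.

```python
import ipaddress
from collections import defaultdict

# Constructed telemetry: (server_ip, tls_cert_sha256, tag). A tag marks a
# server already attributed to a campaign; None means not yet classified.
OBSERVATIONS = [
    ("192.0.2.10",    "cert-A", "known_c2_2014"),   # attributed server
    ("192.0.2.25",    "cert-A", None),              # same cert and same /24
    ("198.51.100.7",  "cert-A", None),              # same cert, other network
    ("198.51.100.9",  "cert-B", None),              # unrelated
    ("203.0.113.40",  "cert-C", "known_c2_2018"),   # attributed server
    ("203.0.113.41",  "cert-D", None),              # same /24 only
]


def cluster_by_certificate(observations):
    """Map each certificate fingerprint to the set of IPs presenting it."""
    clusters = defaultdict(set)
    for ip, fingerprint, _ in observations:
        clusters[fingerprint].add(ip)
    return dict(clusters)


def pivot_from_known(observations, prefix_len=24):
    """Link unclassified servers to tagged ones.

    Returns {ip: set of reasons}; a reason is "cert:<tag>" when the server
    presents the same certificate as a tagged server, or "netblock:<tag>"
    when it sits in the same /prefix_len as one. Certificate reuse is the
    stronger signal; a shared block alone may just be shared hosting.
    """
    tagged = [(ip, fp, tag) for ip, fp, tag in observations if tag]
    hits = defaultdict(set)
    for ip, fingerprint, tag in observations:
        if tag:
            continue
        addr = ipaddress.ip_address(ip)
        for known_ip, known_fp, known_tag in tagged:
            if fingerprint == known_fp:
                hits[ip].add(f"cert:{known_tag}")
            block = ipaddress.ip_network(f"{known_ip}/{prefix_len}", strict=False)
            if addr in block:
                hits[ip].add(f"netblock:{known_tag}")
    return dict(hits)


def rank_hits(hits):
    """Order candidates so certificate matches come before netblock-only ones."""
    def score(item):
        reasons = item[1]
        return (any(r.startswith("cert:") for r in reasons), len(reasons))
    return sorted(hits.items(), key=score, reverse=True)


if __name__ == "__main__":
    for fp, ips in cluster_by_certificate(OBSERVATIONS).items():
        print(f"{fp}: {sorted(ips)}")
    for ip, reasons in rank_hits(pivot_from_known(OBSERVATIONS)):
        print(f"{ip}: {sorted(reasons)}")
```

Feeding this from real passive-DNS or certificate-transparency data is the natural next step; the ranking keeps the analyst's attention on certificate reuse, which is the evidence the quote above rests on, and treats shared address space as a lead to verify.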

Samani saluted ThaiCERT's seizure of the command-and-control servers. "This is a great example of collaboration, where researchers and the public sector can quickly work together to disrupt criminal networks, and long may this continue," he tells Information Security Media Group.