An Android malware strain disguised as a mobile messenger or as a cryptocurrency app, targeting individual cryptocurrency traders and organizations; an infamous APT (Advanced Persistent Threat) group continuously changing its tools to compromise banks; and a subgroup of Lazarus exploiting CVE-2017-10271 to infiltrate a cybersecurity vendor.
These are different hacking groups targeting diverse organizations, but all are Korean-speaking actors waging attacks on the Korean peninsula and in the Southeast Asia region. These and more findings come from Kaspersky’s APT Trends Report for Q3 2019.
KONNI and Korea’s cryptocurrency-related businesses
Among the new activities monitored by Kaspersky researchers is an Android malware strain camouflaged as a mobile messenger or as a cryptocurrency-related application.
After working closely with Korea’s local CERT to take down the attacker’s server, Kaspersky was able to investigate the new malware and to establish its relation to KONNI. KONNI is a Windows malware strain that has been used in the past to target a human rights organization and individuals with an interest in Korean Peninsula affairs.
It is also known for targeting cryptocurrency: the Android variant implements full-featured control of an infected device and uses those capabilities to steal the victim’s cryptocurrency.
Stealthy BlueNoroff and banks in Southeast Asia
Kaspersky has also monitored BlueNoroff, the financial arm of the infamous APT group Lazarus, infecting a bank in Myanmar during the third quarter of 2019.
Because the global cybersecurity company promptly alerted the affected bank, its researchers were able to obtain valuable information on how the attackers moved laterally to reach high-value hosts, such as those used by the bank’s system engineers who interact with SWIFT.
Kaspersky’s investigation also uncovered the tactics BlueNoroff uses to evade detection, such as continually modifying the PowerShell scripts it relies on. The group also employs highly sophisticated malware that can run as a passive or active backdoor, or even as a tunnelling tool, depending on the command-line parameters it is launched with.