Paul Scott

Paul Scott
on July 30, 2020

North Korea gets part-time job in ransomware

North Korea gets part-time job in ransomware

It’s been a few weeks since we got around to doing our usually weekly threat report! We’ve had quite a bit going on, so let’s get to it:

  • Emotet back for a hack-back
  • NetWalker warning from the FBI
  • VHD ransomware attributed to Lazarus

Emotet is back and hacked-back

Emotet recently returned from a five-month vacation with a blast of malicious spam aimed at spreading a backdoor that installs ransomware, bank-fraud trojans, and other nasty malware.

The botnet sent 250,000 emails during their first day back at work, mostly to people in the United States and the United Kingdom, but also the Middle East, South America, and Africa. The botnet followed its pattern of sending either a malicious document or link to a malicious file that, when opened, installs the Emotet backdoor.

In a fun twist, unknown hackers hacked-back and sabotaged Emotet operations by replacing linked Emotet payloads with animated GIFs.

According to Cryptolaemus, a group of white-hat security researchers tracking the Emotet botnet, the vigilante hacker has impacted a quarter of all Emotet’s payload downloads.

Emotet operators host payloads on hacked sites and maintain access via web shells – a type of malware installed to maintain persistence over HTTP protocol.

It was pointed out last year that Emotet operators use open-source web shells and employ the same password for all. This exposes the payload hosting infrastructure to hijacks if you have the web shell password.

The unknown intruder has been replacing Emotet payloads on some of the hacked WordPress sites with animated GIFs, which means that Emotet victims won’t get infected as the Emotet malware won’t get downloaded and executed on their systems.

According to Cryptolaemus member Joseph Roosen, the Emotet gang is more than aware of this issue. In a conversation, Roosen told ZDNet that the Emotet botnet was down as the Emotet gang apparently tried to root out the attacker from their web shells network.

“Since Ivan [the Emotet admin] was having technical difficulties today, the hashes are way down and we barely saw much of anything,” Roosen wrote in a daily Emotet update.

Currently, the identity of the vigilante is unknown, but it is probably a malware researcher. I would expect to see other malware distributing gangs attempt to replace Emotet payloads with their own.

NetWalker ransomware warning from FBI

The FBI has published a (TLP:WHITE) FLASH message providing indicators associated with the NetWalker Ransomware. The FBI states it has received notifications of NetWalker ransomware attacks on U.S. and foreign government organizations and private companies, among other entities, by unidentified cyber actors.

According to the FBI, the operators behind this ransomware strain began targeting U.S. and foreign government organizations starting in June 2020, after NetWalker operators successfully encrypted systems on the network of UCSF School of Medicine, the Australian transportation and logistics company Toll Group (three months later, Toll Group got hit again by Nefilim Ransomware), and Lorien Health Services earlier this month.

The FBI says that the NetWalker actors have also taken advantage of the ongoing COVID-19 pandemic in their attacks “to compromise an increasing number of unsuspecting victims” in March via phishing emails delivering a Visual Basic Scripting (VBS) loader.

Starting in April 2020, NetWalker began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, and weak passwords of Remote Desktop Protocol connections to gain access to their victims’ networks.

“Two of the most common vulnerabilities exploited by actors using NetWalker are Pulse Secure VPN (CVE-2019-11510) and Telerik U.I. (CVE-2019-18935),” the FBI said.

The NetWalker ransomware-as-a-service (RaaS) operation has also recently advertised that they were looking for new collaborators that can provide them with access to large enterprise networks.

Once NetWalker operators successfully infiltrate, they use various tools to collect admin credentials, steal sensitive information for proof-of-hack/leaks, and encrypt data on all Windows devices.

“Actors using NetWalker have previously uploaded stolen data to the cloud storage and file sharing service, MEGA. N.Z. (MEGA), by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer.”

“In June 2020, actors transitioned from uploading and releasing stolen data on MEGA to uploading the stolen data to another file sharing service:”

Organizations can lower the chances of becoming ransomed by following FBI + Perch recommendations.

The full list of recommended mitigations includes:

  • Monitor your network, hosts, and logs for threats.
  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update antivirus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Use two-factor authentication with strong passwords.
  • Keep computers, devices, and applications patched and up to date.

North Korea VHD ransomware

Antivirus maker Kaspersky said in a report that hackers associated with the North Korean regime are behind a new ransomware strain known as VHD.

The report details two incidents to which Kaspersky was privy, where intruders gained access to companies’ networks and deployed the VHD ransomware.

Kaspersky experts say that tools and techniques used during the two intrusions link the attackers to Lazarus Group – a generic name given to hackers working for the Pyongyang regime.

“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus,” Kaspersky researchers said.

Based on numerous reports published over the past four years, North Korean hackers are usually divided into two categories: those who engage in cyber-espionage for intelligence purposes, and those who engage in financial crime to raise funds for the Pyongyang government (funds that the U.S. Treasury believes are used to support the country’s weapons and missile programs).

The VHD attacks are, without a doubt, the work of the second group that seeks to extort money from hacked organizations.

Some of this group’s other money-raising activities included hacking banks, stealing funds from cryptocurrency exchanges, orchestrating ATM cashouts, running crypto-mining botnets, and even engaging in web skimming (Magecart) attacks to steal payment card data and resell it on carding forums.

Other activities also include Lazarus hackers breaking into company networks, stealing data, and then asking victims for a ransom not to publish their data online.

Seeing North Korean hackers engage in ransomware attacks isn’t surprising, since ransomware attacks are some of today’s most profitable cybercrime operations. Lazarus operators appear to only deploy VHD sparingly, on the networks of high-profile companies from where they can demand huge ransoms to decrypt data – a tactic that’s known today as “big game hunting.”

That’s all for this week, folks.

  • Paul

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to

Next: MSPs warned: You’re being hunted

Share this on:

Paul Scott

Paul Scott
on July 30, 2020

Perchy Subscribe to our blog