Several cybercrime predictions have been made for 2023.
Thales, for example, has outlined 16 potential trends to watch, stating that attackers could begin to target standalone 5G networks and space tech such as satellites, major cryptocurrencies and deepfake technologies more actively. While attackers will undoubtedly evolve their methods to catch potential victims off guard, we’re also likely to see them leaning further into those tried and tested techniques that have recently caused major havoc.
At Menlo Security, we expect this to be the case with template injection attacks – a topic discussed in my previous two Infosecurity Magazine columns.
In October, we initially looked at how weaponized template injection documents work and how organizations can combat them. The Menlo Labs research team expanded its studies into template injection attacks – efforts that led us to uncover several weaponized documents using an interesting camouflage technique covered in a second column.
If you are new to the topic, I recommend reading both of those first. We’ll now dive deeper into new findings that explore which parties may be responsible for the current wave of weaponized document attacks.
Lokibot and a Range of Similar Samples
During this latest analysis, we noticed that North Korean threat actors have been using tactics, techniques and procedures (TTPs) similar to those seen in previous threats, sharing many indicators of compromise (IOCs).
We came across a 2020 article by Fortinet, which revealed that they had previously been leveraging a seemingly benign Microsoft Word document that outlined South Korea’s supposed response to COVID-19 – this was designed to trick victims into downloading the BabyShark malware through the use of a malicious macro.
In another campaign, North Korean threat actors previously sent falsified emails impersonating global delivery specialist FedEx, encouraging targets to open an executable disguised as a PDF to exfiltrate data. Critically, this IOC was used by LokiBot in other similar attacks dating back to 2018.
We also uncovered a sample of similar attacks on Joe Sandbox that showed that the standard North Korean language, Munhwaŏ, was the common resource language for both LokiBot and a similar URL structure. These were also similar to those analyzed in my previous columns.
Looking at the malicious documents, we found that the metadata was repeated in all 57 samples analyzed. While some used camouflaged URLs with periods and others did not, all samples used template injection TTPs and exploited the CVE-2017-0199 vulnerability.
BlueNoroff’s SnatchCrypto Campaign
The repetition doesn’t end there. Kaspersky’s Securelist blog also highlights the use of similar TTPs by BlueNoroff – a North Korean APT group that typically targets cryptocurrency firms.
In a recent SnatchCrypto campaign, the attack group analyzed the inner workings of successful cryptocurrency startups to understand interactions between individuals. This, in turn, allowed the attackers to manipulate trust in internal communications and execute high-quality social engineering attacks.
Using these tactics, BlueNoroff has successfully leveraged macro-enabled documents or older exploits, including CVE-2017-0199, that initially allows for the automatic execution of a remote script linked to a weaponized document.
How does this execution work in practice? Essentially, it happens in three steps.
First, exploiting CVE-2017-0199 sees the retrieval of remote content via an embedded URL inside one of the document meta files. This contains two Base64-encoded binary objects – one for 32-bit Windows and one for 64-bit Windows.
Next, this document fetches a second remote template containing a VBA macro that extracts one of these objects, enabling the spawn of a new process (notepad.exe) to inject and execute the binary code.
Third, the VBA macro does a clean-up by removing the binary objects and any reference to the remote template from the original document and saving it to the same file, essentially de-weaponizing the document.
Similar TTPs Used in a Malicious Email Campaign
Alongside the BlueNoroff example, there is evidence to suggest that a North Korean threat actor used similar TTPs in a malicious email campaign that spoofed reach outs from job recruiters.
Each spoofed email housed malicious documents designed to again exploit CVE-2017-0199 by executing a malicious dynamic link library (DLL) to steal victim information. In this example, data would be exfiltrated, compressed, encrypted and Base64 encoded before being transmitted to a command-and-control server.
It was identified that the threat actors were exfiltrating the data to malicious domains, such as shopandtravelusa[.]com, while they also hosted a webmail login that appeared to be a phishing site. In other words, it is possible that this could have been a multi-use command-and-control server – something that North Korean threat actors have a track record for.
On 27 June 2022, for example, Twitter user ‘Phantom XSec’ reported that a North Korean phishing site with a link containing a (naver[.]challengedrive[.]42web.io) was targeting “defectors” in South Korea, showcasing a link that contained a Base64-encoded Google drive URL and victim email. Here, the site would ask users to identify themselves before they became able to download the malicious Google drive link.
Today’s Threats Will Persist
Our research shows that many of the TTPs used by weaponized document attacks were not only similar but had identical footprints and IOCs, enabling us to attribute the metadata to a single threat actor.
Given the methods used and the trail of data points uncovered, it is highly likely that each of the weaponized document attack methods discussed here can be attributed to a threat actor operating out of North Korea, likely tied to the infamous Lazarus group.
Indeed, North Korean cyber-criminals are renowned for their continued reliance on aging malicious infrastructure.
Moving forward, we don’t expect this to change. While threat actors will continue evolving their malware and infrastructure, the overlap in TTPs will ensure we keep a close eye on attacks from North Korean actors.