Secret Comment Crew Code Spotted in New Attack

Researchers have spotted the first stage of a new advanced persistent threat (APT) campaign targeting mainly South Korean victims and borrowing code from the notorious Chinese hacking group Comment Crew.

Operation Oceansalt is the first time white hats have seen code associated with the group, also known as APT1, since it was outed in 2013. Crucially, that code was never made public, according to McAfee.

The campaign uses spear phishing to deliver booby-trapped Office documents to several target groups: people with knowledge of South Korean public infrastructure projects and their expenses, the Seoul-backed Inter-Korean Cooperation Fund, and various organizations in the US and Canada across sectors including healthcare, telecoms and agriculture.

Those behind the campaign appear to have good working knowledge of the Korean language.

The malware delivered to victims is designed to take full remote control of any targeted machine and associated network, with McAfee speculating the spear phishing emails may be a precursor to a major financially motivated attack on a bank or similar.

As for the Comment Crew cross-over, there are three possible options: code-sharing between a former member of the group and another actor; someone has managed to access code from the original APT1 operation; or a false flag operation to make it appear China and North Korea have collaborated on this campaign.

“One thing is certain. Threat actors have a wealth of code available to leverage new campaigns, as previous research from the Advanced Threat Research team has revealed. In this case we see that collaboration not within a group but potentially with another threat actor — offering up considerably more malicious assets,” explained McAfee chief scientist Raj Samani and senior analyst Ryan Sherstobitoff.

“We often talk about partnerships within the private and public sector as the key to tackling the cybersecurity challenges facing society. The bad actors are not putting these initiatives on PowerPoint slides and marketing material; they are demonstrating that partnerships can suit their ends, too.”