Connect with us

Hi, what are you looking for?



New Fileless Attack Targets North Korea

Baijiu is a newly detected stealthy threat that currently targets North Korea, and seems to have Chinese provenance. It is delivered by phishing, and comprises a downloader that is being called Typhoon together with a set of backdoors being called Lionrock.

Baijiu is a newly detected stealthy threat that currently targets North Korea, and seems to have Chinese provenance. It is delivered by phishing, and comprises a downloader that is being called Typhoon together with a set of backdoors being called Lionrock.

The campaign was discovered by Cylance, and it is thought to be hitherto unknown. “Three distinctive elements of Baijiu drew and held our attention,” writes Cylance in an analysis published today: “the unusual complexity of the attack; the appropriation of web hosting service GeoCities (of 1990s fame); and the use of multiple methods of obfuscation.”

The phishing lure is a reference to the 2016 floods in North Korea’s North Hamgyong province caused by Typhoon Lionrock. More than 100 people died, and more than 100,000 were left homeless. The lure comprises a LNK file and the reference, “2016 North Korea Hamgyung [sic] province flood insight.”

The LNK file executes a Windows command that fetches and runs javascript code. The javascript downloads two DLLs also hosted on GeoCities. “Both DLLs functioned as elaborate launchers for a PowerShell script encoded within their resource sections,” comments Cylance; and both used an expired certificate belonging to

The PowerShell script queries further GeoCities URLs looking for named files. If none are available, the script does nothing. One of the files obtained and analyzed by Cylance was another PowerShell script responsible for delivering and executing the final payloads. 

These are “full-featured backdoors that provided the attacker the ability to enumerate and manipulate files, enumerate drive and volume information, manipulate processes, enumerate and manipulate registry information, upload/download files, capture screenshots, and securely remove traces of the backdoor.”

The campaign is another example of sophisticated adversaries moving to fileless or non-malware attacks in the hope of avoiding detection. “Baijiu’s circuitous route from LNK file to LIONROCK backdoor through multiple DLL files and PowerShell scripts,” notes Cylance; “and its ability to obfuscate itself through each stage while doing so — makes this attack stand out.” It also notes that using GeoCities to hide the component parts in plain sight “signals a troubling new trend in attack techniques that is almost surely not restricted to Yahoo’s GeoCities.”

Advertisement. Scroll to continue reading.

In its analysis, Cylance goes to considerable effort — including a separate email clarification — that it is not attributing the campaign directly to China. It does however suggest that “it probably evolved from the Egobot codebase first described by Symantec… and is subsequently connected to the larger Dark Hotel Operation.” 

In November 2014, Kaspersky Lab’s principal security researcher Kurt Baumgartner commented, “For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.