New Fileless Attack Targets North Korea

Baijiu is a newly detected stealthy threat that currently targets North Korea, and seems to have Chinese provenance. It is delivered by phishing, and comprises a downloader that is being called Typhoon together with a set of backdoors being called Lionrock.

The campaign was discovered by Cylance, and it is thought to be hitherto unknown. “Three distinctive elements of Baijiu drew and held our attention,” writes Cylance in an analysis published today: “the unusual complexity of the attack; the appropriation of web hosting service GeoCities (of 1990s fame); and the use of multiple methods of obfuscation.”

The phishing lure is a reference to the 2016 floods in North Korea’s North Hamgyong province caused by Typhoon Lionrock. More than 100 people died, and more than 100,000 were left homeless. The lure comprises a LNK file and the reference, “2016 North Korea Hamgyung [sic] province flood insight.”

The LNK file executes a Windows command that fetches and runs javascript code. The javascript downloads two DLLs also hosted on GeoCities. “Both DLLs functioned as elaborate launchers for a PowerShell script encoded within their resource sections,” comments Cylance; and both used an expired certificate belonging to mywellnessmatters.com.

The PowerShell script queries further GeoCities URLs looking for named files. If none are available, the script does nothing. One of the files obtained and analyzed by Cylance was another PowerShell script responsible for delivering and executing the final payloads. 

These are “full-featured backdoors that provided the attacker the ability to enumerate and manipulate files, enumerate drive and volume information, manipulate processes, enumerate and manipulate registry information, upload/download files, capture screenshots, and securely remove traces of the backdoor.”

The campaign is another example of sophisticated adversaries moving to fileless or non-malware attacks in the hope of avoiding detection. “Baijiu’s circuitous route from LNK file to LIONROCK backdoor through multiple DLL files and PowerShell scripts,” notes Cylance; “and its ability to obfuscate itself through each stage while doing so — makes this attack stand out.” It also notes that using GeoCities to hide the component parts in plain sight “signals a troubling new trend in attack techniques that is almost surely not restricted to Yahoo’s GeoCities.”

In its analysis, Cylance goes to considerable effort — including a separate email clarification — that it is not attributing the campaign directly to China. It does however suggest that “it probably evolved from the Egobot codebase first described by Symantec… and is subsequently connected to the larger Dark Hotel Operation.” 

In November 2014, Kaspersky Lab’s principal security researcher Kurt Baumgartner commented, “For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior. This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”