An ActiveX zero-day vulnerability discovered recently on the website of a South Korean think tank focused on national security has been abused by the North Korean-linked Lazarus group in attacks, AlienVault reports.
ActiveX controls are usually disabled on most systems, but the South Korean government demands they are enabled on machines in the country. This has led to numerous attacks abusing ActiveX to compromise systems in South Korea, with many of the attacks attributed to North Korean hackers.
The same applies to the newly observed attacks, where JavaScript code was used to deploy various ActiveX vulnerabilities, including a zero-day. Soon after the attacks occurred, local media attributed them to the Andariel gang, which is said to be part of Lazarus, the state-sponsored hacking group considered the most serious threat against banks.
Also referred to as BlueNoroff, the group has orchestrated high profile attacks such as the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank in 2016. This year, the actor supposedly switched targets to cryptocurrency, but also hit an online casino in Central America.
According to a new AlienVault report, the Lazarus hackers were behind the recently revealed ActiveX attacks as well.
The group used a profiling script as the initial reconnaissance tool, in an attempt to gather information on possible targets. Although this is a tactic the Lazarus group has employed before, other threat actors use it as well.
The next step of the attack involved scripts capable of gathering additional information from the system and designed to deliver the ActiveX exploit.
In a tweet several weeks ago, Cyber Warfare Intelligence Center and IssueMakersLab founder Simon Choi shared some details on the scripts used in the assault, revealing that an initial reconnaissance stage was deployed in January 2017, while script injections only occurred in late April 2018.
The script was designed to identify the browser and operating system running on the victim’s machine and borrows much of the code from PinLady’s Plugin-Detect. When detecting Internet Explorer on a machine, the script checks if ActiveX is enabled, as well as plugins running (from a specific list of ActiveX components).
AlienVault also notes that one of the other scripts involved in the attack, apparently used for profiling, sends data to a website that might have been compromised a while back, as it was previously recorded as a command and control (C&C) server for Lazarus malware in 2015.
The ActiveX exploit used in the recent assault, also shared by Simon Choi on Twitter, was meant to download malware from peaceind[.]co.kr and save it to the system as splwow32.exe.
“Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.]co.kr site has been previously identified as vulnerable,” AlienVault says.
The malware appears to be called Akdoor, a simple backdoor designed to execute commands using Command Prompt. The malware also uses a “distinctive command and control protocol,” the security researchers say.
Related: North Korean Hackers Behind Online Casino Attack
Related: North Korean Hackers Prep Attacks Against Cryptocurrency Exchanges

More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
