Security Experts:

Connect with us

Hi, what are you looking for?



North Korean Hackers Abuse ActiveX in Recent Attacks

An ActiveX zero-day vulnerability discovered recently on the website of a South Korean think tank focused on national security has been abused by the North Korean-linked Lazarus group in attacks, AlienVault reports.

An ActiveX zero-day vulnerability discovered recently on the website of a South Korean think tank focused on national security has been abused by the North Korean-linked Lazarus group in attacks, AlienVault reports.

ActiveX controls are usually disabled on most systems, but the South Korean government demands they are enabled on machines in the country. This has led to numerous attacks abusing ActiveX to compromise systems in South Korea, with many of the attacks attributed to North Korean hackers.

The same applies to the newly observed attacks, where JavaScript code was used to deploy various ActiveX vulnerabilities, including a zero-day. Soon after the attacks occurred, local media attributed them to the Andariel gang, which is said to be part of Lazarus, the state-sponsored hacking group considered the most serious threat against banks.

Also referred to as BlueNoroff, the group has orchestrated high profile attacks such as the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank in 2016. This year, the actor supposedly switched targets to cryptocurrency, but also hit an online casino in Central America.

According to a new AlienVault report, the Lazarus hackers were behind the recently revealed ActiveX attacks as well.

The group used a profiling script as the initial reconnaissance tool, in an attempt to gather information on possible targets. Although this is a tactic the Lazarus group has employed before, other threat actors use it as well.

The next step of the attack involved scripts capable of gathering additional information from the system and designed to deliver the ActiveX exploit.

In a tweet several weeks ago, Cyber Warfare Intelligence Center and IssueMakersLab founder Simon Choi shared some details on the scripts used in the assault, revealing that an initial reconnaissance stage was deployed in January 2017, while script injections only occurred in late April 2018.

The script was designed to identify the browser and operating system running on the victim’s machine and borrows much of the code from PinLady’s Plugin-Detect. When detecting Internet Explorer on a machine, the script checks if ActiveX is enabled, as well as plugins running (from a specific list of ActiveX components).

AlienVault also notes that one of the other scripts involved in the attack, apparently used for profiling, sends data to a website that might have been compromised a while back, as it was previously recorded as a command and control (C&C) server for Lazarus malware in 2015.

The ActiveX exploit used in the recent assault, also shared by Simon Choi on Twitter, was meant to download malware from peaceind[.] and save it to the system as splwow32.exe.

“Splwow32.exe is a fairly uncommon filename for malware, and was previously seen in the Taiwan bank heist which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.] site has been previously identified as vulnerable,” AlienVault says.

The malware appears to be called Akdoor, a simple backdoor designed to execute commands using Command Prompt. The malware also uses a “distinctive command and control protocol,” the security researchers say.

Related: North Korean Hackers Behind Online Casino Attack 

Related: North Korean Hackers Prep Attacks Against Cryptocurrency Exchanges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.