
Malware

10/19/2018
08:05 AM
Jeffrey Burt

McAfee: Seasalt Malware Raises Its Head Again

Code from the Seasalt malware that was last seen in 2010 has been found in new campaigns in North Korea and North America, according to McAfee.

Some of the code used a decade ago by a threat group that attacked more than 140 US companies over a four-year period has resurfaced in a number of campaigns that primarily target South Korean organizations, but has also expanded to include the US and Canada, according to researchers with McAfee.

The report, "Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group," which was released this week at the MPower 2018 show in Las Vegas, finds that the Oceansalt implant includes code from a campaign called Operation Seasalt, which targeted US organizations between 2006 and 2010. The traces of the source code from Seasalt, which was run by the group APT1 -- also known as Comment Crew -- hadn't been seen since 2010 until this year, when campaigns using some of the code were detected in South Korea.

APT1 hadn't been heard from since it was exposed in a report in 2013 outlining attacks in the US.

"This report detailed the inner workings of Comment Crew and its cyber offensive capabilities," according to McAfee's report, written by researchers Ryan Sherstobitoff and Asheer Malhotra. "The consequences of releasing this public report forced the group to either make changes to their techniques or cease their activity altogether. Until this analysis, we had observed no new activity related to Comment Crew since they were exposed, but now we find portions of their implant code appearing in new operations targeting South Korea."

Cybercriminals reusing code from other campaigns is not unusual -- McAfee and Intezer recently outlined code reuse among an array of North Korea-based malware groups like Lazarus, Hidden Cobra and Group 123 -- but what's different here is that as far as McAfee researchers can tell, the source code from APT1 was never made public. (See Researchers Show That Code Reuse Links Various North Korean Malware Groups.)

The bad actors behind Oceansalt are unknown.

In their report, the researchers said it's unlikely that the Oceansalt campaigns mean that APT1 has returned; more likely, those behind the attacks have somehow gained access to APT1's source code. They suggest it could be a code-sharing arrangement between two actors, or that a hacker obtained the code from someone involved in the APT1 operations. It also could be a false-flag operation designed to make it appear that China and North Korea are collaborating on the Oceansalt attacks.

"We have not seen this group prior, and therefore determined this to be a significant finding as a result," Raj Samani, chief scientist at McAfee and a McAfee Fellow, told Security Now in an email. "Certainly code reuse is normal practice; indeed one of our previous publications shows with attacks attributed to [North Korea], for example, this has been done. However, this one is two different threat actor groups, and in particular using code from many years before."

Samani added that there is a "growing trend of threat actors beginning to collaborate more. This is not only between nation-states but in fact we have seen this in the criminal environments. For example, the GandCrab [ransomware] crew are developing relationships with other groups."

McAfee researchers have found five Oceansalt attack waves that have been tailored to their targets. The bad actors initially used spear-phishing attacks that leveraged two infected Microsoft Excel documents written in Korean that acted as downloaders of the malware that included parts of the code from APT1.

The targets were involved with public infrastructure projects in the country.

There was a second round of malicious documents that included the same metadata and author -- called "Lion" -- as the Excel documents but were housed in Microsoft Word docs. This wave was first aimed at the Inter-Korean Cooperation Fund and initially appeared on May 31 in South Korea. However, organizations in the US and Canada involved in investment, banking and agriculture have since been hit by the attack, the researchers said.
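The shared author string across the Excel and Word lures is the kind of document metadata a defender can pivot on. The following is an added example, not code from the McAfee report or this article: it pulls the author fields from an OOXML document's docProps/core.xml, checks them against a hypothetical watch list (seeded here with the "Lion" value named above), and notes whether the file carries a VBA project. The sample documents are constructed in memory as test fixtures; the scoring weights are an assumption for illustration.

```python
"""Triage Office (OOXML) documents by author metadata and macro presence.

Added example; the fixtures built by make_doc() are constructed, not
real samples, and AUTHOR_WATCHLIST is a hypothetical indicator list.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside docProps/core.xml of every OOXML container.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

# Hypothetical watch list: author strings seen on earlier lure documents.
AUTHOR_WATCHLIST = {"lion"}


def make_doc(author: str, with_macro: bool, main_part: str = "xl/workbook.xml") -> bytes:
    """Build a minimal OOXML zip container (constructed test fixture).

    main_part selects the flavour: "xl/workbook.xml" for a workbook,
    "word/document.xml" for a Word document. A macro-enabled file carries
    vbaProject.bin next to its main part.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"], author, author)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr(main_part, "<root/>")
        if with_macro:
            zf.writestr(main_part.rsplit("/", 1)[0] + "/vbaProject.bin", b"\x00")
    return buf.getvalue()


def triage(doc_bytes: bytes) -> dict:
    """Return author metadata and risk flags for one document.

    Legacy binary formats (.xls/.doc, OLE2) are not zip containers and
    need a different parser; they are reported as "not-ooxml" here.
    """
    result = {"format": "ooxml", "author": None, "last_modified_by": None,
              "has_macro": False, "author_watchlisted": False}
    if not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        result["format"] = "not-ooxml"
        return result
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = zf.namelist()
        result["has_macro"] = any(n.endswith("vbaProject.bin") for n in names)
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            creator = root.find("dc:creator", NS)
            modby = root.find("cp:lastModifiedBy", NS)
            result["author"] = creator.text if creator is not None else None
            result["last_modified_by"] = modby.text if modby is not None else None
    # Normalise before matching so case or padding differences do not hide a hit.
    for value in (result["author"], result["last_modified_by"]):
        if value is not None and value.strip().lower() in AUTHOR_WATCHLIST:
            result["author_watchlisted"] = True
    return result


def score(doc_bytes: bytes) -> int:
    """Hypothetical priority score: watch-listed author weighs more than a macro."""
    r = triage(doc_bytes)
    return (2 if r["author_watchlisted"] else 0) + (1 if r["has_macro"] else 0)


if __name__ == "__main__":
    for label, doc in [("excel lure", make_doc("Lion", True)),
                       ("word lure", make_doc("Lion", True, "word/document.xml")),
                       ("benign", make_doc("alice", False))]:
        print(label, score(doc), triage(doc))
```

A metadata match on its own is a weak signal (the field is trivially editable), so it belongs in a triage score beside stronger evidence such as macro presence, rather than as a standalone block rule.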

They said it was possible that the attacks in North America are part of a campaign separate from that in South Korea. The threat of Oceansalt is significant.

"These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victim," the analysts wrote. "The impact of these operations could be huge: Oceansalt gives the attackers full control of any system they manage to compromise and the network it is connected to. A bank's network would be an especially lucrative target. Further, the code overlaps with that from a previously reported advanced state-sponsored group. The overlap suggests a close collaboration between members of a state-sponsored group and the current actors in conducting cyber operations."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
