APT38, a North Korean-sponsored hacking outfit infamous for targeting and stealing funds from financial institutions around the world, has been linked to several ransomware variants.
They’re also renowned for using destructive software on their victims’ networks in the last stages of their attacks, obliterating any evidence of their presence.
The group’s operators (part of North Korea’s cyber-army Bureau 121) have also employed the Beaf, PXJ, ZZZZ, and ChiChi ransomware families to extort some of their victims, according to Christiaan Beek, a lead threat researcher at cybersecurity firm Trellix.
The links to APT38 were found by studying code and artifact similarities with VHD ransomware, which, like TFlower ransomware, had previously been tied to the North Korean Lazarus APT group.
Kaspersky and Sygnia researchers made that connection after seeing the two strains deployed on victims’ networks via the cross-platform MATA malware framework, a malicious tool used only by Lazarus operators.
PXJ, Beaf, and ZZZZ share a significant amount of source code and functionality with VHD and TFlower ransomware, according to Beek, who visualized the code using Hilbert curve mapping. Beaf and ZZZZ are practically exact clones of each other.
“You don’t have to be a malware expert to notice that the ZZZ and BEAF Ransomware images are nearly identical,” said the Trellix researcher.
“When compared to VHD, it’s also clear that Tflower and ChiChi are drastically different.”
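The comparison Beek describes relies on Hilbert curve mapping: each byte of a binary is placed on a 2D grid along a Hilbert curve, so bytes that are adjacent in the file stay adjacent in the image and two samples sharing code layout produce visibly similar pictures. The following is an added illustration of that technique, not Trellix's tooling; the byte classes, the cell-by-cell similarity score and the sample byte strings are constructed here for the example.

```python
"""Hilbert-curve byte mapping for visual comparison of binary samples.

Added illustration (not Trellix's code). Bytes are laid out on an n x n grid
along a Hilbert curve; a coarse byte class per cell gives a simple
similarity score, and to_pgm() renders the raw bytes as a viewable image.
"""
from __future__ import annotations


def _rot(n: int, x: int, y: int, rx: int, ry: int) -> tuple[int, int]:
    """Rotate/flip a quadrant so the curve stays continuous (standard d2xy helper)."""
    if ry == 0:
        if rx == 1:
            x, y = n - 1 - x, n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n: int, d: int) -> tuple[int, int]:
    """Map distance d along the Hilbert curve of an n x n grid (n a power of 2) to (x, y)."""
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def grid_size(length: int) -> int:
    """Smallest power-of-two side length whose square holds `length` bytes."""
    n = 1
    while n * n < length:
        n *= 2
    return n


def byte_class(b: int) -> int:
    """Coarse class for comparison: 0 = null, 1 = printable ASCII, 2 = 0xFF, 3 = other."""
    if b == 0:
        return 0
    if 0x20 <= b <= 0x7E:
        return 1
    if b == 0xFF:
        return 2
    return 3


def hilbert_grid(data: bytes, n: int | None = None) -> list[list[int]]:
    """Place byte classes on an n x n grid along the Hilbert curve; -1 marks cells past EOF."""
    n = n or grid_size(len(data))
    grid = [[-1] * n for _ in range(n)]
    for d, b in enumerate(data[: n * n]):
        x, y = d2xy(n, d)
        grid[y][x] = byte_class(b)
    return grid


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of grid cells whose byte class agrees between two samples (1.0 = identical layout)."""
    n = grid_size(max(len(a), len(b)))
    ga, gb = hilbert_grid(a, n), hilbert_grid(b, n)
    same = sum(1 for y in range(n) for x in range(n) if ga[y][x] == gb[y][x])
    return same / (n * n)


def to_pgm(data: bytes, n: int | None = None) -> bytes:
    """Render raw byte values along the Hilbert curve as a binary PGM grayscale image."""
    n = n or grid_size(len(data))
    pixels = bytearray(n * n)
    for d, b in enumerate(data[: n * n]):
        x, y = d2xy(n, d)
        pixels[y * n + x] = b
    return f"P5\n{n} {n}\n255\n".encode() + bytes(pixels)


# Constructed samples: a PE-like stub, a lightly patched copy, and unrelated bytes.
SAMPLE_A = (b"MZ\x90\x00" + b"\x00" * 56
            + b"This program cannot be run in DOS mode.\r\n"
            + bytes(range(0x80, 0xE0)) + b"\xFF" * 8)
SAMPLE_B = SAMPLE_A[:120] + b"PATCH!" + SAMPLE_A[126:]
SAMPLE_C = bytes((i * 37 + 11) & 0xFF for i in range(len(SAMPLE_A)))

if __name__ == "__main__":
    print("A vs B:", similarity(SAMPLE_A, SAMPLE_B))
    print("A vs C:", similarity(SAMPLE_A, SAMPLE_C))
    with open("sample_a.pgm", "wb") as fh:
        fh.write(to_pgm(SAMPLE_A))
```

The class-based score is deliberately coarse: it captures the shared-layout signal an analyst sees in the images (runs of nulls, string tables, code regions) while ignoring byte-level noise such as relocations or recompiled constants, which is why a patched copy still scores close to 1.0 and an unrelated sample does not.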
While ChiChi’s codebase has few commonalities, Beek discovered that both ChiChi and ZZZZ used the Semenov[.]akkim@protonmail[.]com email address in their ransom notes.
Attacks using these ransomware families mainly targeted entities in Asia-Pacific (APAC); with no negotiation chats or leak sites to examine, identifying the victims was more difficult.
Trellix also looked into the cryptocurrency transfers behind ransom payments to see if there were any overlaps in the crypto wallets used to collect ransoms, but discovered none.
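The shared ransom-note email address, and the (unsuccessful) search for shared payment wallets, are both instances of the same analyst pivot: extract contact and payment indicators from each family's artifacts and look for values that recur across families. The block below is an added example of that pivot, not Trellix's code; the ransom-note texts are constructed, the only real indicator in them is the defanged address quoted in the article, and the Beaf note's address is a placeholder.

```python
"""Pivot on contact indicators shared across ransomware families.

Added example, not Trellix's tooling. Indicators are kept defanged in
reports and refanged only for matching, so a dotted address never ends up
clickable in analyst notes.
"""
import re
from collections import defaultdict

# Matches plain or defanged addresses such as user[.]name@domain[.]tld or user[at]domain[.]tld.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-\[\]]+(?:@|\[at\])[A-Za-z0-9.\-\[\]]+")


def refang(s: str) -> str:
    """Turn a defanged indicator into its matchable form."""
    return s.replace("[.]", ".").replace("(.)", ".").replace("[at]", "@")


def defang(s: str) -> str:
    """Defang an address for reporting (dots only; '@' is kept as in the article)."""
    return s.replace(".", "[.]")


def extract_emails(text: str) -> set[str]:
    """Normalised (refanged, lower-cased) email addresses found in a note."""
    return {refang(m).rstrip(".").lower() for m in EMAIL_RE.findall(text)}


def pivot(notes: dict[str, list[str]]) -> dict[str, set[str]]:
    """Map each indicator to the set of families whose notes contain it."""
    seen: dict[str, set[str]] = defaultdict(set)
    for family, texts in notes.items():
        for text in texts:
            for email in extract_emails(text):
                seen[email].add(family)
    return dict(seen)


def shared_indicators(notes: dict[str, list[str]]) -> dict[str, set[str]]:
    """Only the indicators that recur in more than one family (the attribution signal)."""
    return {ioc: fams for ioc, fams in pivot(notes).items() if len(fams) > 1}


# Constructed ransom-note texts. The ZZZZ/ChiChi address is the one reported in
# the article; the Beaf address is a placeholder invented for this example.
NOTES = {
    "ZZZZ": ["Your files are encrypted. Contact Semenov[.]akkim@protonmail[.]com for the key."],
    "ChiChi": ["All data locked!\nWrite to: semenov[.]akkim@protonmail[.]com\nDo not rename files."],
    "Beaf": ["Write to placeholder-contact@example[.]com to recover your data."],
}

if __name__ == "__main__":
    for ioc, fams in shared_indicators(NOTES).items():
        print(f"{defang(ioc)} shared by: {', '.join(sorted(fams))}")
```

Case-folding and refanging before comparison matters: the same address written with different capitalisation or defanging style would otherwise be treated as two indicators and the overlap would be missed.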
They observed, however, that the North Korean hackers were only able to collect modest quantities of cryptocurrency (for example, a 2.2 BTC transfer in mid-2020, valued at $20,000 at the time).
“We believe the ransomware families [..] are part of larger attacks,” Beek continued.
“Trellix connects the smaller targeted ransomware attacks to DPRK associated hackers with high confidence based on our study, pooled intelligence, and observations of the smaller targeted ransomware assaults.”