North Korea pursues cryptocurrency exchanges in South Korea

This is a contributed piece by Priscilla Moriuchi, Director of Strategic Threat Development at Recorded Future

In his 2018 New Year’s speech, Kim Jong Un acknowledged that the international sanctions and pressure were having an impact on North Korea’s economy. He called the sanctions “vicious” and vowed to increase North Korea’s independence from the global financial system.

Likely in response to this increasing economic pressure, we have seen a wave of attacks targeting cryptocurrency exchanges and users since early 2017. This campaign continues a theme in the North’s cyber operations focusing on utilizing cryptocurrencies to generate revenue for the Kim regime, which ranges from mining to ransomware and outright theft.

The latest major operation discovered by Recorded Future was a spear phishing campaign launched in late 2017 which leveraged four different lures to trick victims into installing malware which exploited the popular word processing program Hangul Word Processor (.hwp file extension). Once deployed, the malware would steal information about the victim system and exfiltrate files.

The TTPs (tactics, techniques and procedures) in this campaign are consistent with well-known and well-researched Lazarus Group operations, which are widely attributed to the North Korean government. The group is best known for the 2014 attack on Sony Pictures Entertainment but has been linked to a number of attacks over the last few years.


Crypto in the crosshairs

This time around, the group appeared to be targeting South Korean cryptocurrency exchanges at large, and particularly users of the popular Coinlink exchange. Friends of MOFA (Ministry of Foreign Affairs), a group for South Korean college students with an interest in foreign affairs, also appears to have been specifically targeted. 

Our initial investigation focused on the lure used to target Friends of MOFA members, which used a blog from the group about a recent Korean Day celebration where President Moon Jae-in spoke about the upcoming Pyeongchang Winter Olympics. The attached blog actually contained a Ghostscript exploit (CVE-2017-8291) that can be triggered from within an embedded PostScript in a Hangul Word Processor document.

Once we created a signature for this particular use of the Hangul exploit, we found three additional lure documents in a public malware repository tied together using the same exploit. One of these targeted Coinlink users and was designed to obtain login emails and passwords. Alongside this, two other lures targeted cryptocurrency exchanges that had job postings out, and used real resumes stolen from South Korean computer scientists with experience at South Korean exchanges. All were created in the span of a month, from mid-October to late November.


Inside the attack

It was also notable that function names used in the PostScript are transliterated Chinese words. While “yima” (decode) and “yaoshi” (key) appear appropriate in their functional context, the word “yinzi” (factor/money) does not. The latter may be obscure technical slang but may also be an error that signifies a potential false-flag designed to point towards a Chinese-speaking culprit.

If so, this would not be the first time the Lazarus Group sought to misdirect attribution by using foreign language terms. Earlier in 2017, researchers at BAE found transliterated Russian terms in previous Lazarus operations. Alternatively, these Chinese words may also indicate that the exploit was initially obtained from a Chinese supplier.

This campaign relies on multiple payloads fashioned out of the Destover info-stealer code to collect information about the victim system and exfiltrate files. Each payload contains an embedded 64-bit version of itself. The payloads accompanying the newer cryptocurrency exchange-themed lure documents, compiled a month after the Korean Day payload, further obfuscate their functionality by resolving imports at runtime.

Upon de-obfuscating the payloads, we found 32-bit DLLs built in part on the Destover malware code. Destover has been used in a number of North Korea-attributed operations, including the Sony attack, as well as attacks on Polish banks in January 2017 and the first WannaCry victim in February 2017.


Moving beyond the South

While this latest campaign continued North Korea’s emphasis on cryptocurrency operations targeting the South, we believe this trend will change in 2018 and the North will refocus its financial attacks on other parts of the world – something rarely seen outside of WannaCry.

As South Korea responds to these attempted thefts by increasing security and government oversight, they will become less viable targets, forcing North Korean actors to look to exchanges and users in other countries as well. This means cryptocurrency exchanges and users in other countries should be aware of an increased threat from North Korean actors over the coming year. Further, the Ghostscript vulnerability exploited in the campaign can be easily adapted to fit other software, and we will be monitoring for it to resurface in the near future.

