Warning over KeyMarble Trojan as McAfee reveals how North Korean malware is linked

KeyMarble disclosure comes as McAfee and Intezer reveal more details about North Korean malware families

US-CERT has issued a warning over a newly discovered North Korean Trojan, dubbed KeyMarble.

The organisation claims that the Trojan is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screenshots, and exfiltrating data.

It recommends that organisations maintain up-to-date anti-virus software, install patches promptly, enforce strong password policies and ensure personal firewalls are configured on workstations to deny unsolicited connection requests.

The Trojan has been categorised alongside a whole family of malware attributed to North Korea by the US government under the Hidden Cobra moniker.

The warning over the newly discovered malware comes as researchers from McAfee and Intezer this week at Black Hat 2018 unveiled more details about North Korean malware, revealing how similarities in code have enabled a wide range of Trojans and viruses to be pinned on the DPRK.

"Bad actors have a tendency to unwittingly leave fingerprints on their attacks, allowing researchers to connect the dots between them. North Korean actors have left many of these clues in their wake and throughout the evolution of their malware arsenal," wrote Intezer's Jay Rosenberg and McAfee's Christiaan Beek in a joint blog posting.

"There are many reasons to reuse malware code, which is very common in the world of cybercrime. If we take an average ransomware campaign, for example, once the campaign becomes less successful, actors often change some of the basics such as using a different packer to bypass defences.

"With targeted campaigns, an adversary must keep its tools undetected for as long as possible. By identifying re-used code, we gain valuable insights about the 'ancestral relations' to known threat actors or other campaigns."

With the North Korean state behind a number of different cyber attacks over the years, security researchers have been able to identify links between each and every one of them via code analysis.

"We are aware of two major focuses of DPRK campaigns: one to raise money, and one to pursue nationalist aims. The first workforce gathers money for the nation, even if that means committing cybercrime to hack into financial institutions, hijack gambling sessions, or sell pirated and cracked software. Unit 180 is responsible for illegally gaining foreign currency using hacking techniques.

"The second workforce operates larger campaigns motivated by nationalism, gathering intelligence from other nations, and in some cases disrupting rival states and military targets. Most of these actions are executed by Unit 121."

McAfee used Intezer's code similarity detection engine to help automate the analysis process.

The two companies' analysis revealed a number of new similarities between the various North Korean malware families. WannaCry and MyDoom, for example, can be definitively linked with North Korea via the common SMB module used across various North Korean malware.
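The attribution technique the researchers describe rests on finding byte sequences that two samples have in common. The following is an added illustration, written for this article and not code from McAfee, Intezer or the US-CERT advisory: it compares constructed "sample" byte strings (not real malware) using Jaccard similarity over byte n-grams, then locates the longest shared block with a longest-common-substring pass, which is the kind of shared-module evidence the paragraph above refers to. The sample names, the `SHARED_MODULE` string and the 0.2 threshold are all assumptions chosen for the demonstration.

```python
"""Toy code-reuse check over constructed byte strings.

Two steps a similarity engine performs in some form:
  1. a cheap set-based score (Jaccard over byte n-grams) to triage pairs, and
  2. an exact search for the longest shared block, so an analyst can inspect
     what the two samples actually have in common.
Sample data below is constructed for the example and is not real malware.
"""
from itertools import combinations


def ngrams(data: bytes, n: int = 4) -> set:
    """Return the set of distinct n-byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """|A and B| / |A or B| over the two n-gram sets; 0.0 for empty input."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 0.0
    return len(ga & gb) / len(ga | gb)


def longest_shared_block(a: bytes, b: bytes):
    """Longest common substring via dynamic programming.

    Returns (offset_in_a, offset_in_b, length); (0, 0, 0) when nothing is shared.
    Quadratic in input size, so it is run only on pairs the Jaccard score flagged.
    """
    best = (0, 0, 0)
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best[2]:
                    best = (i - cur[j], j - cur[j], cur[j])
        prev = cur
    return best


# Constructed stand-in for a module reused across two "families" (assumption).
SHARED_MODULE = b"SMB_EXEC_MODULE_V2:CONNECT_PIPE_SEND_RECV_CLOSE"

# Constructed samples: two share the module, the third shares nothing.
SAMPLES = {
    "family_a": b"LOADER_A_INIT_CONFIG_" + SHARED_MODULE + b"_A_TAIL",
    "family_b": b"DROPPER_B_STAGE_TWO_" + SHARED_MODULE + b"_B_PERSIST",
    "unrelated": b"quietly unrelated sample with its own routines only",
}


def compare_samples(samples: dict, n: int = 4, threshold: float = 0.2) -> dict:
    """Score every pair; for flagged pairs also report the longest shared block.

    Result: {(name_a, name_b): (jaccard_score, flagged, (off_a, off_b, length))}
    """
    results = {}
    for (na, a), (nb, b) in combinations(samples.items(), 2):
        score = jaccard(a, b, n)
        flagged = score >= threshold
        block = longest_shared_block(a, b) if flagged else (0, 0, 0)
        results[(na, nb)] = (round(score, 3), flagged, block)
    return results


if __name__ == "__main__":
    for pair, (score, flagged, (off_a, off_b, length)) in compare_samples(SAMPLES).items():
        print(f"{pair[0]:>10} vs {pair[1]:<10} jaccard={score:.3f} flagged={flagged}")
        if flagged:
            shared = SAMPLES[pair[0]][off_a:off_a + length]
            print(f"{'':>10}    shared block @{off_a}/{off_b} len={length}: {shared!r}")
```

The n-gram score is what makes a large corpus tractable; the substring pass is what turns a score into something an analyst can read and argue about, which is why the block above runs it only for pairs that cleared the threshold.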

Code integrated in WannaCry has also been linked with a backdoor targeting the South Korean manufacturing industry - anything targeting South Korea being a red flag highlighting potential North Korean activity.

Common file mapping is also a giveaway. "This code has appeared in the malware families NavRAT and Gold Dragon, plus a certain DLL from the South Korean gambling hacking campaign. These three RATs are thought to be affiliated with North Korea's Group 123.

"The third example, responsible for launching a cmd.exe with a net share, has been seen in 2009's Brambul, also known as SierraBravo, as well as KorDllBot in 2011. These malware families are also attributed to the Lazarus group."

Security researchers have also been able to glean a wide range of information about North Korean cyber attacks from a seven-year campaign targeting hotels across Asia, in which a wide variety of tools were deployed to break into systems and take control of hotel companies' servers.

Intriguingly, perhaps, the researchers claim a link between a bank based in Macau "controlled by a billionaire gambling mogul who started a casino in Pyongyang" and the recent spate of malware attacks targeting legitimate banks' SWIFT international payment operations. "The Macau bank was listed twice in the malware's code as a recipient of stolen funds," they claim.

The biggest of those attacks, against Bangladesh Bank, the central bank of Bangladesh, has revealed links with the North Korean campaigns Hidden Cobra, 10 Days of Rain, Destover (used in the Sony Pictures Entertainment attack), MyDoom and KorHigh.

Lazarus, it should be noted, is an umbrella name for a set of North Korean cyber operations with clear links between them, whereas malware from Group 123 (NavRAT, the gambling campaign and Gold Dragon) appears to be run in parallel, with some collaboration between the two for particular campaigns.