Several ransomware strains have been linked to APT38, a North Korean state-sponsored hacking group known for targeting and stealing funds from financial institutions worldwide.
The group is also known for deploying destructive malware on victims’ networks during the final stage of its attacks, most likely to wipe any traces of its activity.
Christiaan Beek, lead threat researcher at cybersecurity firm Trellix, said that the group’s operators (part of Unit 180 of North Korea’s cyber-military Bureau 121) have also used the Beaf, PXJ, ZZZZ, and ChiChi ransomware families to extort some of their victims.
The links to APT38 were uncovered while analyzing code and artifact similarities with VHD ransomware, which, like TFlower ransomware, has been tied to the North Korean Lazarus APT group.
Kaspersky and Sygnia researchers made that connection after seeing both strains deployed on victims’ networks via the cross-platform MATA malware framework, a malicious toolkit used exclusively by Lazarus operators, according to Kaspersky.
Beek revealed on Wednesday that, based on visualizing the code using Hilbert curve mapping, PXJ, Beaf, and ZZZZ share a notable amount of source code and functionality with VHD and TFlower ransomware, with Beaf and ZZZZ being near-exact clones of each other.
“You don’t have to be a malware expert to quickly realize that the ZZZ and BEAF Ransomware images are almost identical,” the Trellix researcher said.
“It also becomes clear that both Tflower and ChiChi are vastly different when compared to VHD.”
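To make the Hilbert curve technique concrete, here is a small added example (written for this page, not Trellix’s tooling or anything from the report): each byte of a file is bucketed into a coarse class and placed along a 2-D Hilbert curve, so that bytes adjacent in the file stay adjacent in the picture and shared code shows up as the same shapes in the same places. The class scheme, the constructed sample bytes, and the cell-agreement score are all assumptions chosen for illustration; real analysts would look at the rendered images side by side, as Beek did.

```python
"""Hilbert-curve byte visualisation plus a crude cell-agreement score.

Added example for illustration only; samples below are constructed, not
real ransomware. The byte classes and the similarity metric are choices
made for this example, not the scheme used in the Trellix research.
"""
import random

# Coarse byte classes. A viewer would map these to colours; for the
# comparison the class ids themselves are enough.
NULL, PRINTABLE, OTHER, FULL, UNMAPPED = 0, 1, 2, 3, -1


def byte_class(b: int) -> int:
    """Bucket one byte: null, printable ASCII, 0xFF, or anything else."""
    if b == 0x00:
        return NULL
    if b == 0xFF:
        return FULL
    if 0x20 <= b <= 0x7E:
        return PRINTABLE
    return OTHER


def _rot(n, x, y, rx, ry):
    """Rotate/flip a quadrant so each sub-curve joins up with its neighbours."""
    if ry == 0:
        if rx == 1:
            x, y = n - 1 - x, n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n: int, d: int):
    """Map distance d along a Hilbert curve of side n (a power of two) to (x, y)."""
    x = y = 0
    s = 1
    t = d
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def side_for(length: int) -> int:
    """Smallest power-of-two side whose square holds `length` bytes."""
    n = 1
    while n * n < length:
        n *= 2
    return n


def render(data: bytes, n: int):
    """Return an n x n grid of byte classes laid out along the Hilbert curve."""
    grid = [[UNMAPPED] * n for _ in range(n)]
    for d, b in enumerate(data[: n * n]):
        x, y = d2xy(n, d)
        grid[y][x] = byte_class(b)
    return grid


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of curve positions at which both samples carry the same byte class."""
    n = side_for(max(len(a), len(b)))
    ga, gb = render(a, n), render(b, n)
    total = max(len(a), len(b))
    matches = 0
    for d in range(total):
        x, y = d2xy(n, d)
        if ga[y][x] == gb[y][x]:
            matches += 1
    return matches / total


def make_sample(seed: int, size: int = 1024) -> bytes:
    """Constructed stand-in for a small binary: zero header, strings, opaque bytes."""
    rng = random.Random(seed)
    header = bytes(64)
    names = [b"CreateFileW\0", b"kernel32.dll\0", b".text\0"]
    strings = b"".join(rng.choice(names) for _ in range(24))
    body = bytes(rng.getrandbits(8) for _ in range(size - len(header) - len(strings)))
    return (header + strings + body)[:size]


BASE = make_sample(1)
# Near-clone: the same bytes with a handful patched, like a rebuild with a
# changed string or key. Its picture should be almost indistinguishable.
_clone = bytearray(BASE)
for _i in range(200, 1024, 64):
    _clone[_i] ^= 0x5A
CLONE = bytes(_clone)
# Unrelated sample: random bytes sharing no layout with BASE at all.
_rng = random.Random(99)
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(1024))


def ascii_picture(data: bytes, n: int = 32) -> str:
    """Text rendering so the shapes can be eyeballed in a terminal."""
    glyph = {NULL: ".", PRINTABLE: "s", OTHER: "#", FULL: "F", UNMAPPED: " "}
    return "\n".join("".join(glyph[c] for c in row) for row in render(data, n))


if __name__ == "__main__":
    print(ascii_picture(BASE))
    print("base vs clone    :", round(similarity(BASE, CLONE), 3))
    print("base vs unrelated:", round(similarity(BASE, UNRELATED), 3))
```

The score is deliberately naive: it rewards identical bytes at identical offsets, so a sample with one extra section inserted near the start will look different even if the rest is shared. That is exactly why the visual comparison is a lead for the analyst rather than an attribution in itself, and why the text above backs it with artifact and infrastructure overlap.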
Although ChiChi’s codebase has little to nothing in common with the others, Beek found that the Semenov[.][email protected][.]com email address was used in the ransom notes of both ChiChi and ZZZZ.
Attacks using these ransomware families have only targeted entities in the Asia-Pacific (APAC) region, which made it harder to identify the victims, since there were no negotiation chats or leak sites to examine.
Trellix also tried to uncover further links by analyzing the cryptocurrency transfers behind ransom payments, but found no overlap in the crypto wallets used to collect ransoms.
However, they did find that the North Korean hackers were only able to collect small amounts of crypto assets (for instance, a 2.2 BTC transfer in mid-2020, worth about $20,000 at the time).
“We suspect the ransomware families [..] are part of more organized attacks,” Beek added.
“Based on our analysis, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK affiliated hackers with high confidence.”