A North Korean threat group targeting small and midsize businesses with ransomware could be part of Pyongyang’s hacking-backed efforts to obtain cryptocurrency, or it could be the side project of hackers based in the hermit kingdom.
Threat researchers at Microsoft say they’ve been tracking the group, dubbed DEV-0530, since June 2021. The group prefers the moniker H0lyGh0st.
As of early July 2022, the group doesn’t appear to be very successful. Microsoft’s review of its wallet transactions shows that it has not successfully extorted ransom payments from their victims despite maintaining a dark web website to interact with victims in its demands for Bitcoin.
North Korea’s hereditary totalitarian dictatorship is notorious for fueling its nuclear weapons program with stolen cryptocurrency used to dodge international sanctions (see: North Korea Behind $100M Harmony Theft, Say Researchers).
Indicators including email exchanges suggest the group has overlap with another Northern Korean threat actor group known as PULTONIUM that’s targeted energy and defense industries in the United States, India and South Korea since at least 2014.
That link, along with the group’s unusual targeting behavior – hitting apparently randomly selected small businesses in multiple countries including an events planning company – suggests someone with ties to PLUTONIUM infrastructure and tools could be moonlighting for personal gain, Microsoft says.
Microsoft “observed both groups operating from the same infrastructure set and even using custom malware controllers with similar names.”
Researchers suspect that DEV-0530 might have exploited a remote code execution vulnerability on public-facing web applications and content management systems tracked as CVE-2022-26352 to gain initial access.
Between June 2021 and May 2022, Microsoft tracked two new families of malware deployed by the group, dubbing them SiennaPurple and SiennaBlue. They identified four variants under these families:
BLTC.exe. It was able to cluster the variants based on tell-tale indicators such as code similarity, command-and-control URL patterns, and ransom note text.
Microsoft says BTLC_C.exe is an outlier compared to the other variants, given that it was written in the C++ programing language and lacks many of the features in the SiennaBlue variants, which were written in Go. In particular, it if not launched by an user with Windows machine admin privileges, it wouldn’t execute.
SiennaBlue variants became more sophisticated over time, including features such as various encryption options, string obfuscation, public key management, and support for the internet and intranet.
All malware variants encrypt files with a
The researchers observed the
BTLC.exe variant among the latest ransomware variants used by DEV-0530 and say it has been in the wild since April 2022.
A key feature of BTLC.exe is a persistence mechanism creating a foothold for attackers to later launch the malicious encryption. Specifically, the malware creates or deletes a scheduled task called lockertask. When launched, it connects to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive.
Microsoft found that attackers asked for 1.2 to 5 Bitcoins from victims and in some cases lowered the ransom to less than one-third of the asking price. Victims appear not to be in a buying mood.