A First Look at the North Korean Malware Family Tree

Security researchers have analyzed malware samples from threat actors associated with North Korea and discovered connections with tools from older unattributed campaigns.

The research spans several months and connects a diverse range of operations, from cyberespionage to financially motivated campaigns. The campaigns analyzed by the researchers and a timeline of their appearance are shown below.

Timeline of analyzed malware campaigns

Most of these appear to be the work of one of the two known hacker collectives in North Korea, Unit 180 or Unit 121.

According to a report by McAfee shared with BleepingComputer, Unit 180 focuses on making money for the country through hacking, while Unit 121 has a nationalist agenda, which includes providing tools and malware for the other groups, spying on other states, and disrupting their actions and military targets.

Looking for code similarities in samples attributed to the DPRK (Democratic People’s Republic of Korea), security experts from McAfee and Intezer found unique code shared in tools used from 2009 until 2017. They created a map that lays out the ties between multiple malware families based on code recycling for different operations.

Malware code similarities

It appears that there are strong links between DarkSeoul (2012), Operation Blockbuster (the Sony Pictures attack in 2014), the NukeSpeed backdoor, and Operation Troy (military espionage, 2009-2013). These connections were previously revealed in a report from a consortium of security companies investigating the activity of the Lazarus group, which is responsible for the Sony Pictures attack.

The map also connects WannaCry ransomware that took the world by storm in May last year with Jaku – a tool for targeted tracking and data exfiltration that ran disguised as botnet malware.

Intezer’s code analysis engine breaks code into small “genes” that can then be used to compare the “DNA” of one sample against other malware samples. Using it, the researchers found a shared SMB module used among malware from 2009 to 2017.

“The first code example appeared in the server message block (SMB) module of WannaCry in 2017, Mydoom in 2009, Joanap, and DeltaAlfa. Further shared code across these families is an AES library from CodeProject,” the researchers wrote in their report. “These attacks have been attributed to Lazarus; that means the group has reused code from at least 2009 to 2017.”

Intezer Code Analysis

In another example, the researchers noticed code overlap between the Operation Troy campaign, revealed in 2013, and the Darkhotel operation disclosed a year later. Both were cyberespionage activities: the former was bent on military espionage, while the latter targeted important individuals at companies from various verticals.

Revelations go further, showing a high percentage of shared code DNA in backdoors used to target South Korea’s manufacturing industry in particular, in utilities used by Operation Blockbuster, and in the WannaCry version that wreaked havoc. The similarities also paved the way to a clearer picture of the Lazarus group’s operational scale. Some of the links are weaker than others, but the relations were built taking into account only unique code and ignoring common code and libraries.
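The gene-based comparison described above, together with the point that common library code is ignored when building links, can be illustrated with a toy model. The following is an added example and not Intezer’s or McAfee’s code: each sample is cut into fixed-size byte n-grams (“genes”), genes that also appear in a known library blob are discarded, and the remaining unique genes are compared pairwise with a Jaccard index. The gene size, the threshold and all sample bytes are constructed assumptions, not real malware.

```python
# Added example: toy "code gene" similarity with common-code filtering.
# Sample bytes are constructed for illustration; they are not real malware.
from itertools import combinations

GENE_SIZE = 8  # n-gram width in bytes (assumption for this toy model)


def genes(code: bytes, size: int = GENE_SIZE) -> set:
    """Split a byte string into overlapping fixed-size n-grams ('genes')."""
    return {code[i:i + size] for i in range(len(code) - size + 1)}


def unique_genes(code: bytes, common: set) -> set:
    """Genes of a sample minus those also found in common/library code."""
    return genes(code) - common


def similarity(a: set, b: set) -> float:
    """Jaccard index of two gene sets (0.0 = nothing shared, 1.0 = identical)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def build_links(samples: dict, library, threshold: float) -> list:
    """Return (sample, sample, score) edges whose unique-gene similarity
    reaches the threshold. If library is None, no common code is filtered,
    which shows how shared libraries alone would create misleading links."""
    common = genes(library) if library is not None else set()
    fingerprints = {name: unique_genes(code, common)
                    for name, code in samples.items()}
    edges = []
    for x, y in combinations(sorted(fingerprints), 2):
        score = similarity(fingerprints[x], fingerprints[y])
        if score >= threshold:
            edges.append((x, y, round(score, 3)))
    return edges


# Constructed inputs: a shared "AES-like" library blob, a shared SMB module
# and three samples, one of which only shares the library.
LIBRARY = b"AES-ROUND-KEY-EXPAND-SBOX-MIXCOLUMNS-" * 2
SMB_MODULE = b"SMB-NEGOTIATE-TREE-CONNECT-NTCREATE-"
SAMPLES = {
    "sample_2009": LIBRARY + SMB_MODULE + b"worm-mailer-routine-",
    "sample_2017": b"kill-switch-check-" + SMB_MODULE + LIBRARY,
    "unrelated": LIBRARY + b"screen-capture-keylog-upload-",
}

if __name__ == "__main__":
    print("with library filtering:", build_links(SAMPLES, LIBRARY, 0.2))
    print("without filtering:", build_links(SAMPLES, None, 0.2))
```

With filtering only the two samples that share the SMB module are linked; without it, the shared library alone links all three, which is the false positive the researchers avoided by ignoring common code.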

If there is undeniable proof of affiliation with the DPRK for even one of the malware families or hacking tools, the code DNA betrays the actor’s entire arsenal, or at least a large part of it. Work like this is definitely going to help track the evolution of adversaries.