ThaiCERT Seizes Hidden Cobra Server Linked to GhostSecret, Sony Attacks

Thailand’s Computer Emergency Response Team (ThaiCERT) has seized a server that is operated by the North Korea-linked Hidden Cobra APT and used to control the global GhostSecret espionage campaign. The campaign is still ongoing.

ThaiCERT said in an alert on Wednesday that it is working with McAfee and law enforcement to analyze the control server, which was located at Thammasat University in Bangkok. Researchers said that the server has the same IP address as the one used in the infamous 2014 Sony Pictures hack, known to be linked to Hidden Cobra (a.k.a. the Lazarus Group) and North Korea.

Earlier this week, McAfee warned that the GhostSecret campaign was carrying out data reconnaissance on a wide range of industries, including critical infrastructure, entertainment, finance, healthcare and telecommunications, in at least 17 countries.

“The public exposure is likely to force the actors to change infrastructure and implants,” a McAfee spokesperson told Threatpost. “We also suspect this may be the tip of the iceberg and there may be more hidden infrastructure yet to be discovered.”

The offensive uses multiple implants, tools and malware variants associated with Hidden Cobra, which together have established a covert network to gather data and create the capability to launch further attacks. The malware in play includes Bankshot, which is a remote access tool that gives an attacker full capability on a victim’s system (with the functionality to wipe files and content, and gather data). Hidden Cobra has used Bankshot in the past to target finance and other industries, including attacking a major Korean bank. Bankshot also can search for hosts related to the SWIFT network, researchers said, which Hidden Cobra has been known to go after, as in the case of the Bangladesh Central Bank heist in 2016 that saw the attackers make off with $81 million.

Researchers also uncovered two previously unknown malware variants. One has capabilities that resemble the Destover malware, which also was used in the Sony attack; and another, dubbed Proxysvc, is a unique data-gathering and implant-installation component that listens on port 443 for inbound control server connections. McAfee said that Proxysvc is part of a covert network of Secure Sockets Layer listeners that allow the attackers to gather data and install more complex implants or additional infrastructure; it essentially lets attackers know which systems were infected in order to connect to them.

“Our analysis of the code…indicates that Bankshot, Proxysvc, and the Destover-like implant are distinct families, but also contain overlapping code and functionality with current tools of Hidden Cobra,” McAfee researchers said. They added, “the evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools.”

Operation GhostSecret kicked off in February 2018, when the actors targeted the Turkish financial system via spear-phishing emails containing malicious Microsoft Word documents and the Bankshot payload. It started with a major government-controlled financial organization, next appeared in another Turkish government organization involved in finance and trade, and then victimized a further three large financial institutions in the country.

ThaiCERT said that it’s in the process of accessing the information on the seized server, and that once the information is analyzed, it will assist Thai victims with remediation. McAfee is continuing to investigate as well.