APT38, a North Korean-sponsored hacking gang infamous for targeting and stealing cash from financial institutions throughout the world, has been connected to many ransomware variants. They’re also renowned for using destructive malware on their victims’ networks in the last stages of their operations, obliterating all evidence of their presence.
According to Christiaan Beek, a lead threat analyst at cybersecurity company Trellix, the group’s operators (part of North Korea’s cyber-army Bureau 121) have also employed the Beaf, PXJ, ZZZZ, and ChiChi ransomware families to extort some of their victims. The linkages to APT38 were discovered when studying code and artifact resemblance with VHD ransomware, which was tied to the North Korean Lazarus APT organization, exactly like TFlower ransomware.
Kaspersky and Sygnia researchers established that link after finding both strains deployed on victims’ networks via the cross-platform MATA malware framework, a tool used only by Lazarus operators. According to Beek, who visualized the code using Hilbert curve mapping, PXJ, Beaf, and ZZZZ share significant source code and functionality with VHD and TFlower ransomware, while Beaf and ZZZZ are practically perfect clones of each other.
“You don’t have to be a malware specialist to immediately recognize that the ZZZ and BEAF Ransomware pictures are almost identical,” the Trellix researcher said. “It also becomes apparent that both Tflower and ChiChi are vastly different when compared to VHD.”
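Hilbert curve mapping lays the bytes of a file out along a space-filling curve, so bytes that are adjacent in the file stay adjacent in the picture and a shared code region shows up as the same shape in the same place in two samples. The following added example (not Trellix's tooling, and not derived from the samples in the article) implements the standard d2xy Hilbert construction, renders constructed byte strings as coarse ASCII "pictures", and computes a position-wise byte-identity score; the score itself is what a human eyeballs from the picture, and the layout only makes it visible. The three "binaries" are constructed stand-ins, not real ransomware.

```python
"""Hilbert-curve rendering of two byte sequences for side-by-side comparison.

Added illustration of the visualisation technique the article mentions; it is
not Trellix's tooling.  The three "binaries" below are constructed byte
strings, not real ransomware samples.
"""


def hilbert_d2xy(side, d):
    """Map curve index d to (x, y) on a side x side Hilbert curve.

    side must be a power of two.  Standard iterative d2xy construction.
    """
    x = y = 0
    s = 1
    t = d
    while s < side:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                 # rotate/flip the sub-square
            if rx == 1:
                x = s - 1 - x
                y = s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def byte_glyph(b):
    """Coarse 'colour' for a byte: null, 0xFF, printable text, other code/data."""
    if b == 0x00:
        return "."
    if b == 0xFF:
        return "#"
    if 0x20 <= b < 0x7F:
        return "a"
    return "x"


def grid_side(length):
    """Smallest power-of-two side whose square holds `length` cells."""
    side = 1
    while side * side < length:
        side *= 2
    return side


def render(data, side=None):
    """Return the Hilbert-curve picture of `data` as a list of text rows."""
    side = side or grid_side(len(data))
    grid = [[" "] * side for _ in range(side)]
    for d, b in enumerate(data):
        x, y = hilbert_d2xy(side, d)
        grid[y][x] = byte_glyph(b)
    return ["".join(row) for row in grid]


def byte_similarity(a, b):
    """Fraction of offsets (over the longer input) holding an identical byte."""
    longest = max(len(a), len(b))
    same = sum(1 for i in range(min(len(a), len(b))) if a[i] == b[i])
    return same / longest


def build_samples():
    """Constructed stand-ins: two 'clones' sharing a code block, one unrelated."""
    header = b"MZ" + b"\x00" * 62                      # fake PE-like header
    shared_code = bytes((i * 37 + 11) % 256 for i in range(512))
    note_a = b"Your files are encrypted. Contact: <constructed-address-A>"
    note_b = b"All data locked. Mail: <constructed-address-B>"
    clone_a = header + shared_code + note_a
    clone_b = header + shared_code + note_b
    unrelated = bytes((i * 73 + 5) % 256 for i in range(600))
    return clone_a, clone_b, unrelated


if __name__ == "__main__":
    a, b, c = build_samples()
    side = grid_side(max(len(a), len(b), len(c)))
    for left, right in zip(render(a, side), render(b, side)):
        print(left, " ", right)
    print("clone_a vs clone_b:", round(byte_similarity(a, b), 3))
    print("clone_a vs unrelated:", round(byte_similarity(a, c), 3))
```

Run stand-alone, the script prints the two clone pictures next to each other; the shared block occupies the same cells in both, and only the tail holding the differing ransom note text differs. Real-world use would swap the byte glyphs for a colour palette and the constructed samples for actual files, but the locality property that makes the comparison readable comes entirely from the curve mapping.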
While ChiChi’s codebase has few commonalities with the others, Beek discovered that both ChiChi and ZZZZ used the Semenov[.]akkim@protonmail[.]com email address in their ransom notes. Attacks employing these ransomware families mainly targeted companies in Asia-Pacific (APAC). Because there were no negotiation conversations or leak sites to examine, identifying the victims was more challenging.
Trellix also looked into the cryptocurrency transfers behind ransom payments to see if there were any overlaps in the crypto wallets used to collect ransoms but discovered none. However, they observed that the North Korean hackers could only acquire modest quantities of cryptocurrency (for example, a 2.2 BTC transfer in mid-2020, valued at $20,000 at the time).
“We suspect the ransomware families [..] are part of more organized attacks,” Beek added. “Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK-affiliated hackers with high confidence.”