New Malware Uses GeoCities, North Korea Interest to Trick Victims

Published: 22/11/2024   Category: security




A new threat called Baijiu leverages the GeoCities web service, and heightened interest in North Korea, to deceive victims.



Researchers at Cylance have discovered a new advanced threat, dubbed Baijiu, which uses heightened interest in North Korea and the GeoCities web service to prey on victims.
Baijiu abuses global concern about the humanitarian situation in North Korea, specifically with respect to the flooding related to last year's Typhoon Lionrock. Victims click a malicious file with the expectation that they will learn more about how the situation unfolded, which was largely hidden from the world.
"The ultimate goal of this attack is to deploy a set of espionage tools through a downloader called Typhoon and a set of backdoors called Lionrock. These are likely used to siphon data from victims," explains Kevin Livelli, Cylance director of threat intelligence.
Cylance researchers hunting new and existing threats discovered that elements of this attack had been uploaded to VirusTotal and weren't being detected by most solutions, Livelli says. The North Korea reference initially caught their attention, but several other factors set Baijiu apart.
"It was a more complex piece of malware than we typically see," he continues. "It took a rather circuitous route from the phishing attempt, all the way to the backdoor."
Along the way, Baijiu takes several steps to hide itself, which Cylance reports has helped it evade antimalware precautions. Researchers speculate this is also an attempt to throw off researchers and investigators who might be following it.
Livelli was most interested in the appropriation of GeoCities to deliver the Baijiu malware. The web hosting service, popular in the 1990s, is currently owned by Yahoo and based in Japan. It's free to use, has high bandwidth, and doesn't require user identification beyond a Yahoo email address.
"The same things that make it appealing to ordinary citizens are making it appealing to hackers," he says, noting the anonymity GeoCities grants its users.
Baijiu isn’t the only threat using GeoCities as a launching pad for malware. The service was also used in March 2017 for targeted attacks to deliver Poison Ivy, which has been associated with Chinese APT groups. GeoCities is increasingly being used by advanced adversaries, says Livelli, and researchers found at least 10 other examples of attacks using it.
Cylance has not conducted an analysis of Baijiu targets. Livelli says it's likely widespread, though the company did not identify specific geographies or organizations at risk. It also cannot attribute the threat to a specific cybercriminal or group of cybercriminals.
"Given the technical complexity of this attack and certain features in the way it's coded, we can say it's a sophisticated attacker that's employing this malware," Livelli says.
Cylance cannot definitively attribute Baijiu to a specific actor or actors, he continues. Researchers discovered that Baijiu shares code similarities with the Egobot codebase, as described by Symantec, and the broader Darkhotel Operation, as discovered by Kaspersky.
Egobot was used in campaigns targeting Korean interests, and Darkhotel's operators were based in Japan, Taiwan, and China. This could hint at the origin of Baijiu; however, Cylance can't say with certainty because it only analyzed one specific piece of malware and not a broader campaign.
"It's one window into a larger campaign that probably has connections," he says. Given that Baijiu shares commonalities with other previously discovered cyberattacks, there may be other lures that could give a better idea of who the attackers are and what they seek.