Image

Even when you think we are at peace, the World is at Cyber War!  

The famous computer security company- McAfee has discovered Operation Ghost Secret. Operation Ghost Secret is supposedly a hidden initiative by North Korea to target other countries through a number of cyber attack to acquire their military secrets and cyber provocations. It has targeted 17 countries so far including The United States of America.

The global cyber attacks where launched on March 14. Until March 26 the attacks targeted many infrastructures which include IT assets of healthcare organizations, higher education, telecommunications, and power companies. Though the cyber security firm did not name any of the companies, it did specify that the attacks were mostly from Asia-Pacific region.

The McAfee Advanced Threat Research team discovered a previously unknown data-gathering implant that surfaced in mid-February 2018. This implant appears to be a derivative of implants authored before by Hidden Cobra and contains functionality similar to that of Bankshot, with code overlaps from other Hidden Cobra implants. However, the variant is not based on Bankshot. The team stated:

“Our analysis of the portable executable’s rich-header data reveals that the two implants were compiled in different development environments.”

Similarities

  • Both variants build their API imports dynamically using GetProcAddress, including wtsapi32.dll for gathering user and domain names for any active remote sessions
  • Both variants contain a variety of functionalities based on command IDs issued by the control servers
  • Common capabilities of both malware:
  • Listing files in directory
  • Creating arbitrary processes
  • Writing data received from control servers to files on disk
  • Gathering information for all drives
  • Gathering process times for all processes
  • Sending the contents of a specific file to the control server
  • Wiping and deleting files on disk
  • Setting the current working directory for the implant
  • Sending disk space information to the control server
  • Both variants use a batch file mechanism to delete their binaries from the system
  • Both variants run commands on the system, log output to a temporary file, and send the contents of the file to their control servers

Differences

The following capabilities in the 2015 implant are missing from the 2018 variant:

  • Creating a process as a specific user
  • Terminating a specific process
  • Deleting a specific file
  • Setting file times for a specific file
  • Getting current system time and sending it to the control server
  • Reading the contents of a file on disk. If the filepath specified is a directory, then listing the directory’s contents.
  • Setting attributes on files

“When we compared the PE rich header data of the new February 2018 implant with a variant of Backdoor. Escad (Destover) from 2014 shortly before the Sony Pictures attack, we found the signatures to be identical. The Destover-like variant is 83% similar in code to a 2015 variant and contains the same rich PE header signature as the Backdoor. Escad variant we analyzed. Thus, the new implant is likely a derivative of components of Destover. We determined that the implant is not a direct copy of well-known previous samples of Destover; rather, Hidden Cobra created a new hybrid variant using functionality present in earlier versions.”

McAfee believes that Operation Ghost secret may be North Korea’s play to take down superpowers like USA that stand in its way. The country has been previously linked with the Hacking group named Lazarus. The malware does have similar spread and infrastructure compare to the ones created by Lazarus. The use of cyber warriors could be Kim Jong Un’s prime objective against enemy states.

McAfee had previously confirmed in an issue of the Wall Street Journal that North Korea was behind the attack on Turkish Bank last year and could launch similar attacks on financial entities of western countries in near future. The company stated:

“Fighting cyber crime is a global effort best undertaken through effective partnerships between the public and private sectors. We are working with Thai government authorities to take down the control server infrastructure of Operation Ghost Secret, while preserving the systems involved for further analysis by law enforcement authorities. By creating and maintaining partnerships with worldwide law enforcement, McAfee demonstrates that we are stronger together.”

There is new form of war being used and this war could be catastrophic if not dealt with the utmost priority by the world. Operation Ghost Secret could be the biggest threat to global peace. Today wars aren’t fought with ammunition or spears they are fought with malwares and computer viruses.