BAIJIU: New Malware Abuses Popular Japanese Web Hosting Service

Attack Analysis – Background and Lure

With international attention focused on the tinderbox of the Korean peninsula, Cylance is shedding new light on a threat we call BAIJIU, one that preys upon heightened interest into what’s going on inside the borders of the hermit kingdom of North Korea.

BAIJIU, which evades widespread detection, abuses global concern about the dire humanitarian situation in North Korea. It enters the target environment through an LNK file on the end of a phishing hook with the following bait:

“2016 North Korea Hamgyung [sic] province flood insight.”

The lure is a reference to a natural disaster that took place in late August 2016, when Typhoon Lionrock triggered massive flooding that wiped out much of North Korea’s province of North Hamgyong, impacting more than half a million people, drawing world-wide notice, and commanding international news coverage for several months.

Despite the media attention, details were sparse regarding the extent and aftermath of the crisis. Reports surfaced of attempts at escape and defection to neighboring China, after border forces and fencing were washed away.

Drawing even more curiosity were statements from Pyongyang itself, which took the rare step of publicly declaring the flood the worst natural disaster since 1945. The dictatorship appealed to the UN and aid groups for help with relief efforts, and asked the international community for monetary support.

How the crisis was resolved, and what its lasting impact was on North Korea, is anyone’s guess. Exactly how many people died or were displaced? Were North Korea’s official pronouncements to be believed? BAIJIU’s attackers bet that many of their phishing targets would click on the attachment to find out just that – in other words, they would take the bait.

Attack Analysis – Provenance and C2

BAIJIU’s goal in this attack was (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Jon Gross and Kevin Livelli. Read the original post at: Cylance Blog