RIDING WITH THE CHOLLIMAS
OUR 100-DAY QUEST TO IDENTIFY A NORTH KOREAN STATE-SPONSORED THREAT ACTOR
Mauro Eldritch | Juan Brodersen
INTRO
About Us | About this talk | What’s a Chollima and why should we fear them?
100 DAYS IN THE LABYRINTH
The infection | Analyzing a homemade malware | IOCs, CTI, OSINT… and revenge
RIDING WITH THE CHOLLIMAS
A State Sponsored Threat | Winged-horses, Corpo Espionage and Ballistic Missiles | A wonderful surprise
00
INTRO
About us | About this talk | What’s a Chollima? Why should we fear them?
whoami
MAURO ELDRITCH
JUAN BRODERSEN
Mauro Eldritch is an Argentine hacker, founder of Birmingham Cyber Arms LTD and DC5411 (Argentina / Uruguay). He has spoken at several events, including DEF CON on a couple of occasions. Loves Threat Intelligence, Biohacking and OSINT.
Juan Brodersen is a journalist with a bachelor's degree in Philosophy (UBA), covering the cybersecurity beat for Clarín, Argentina's largest newspaper. He also teaches journalism at two national universities and writes a Latin American-focused infosec newsletter, SecOps.
ABOUT THIS TALK
CHAPTER 1
I stumbled upon an unusual malware sample that seemed quite homemade. Surprisingly simple, it evaded all existing antivirus software. Thus, I deemed it worthy of further investigation. After conducting CTI and OSINT, things took a much darker turn…
CHAPTER 2
Almost 100 days later, we decided to team up with Juan, and so our journey to profile the malware developers (and their campaign) began. With new leads in hand, it was time to discreetly inquire within the scene to gather intel... And perhaps even uncover a surprise…
What’s a CHOLLIMA?
Qianlima, Senrima: a mythical winged horse, present in East Asian mythology (Japan, China, North Korea).
North Korea’s Chollima Movement.
Alias for North Korean Threat Actors.
Why should we FEAR THEM?
State Sponsored Attacks: official financial support, state-provided legal impunity. This leads to reckless attacks.
Operation DarkSeoul, Sony Incident, [alleged] Bangladesh Bank Incident, [alleged] WannaCry outbreak, Ronin Bridge hack, Horizon Bridge hack.
01
100 DAYS IN THE LABYRINTH
The Infection | Analyzing a homemade malware | IOCs, CTI, OSINT & Revenge
THE INFECTION
Malware deployed bundled inside a fake QR Generator.
Artifact was sandboxed and host was network contained. Multiple alerts from Crowdstrike issued.
Artifact acquired. Behavior monitored for IOC extraction.
2023-02-07, 13:01
2023-02-07, 12:25
2023-02-07, 12:25-13:01
Intelligence made publicly available through AlienVault OTX. Write-up published on GitHub.
2023-02-09, 12:07
Researcher “Daniel” points out the sample’s C2 is tied to DPRK.
2023-04-26, 08:44
Crowdstrike ties the C2 infrastructure to a DPRK-sponsored actor.
2023-04-28, 13:36
– MAURO ELDRITCH’S FIRST REPORT ON QRLOG
“This is a basic - seemingly homemade - RAT that attempts to open a reverse shell [...]
As of the time of writing, there is no public mention of this malware or its components.
I named it QRLOG.”
ANALYZING QRLOG
QRLOG hides in plain sight, base64-encoded inside a variable named QUIET_ZONE_DATA.
Its final objective is to open a reverse shell for the adversary to abuse.
Source: Birmingham Cyber Arms LTD.
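The hiding technique described above (a payload base64-encoded inside an innocuous-looking string constant) is something a triage script can hunt for. This is an added example, not code from the QRLOG analysis or from Birmingham Cyber Arms; the Java text it scans is constructed, and only the variable name QUIET_ZONE_DATA comes from the talk.

```python
"""Triage helper: find long base64 string constants in source and decode them.

Added example for this write-up, not code from the QRLOG analysis or from
Birmingham Cyber Arms. The Java text below is constructed; only the variable
name QUIET_ZONE_DATA comes from the talk, the payload content does not.
"""
import base64
import binascii
import re

# A quoted literal of 64+ base64-alphabet characters assigned to a name.
ASSIGN_RE = re.compile(
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<lit>[A-Za-z0-9+/=]{64,})"'
)
# Decoded content containing these deserves analyst attention.
SUSPICIOUS_MARKERS = ("ProcessBuilder", "java.net.Socket",
                      "Runtime.getRuntime", "/bin/sh")


def find_encoded_blobs(source: str):
    """Return (variable, decoded text, markers found) per base64 literal."""
    findings = []
    for m in ASSIGN_RE.finditer(source):
        try:
            raw = base64.b64decode(m.group("lit"), validate=True)
        except (binascii.Error, ValueError):
            continue  # long literal, but not decodable base64
        text = raw.decode("utf-8", errors="replace")
        hits = [k for k in SUSPICIOUS_MARKERS if k in text]
        findings.append((m.group("name"), text, hits))
    return findings


# Constructed stand-in for the hidden payload; not the real sample.
_HIDDEN = ('import java.net.Socket; new ProcessBuilder("/bin/sh"); '
           "// constructed placeholder, not QRLOG")
SAMPLE_SOURCE = (
    "public class QrGen {\n"
    '  static final String LOGO = "QR";\n'
    '  static final String QUIET_ZONE_DATA = "'
    + base64.b64encode(_HIDDEN.encode()).decode() + '";\n'
    "}\n"
)

if __name__ == "__main__":
    for name, text, hits in find_encoded_blobs(SAMPLE_SOURCE):
        print(f"{name}: {len(text)} bytes decoded, markers: {hits}")
```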
ANALYZING QRLOG
Its simplicity eluded most antivirus detections, but in the end, its behavior was sufficient to reveal its true intention.
Source: VirusTotal.
ANALYZING QRLOG
Throughout the code, numerous indications point to its homemade nature, displaying carelessness and lack of attention to detail. This caused an interesting OPSEC fail, which we will discuss later.
Source: Birmingham Cyber Arms LTD.
– MAXIMILIANO FIRTMAN (@MAXIFIRTMAN | @FIRT), PROGRAMMER, PROFESSOR & AUTHOR
"It is the code of someone who does not have much experience and was copying and pasting things from the Internet. The malware is not so hidden; on a scale from 1 to 10 in concealment, I'd say it has a 3 [...]
It's all very haphazard, as if someone had made a script to hack their girlfriend."
EXTRACTING IOCS
With no further news at this point, we started sharing IOCs and intelligence publicly.
Source: AlienVault OTX.
EXTRACTING IOCS
Queried domains used SSL certificates issued by Let’s Encrypt.
Source: GrabbrApp.io.
EXTRACTING IOCS
The domain auth.pxaltonet.org points to an IP hosted on Vultr. Currently, both destinations are unresponsive; they were linked to JokerSpy, Cobalt Strike and Log4j exploitation attempts, with 29 domains and 9 unique TLDs associated.
Sources: AlienVault OTX & VirusTotal.
EXTRACTING IOCS
The domain git-hub.me is now owned by PorkBun and all traffic is delegated to its Name Servers (provided by Cloudflare).
Source: Whois.
EXTRACTING IOCS
The same domain also points to an IP hosted on AWS. Currently, both destinations are unresponsive, but more than 500 domains and 102 unique TLDs remain associated.
This indicator caught the eye of another researcher, who got in touch with us.
Sources: IPInfo.io & AlienVault OTX.
– SPOKESPERSON, CROWDSTRIKE
“In early 2023, CrowdStrike Falcon OverWatch detected malicious activity in some environments of the financial sector [...] confirming that the activity related to QRLOG malware is attributed with high confidence to LABYRINTH CHOLLIMA based on the adversary’s scope and TTPs.”
EXTRACTING IOCS
Attribution was established with high confidence, and we could finally put a name to the malware developers: Labyrinth Chollima.
Sources: Daniel & Crowdstrike.
EXTRACTING IOCS
We simulated an infection by interacting with the C2 as the malware would.
For journalistic purposes, we messaged the C2, requesting the Actors to chat via Telegram with us, sharing our alias. Their response was less than enthusiastic…
Source: Crowdstrike.
THE PAYBACK
From 2023-04-26 10:28 to 2023-05-02 16:10, we observed nearly 1500 attempts to brute-force an SSH instance running on the machine from where the original contact request was sent.
Unbeknownst to them, they had fallen into a honeypot… which provided us with valuable intel.
Source: Birmingham Cyber Arms LTD.
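Counting the brute-force attempts within an observation window, as the slide above reports, is a small log-analysis task. The following is an added example and not the tooling behind the talk's honeypot: the auth-log lines are constructed (ISO timestamps, RFC 5737 test addresses), and the OpenSSH message format and the flagging threshold are assumptions.

```python
"""Summarise failed SSH logins from honeypot auth logs within a time window.

Added example for this write-up, not the tooling behind the talk's honeypot.
The log lines are constructed (ISO timestamps, RFC 5737 test addresses) and
the OpenSSH message format and flagging threshold are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarise_bruteforce(lines, start, end, threshold=3):
    """Count failed logins in [start, end]; flag sources at/over threshold."""
    per_ip, users = Counter(), Counter()
    total = 0
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other sshd chatter
        ts = datetime.fromisoformat(m.group("ts"))
        if not start <= ts <= end:
            continue
        total += 1
        per_ip[m.group("ip")] += 1
        users[m.group("user")] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"total": total, "per_ip": dict(per_ip),
            "users": dict(users), "flagged": flagged}


# Constructed honeypot log excerpt (not the real capture).
SAMPLE_LOG = [
    "2023-04-26T10:28:01 hp sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2",
    "2023-04-26T10:28:03 hp sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2",
    "2023-04-26T10:28:05 hp sshd[812]: Failed password for root from 203.0.113.7 port 40130 ssh2",
    "2023-04-26T11:02:44 hp sshd[903]: Failed password for invalid user ubuntu from 198.51.100.23 port 52001 ssh2",
    "2023-04-26T11:02:50 hp sshd[904]: Accepted publickey for analyst from 192.0.2.10 port 22 ssh2",
    "2023-05-03T00:00:01 hp sshd[990]: Failed password for root from 203.0.113.9 port 41000 ssh2",
]
# Observation window reported in the talk: 2023-04-26 10:28 to 2023-05-02 16:10.
WINDOW = (datetime(2023, 4, 26, 10, 28), datetime(2023, 5, 2, 16, 10))

if __name__ == "__main__":
    print(summarise_bruteforce(SAMPLE_LOG, *WINDOW))
```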
THE PAYBACK
IP addresses and domains from around the world participated in the attack, with many belonging to VPS providers, including, once again, AWS.
Source: Birmingham Cyber Arms LTD.
– MARK RYLAND, CISO (AWS)
[INTERVIEW WITH DIARIO CLARÍN]
THE PAYBACK
Undetectable samples, well distributed botnets and a vengeful attitude.
As we bear witness to the Chollimas' capabilities, we are left wondering about the minds behind their operations…
Source: Birmingham Cyber Arms LTD.
02
RIDING WITH THE CHOLLIMAS
A State Sponsored Threat | Winged-horses, Corpo Espionage and Ballistic Missiles | A wonderful surprise
A STATE SPONSORED THREAT: DPRK PROFILE
Sponsor: DPRK’s Reconnaissance General Bureau (RGB), Bureau 121 & Bureau 180. APT-38, a.k.a. “ZINC”, “Hidden Cobra” or “Lazarus”.
VELVET CHOLLIMA
Targets: US & RoK Critical Infrastructure, NGOs, Government, Media, Military.
Tooling: CobraVenom, BabyShark.
Notable operation: Korean Hydro-Nuclear Power Plant (KHNP), 2014.
RICOCHET CHOLLIMA
Targets: RoK NGOs, Government, Media & DPRK Defectors.
Tooling: PoorWeb, Fatfingers, ROKRAT.
Notable operation: Daily NK (South Korea) Spear Phishing Campaign, 2023.
– MARIO MICCUCI, RESEARCHER (ESET LATAM)
WINGED HORSES: LAZARUS PROFILE
SILENT CHOLLIMA
Objective: High-profile Corporate and Economic Espionage.
Tooling: XMRig, Valefor, GifStealer, BMPScriptRAT, AnanasRAT.
Notable operation: Papercut Campaign, 2023 (Cryptojacking).
STARDUST CHOLLIMA
Objective: High-profile Currency Theft.
Tooling: TwoPence Framework (probably based on KorDLL Framework), PDFUnfolder, RustBucket.
Tradecraft: Strategic Web Compromise, Weaponized Documents.
LABYRINTH CHOLLIMA
Objective: Currency Theft, Economic Espionage.
Tooling: QRLOG, RottenCoffee, SnakeBaker.
Notable operations: Sony Incident, WannaCry Outbreak, QRLOG Campaign.
– SPOKESPERSON, CROWDSTRIKE
CORPO ESPIONAGE
Sony Pictures Hack
November 2014: the NSA detected that “Guardians Of Peace” had been copying Sony Pictures information for around two months.
Source: NYT
“Responsible for some of North Korea’s most notorious cyber operations, including the destructive 2014 attack on SONY Pictures Entertainment”
Source: Crowdstrike
CORPO ESPIONAGE
AstraZeneca
Suspected North Korean hackers tried to break into the systems of British drugmaker AstraZeneca via spear phishing.
“The goal: intellectual property theft”
Sources: Reuters / Kaspersky
– INTELLIGENCE REPORT ON LABYRINTH CHOLLIMA, CROWDSTRIKE
BALLISTIC MISSILES
“Cyberwarfare is an all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capabilities, along with nuclear weapons and missiles”
- Kim Jong-un (2013)
Sources: Health Sector Cybersecurity Coordination Center (HC3), Cybersecurity and Infrastructure Security Agency (CISA).
BALLISTIC MISSILES
“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs”
- Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence (2019).
Source: U.S. Department of the Treasury.
A WONDERFUL SURPRISE
But… at times, large organizations like APTs face challenges in managing their assets (human and technological), resulting in interesting OPSEC fails…
A WONDERFUL SURPRISE
The inputFiles.lst file (shipped with the sample) contains Maven build information.
Based on it, it's possible to ascertain that the author of the malware operates on a Windows system... and identifies themselves as Edward.
Source: Birmingham Cyber Arms LTD.
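The inputFiles.lst leak described above can be checked mechanically: the maven-compiler-plugin writes that file as one absolute source path per line, so the path style reveals the build OS and the home-directory component reveals a user name. This is an added example, not Birmingham Cyber Arms' tooling; the listing it parses is constructed, and only the name Edward comes from the talk (the project path is invented).

```python
"""Extract build-host hints from a Maven inputFiles.lst.

Added example for this write-up, not Birmingham Cyber Arms' tooling. The
maven-compiler-plugin writes inputFiles.lst (under target/maven-status/) as
one absolute source path per line, so path style leaks the build OS and the
home-directory component leaks a user name. The listing below is constructed:
only the name Edward comes from the talk, the project path is invented.
"""
import re
from collections import Counter

# Home-directory layouts per platform; group 1 is the user name.
HOME_PATTERNS = (
    ("Windows", re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\")),
    ("macOS", re.compile(r"^/Users/([^/]+)/")),
    ("Linux", re.compile(r"^/home/([^/]+)/")),
)


def build_host_hints(listing: str):
    """Return {'os': str, 'users': Counter, 'paths': int} for inputFiles.lst text."""
    os_votes, users = Counter(), Counter()
    paths = [p.strip() for p in listing.splitlines() if p.strip()]
    for path in paths:
        for os_name, pat in HOME_PATTERNS:
            m = pat.match(path)
            if m:
                os_votes[os_name] += 1
                users[m.group(1)] += 1
                break
        else:
            # No home directory in the path: vote on separator style only.
            is_win = re.match(r"^[A-Za-z]:\\", path) is not None
            os_votes["Windows" if is_win else "POSIX"] += 1
    os_guess = os_votes.most_common(1)[0][0] if os_votes else "unknown"
    return {"os": os_guess, "users": users, "paths": len(paths)}


# Constructed listing; the name is the one the talk reports, the path is made up.
SAMPLE_LISTING = """\
C:\\Users\\Edward\\IdeaProjects\\qrgen\\src\\main\\java\\qrgen\\Main.java
C:\\Users\\Edward\\IdeaProjects\\qrgen\\src\\main\\java\\qrgen\\Encoder.java
C:\\Users\\Edward\\IdeaProjects\\qrgen\\src\\main\\java\\qrgen\\Net.java
"""

if __name__ == "__main__":
    h = build_host_hints(SAMPLE_LISTING)
    print(f"OS: {h['os']}, users: {dict(h['users'])}, files: {h['paths']}")
```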
03
INIT 0
Media Strategy | Conclusions | Acknowledgements | Contact
MEDIA STRATEGY: HOW DO WE TELL THIS STORY IN CLARÍN?
MEDIA STRATEGY
TRANSLATE | GIVE VOICE | EXPLAIN
MAIN GOAL OF THESE STORIES: SHIFT THE QUESTION
How is this new intel changing the global threat landscape?
How do threat analysis and reconnaissance contribute to understanding the world?
IS A HACKER BAD?
CONCLUSIONS
Any suspicious activity must be investigated to its last consequences, regardless of its scale.
Always share intel: no matter how simple you think your research may be, it may help others (and yourself) uncover something big.
Ask, ask, ask. Somebody has the answers you're looking for, or at least the same questions.
Befriend your local infosec journo.
LINKS
QRLOG Technical Analysis & IOCs (English, Spanish)
https://github.com/BirminghamCyberArms/QRLOG
QRLOG on Media (Diario Clarín, Spanish)
https://www.clarin.com/tecnologia/hecho-corea-norte-descubren-nuevo-virus-funciona-molotov-digital_0_fR36LRX5mj.html
ACKNOWLEDGEMENTS
Maximiliano Firtman (@maxifirtman, @firt) for aiding with the sample analysis.
Daniel, Merlo (@Merlax_), Crowdstrike, AWS, and ESET for their insight.
DC5411 / Birmingham Cyber Arms LTD members for all their support.
Edward for providing the sample and giving us one of the most enjoyable jobs we've ever done.
Thank you!
CONTACT
MAURO ELDRITCH
JUAN BRODERSEN
@MauroEldritch | @BirminghamCyber
Github.com/MauroEldritch
@JuanBrodersen
JuanBrodersen.substack.com