Last month I published a blog post highlighting notable uploads made by the Intezer Analyze community during the month of February. In March community users have contributed many compelling samples, including malware employed by Leviathan, a cyber espionage group, and malware via a sophisticated North Korean APT, known for employing techniques such as zero-day vulnerabilities, wiper malware and data exfiltration mechanisms.
1) Leviathan Variant [Link to Analysis]
Leviathan, also known as TEMP.Periscope, is a cyber espionage group suspected to be of Chinese origin. The group has been active since at least 2014, targeting a wide range of organizations, including engineering firms, universities and government agencies across the world. This threat usually propagates through spear phishing campaigns, including vulnerable Microsoft word and excel documents, containing macros which install the malware on a compromised endpoint.
The sample uploaded to Intezer Analyze shows a strong connection to Leviathan based on code and string reuse, and as of this moment has only 10 VirusTotal detections. The sample also contains two Mimikatz genes, which potentially indicates usage of the popular credential stealer.
2) Mirai UPX-packed ELF Payload [Link to Analysis]
The Mirai botnet has been used for some of the largest DDoS attacks in the last few years, exploiting a wide range of IoT devices with weak security. Mirai’s source code was leaked in 2016 and is now being seen in a plethora of malware targeting IoT devices. By examining code reuse we can observe Mirai code in many other Linux-based threats.
This particular sample is a UPX packed ELF payload which shares 82% of code with Mirai. By viewing the Related Samples section of the analysis, you can see up to 100 other samples which use portions of Mirai code.
3) OceanLotus (APT32) [Link to Analysis]
OceanLotus, also known as APT32, is an espionage group which has been active since at least 2012 and has targeted government agencies, journalists and dissidents in southeast Asia. The group uses a variety of social engineering techniques in order to infect its victims’ devices, including complex phishing campaigns backed by a massive infrastructure.
The sample here demonstrates a strong code connection to OceanLotus. It does not have strong detection rates nor clear classification on other leading engines.
4) Muhstik Variant [Link to Analysis]
The Muhstik botnet was uncovered in 2018 while targeting GPON routers. My colleague, researcher Nacho Sanmillan, has since discovered it also takes control of web servers hosting PhpMyAdmin.
This sample contains code from Muhstik and Muhstik.PMA.Scan variants. We also observe that the file shares the majority of its code with libraries, which could indicate the file is statically linked. It is crucial in malware detection to highlight the malicious or unique code, rather than focusing on neutral or irrelevant code, like the libraries, in this example.
5) Group 123 (APT37) [Link to Analysis]
Group 123, also known as APT37 or Starcruft, is a threat actor believed to be working on behalf of the North Korean government. The group is known for employing sophisticated capabilities, including zero-day vulnerabilities, wiper malware and data exfiltration mechanisms. The group has targeted several industries in South Korea, Japan, Vietnam and the Middle East.
The sample demonstrates clear code reuse connections to Group 123, as well as 10 genes from the Lazarus Group. This further strengthens attribution to North Korea.
Not an Intezer Analyze community member? Sign up for free here: https://www.intezer.com/intezer-analyze/.