North Korean Cyber-Attacks and Collateral Damage
2018-02-15 • AlienVault
WannaCry is presented as a highly destructive ransomware outbreak with strong evidence linking it to Lazarus, reportedly operating from North Korea, and the report uses it as a starting point to examine the wider collateral damage caused by worm-like malware connected to DPRK cyber activity. AlienVault details Rivts, a file-infecting worm that spreads via USB media and hard drives and was first publicly observed being served from the Voice of Korea website; its infection logic references DPRK Korea Computer Center software such as Nnr60.exe and Hana80.exe. The report weighs several explanations for Rivts and concludes that the most likely is that it was developed inside the DPRK, while noting that it may have been a prototype or learning project, since no backdoor component was identified. It also contrasts Rivts with Faedevour, a worm served through a compromised KCNA site and later found on IBM and Lenovo installation USB media, to show how worms can keep spreading long after the operation that launched them has ended or after an accidental release.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| EMAIL | (email address redacted in source) | 2018-02-15 | 2020-02-26 |
| EMAIL | (email address redacted in source) | 2018-02-15 | 2020-02-26 |
| HASH | f024ff4176f0036f97ebc95decfd1d5e | 2018-02-15 | 2020-02-25 |
| YARA | rivts_pdb | 2018-02-15 | 2018-02-15 |
| HASH | ff4721e6edad7d3bec8e0c4d4a8c1d26 | 2018-02-15 | 2018-02-15 |
| HASH | 78d3c8705f8baf7d34e6a6737d1cfa18 | 2018-02-15 | 2018-02-15 |
| HASH | fffa05401511ad2a89283c52d0c86472 | 2018-02-15 | 2018-02-15 |
| HASH | 4b584695ba08e680452be6016886637a | 2018-02-15 | 2018-02-15 |
| HASH | 344d3ec0d84d2853e416c664dd577f44 | 2018-02-15 | 2018-02-15 |
| EMAIL | (email address redacted in source) | 2018-02-15 | 2018-02-15 |
| URL | http://www.vok.rep.kp/CBC/CBC_d… | 2018-02-15 | 2018-02-15 |
| DOMAIN | a-gwas-01.slyip.net | 2018-02-15 | 2018-02-15 |
| DOMAIN | a-gwas-01.dyndns.org | 2018-02-15 | 2018-02-15 |
| HASH | 3844ec6ec70347913bd1156f8cd159b8 | 2015-10-26 | 2018-02-15 |