Threat actors such as the notorious group are continuing to use ongoing COVID-19 vaccine research to steal sensitive information in order to accelerate the pace of vaccine development in their country.

Cybersecurity company Kaspersky used different tools and technologies of a company to describe in detail two incidents of two pharmaceutical companies and government departments in September and October, but they showed similarities in the process after the use. Sex, leading researchers to link these two attacks with hackers associated with the North Korean government.

Kaspersky’s senior security researcher Park Sung-soo said: “These two incidents show that the Group is interested in intelligence related to COVID-19.” “Although the group is known for its financial activities, it does a good job. Remind that it can also conduct strategic research.”

Kaspersky did not disclose the specific target entity, but said that the pharmaceutical company was violated on September 25, 2020, and an attack on the government’s Ministry of Health occurred on October 27, one month later.

It is worth noting that the pharmaceutical company’s incident-involving the development and distribution of a COVID-19 vaccine- team deployed the “BookCodes” malware, which was recently used to install targets in a supply chain attack by the Korean software company WIZVERA The remote management tool (RAT) on the system.

malware attack

The initial access vector used in the attack is still unknown, but the researchers allegedly identified a malware loader to load the encrypted BookCode RAT, which has the ability to collect system information, receive remote commands, and transmit execution results to commands and commands located in South Korea. Control (C2) server.

malware attack

In another campaign against the Ministry of Health, hackers hacked into two Windows servers to install a piece of malware called “wAgent”, which was then used to retrieve other malicious payloads from servers controlled by the attacker.

As in the previous case, the researchers stated that they could not find the launcher module used in the attack, but suspected that it had the “trivial effect” of running malware with specific parameters, and then wAgent directly loaded the Windows DLL containing the function. Into memory.

Parker said: “Using this memory backdoor, malware operators executed many shell commands to collect victim information.”

Kaspersky stated that regardless of the two malware clusters used in the attack, the wAgent malware used in October has the same infection scheme as the malware used by the team for cryptocurrency business attacks. The reason is that the malware naming scheme and There is overlap in debug messages and the use of security support providers as persistence mechanisms.

This development is the latest in a long series of attacks that took advantage of the coronavirus pandemic. In the past year, this trend has been observed in various phishing decoys and malware campaigns. The North Korean hackers allegedly attacked AstraZeneca’s pharmaceutical companies in India, France, Canada and the United Kingdom.