Dark Reading on North Korea’s surprising use of a recent Adobe Flash zero-day exploit, even though the country rarely employs such techniques in its cyber operations:
The recent attack campaign against South Korean diplomatic targets appears to have concluded on January 31, according to Kaspersky’s telemetry. That’s the same day that South Korea’s Computer Emergency Response Team (KrCERT/CC) first issued an advisory on the zero-day vulnerability in Flash Player ActiveX 28.0.0.137 and earlier versions. The bug (CVE-2018-4878) abused in the attacks is a use-after-free vulnerability that allows remote code execution, according to Adobe’s advisory.
Researchers at Cisco Talos found that the attack came via a rigged Microsoft Excel document that, once opened, downloaded ROKRAT, a popular remote administration tool (RAT) used by advanced cybercrime gangs.
Raiu believes the attack group most likely purchased the Flash exploit and didn’t discover the vulnerability itself. “I don’t believe they could develop a zero day by themselves. My suspicion is that more likely, they were able to purchase it,” he says. “They have access to cryptocurrency, which allows them to purchase zero days on the dark market.”
He and other researchers say ScarCruft is not part of the infamous and prolific Lazarus Group, which was behind the destructive Sony attack and WannaCry. A spinoff group of Lazarus that Kaspersky Lab calls Bluenoroff is believed to be behind the SWIFT banking attacks. “Lazarus Group has hundreds of different malware variants, and they are incredibly resourceful,” he says. “These guys [ScarCruft] are high-school level. I’m surprised they were able to acquire a zero day.”
It should really come as no surprise to see North Korea purchasing zero-day vulnerabilities for use in its cyber attack operations. ScarCruft is not a well-known attack group outside security circles, and oftentimes not even within them. Some of the motivation for this operation may have been publicity rather than the standard North Korean incentives.
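The quoted reporting says the Flash exploit reached its targets through a rigged Excel document. Flash content is carried into an Office file as an embedded SWF object, so a quick triage check on a suspicious workbook is to look for an SWF header inside it. The scanner below is an added example written for this page, not code from Dark Reading, Kaspersky or Cisco Talos, and it assumes that embedded-SWF delivery path, which the quoted text does not spell out. The sample workbook it builds is constructed in memory; the version byte and the zlib-compressed filler inside it are arbitrary stand-ins, not material from the real exploit.

```python
"""Triage check: find embedded Flash (SWF) objects inside Office documents.

Added example; the sample documents are constructed in memory.
"""
import io
import re
import struct
import zipfile
import zlib

# A SWF file opens with a 3-byte signature, a 1-byte Flash version and a
# 4-byte little-endian length of the uncompressed file, header included.
SWF_COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
_SIG_RE = re.compile(rb"FWS|CWS|ZWS")


def carve_swf(data: bytes) -> list:
    """Return plausible SWF headers found anywhere in `data`.

    Carving (rather than parsing the container) also covers OLE2 .doc/.xls
    files, where an embedded object's first bytes sit contiguously in its
    first sector. Header sanity checks cut down random 3-byte matches.
    """
    hits = []
    for m in _SIG_RE.finditer(data):
        off = m.start()
        if off + 9 > len(data):
            continue
        sig = data[off:off + 3]
        version = data[off + 3]
        (length,) = struct.unpack_from("<I", data, off + 4)
        if not 1 <= version <= 64 or length < 8:
            continue
        # An uncompressed file cannot declare more bytes than remain.
        if sig == b"FWS" and length > len(data) - off:
            continue
        # A zlib stream starts with a CMF byte of 0x78 (deflate, 32K window).
        if sig == b"CWS" and data[off + 8] != 0x78:
            continue
        hits.append({"offset": off, "compression": SWF_COMPRESSION[sig],
                     "version": version, "length": length})
    return hits


def scan_document(data: bytes) -> list:
    """Scan an Office document (OOXML zip or raw OLE2) for embedded SWF.

    Returns (member_name, header) pairs; raw/OLE2 input reports "<raw>".
    """
    if data[:2] != b"PK":
        return [("<raw>", h) for h in carve_swf(data)]
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for h in carve_swf(zf.read(info.filename)):
                found.append((info.filename, h))
    return found


def build_sample_xlsx(with_flash: bool) -> bytes:
    """Constructed minimal OOXML workbook; optionally embeds a fake CWS blob.

    The embedded object is a zlib-compressed run of zero bytes behind an
    arbitrary version byte (28); it is a stand-in, not exploit content.
    """
    body = zlib.compress(b"\x00" * 200)
    swf = b"CWS" + bytes([28]) + struct.pack("<I", 8 + 200) + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            # 16 bytes of padding stand in for an OLE wrapper ahead of the SWF.
            zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("flash embedded" if flag else "clean",
              scan_document(build_sample_xlsx(flag)))
```

Run it against real files by passing their bytes to `scan_document`; a hit is a reason to detonate the document in a sandbox, not proof of exploitation, since legitimate workbooks can also embed Flash. The header checks deliberately err on the side of recall: an uncompressed (`FWS`) or LZMA (`ZWS`) object with an odd version byte is dropped, but anything that looks like a well-formed header is reported.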