Attacks like WannaCry and NotPetya were destructive on a scale not seen before, and some organisations are still suffering the financial repercussions of the disruption.
The reach of the attacks shocked many within the cyber industry and just this month, Ciaran Martin, the head of the National Cyber Security Centre, warned UK organisations to fear ‘reckless’ cyber attacks – like the WannaCry ransomware virus – where the perpetrator seemed to lose control.
WannaCry is strongly linked to Lazarus, a group operating out of North Korea. Security researchers at AlienVault have now outlined new details of other ‘reckless’ North Korean malware that has spread uncontrollably into the wild and still poses an ongoing security risk.
Rivts is a piece of malware thought to have been created within North Korea as a test project and later leaked online. Its origins can be traced back to 2009. It is a file-infecting worm: it spreads through USB drives and hard drives by attaching itself to clean files, which then carry the infection onwards.
According to AlienVault, the first file found infected with Rivts dates from 2011, but the file metadata (the compile timestamp in the executable header) indicates it was compiled two years earlier, in February 2009. Rivts is thought to have circulated among systems inside the DPRK (North Korea) for those two years before escaping onto the website of Voice of Korea (the state broadcaster, comparable to BBC World) in 2011, which is its first public reference.
Examination of the malware found the word ‘test’ in multiple places, further evidence that Rivts may have been a prototype project. Despite not being considered a strong cyber threat, the original strain of the worm survived in the wild for a considerable time.
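The compile timestamp AlienVault refers to is the COFF TimeDateStamp in the PE header of a Windows executable, and reading it is a routine first check when dating a sample. The following is an added example, not code from the article or from AlienVault: it walks the PE header with the standard library, returns the timestamp as a UTC datetime, and compares it with the date a sample was first seen, flagging zeroed or future timestamps (which usually mean the stamp was wiped or forged). The `build_minimal_pe` helper constructs a synthetic header purely so the parser can be run offline; it is not a Rivts sample.

```python
import struct
from datetime import datetime, timezone, timedelta

# PE/COFF layout used here:
#   0x00  'MZ' DOS signature
#   0x3C  e_lfanew: uint32 offset of the 'PE\0\0' signature
#   e_lfanew + 4: COFF header = Machine(2) NumberOfSections(2)
#                 TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
#                 SizeOfOptionalHeader(2) Characteristics(2)
COFF_HEADER_LEN = 20


def is_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + COFF_HEADER_LEN > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp as an aware UTC datetime (raises on non-PE input)."""
    if not is_pe(data):
        raise ValueError("not a PE file: MZ/PE signatures missing or truncated")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_timestamp(compiled: datetime, first_seen: datetime) -> str:
    """Sanity-check a compile time against the date the sample was first observed.

    'zeroed'    -> stamp is 0 (stripped at build time, common in toolchains and in forged samples)
    'future'    -> compiled after it was first seen, so the stamp cannot be genuine
    'plausible' -> compiled on or before first sighting
    """
    if compiled.timestamp() == 0:
        return "zeroed"
    if compiled > first_seen:
        return "future"
    return "plausible"


def compile_gap_days(data: bytes, first_seen: datetime) -> int:
    """Days between the embedded compile time and the first sighting of the sample."""
    return (first_seen - pe_compile_time(data)).days


def build_minimal_pe(stamp: int) -> bytes:
    """Constructed test input: just enough header bytes for the parser above.
    This is NOT a real sample; it only exercises the header walk."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=0x14C (i386), one section, the chosen stamp, remaining fields zero.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # A synthetic sample "compiled" on 1 Feb 2009 and "first seen" two years later.
    sample = build_minimal_pe(1233446400)
    seen = datetime(2011, 2, 1, tzinfo=timezone.utc)
    compiled = pe_compile_time(sample)
    print("compiled:", compiled.isoformat())
    print("gap (days):", compile_gap_days(sample, seen))
    print("verdict:", classify_timestamp(compiled, seen))
```

On a real file, replace `build_minimal_pe(...)` with `open(path, "rb").read()`. The TimeDateStamp is trivially editable, so treat it as one signal alongside linker version, resource timestamps and sandbox first-seen dates rather than as proof of age.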
The Lazarus SMB worms
When people think of Lazarus Server Message Block (SMB) worms, WannaCry is usually the first name that comes to mind, but others have also gained prominence. In 2014 Sony was the target of an attack that spread over SMB, crippling the Sony network for a matter of days and leaking sensitive information about the company and its employees online. Then there is the Brambul worm.
Brambul and WannaCry are essentially two peas from the same malware pod: earlier versions of WannaCry performed the same SMB brute-forcing of credentials that Brambul does. Brambul is an ancient worm by malware standards, yet ten-year-old samples are still being discovered today. A 2015 study also ranked Brambul 13th among the malware families most likely to infect an insecure computer left connected to the internet.
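Because Brambul and early WannaCry spread by guessing SMB credentials, the host-side trace they leave is a burst of failed network logons from one source, often across many account names, sometimes followed by a success. The following is an added example, not code from the article or from AlienVault, showing a detection over a constructed excerpt of Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 3 = network logon, which is what an SMB session setup produces). The line format, IP addresses and usernames are invented for the example; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt (NOT from any real incident). Six failures from one
# source in five seconds, across six account names, then a success; plus a
# second host with two spaced-out failures (a user mistyping a password).
SAMPLE_LOG = """\
2018-03-01T10:00:01Z EventID=4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=administrator
2018-03-01T10:00:02Z EventID=4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=admin
2018-03-01T10:00:03Z EventID=4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=guest
2018-03-01T10:00:04Z EventID=4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=backup
2018-03-01T10:00:05Z EventID=4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=test
2018-03-01T10:00:06Z EventID=4625 LogonType=3 IpAddress=10.0.0.7 TargetUserName=user1
2018-03-01T10:00:07Z EventID=4624 LogonType=3 IpAddress=10.0.0.7 TargetUserName=backup
2018-03-01T10:05:00Z EventID=4625 LogonType=3 IpAddress=10.0.0.9 TargetUserName=alice
2018-03-01T10:05:30Z EventID=4625 LogonType=3 IpAddress=10.0.0.9 TargetUserName=alice
2018-03-01T10:06:00Z EventID=4625 LogonType=2 IpAddress=10.0.0.9 TargetUserName=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)


def parse(log: str):
    """Parse the simplified event lines above into dicts; unrelated lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "ip": m["ip"],
            "user": m["user"],
        })
    return events


def detect_smb_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on sources with >= threshold failed network logons inside a sliding window.

    Only LogonType 3 is considered, so console (type 2) failures never count.
    Each alert also reports how many distinct accounts were tried (password
    spraying looks different from a single user retrying) and whether the
    same source later achieved a network logon, which is the case to escalate.
    """
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["lt"] != 3:
            continue
        if e["eid"] == 4625:
            fails[e["ip"]].append(e)
        elif e["eid"] == 4624:
            successes[e["ip"]].append(e)

    alerts = []
    for ip, fs in fails.items():
        fs.sort(key=lambda e: e["ts"])
        best_count, best_i, best_j, j = 0, 0, 0, 0
        for i in range(len(fs)):          # two-pointer sliding window
            while j < len(fs) and fs[j]["ts"] - fs[i]["ts"] <= window:
                j += 1
            if j - i > best_count:
                best_count, best_i, best_j = j - i, i, j
        if best_count < threshold:
            continue
        burst = fs[best_i:best_j]
        start = burst[0]["ts"]
        alerts.append({
            "ip": ip,
            "failures": best_count,
            "distinct_users": len({e["user"] for e in burst}),
            "window_start": start,
            "success_after": any(s["ts"] >= start for s in successes[ip]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

In production the same logic sits on top of whatever ships 4625/4624 events to your SIEM; the fields used here (IpAddress, LogonType, TargetUserName) are the standard ones in those events, only the single-line layout is invented for the example.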
The Infected USB
This is another example of the durability of these strains of malware that originate in North Korea and spread further than originally intended.
Click here to read the full AlienVault blog