Researchers from the Microsoft Threat Intelligence Center (MSTIC) say they have linked the H0lyGh0st ransomware operation to North Korean hackers after tracking the group’s activity for more than a year.
In a recent report, Microsoft security experts said the perpetrators, tracked as DEV-0530, started developing and deploying their payloads in June last year. The malicious group uses the same name (i.e., H0lyGh0st) for ransomware payloads in its campaigns and has compromised several small businesses in various countries since September 2021.
DEV-0530’s first malicious payload, BLTC_C.exe, was classified as SiennaPurple, despite its lack of complexity compared to other variants in the same ransomware family. More powerful derivatives of the malware were released later, between October 2021 and May 2022, and were based on the Go programming language.
MSTIC classified all of H0lyGh0st’s variants, including BLTC.exe, HolyRS.exe and HolyLocker.exe, as SiennaBlue, as they all shared the “same core Go functions.”
Upon further analysis of the malware’s Go functions, researchers discovered that its functionality has broadened to include advanced features, such as:
- Internet and Intranet support
- String obfuscation to prevent reverse-engineering
- Public key management
- Multiple encryption options
- Scheduled task management
- Self-deletion to erase traces
- Avoiding detection from security software solutions
H0lyGh0st mainly targeted small businesses such as schools, banks, event and meeting planning companies, and manufacturers.
“The victimology indicates that these victims are most likely targets of opportunity,” says Microsoft’s security advisory. “MSTIC suspects that DEV-0530 might have exploited vulnerabilities such as CVE-2022-26352 (DotCMS remote code execution vulnerability) on public-facing web applications and content management systems to gain initial access into target networks. The SiennaBlue malware variants were then dropped and executed. To date, MSTIC has not observed DEV-0530 using any 0-day exploits in their attacks.”
MSTIC believes the North Korean government does not control the H0lyGh0st ransomware operation. However, researchers believe the two cybercrime groups have ties, based on communications between H0lyGh0st and Andariel (part of the North Korean-backed Lazarus Group).
“MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” the advisory said.