According to Christiaan Beek of the security company Trellix, APT38, a gang backed by North Korea, is stealing funds from financial institutions. The gang is using the Beaf, PXJ, ZZZZ and ChiChi ransomware families to extract data from its targets.
Similarities in code
Trellix discovered the connection to APT38 while analyzing the code of these ransomware families, which is quite similar to that of VHD. The researchers used Hilbert curve mapping to visualize the binaries and noticed source-code and functional similarities between PXJ, Beaf and ZZZZ on one side and VHD and flower on the other; the latter two are linked to another North Korean APT group, Lazarus. As you can see from the Hilbert curve mapping below, Beaf and ZZZZ are almost the same:
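Hilbert curve mapping, as used in the Trellix analysis, is a binary-visualization technique: every byte of a file is placed at the position a Hilbert curve reaches after that many steps, so bytes that are adjacent in the file stay adjacent in the picture, and two related samples produce recognizably similar images. The following is an added example, not Trellix's tooling or code from the page, that implements the mapping on small constructed buffers; the byte classes, the function names and the demo buffers are assumptions made for the illustration.

```python
"""Hilbert-curve byte mapping for visual code comparison (added example).

Maps a byte sequence onto a 2-D grid along a Hilbert curve so that bytes
adjacent in the file stay adjacent in the picture. Each byte is coloured by
a coarse class (null, printable ASCII, other low byte, high byte); two
samples can then be compared cell by cell. The demo buffers at the bottom
are constructed for this example, not real malware.
"""
from typing import List, Optional

# One character per byte class for the ASCII rendering (assumed palette).
CLASS_CHARS = {0: ".", 1: "a", 2: "x", 3: "#"}
UNCOVERED = "-"  # grid cell beyond the end of the data


def d2xy(n: int, d: int):
    """Distance d along a Hilbert curve filling an n x n grid (n a power of two) -> (x, y)."""
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:            # rotate/flip the sub-square so the curve stays continuous
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def byte_class(b: int) -> int:
    """Coarse colouring: 0 = null, 1 = printable ASCII, 2 = other low byte, 3 = high byte."""
    if b == 0:
        return 0
    if 0x20 <= b <= 0x7E:
        return 1
    if b < 0x80:
        return 2
    return 3


def grid_side(length: int) -> int:
    """Smallest power-of-two side (at least 2) whose square holds `length` bytes."""
    n = 2
    while n * n < length:
        n *= 2
    return n


def hilbert_grid(data: bytes, n: Optional[int] = None) -> List[List[Optional[int]]]:
    """Place each byte's class at its Hilbert-curve position; None marks unused cells."""
    if n is None:
        n = grid_side(len(data))
    grid: List[List[Optional[int]]] = [[None] * n for _ in range(n)]
    for d, b in enumerate(data[: n * n]):
        x, y = d2xy(n, d)
        grid[y][x] = byte_class(b)
    return grid


def render(grid: List[List[Optional[int]]]) -> str:
    """ASCII-art picture of the grid, one character per cell, rows top to bottom."""
    return "\n".join(
        "".join(UNCOVERED if c is None else CLASS_CHARS[c] for c in row) for row in grid
    )


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of occupied cells whose byte class agrees when both samples share one grid size."""
    n = grid_side(max(len(a), len(b)))
    ga, gb = hilbert_grid(a, n), hilbert_grid(b, n)
    occupied = same = 0
    for row_a, row_b in zip(ga, gb):
        for ca, cb in zip(row_a, row_b):
            if ca is None and cb is None:
                continue
            occupied += 1
            same += ca == cb
    return same / occupied if occupied else 1.0


# Constructed demo buffers (not real samples): a base, a lightly patched variant, unrelated bytes.
BASE = bytes(range(64))
VARIANT = BASE[:56] + b"\x80" * 8
UNRELATED = b"\x80" * 64

if __name__ == "__main__":
    print(render(hilbert_grid(BASE)))
    print("base vs variant  :", similarity(BASE, VARIANT))
    print("base vs unrelated:", similarity(BASE, UNRELATED))
```

Because the curve is locality-preserving, a patched region shows up as a small blob of changed colour while the rest of the picture stays recognizable, which is what makes side-by-side images of two ransomware builds a quick first triage step before a proper function-level comparison.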
ChiChi's codebase looks vastly different from VHD. However, Beek noticed that the e-mail address in the ChiChi and ZZZZ ransom notes was the same. These ransomware strains were used against targets in the APAC (Asia-Pacific) region. According to Trellix, the attackers have managed to collect only small amounts of money.
« Besides global banks, blockchain providers and users from South Korea were also attacked and infiltrated using spear-phishing emails, fake mobile applications, and even fake companies. Since these attacks were predominantly observed targeting the APAC region with targets in Japan and Malaysia for example, we anticipate these attacks might have been executed to discover if ransomware is a valuable way of gaining income. »