Thailand seizes server linked to North Korean attack gang

A server hidden in a Thai university and allegedly used as part of a North Korean hacking operation has been seized by ThaiCERT.

Thailand's infosec organisation announced last Wednesday that the box was operated by the Norks-linked Hidden Cobra APT group, and was part of the command-and-control rig for a campaign called GhostSecret.

ThaiCERT said (you'll probably need a translation service Translate) GhostSecret kicked off in February this year.

Last Tuesday, McAfee reported the IP addresses it associated with Ghost Secret, as part of a report on malware attacks targeting infrastructure.

The McAfee report warned that GhostSecret was part of a “global reconnaissance campaign” scanning servers in various industries to find targets for an attack.

As well as identifying C&C servers, McAfee said it discovered a new Destover malware implant variant, and another which it's called Proxysvc that has “operated undetected since mid-2017”.

The new variant “resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack”, the McAfee research noted.

The IP addresses associated with Thai activity, McAfee said, were 203.131.222.95, 203.131.222.109, and 203.131.222.83, belonging to Thammasat University.

The last address, 203.131.222.83, “hosted the control server for the Sony Pictures implants,” McAfee said. It was also linked to an SSL certificate “used in Hidden Cobra operations since the Sony Pictures attack.”

Now the server is in its hands, ThaiCERT said it is working with authorities and with McAfee to analyse its contents and see what remediation it can offer to Thai victims of the campaign. ®