What began as an aggressive phishing-based malware campaign against Turkish financial institutions earlier this year appears to have since burgeoned into a worldwide cyber-spying and data theft operation targeting a wide range of industry sectors with at least two malicious implants.
The campaign, named GhostSecret, is detailed in a McAfee threat analysis report and corresponding blog post, both released this week. According to the report, the operation convincingly bears the hallmarks of suspected North Korean APT threat actor Hidden Cobra (aka Lazarus Group) — including the presence of code and capabilities that have been found in other Hidden Cobra campaigns.
“The campaign is extremely complicated, leveraging a number of implants to steal information from infected systems and is intricately designed to evade detection and deceive forensic investigators,” states researcher and blog post author Raj Samani. These malicious implants communicate with a control server using what’s known