The Baijiu trojan is used to target victims by convincing them to clicking a LNK file in a phishing email, seemingly to provide the victim with information on a devastating flood that occurred in North Korea in late summer 2016 after Typhoon Lionrock struck the nation. Once a victim has opened the malicious file, a set of espionage tools used to exfiltrate data is deployed through the Typhoon downloader and Lionrock backdoors. The trojan is routed through multiple DLL files and PowerShell scripts to access the Lionrock backdoor, obfuscating itself along the way. This is another example of threat actors employing fileless attacks to avoid detection. Additionally, these actors use the GeoCities web hosting service to deliver the trojan, requiring only a Yahoo email address for user identification, increasing anonymity. Cylance researchers who discovered Baijiu believe the threat actors are sophisticated based on the technical complexity of the attack, but stop short of attributing the activity to a particular Nation State or threat group.

Technical Details

  • Cylance provides technical analysis of the Baijiu trojan, available here.