STE WILLIAMS

North Korea’s finest spent 2017 distributing RATs, wipers, and phish

North Korea’s black hats launched at least six extensive malware campaigns mostly against South Korean targets during 2017.

That’s the conclusion of Cisco’s Talos Warren Mercer and Paul Rascagneres (with contributions from Jungsoo An), who spent the year watching goings-on on the Korean peninsula.

The researchers focussed on one North Korean organisation, which they dub Group 123, and its continuing campaigns against the South.

Remote Access Trojans – RATs – are Group 123’s favourite approach, with three phishing campaigns (“Golden Time”, “Evil New Year” and “North Korean Human Rights”) working to deliver ROKRAT to targets.

At least two of those campaigns were published by Talos at the time, but without a firm attribution to North Korea.

The three campaigns tried to get users to infect themselves with a payload in the Hancom Hangul Office Suite, South Korea’s market leader, exploiting vulnerabilities such as the CVE-2013-0808 EPS viewer bug to pull down the RAT.

That’s a rather old vulnerability, so when CVE-2017-0199 (arbitrary code execution from a crafted file) landed, the Norks hackers got to work. In less than a month, Talos said, Group 123 launched the FreeMilk campaign against financial institutions from beyond the Korean peninsula.

A binary called Freenki (sometimes called by another binary, PoohMilk) then hauled down a ROKRAT-like trojan.

Finally, the “Are You Happy” campaign [surely you didn’t really fall for that in the e-mail subject line? – Ed] was simply destructive: it deployed a module from ROKRAT to wipe the first sectors of the victim’s hard drive.

Oh, and happy 2018: on January 2 this year, Group 123 ushered in the new year with a redux of its Evil New Year campaign. This time, the Talos post noted, the malware-slingers are trying to evade detection with a fileless version of ROKRAT. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/18/north_korean_2017_hacking_campaign/

Comments are closed.