**REPORT**

# North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign

### By Juan Andres Guerrero-Saade and Priscilla Moriuchi, Recorded Future

#### CYBER THREAT ANALYSIS

#### Executive Summary

North Korea continued to target South Korea through late 2017 with a spear phishing campaign against both cryptocurrency users and exchanges, as well as South Korean college students interested in foreign affairs. The malware in this campaign utilizes a known Ghostscript exploit ([CVE-2017-8291](https://app.recordedfuture.com/live/sc/48vGJPkGX3ZG), Intel Card) and is tailored to target only users of a Korean language word processor, Hancom’s Hangul Word Processor.

**Key Judgments**

- North Korean government actors, specifically [Lazarus Group](https://app.recordedfuture.com/live/sc/5W4y9iC1SkK6) (Intel Card), continued to target South Korean cryptocurrency exchanges and users in late 2017, before [Kim Jong Un’s New Year’s speech](http://www.38north.org/2018/01/rfrank010318/) and the subsequent [North-South dialogue](https://www.reuters.com/article/us-northkorea-southkorea/north-korea-agrees-to-talk-to-south-after-u-s-south-korea-postpone-drills-idUSKBN1EU06O).
- This campaign also targeted South Korean college students interested in foreign affairs and part of a group called “Friends of MOFA” (Ministry of Foreign Affairs).
- The malware employed shared code with [Destover malware](https://app.recordedfuture.com/live/sc/7pOtBabQCMdD) (Intel Card), which was used against [Sony Pictures Entertainment](https://www.operationblockbuster.com/) in 2014 and the [first WannaCry victim](https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group?source=techstories.org) in February 2017.
- The dropper in this campaign exploited a known Ghostscript vulnerability, [CVE-2017-8291](https://app.recordedfuture.com/live/sc/48vGJPkGX3ZG). The exploit implementation includes Chinese terms, possibly signifying an attempted false flag or a Chinese exploit supplier.

#### Background

North Korean state-sponsored cyber operations are largely clustered within the [Lazarus Group](https://app.recordedfuture.com/live/sc/5W4y9iC1SkK6) (Intel Card) umbrella. Also known as [HIDDEN COBRA](https://www.us-cert.gov/ncas/alerts/TA17-164A) by the U.S. government, Lazarus Group has conducted operations since at least 2009, when they launched a [DDoS](https://www.us-cert.gov/ncas/tips/ST04-015) attack on [U.S. and South Korean websites](https://www.theguardian.com/technology/2009/jul/08/cyber-war-mydoom-virus-attack) utilizing the MYDOOM worm. Until 2015, Lazarus Group [cyber activities](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf) primarily focused on South Korean and U.S. [governments](https://securingtomorrow.mcafee.com/wp-content/uploads/2011/07/McAfee-Labs-10-Days-of-Rain-July-2011.pdf) and [financial organizations](https://www.sans.org/reading-room/whitepapers/warfare/tracing-lineage-darkseoul-36787), including destructive attacks on South Korean banking and [media](http://english.chosun.com/site/data/html_dir/2013/01/17/2013011700661.html) sectors in 2013 and the [highly publicized attack on Sony Pictures Entertainment](https://www.operationblockbuster.com/) in 2014. Beginning in 2016, researchers discovered a shift in North Korean operations toward [attacks against financial institutions](https://securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf) designed to steal money and generate funds for the Kim regime.

_Lazarus Group in Recorded Future. Access the complete Intel Card [here](https://app.recordedfuture.com/live/sc/5W4y9iC1SkK6)._

By 2017, North Korean actors had jumped on the cryptocurrency bandwagon. The first known North Korean cryptocurrency operation occurred in February 2017, with [the theft of $7 million](https://www.express.co.uk/news/world/894026/north-korea-hackers-monitored-by-seoul-bitcoin-cryptocurrency-activity-bithumb-coinis-hack) ([at the time](https://bitinfocharts.com/cryptocurrency-exchange-rates/)) in cryptocurrency from South Korean exchange [Bithumb](https://www.bithumb.com/). By the end of 2017, several researchers had reported additional [spear phishing](https://www.fireeye.com/blog/threat-research/2017/09/north-korea-interested-in-bitcoin.html) [campaigns](https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf) against South Korean cryptocurrency exchanges, numerous [successful thefts](https://gizmodo.com/north-korea-is-main-suspect-in-ruinous-hack-of-south-ko-1821498942), and even [Bitcoin](https://www.recordedfuture.com/north-korea-internet-activity/) and [Monero mining](https://www.bloomberg.com/news/articles/2018-01-02/north-korean-hackers-hijack-computers-to-mine-cryptocurrencies). North Korea also utilized Bitcoin for the global [WannaCry ransomware attack](https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/) in mid-May, forcing victims to pay ransom in Bitcoin.

#### Threat Analysis

Insikt Group researchers regularly follow North Korean threat actors through a variety of methods, one of which includes proactive monitoring of attack vectors based on software disproportionately adopted in South Korea. Using this methodology, we identified a recent Lazarus Group malware campaign, which likely began in late Fall 2017. Lazarus Group operations target a wide swath of countries and verticals, with a particular interest in South Korean targets. Recent reporting regarding North Korean attacks [against cryptocurrency exchanges](https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf) and [using the Pyeongchang Olympics as a lure](https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/) describes techniques that are unusual for the Lazarus Group. These include leveraging PowerShell, HTA, JavaScript, and Python, none of which are common in Lazarus operations over the last eight years. The campaign we discovered showcases [a clear use of Lazarus TTPs](https://www.operationblockbuster.com/) to target cryptocurrency exchanges and social institutions in South Korea.

This campaign leveraged four different lures and targeted Korean-speaking users of the Hangul Word Processor (.hwp file extension), a Korean-language word processing program utilized widely in South Korea.
North Korean state-sponsored actors have used [Hangul exploits](https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf) (CVE-2015-6585) and malicious .hwp files in the past, including during a [phishing campaign in early 2017](https://www.cyberscoop.com/wannacry-ransomware-intel-471-north-korea-south-korea/), to target South Korean users.

Beyond Korean-speaking HWP users, targets of this campaign appear to be users of the [Coinlink](https://coinlink.co.kr/) cryptocurrency exchange, South Korean cryptocurrency exchanges at large (or at least those that are hiring), and a group called “Friends of MOFA” (Ministry of Foreign Affairs), which is a group of college students from around South Korea with [“a keen interest in foreign affairs.”](http://www.publicnow.com/view/6D2727CED612EC4814FE54E909DC7D731155B92E?2017-09-06-10:00:10+01:00-xxx8116)

_Payload shows two prompts from [coinlink.co.kr](https://coinlink.co.kr/): the first tells the user their password is incorrect, the second asks for their email address._

The first cryptocurrency-focused lure appears designed to obtain the emails and passwords of users of [Coinlink](https://coinlink.co.kr/), a cryptocurrency exchange run by the South Korean electronic stock exchange [KOSDAQ](http://www.kosdaqca.or.kr/). The second and third appear to be resumes stolen from two actual South Korean computer scientists, both with work experience at South Korean cryptocurrency exchanges.
The fourth document was lifted from a blog run by the South Korean group “Friends of MOFA” detailing a Korean Day celebration in late September 2017 during which [President Moon Jae-in spoke](http://m.yna.co.kr/kr/contents/?cid=AKR20170927061900001) about the importance of the Korean diaspora and the upcoming [Winter Olympics in Pyeongchang](https://www.pyeongchang2018.com/en/index).

_This document is from a blog post from the “Friends of MOFA” (Ministry of Foreign Affairs) detailing a Korean Day celebration attended by President Moon Jae-in.¹_

#### Technical Analysis

This campaign relies on a known Ghostscript exploit ([CVE-2017-8291](https://app.recordedfuture.com/live/sc/48vGJPkGX3ZG)) that can be triggered from within an embedded PostScript in a Hangul Word Processor document.

¹ Note: All Korean language translations provided by Gerald Kim.

_[Timeline](https://app.recordedfuture.com/live/sc/dGkLmo2OGbMq) of CVE-2017-8291 exploitation._

_Screenshot of the function names utilized in the PostScript._

Our initial finding focused on the “로그인 오류.hwp” or “Korean Day” lure, but once we created a signature for the particular implementation of the PostScript, we found three additional lure documents in a public malware repository tied together by the use of this exploit: two CVs and a cryptocurrency exchange-themed lure. All were created in the span of a month from mid-October to late November. Despite a nearly identical delivery mechanism (with the exception of altered 4-byte XOR keys), the payloads (when recoverable) were different in each case.

It’s worth noting that the function names used in the PostScript are transliterated Chinese words.
While “yima” (decode) and “yaoshi” (key) appear appropriate in their functional context, the word “yinzi” (factor/money) does not. The latter may be obscure technical slang or a misuse signifying a potential false flag. This would not be the first time the Lazarus Group used foreign-language terms to misdirect attribution efforts; [BAE researchers discovered](http://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html) transliterated Russian terms in previous Lazarus operations. However, an alternate explanation may point to a Chinese exploit supplier or the language competency of the developer.

The attack chain occurs in multiple stages, with the PostScript deobfuscating a first-stage shellcode that has been XORed with a hardcoded four-byte key. The shellcode in turn triggers the Ghostscript vulnerability in order to execute an embedded DLL that has also been XORed. A [PwnCode.Club](http://www.pwncode.club/2017/10/targeted-attack-on-south-korea-exploits.html) blog post details the deobfuscation of the shellcode and loading of the DLL into memory.

Lazarus malware families (like Hangman, Duuzer, Volgmer, SpaSpe, etc.; see the Intel Cards [here](https://app.recordedfuture.com/live/sc/7sEvori0kQwF) and [here](https://app.recordedfuture.com/live/sc/1KsNpqaEhXIk#/?sc=k31dAqmAwboFwuP)) overlap, likely as the result of the developers cutting and splicing an extensive codebase of malicious functionality to generate payloads as needed. This erratic composition makes the Lazarus intrusion malware [difficult to identify and group or cluster](https://securelist.com/operation-blockbuster-revealed/73914/), unless the samples are analyzed at the level of code similarity.

Upon deobfuscating the payloads, we found 32-bit DLLs built in part on the [Destover malware](https://app.recordedfuture.com/live/sc/7pOtBabQCMdD) (Intel Card) code. Destover has been used in a number of North Korea-attributed operations: most infamously against [Sony Pictures Entertainment](https://www.operationblockbuster.com/) in 2014, the [Polish banking attacks](https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0) in January 2017, and the [first WannaCry victim](https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group?source=techstories.org) in February 2017. This campaign relies on multiple payloads fashioned out of the Destover infostealer code to collect information about the victim system and exfiltrate files. Each payload contains an embedded 64-bit version of itself.

The payloads accompanying the newer cryptocurrency exchange-themed lure docs, compiled a month after the Korean Day payload, further obfuscate their functionality by resolving imports at runtime. This type of obfuscation is common in the Lazarus Hangman malware family. They also rely entirely on IPs (rather than domains) for their command-and-control infrastructure, a tactic likely borne of the use of hacked servers for infrastructure.

#### Outlook

This late 2017 campaign is a continuation of North Korea’s interest in cryptocurrency, which we now know encompasses a broad range of activities including mining, ransomware, and outright theft. Outside of the May WannaCry attack, the majority of North Korean cryptocurrency operations have targeted South Korean users and exchanges, but we expect this trend to change in 2018.
We assess that as South Korea responds to these attempted thefts by increasing security (and [possibly banning cryptocurrency trading](https://www.reuters.com/article/uk-southkorea-bitcoin/south-korea-plans-to-ban-cryptocurrency-trading-rattles-market-idUSKBN1F002A)), they will become harder targets, forcing North Korean actors to look to exchanges and users in other countries as well.

Further, while this campaign and toolset are specific to the Hangul Word Processor, the vulnerability it exploited ([CVE-2017-8291](https://app.recordedfuture.com/live/sc/48vGJPkGX3ZG)) is not. This vulnerability is in the Ghostscript suite and affects a wide range of products; while this particular version is triggered from within an embedded PostScript in an HWP document, it could easily be adapted to other software. As South Korean exchanges harden their networks and the government imposes [stricter regulatory controls on cryptocurrencies](https://www.nytimes.com/2017/12/28/business/south-korea-bitcoin.html), exchanges and users in other countries should be aware of the increased threat level from North Korean actors.
#### Appendix A: Indicators of Compromise

**Yara Rules**

```yara
rule apt_NK_Lazarus_SKOlympics_EPS
{
    meta:
        author = "JAG-S, Insikt Group, RF"
        desc = "CN terms in PostScript loader"
        TLP = "Green"
        version = "1.0"
        md5 = "231fe349faa7342f33402c562f93a270"
    strings:
        $eps_strings1 = "/yinzi { token pop exch pop } bind def" ascii wide
        $eps_strings2 = "/yaoshi def" ascii wide
        $eps_strings8 = /\/yaoshi <[A-F0-9]{8}> def/ ascii wide
        $eps_strings3 = "/yima{" ascii wide
        $eps_strings4 = "/funcA exch def" ascii wide
        $eps_strings5 = "0 1 funcA length 1 sub {" ascii wide
        $eps_strings6 = "/funcB exch def" ascii wide
        $eps_strings7 = "funcA funcB 2 copy get yaoshi funcB 4 mod get xor put" ascii wide
    condition:
        6 of them
}

rule apt_NK_Lazarus_Fall2017_payload_minCondition
{
    meta:
        desc = "Minimal condition set to detect payloads from Fall 2017 Lazarus Campaign against Cryptocurrency Exchanges and Friends of MOFA"
        author = "JAGS, Insikt Group, Recorded Future"
        version = "2.0"
        TLP = "Green"
        md5 = "46d1d1f6e396a1908471e8a8d8b38417"
        md5 = "6b061267c7ddeb160368128a933d38be"
        md5 = "afa40517d264d1b03ac5c4d2fef8fc32"
        md5 = "c270eb96deaf27dd2598bc4e9afd99da"
        md5 = "d897b4b8e729a408f64911524e8647db"
        md5 = "e1cc2dcb40e729b2b61cf436d20d8ee5"
    strings:
        $sub1800115A0 = { 488D542460488D8DB005000041FF9424882000004C8BE84883F8FF0F84EA010000488D8DC007000033D241B800400000E8 }
        $sub18000A720 = { 33C0488BBC2498020000488B9C2490020000488B8D600100004833CCE8 }
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and any of them
}
```
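The EPS rule above keys on the `yaoshi` (key) and `yima` (decode) definitions and on the per-byte loop `funcA funcB 2 copy get yaoshi funcB 4 mod get xor put`, which XORs byte i of the blob with byte i mod 4 of the key; the Technical Analysis notes that each lure changed only that four-byte key. The following Python triage script is an added example, not code from the report or from Recorded Future: it applies the same string markers to an EPS body and, when they match, recovers the XORed first stage by reading the key out of `/yaoshi <…> def`. The sample EPS, its key and the encoded bytes are constructed for this example, and the `<hex> yima` placement of the encoded blob is an assumption about the loader layout.

```python
import re
from typing import Optional

# Constructed sample of the PostScript loader structure the report describes.
# The key (DEADBEEF) and the encoded blob are invented for this example; the
# real lures each carry a different four-byte key and real shellcode.
SAMPLE_EPS = (
    "%!PS-Adobe-3.0 EPSF-3.0\n"
    "/yaoshi <DEADBEEF> def\n"
    "/yima{ /funcA exch def\n"
    "  0 1 funcA length 1 sub {\n"
    "    /funcB exch def\n"
    "    funcA funcB 2 copy get yaoshi funcB 4 mod get xor put\n"
    "  } for funcA } bind def\n"
    "<ADD9DF88BB9C938BBBC0D1CE> yima\n"
)

# Key definition, as matched by the report's $eps_strings8 regex.
KEY_RE = re.compile(r"/yaoshi\s*<([0-9A-Fa-f]{8})>\s*def")
# Hex blob handed to yima (assumed layout; adjust to the sample at hand).
PAYLOAD_RE = re.compile(r"<([0-9A-Fa-f]+)>\s*yima")
# String markers taken from the YARA rule; several hits together indicate the
# Lazarus loader rather than an arbitrary EPS that happens to XOR something.
LOADER_MARKERS = (
    "/yaoshi", "/yima{", "/funcA exch def", "0 1 funcA length 1 sub {",
    "/funcB exch def", "funcA funcB 2 copy get yaoshi funcB 4 mod get xor put",
)

def looks_like_loader(eps_text: str, threshold: int = 5) -> bool:
    """Triage check: enough of the known loader markers are present."""
    return sum(m in eps_text for m in LOADER_MARKERS) >= threshold

def xor4(data: bytes, key: bytes) -> bytes:
    """Reproduce the yima loop: byte i is XORed with key[i mod 4]."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def recover_stage1(eps_text: str) -> Optional[bytes]:
    """Pull the yaoshi key and the blob passed to yima; return decoded bytes."""
    key_m = KEY_RE.search(eps_text)
    blob_m = PAYLOAD_RE.search(eps_text)
    if not key_m or not blob_m:
        return None
    return xor4(bytes.fromhex(blob_m.group(1)), bytes.fromhex(key_m.group(1)))

if __name__ == "__main__":
    if looks_like_loader(SAMPLE_EPS):
        stage1 = recover_stage1(SAMPLE_EPS)
        print("loader markers matched; decoded %d bytes: %r" % (len(stage1), stage1))
```

In practice the EPS body first has to be pulled out of the HWP container (an OLE file whose BinData streams are zlib-compressed), which this script leaves to a separate extraction step.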