#### kimdw777@kisa.or.kr kimbyeongjae@kisa.or.kr


**7 - 8 October, 2021 / vblocalhost.com**


-----

**ABSTRACT**

The Korea Internet & Security Agency (KISA) carried out a detailed analysis of various security incidents believed to be
the attacks of Lazarus Group. As we analysed security incidents that attacked a Korean company, we identified the
signature string ‘Bookcodes’ in the communication between the command server and the malicious codes. After monitoring
the communication process with C2 using this signature string, we found that dozens of companies and individuals were
chain infected and communicated schematically. Based on this finding, the group of attacks that the Lazarus Group has
carried out against South Korea since 2019 was named ‘Bookcodes’.

Most of the C2 farms used in the Operation Bookcodes attacks used domains that hacked South Korean companies. We
monitored the attacker’s C2 and confirmed that dozens of companies had been infected, so we informed those companies of
the infection and provided support to help them develop defence strategies. In this presentation, we will share when
Operation Bookcodes began, how the incident investigation was carried out, and what artifacts were found. Also, based on
the analysis results, we will describe the attacker’s tactics, techniques and procedures (TTPs), and thus share the
penetration method of the Operation Bookcodes attacks, information collection method, and internal propagation method.

In advance of an attack, the attacker takes control of a hosting server that operates a large number of websites to use it as a
stronghold to carry out the attack. In general, it targets bulletin boards on vulnerable websites, uploads web shells, and
takes control by exploiting the host server’s local privilege escalation. It attempts an initial penetration attack on a target
company from the hosting server under its control in two ways:

1. Attaching documents in Korean or sending a spear-phishing email attached with a malicious link.

2. Using a watering hole to induce access by inserting a code vulnerability into the stronghold it took control of in
advance.

Once it has successfully penetrated, it identifies the internal network structure while collecting system information to
determine whether or not to carry out further malicious behaviours. It also connects the remote attackers’ drive to the
infection system, making it faster and easier to install additional malicious codes and collect the results of each command.

Additionally installed malicious codes perform activities such as service registration and start up program registration to
secure continuity, and they use legitimate programs to avoid detection by anti-virus software, if necessary. The attacker also
accesses shared networks for internal spread, and if a network separation policy is in effect, it identifies and attacks
vulnerabilities by verifying contact points, such as network-linked solutions and DRM solutions.

During the analysis, we further examined the commands (packets) and command structures used by the real attacker, and
we learned how they operate organically in the C2 farm, an infrastructure built by the attacker; how the Bookcodes attacks
are carried out; and how to respond and reprocess them.

**1. INTRODUCTION**

The rise in hacking incidents have led to ever-more stringent security requirements and the continuous evolution of security
systems to the next level. Yet, cyber incidents that were reported in the past are still being repeated today, and organizations
with some of the most sophisticated cyber-defence systems are still falling victim to such attacks.

_Figure 1: The Pyramid of Pain, David J Bianco._


-----

The influential concept of ‘The Pyramid of Pain’ (see Figure 1) in the sphere of cybersecurity illustrates that the most
effective security systems depend on understanding the ‘tactics, techniques and procedures’ (TTPs) of the attackers. The
ultimate goal of cybersecurity is to make attacks more costly and more painful for perpetrators – in other words, elevated to
the ‘tough’ level shown at the top of the pyramid.

A cybersecurity system based on ‘indicators of compromise’ (IoCs) still remains very efficient. (IoCs would refer to
one-dimensioned indicators such as malicious IPs or domains.) However, it is also true that attackers can easily secure then
discard attack infrastructures using such simple indicators. TTPs are different. The attacker cannot easily obtain or discard
TTPs. An attacker who h as locked on a target needs to invest in learning and practising TTPs to neutralize the target’s
security system. When moving on to the next attack, the attacker will tend to select targets on which the same TTPs can be
applied.

By nature, the attacker’s TTPs are heavily influenced by the characteristics of the targeted defence environment. As such,
security practitioners must have an accurate understanding of their own defence environment. They must also approach the
process and flow of attack from the strategic and tactical levels rather than as patterns or methods. In short, the defender’s
security environment and the attacker’s TTPs must be scrutinized together.

A defender who understands the attacker’s TTPs should be able to answer two things:

1. Would the attacker’s TTPs be able to penetrate the defender’s environment?

2. If so, what defensive strategy can defeat the TTPs?

The Korea Internet & Security Agency (KISA) identifies cyber attack TTPs through its incident response process and
disseminates the process and countermeasures using the ATT&CK framework. The various artifacts related to TTPs
included in this report are merely tools to promote understanding.

**2. OVERVIEW**

The Korea Internet & Security Agency (KrCert/CC) conducted a detailed analysis of security incidents believed to be
conducted by a nation-based threat group.

As we analysed security incidents that attacked a Korean company, we identified the signature string ‘Bookcodes’ in the
communication between the command server and the malicious codes. After monitoring the communication process with
the C2 using this signature string, we found dozens of companies and individuals were chain infected and communicated
schematically. Based on this finding, the group of attacks that the nation-based threat group has carried out against South
Korea since 2019 was named ‘Bookcodes’.

Most of the C2 farms used in the Operation Bookcodes attacks used domains that hacked South Korean companies. We
monitored the attacker’s C2 and confirmed that dozens of companies had been infected, so we informed those companies of
the infection and provided support to help them develop defence strategies. In this presentation, we will share when
Operation Bookcodes began, how the incident investigation was carried out, and what artifacts were found. Also, based on
the analysis results, we will describe the attacker’s tactics, techniques, and procedures (TTPs), and thus share the
penetration method of the Operation Bookcodes attacks, information collection method, and internal propagation method.

_Figure 2: Two types of attacks using spear phishing._


-----

_Figure 3: Overall attack process._

**Attack preparation**

First, attackers take control of a hosting server that operates multiple websites to use as a base. They upload web shells
through vulnerable websites like those described in the TTPs#1 report [1] and attempt to escalate privileges by attacking
vulnerabilities in the host system. An attacker who succeeds in obtaining administrator privileges for the system can
execute all actions such as web source code tampering, database access, and more.

**Send spear-phishing emails to attack target**

Once they’ve gained a foothold, attackers will select their targets. They collect publicly disclosed email addresses and write
emails with content related to the victim’s work responsibilities. Attackers then sends authentic-looking emails to induce
the recipients to open attachments containing malware or to access compromised websites. Thus, employees in charge of
personnel and sales who have more contact with people outside the company are more exposed to attacks than, for
example, IT professionals.

**Initial access**

An attacker uses two methods when infecting an attack target. The first method is to attach malicious Hangul word
processor files, and the second is to insert vulnerability codes into the bases secured during the preparation of the attack
and induce access.

**System information collection**

Upon successful initial access, attackers collect basic system information such as network information, host name, etc.
They then identify the secured privileges and internal network structure and decide whether to perpetrate further malicious
action. Attackers can also connect their drive remotely to an infected system to install additional malware and collect
command results more easily.

**Privilege escalation**

An attacker has limited privileges upon initial access and requires administrator privileges to perform more operations.
Therefore, they use malware or tools that cause vulnerabilities to elevate privileges.

**Securing persistence**

Even if the initial access is successful, the malware may be terminated due to a reboot of the infected device or an
unexpected process crash, resulting in the loss of the intrusion path. To prevent this, an attacker registers the service, sets up
the startup program, registers the task scheduler, and inserts the web shell so that the malware can be executed again.

**Internal information collection**

An attacker will collect confidential internal documents, entire network structure, and account credentials of infected
devices through malware. Attackers also use legitimate programs to collect information efficiently and easily and avoid
detection by anti-virus software.

**Lateral movement**

Attackers attempt to connect to the shared network using the previously collected account information. Subsequently, the
process from ‘system information collection’ to ‘internal information collection’ is repeated to reach the main system
containing critical information. If there is a network separation policy in place, the attacker may find a system (network
linkage solution, DRM solution, etc.) that connects the external and internal environment, and attempt an attack by
identifying vulnerabilities in the system.


-----

**Trace removal**

Malware and tools used in the attack are immediately deleted to remove traces. At this time, malware installed to secure
persistence is excluded.

**3. ATT&CK MATRIX**

_Figure 4: MITRE ATT&CK Matrix._

**A. Initial access**

**_A.1 Spear-phishing attachment: attach malware to email_**

The attacker infiltrated the target companies using spear-phishing emails with malicious Hangul word processor documents
(.hwp files) attached. The attacker attached files related to an actual seminar to make the emails appear legitimate. When
the attachment is opened, a remote-controlled malware is installed and communicates with the command-and-control server
(C&C).

_Figure 5: Spear-phishing email with malicious Hangul document attached._


-----

**_A.2 Spear-phishing link: insert a link to a malicious site_**

In this case the attacker uses spear-phishing emails that contain a link in the email to induce access to malicious sites.
Access to malicious sites can lead to malware infection due to browser vulnerabilities. An attacker prompts access to
_Internet Explorer, a browser that is no longer supported._

_Figure 6: Spear-phishing emails containing a link to induce access to a malicious site._

**_A.3 Drive-by compromise: malware infection when accessing a website_**

When accessing a malicious site by clicking on a link, a script inserted by the attacker redirects the victim to a site that
distributes malware, and the victim is infected. Because this works only when connected in a certain IP band, malware is
distributed only to certain targets.

_Figure 7: Drive-by compromise._

**_A.4 Exploiting a public-facing application_**

It was found that most servers that were abused as malware command-and-control sites were infiltrated through SQL
injection vulnerabilities or file upload vulnerabilities.

After obtaining website administrator privileges through SQL injection, the attacker uploaded the web shell as a file upload
vulnerability to secure access to the server. During file upload attacks, the .cer extension, which could run scripts on IIS,
was the most commonly used. Figure 8 shows an actual post by an attacker who uploaded a web shell by exploiting a file
upload vulnerability.


-----

_Figure 8: Post by an attacker who uploaded a web shell by exploiting a file upload vulnerability._

**B. Execution**

**_B.1 User execution_**

It is not easy to infiltrate a company that has a high level of security. For this reason, attackers use spear-phishing emails to
lead employees to watering hole sites or to directly execute malware. Attackers mainly send phishing emails to the sales
team or customer management team members whose email addresses are publicly disclosed on the company website.

_Figure 9: Attackers mainly send phishing emails to employees whose email addresses are publicly disclosed._


-----

**_B.2 Execution through API_**

Remote control malware executes additional processes by calling the CreateProcessAsUserW and CreateProcessW
functions after receiving commands from the C&C.

_Figure 10: Additional processes are executed by calling the CreateProcessAsUserW and CreateProcessW functions._

**_B.3 Execution through module load: load and execute DLL_**

Additionally, installed malware is registered as a DLL file and executed.

_Figure 11: The malware is registered as a DLL file and executed._

**_B.4 Service execution_**

Additionally, installed malware is registered as a service and executed.

_Figure 12: The malware is registered as a service and executed._

**_B.5 Windows Management Instrumentation_**

The attacker uses Windows Management Instrumentation (WMI) to collect a list of anti-virus software currently installed
on the system.


-----

_Figure 13: Use of Windows Management Instrumentation to collect a list of anti-virus software installed on the system._

**_B.6 Command-line interface_**

The attacker executes commands to the infected server mainly through remote-controlled malware. Below are the
commands that we saw being used, obtained through server analysis.

**Function** **Command**

Search for system account information query user
query session
net user administrator
whoami

Search for system information hostname
systeminfo
time /t
ver

Network sharing net use
net view

Check network information ipconfig /all
arp –a
netstat –ano | find “ESTA”
netstat –ano | find “LIST”
ping –a –n [IP]

Check service information sc queryex [Service Name]
sc query [Service Name]

Check process information tasklist /svc

Trace removal del [File Name]
rmdir [Directory Name]

Check IIS domain list C:\Windows\System32\inetsrv\
appcmd.exe list site

Check file and directory information dir [File or Directory Name]
dir /a /s [File or Directory Name]

_Table 1: Commands._

**C. Persistence**

**_C.1 Redundant access_**

**_C.2 Web shell_**

Web shells are inserted to secure redundant access to web servers that are being abused as C&Cs. The web shells used
primarily by attackers are ‘Redhat web’ shells, ‘WSO’ web shells, ‘Venus’ web shells and ‘Code Hunters’ web shells. The
password used to log in to the ‘Redhat’ web shell was ‘1234qwer’ and ‘venus’ for the ‘Venus’ web shell.

|Function|Command|
|---|---|
|Search for system account information|query user query session net user administrator whoami|
|Search for system information|hostname systeminfo time /t ver|
|Network sharing|net use net view|
|Check network information|ipconfig /all arp –a netstat –ano | find “ESTA” netstat –ano | find “LIST” ping –a –n [IP]|
|Check service information|sc queryex [Service Name] sc query [Service Name]|
|Check process information|tasklist /svc|
|Trace removal|del [File Name] rmdir [Directory Name]|
|Check IIS domain list|C:\Windows\System32\inetsrv\ appcmd.exe list site|
|Check file and directory information|dir [File or Directory Name] dir /a /s [File or Directory Name]|


-----

_Figure 14: Web shells inserted to secure redundant access to web servers that are being abused as C&C._

**_C.3 New service_**

If a piece of malware is registered as a service, the malware automatically executes upon reboot.

_Figure 15: Malware registered as a service._

**_C.4 Registry run keys / start folder_**

When a malware is created in the startup program path, the malware automatically executes at each reboot

**Command to check malware registered as a startup program**

cmd.exe /c dir "C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Start Menu

\Programs\Startup\javaw.exe"


-----

**D. Privilege escalation**

**_D.1 Exploitation for privilege escalation_**

The attacker attempts to escalate the privileges by executing a file created with a tool using CVE-2014-4113, which is a
_Windows privilege elevation vulnerability. The attacker remotely connects and copies malware to the infected system local_
drive. Based on the folder names classified on the attacker’s

**Attacker’s remote drive path Infected system’s local drive path**

Z:\Tools\2003_elevator\CVE-2014-4113.exe E:\...\board_9_files\image.tmp

**_D.2 Bypass User Account Control_**

The attacker attempts a User Access Control (UAC) bypass using an open tool called UACME.

**Attacker’s remote drive path Infected system’s local drive path**

Z:\Tools\UACME\LoaderW_x86.exe C:\Users\...\AppData\Local\dwm.exe

Z:\Tools\UACME\Akagi32_Enc-11-18.dll C:\Users\...\AppData\Local\ntuser.dat

**_D.3 New service_**

The malware has SYSTEM privileges when executed using the service.

_Figure 16: The malware has SYSTEM privileges when executed using the service._

**E. Defence evasion**

**_E.1 Masquerading_**

The attacker disguises the malware as system default files, Java programs, Windows update files, Windows default
programs, Sticky Notes, etc. to avoid being detected.

**Type** **Malware name**

C:\Windows\SysNative\perfcon.dat
C:\Windows\System32\perfcon.dat
C:\Windows\SysNative\perf91nc.inf

Masquerading as system files

C:\Windows\System32\perf91nc.inf
C:\Windows\SysNative\nwsapagentmonsvc.dll
C:\Windows\System32\nwsapagentmonsvc.dll

C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Start Menu
Masquerading as Java files
\Programs\Startup\javaw.exe

Masquerading as Windows update files C:\Windows\SoftwareDistribution\Download\BIT[숫자4~5개].tmp

Masquerading as Themida packing program Z:\Tools\Installer-10-11\New-2020-01-29-Installer\install-themida-64.exe

Masquerading as Sticky Notes program Z:\Tools\aDllMeloadTool1.0\dllmenloadtool64.exe

_Table 2: Malware masquerading as legitimate files._

|Attacker’s remote drive path Infected system’s local drive path|Col2|
|---|---|
|Z:\Tools\2003_elevator\CVE-2014-4113.exe|E:\...\board_9_files\image.tmp|

|Attacker’s remote drive path Infected system’s local drive path|Col2|
|---|---|
|Z:\Tools\UACME\LoaderW_x86.exe|C:\Users\...\AppData\Local\dwm.exe|
|Z:\Tools\UACME\Akagi32_Enc-11-18.dll|C:\Users\...\AppData\Local\ntuser.dat|

|Type|Malware name|
|---|---|
|Masquerading as system files|C:\Windows\SysNative\perfcon.dat C:\Windows\System32\perfcon.dat C:\Windows\SysNative\perf91nc.inf C:\Windows\System32\perf91nc.inf C:\Windows\SysNative\nwsapagentmonsvc.dll C:\Windows\System32\nwsapagentmonsvc.dll|
|Masquerading as Java files|C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Start Menu \Programs\Startup\javaw.exe|
|Masquerading as Windows update files|C:\Windows\SoftwareDistribution\Download\BIT[숫자4~5개].tmp|
|Masquerading as Themida packing program|Z:\Tools\Installer-10-11\New-2020-01-29-Installer\install-themida-64.exe|
|Masquerading as Sticky Notes program|Z:\Tools\aDllMeloadTool1.0\dllmenloadtool64.exe|


-----

_Figure 17: Malware masquerading as Sticky Notes program._

**_E.2 Indicator removal on host_**

_Windows stacks data called Prefetch to run applications effectively and quickly. This data records the application’s_
execution history, which the attacker attempts to delete in order to interrupt analysis. The web server identified traces of
deleting some of the web logs to hide the attack.

_Figure 18: Traces of deleting of web logs._

**Command for Prefetch removal**

cmd.exe /c "del C:\Windows\Prefetch\*.pf > "%s" 2>&1" edg173F.tmp

**_E.3 File deletion_**

The attacker included a self-delete function to prevent duplicate execution of malware, and deletes various log files to clear
their traces.

**Commands for file deletion**

del C:\Windows\Prefetch\*.pf

del C:\Windows\SoftwareDistribution\Download\logs\*.txt

del C:\Windows\SoftwareDistribution\Download\logs\*.log

rmdir C:\Windows\SoftwareDistribution\Download\logs

del C:\Users\THOR\AppData\Roaming\Microsoft\Windows\Start Menu

\Programs\Startup\OfficeC2RUpdate.lnk

**_E.4 Software packing_**

The attacker uses a commercial packing program called Themida to pack the malware in order to evade anti-virus software
detection. It was also used in the filenames of some unpacked malware.

_Figure 19: Themida is used to pack the malware._


-----

|Attacker’s remote drive path  Infected system’s local drive path|Col2|
|---|---|
|Z:\Tools\Installer-10-11\ New-2020-01-29-Installer\install-themida-x86.exe|C:\WINDOWS\SoftwareDistribution\Download\BIT3001. tmp|


**_E.5 Redundant access_**

Web shells were inserted to secure redundant access to web servers that are being abused as C&Cs. The web shells used
primarily by attackers are ‘Redhat web’ shells, ‘WSO’ web shells, ‘Venus’ web shells and ‘Code Hunters’ web shells. The
password used to log in to the ’Redhat’ web shell was ‘1234qwer’ and ‘venus’ for the ’Venus’ web shell.

_Figure 20: Web shells inserted to secure redundant access to web servers that are being abused as C&Cs._

**_E.6 Process injection: inject code in specific process_**

The attacker injects malware into the memory of the w3svc process in order to intercept all packets on the server-hosted
home page. If the target then accesses a specific home page path, it will be moved to a malware distribution site.

_Figure 21: Malware is injected into the w3svc process._


-----

**Command to query w3svc service information**

cmd.exe /c "sc query w3svc > "%s" 2>&1" edg173F.tmp

cmd.exe /c "sc queryex w3svc > "%s" 2>&1" edg173F.tmp

**_E.7 Obfuscated files or information_**

Remote control malware exists as encrypted files on the system.

_Figure 22: Encrypted files._

**F. Credential access**

**_F.1 Credentials in files: steal credential information saved in files_**

After taking over the infected system, the attacker steals the log-in information exposed in plain text on the DB setup file
and the server setup file, and accesses the DB to collect account information on the website. After collecting the account
information, the password pattern is identified and used to spread the malware internally.

**Infected system’s local drive path  Attacker’s remote drive path**

Z:\Object\Web_HTTP\Download\[ComputerName]
D:\htdocs\dbadmin\db_sql.php

[SYSTEM][C7348219B03D9B0E]\db_sql.php

Z:\Object\Web_HTTP\Download\[ComputerName]
D:\...\include\dbconn.asp

[NETWORK SERVICE][27559E258E485B0A]\dbconn.asp

Z:\Object\Web_HTTP\Download\[ComputerName]

D:\setup\00new_server_construction\

[SYSTEM][C7348219B03D9B0E]\0000 server_

00server_configuration.txt

configuration.txtt

Z:\Object\Web_HTTP\Download\[ComputerName]
D:\server\Tomcat 8.5_Agent00\conf\server.xml

[SYSTEM][C7348219B03D9B0E]\server.xml

**_F.2 Private key: steal a private key and certificate_**

In the case of a web server, the attacker steals the server’s SSL certificate.

**Infected system’s local drive path    Attacker’s remote drive path**

Z:\Object\Web_HTTP\Download\[ComputerName]
D:\server\Tomcat 8.5_Agent00\cert

[SYSTEM][C7348219B03D9B0E]\cert.zip

**_F.3 LLMNR/NBT-NS poisoning and relay_**

LLMNR and NBT-NS are components that help identify hosts among systems in the same subnet. LLMNR/NBT-NS
poisoning is a technology that can use this to intercept a user’s name and password (NTLM hash). The attacker uses a tool
called ‘Response’ to manipulate the name services and collect the credentials and hash information on the local network

|Infected system’s local drive path  Attacker’s remote drive path|Col2|
|---|---|
|D:\htdocs\dbadmin\db_sql.php|Z:\Object\Web_HTTP\Download\[ComputerName] [SYSTEM][C7348219B03D9B0E]\db_sql.php|
|D:\...\include\dbconn.asp|Z:\Object\Web_HTTP\Download\[ComputerName] [NETWORK SERVICE][27559E258E485B0A]\dbconn.asp|
|D:\setup\00new_server_construction\ 00server_configuration.txt|Z:\Object\Web_HTTP\Download\[ComputerName] [SYSTEM][C7348219B03D9B0E]\0000 server_ configuration.txtt|
|D:\server\Tomcat 8.5_Agent00\conf\server.xml|Z:\Object\Web_HTTP\Download\[ComputerName] [SYSTEM][C7348219B03D9B0E]\server.xml|

|Infected system’s local drive path  Attacker’s remote drive path|Col2|
|---|---|
|D:\server\Tomcat 8.5_Agent00\cert|Z:\Object\Web_HTTP\Download\[ComputerName] [SYSTEM][C7348219B03D9B0E]\cert.zip|


-----

_Figure 23: LLMNR/NBT-NS poisoning._

**Part of the responder session log**

03/17/2020 08:49:10 AM - [Proxy-Auth] Sending NTLM authentication request to [Target IP]

03/17/2020 08:49:10 AM - [Proxy-Auth] NTLMv2 Client : [Target IP]

03/17/2020 08:49:10 AM - [Proxy-Auth] NTLMv2 Username : RTNB088\[User Name]

03/17/2020 08:49:10 AM - [Proxy-Auth] NTLMv2 Hash : [User Name]::RTNB088:11223344556

**Attacker’s action to delete the response session log**

cmd.exe /c "del C:\Windows\SoftwareDistribution\Download\logs\*.txt

cmd.exe /c "del C:\Windows\SoftwareDistribution\Download\logs\*.log

cmd.exe /c "rmdir C:\Windows\SoftwareDistribution\Download\logs

**G. Discovery**

**_G.1 File and directory discovery_**

The attacker uses the search program ‘Everything’ to make navigating file and folder information easier and more efficient.

**Execution command**

Everything.exe –db [tmp file]

Everything.exe –exit

_Figure 24: Everything._

**_G.2 Browser bookmark discovery: discover browser bookmarks and access history_**

The attacker used a legitimate program called Browsing History View provided by NirSoft to collect browser bookmarks
and history information.


-----

**Execution command**

BrowsingHistoryView.exe /scomma [LogFile] /sort ~2 /VisitTimeFilterType 1

_Figure 25: The attacker used Browsing History View to collect browser bookmarks and history information._

**_G.3 System time discovery_**

Discovery the time of the current system.

**Command for gathering time**

time /t

**_G.4 Security software discovery_**

Attackers use Windows Management Instrumentation (WMI) to discover installed anti-virus software.

Name space : root\SecurityCenter2

Query : Select * From AntivirusProduct

Properties : displayName

**_G.5 Query registry_**

To install malware under normal service names, existing services lists and services lists in the netsvcs group are collected.

**Registry Search Path**

HKLM\SYSTEM\CurrentControlSet\Services, [Service Name]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, netsvcs

**_G.6 Process discovery_**

To verify that the installed registry and malware are registered properly, the process list is searched.

**Command for discovering service related process**

cmd.exe /c "tasklist /svc > "%s" 2>&1" edg173F.tmp

**_G.7 System owner/user discovery_**

Account information is collected for the system currently accessed by the attacker.

**Current user same discovery command**

cmd.exe /c "whoami > "%s" 2>&1" edg173F.tmp


-----

**_G.8 System information discovery_**

Information on the system currently being accessed by the attacker is collected.

**System information discovery command**

cmd.exe /c "systeminfo > "%s" 2>&1" edg173F.tmp

cmd.exe /c "hostname > "%s" 2>&1" edg173F.tmp

cmd.exe /c "ver > "%s" 2>&1" edg173F.tmp

**_G.9 System network configuration discovery_**

Network configuration information for the system currently being accessed by the attacker is collected.

**Network configuration discovery command**

cmd.exe /c "ipconfig /all > "%s" 2>&1" edg173F.tmp

cmd.exe /c "arp -a > "%s" 2>&1" edg173F.tmp

cmd.exe /c "C:\Windows\System32\inetsrv\appcmd.exe list site > "%s" 2>&1" edg173F.tmp

(Discovery of list of domains being hosted)

**_G.10 Account discovery_**

A complete list of accounts in the system and account information details is collected.

**Account information discovery command**

cmd.exe /c "net user > "%s" 2>&1" edg173F.tmp

cmd.exe /c "net user Administrator > "%s" 2>&1" edg173F.tmp

cmd.exe /c "query user Administrator > "%s" 2>&1" edg173F.tmp

**_G.11 Remote system discovery: discover different systems in the network_**

A list of different systems on the same network is collected.

**Network discovery command**

cmd.exe /c "net view > "%s" 2>&1" edg173F.tmp

**_G.12 System service discovery_**

Detailed information of the services currently installed in the system is collected.

**Service detailed information discovery command**

cmd.exe /c "sc query nwsapagent > "%s" 2>&1" edg173F.tmp

cmd.exe /c "sc query w3svc > "%s" 2>&1" edg173F.tmp

cmd.exe /c "sc queryex w3svc > "%s" 2>&1" edg173F.tmp

cmd.exe /c "sc query [Service Name] > "%s" 2>&1" edg173F.tmp

**_G.13 System network connections discovery_**

Network connection status and session information of the current system are collected.


-----

**H. Lateral movement**

**_H.1 Windows admin shares: default sharing on Windows_**

Moves to other systems on the same network through internal information collected by infected systems

**Attempt to access other systems command**

cmd.exe /c "net use \\[Target IP or Domain] **[Password] /u:[Account] > "%s" 2>&1" edg173F.tmp**

**I. Collection**

**_I.1 Data from local system_**

Below is a list of information taken from companies the attacker has infiltrated successfully.

**Category** **Information stolen**

DB settings (ID, password, port, DB name)

System configuration

System information

Web server settings file

Website certificate

Organizational chart

Employee contact information

Duties log

Replacement training

Organization information Outcomes information

Personnel information

Business plans

Records of arriving/leaving work

Client list

Recent documents list

Covid-19 related documents

Recent issues

Favourites list

Outlook SendTo file list

Malware C2 server discovery list
Security-related information Documents on actions in case of unauthorized insertion

of Iframe

Web log

Browser log

Log information

File search log

Responder attack log

_Table 3: information taken from companies the attacker has infiltrated successfully._

**_I.2 Data from network shared drive_**

The attacker collects information from an infected system with the attacker’s drive connected as a network drive. The drive
volume name is ‘Z’, and folders for companies that were successfully infiltrated are managed separately.

|Category|Information stolen|
|---|---|
|System information|DB settings (ID, password, port, DB name) System configuration Web server settings file Website certificate|
|Organization information|Organizational chart Employee contact information Duties log Replacement training Outcomes information Personnel information Business plans Records of arriving/leaving work Client list|
|Recent issues|Recent documents list Covid-19 related documents Favourites list Outlook SendTo file list|
|Security-related information|Malware C2 server discovery list Documents on actions in case of unauthorized insertion of Iframe|
|Log information|Web log Browser log File search log Responder attack log|


-----

**_I.3 Data staged: stage collected data in a file_**

Stage the result of executing the malware command to a file.

**Command example**

cmd.exe /c [Command to execute] > edg173F.tmp

**J. Command and control**

**_J.1 Standard cryptographic protocol: remote control malware uses RC4 algorithm to encrypt data_**

**_J.2 Multi-stage channels: attackers use various C2 points to deliver commands to malware_**

**_J.3 Connection proxy: the C2 server of malware acts as a proxy to perform remote control_**

**_J.4 Remote file copy: remote control create and exfiltrates files from C2 through command_**

**_J.5 Custom cryptographic protocol: downloaders encrypt data using custom encryption_**
**_algorithms_**

**_J.6 Multilayer encryption: downloaders use HTTPS and custom encryption algorithms_**

**_J.7 Data encoding: Base64 and XOR for remote control, and custom encoding for downloaders_**

**_J.8 Data obfuscation: malware obfuscates data in ways such as encoding, encryption, and custom_**

**_J.9 Commonly used port: malware attempts to control commands using HTTP(80) and HTTPS(443)_**

**_J.10 Standard Application Layer Protocol: malware attempts to control using HTTP, HTTPS_**

Malware uses normal protocols and attempt malicious behaviour across various points and stages without
exposing malicious traffic in ways such as encoding, encryption, and obfuscation

**Refer to Section 4 (Malware Analysis)**

**K. Exfiltration**

**_K.1 Data encryption: remote control encrypts data with RC4 and downloaders encrypt with custom_**
**_algorithm_**

**_K.2 Data transfer size limits: remote control divides data into 90KB chunks_**

**_K.3 Data compressed: remote control compresses certain files into the INFO-ZIP library and exfiltrates_**

**_K.4 Extensions over command-and-control channel: malware exfiltrates files to C2 channels_**

**_K.5 Extensions over alternative protocol: malware attempts to collect files through network shares_**


-----

**L. Impact**

**_L.1 Data destruction: remote control overwrites and deletes certain files through command so that_**
**_they cannot be recovered_**

The remote control command deletes the malware used and command execution results in the file being beyond
recovery, as a means to interfere with analysis and evade detection.

**Refer to Section 4 (Malware Analysis)**

**4. MALWARE ANALYSIS**

The types of malware and normal programs that the attacker uses to carry out an attack are as follows. The attacker used the
‘net use’ to copy and execute files with the attacker drive connected remotely.

**Type** **Role** **File path by file saved on attacker’s remote drive**

HWP file malware Initial intrusion 
Spear phishing Watering hole 
Watering hole
Check IP and redirect Z:\Target Information\[Victim]\EK_Modify\main_head_modify.asp
website

Z:\Tools\Installers\install_x86_online_0723_01-hyoju.exe

Z:\Tools\Installers\[Victim]\install.exe

Dropper malware Maintain persistence Z:\Tools\Installer-10-11\New-2020-01-29-Installer\install-themida-x86.exe

Z:\Tools\Installers\x64\Outcome\install_HKDB-10-11.exe

Z:\Tools\Installer-10-11\New-2020-01-29-Installer\install-themida-64.exe

Z:\Tools\LPEClient_x64.exe

Downloader Download additional Z:\Tools\LPEClient_x86.exe
malware malware Z:\Object\Web_HTTP\Download\[Victim][[Victim]$]

[FB3F7A0EE57CBC2C]\LPEClient_x86.exe

Remote control Execute command 
Tool DLL injector Z:\Tools\aDllMeloadTool1.0\dllmenloadtool64.exe

Tool Query check Z:\Target Information\[Victim]\EK-2020-03-\Edward\Proxy64.dll

Tool Escalate privilege Z:\Tools\2003_elevator\CVE-2014-4113.exe

Tool Escalate privilege Z:\Tools\UACME\LoaderW_x86.exe

Tool Key logger 
Z:\Object\Web_HTTP\Download\[Victim][SYSTEM]
Web shell Web shell

[840E3A53C168637C]\726_71112.cer

Everything File search Z:\Tools-Kaspersky\Hardindexing\Everything.exe

Z:\Tools-Kaspersky\NTLM_Responder\Responder.exe
Responder Collect credentials

Z:\Tools-Kaspersky\NTLM_Responder\Responder.conf

Browsing Z:\Tools-Kaspersky\_Browsinghistory\browsinghistoryview-x64\
Browser access history
HistoryView BrowsingHistoryView.exe

_Table 4: Types of malware and normal programs that the attacker uses to carry out an attack._

**4.1. Initial infiltration**

**_A. HWP (Hangul Word Processor) malware_**

When a user of a Hangul word processor program which has not been updated since February 2017 opens a HWP file
containing malware, the recipient is immediately infected with malware and can be remotely controlled. To this end,
attackers evade suspicion by including a message in the email body and planting malware in HWP files disguised as
applications, additional documents, etc.

|Type|Role|File path by file saved on attacker’s remote drive|
|---|---|---|
|HWP file malware|Initial intrusion|-|
|Spear phishing|Watering hole|-|
|Watering hole website|Check IP and redirect|Z:\Target Information\[Victim]\EK_Modify\main_head_modify.asp|
|Dropper malware|Maintain persistence|Z:\Tools\Installers\install_x86_online_0723_01-hyoju.exe Z:\Tools\Installers\[Victim]\install.exe Z:\Tools\Installer-10-11\New-2020-01-29-Installer\install-themida-x86.exe Z:\Tools\Installers\x64\Outcome\install_HKDB-10-11.exe Z:\Tools\Installer-10-11\New-2020-01-29-Installer\install-themida-64.exe|
|Downloader malware|Download additional malware|Z:\Tools\LPEClient_x64.exe Z:\Tools\LPEClient_x86.exe Z:\Object\Web_HTTP\Download\[Victim][[Victim]$] [FB3F7A0EE57CBC2C]\LPEClient_x86.exe|
|Remote control|Execute command|-|
|Tool|DLL injector|Z:\Tools\aDllMeloadTool1.0\dllmenloadtool64.exe|
|Tool|Query check|Z:\Target Information\[Victim]\EK-2020-03-\Edward\Proxy64.dll|
|Tool|Escalate privilege|Z:\Tools\2003_elevator\CVE-2014-4113.exe|
|Tool|Escalate privilege|Z:\Tools\UACME\LoaderW_x86.exe|
|Tool|Key logger|-|
|Web shell|Web shell|Z:\Object\Web_HTTP\Download\[Victim][SYSTEM] [840E3A53C168637C]\726_71112.cer|
|Everything|File search|Z:\Tools-Kaspersky\Hardindexing\Everything.exe|
|Responder|Collect credentials|Z:\Tools-Kaspersky\NTLM_Responder\Responder.exe Z:\Tools-Kaspersky\NTLM_Responder\Responder.conf|
|Browsing HistoryView|Browser access history|Z:\Tools-Kaspersky\_Browsinghistory\browsinghistoryview-x64\ BrowsingHistoryView.exe|


-----

When malicious HWP documents are opened, malicious behaviour begins from the exploit codecode at BIN0001.ps in the
BinData area of the HWP document. The remotely controlled malware is then injected into the ‘explorer.exe’ process and
operates in memory.

_Figure 26: HWP malware execution process._

BIN0001.ps reads the memory of the hwp.exe process and searches for two specific pieces of data
(0x8B68B727AEBDD87E and ‘F0und3q9’) within the BIN0002.bmp file. Based on this value, 32-bit and 64-bit remote
control malware data encrypted with AES128 are then read, decrypted and executed according to each operating system
environment.

_Figure 27: HWP malware detailed process._

**_B. Watering hole_**

The attacker disguises the body of the email as a request for a quote on a product and sends a spear-phishing email to a
sales representative. In order to carry out the attack, the attacker encourages the victim to access certain home pages using
_Internet Explorer, presumably because Internet Explorer is no longer updated, and the attacker is taking advantage of_
already disclosed vulnerabilities.


-----

It was confirmed that the final remote control malware was downloaded due to the watering hole attack over four stages.
The roles, purpose and URLs for each stage are shown in Table 5.

**Stage** **Type** **Purpose** **Access attempt URL**

Direct to watering
1 Spear phishing http://www.[Normal site].com
hole

[Normal site]’s Verify IP and
2 https://[Normal site2].com/product/sublist3.asp?id=9876
modified main page redirect

Verify URL and

Malware installed on https://www.[Attacker‘ server].com:443/uploads/index.
3 download

[Normal site2] asp?id=9876

additional malware

4 [Attacker‘s server] Distribute malware 
_Table 5: Roles, purpose and URLs for each stage._

In the first stage, spear phishing leads to access to the modified main page in stage 2. Subsequent IPs are then redirected to
the page in stage 3 only if they are accessed from the target IP band. The malware that injected into the IIS-related service,
w3svc, to control HTTP packets is running on the server hosting the home page in stage 3. The ‘sublist3.asp’ does not
actually exist and the malware receives it instead, which is used for protocol, domain, port, page, and parameter
verification. If verification is successful, additional malware will be downloaded from the server deployed by the attacker.
It was confirmed that at the time of the actual attack, the attacker maintained the modified main page in stage 2 for only
three hours after sending the email.

_Figure 28: Watering hole process._

|Stage|Type|Purpose|Access attempt URL|
|---|---|---|---|
|1|Spear phishing|Direct to watering hole|http://www.[Normal site].com|
|2|[Normal site]’s modified main page|Verify IP and redirect|https://[Normal site2].com/product/sublist3.asp?id=9876|
|3|Malware installed on [Normal site2]|Verify URL and download additional malware|https://www.[Attacker‘ server].com:443/uploads/index. asp?id=9876|
|4|[Attacker‘s server]|Distribute malware|-|


-----

The main page or JavaScript files shown below were modified and a malicious script inserted in the normal sites exploited
in watering hole attacks. There are three types of malicious scripts obtained through analysis.

**Type** **Modified source code**

Watering hole page type 1 (run
additional script)

Watering hole page type 2
(verify IP and redirect)

Watering hole page type 3
(redirect)

_Table 6: Page types and modified source code._

**4.2. Maintaining persistence**

The malicious code used for the initial compromise installs additional malware through a command so that the malware is
executed even when the computer reboots. The additional malware can be executed even after through the startup program,
registry, and service registration.

**_A. Dropper_**

Dropper malware performs two functions depending on the execution options. Options [–s] and [–g] have two functions:
collecting/transmitting the service list and dropping and executing remote-controlled malware. The [–g] option receives two
parameters and the [–s] option receives five parameters.

_Figure 29: Dropper malware execution options._

**_A.1 [–g] option: gather registry information_**

The [–g] option gathers a complete list of services from the netsvcs group within the infected system. Then, the malware
returns a list of services that are not currently used in the system, and the attacker selects one of these service names and
uses it as a parameter in the –s option.

|Type|Modified source code|
|---|---|
|Watering hole page type 1 (run additional script)||
|Watering hole page type 2 (verify IP and redirect)||
|Watering hole page type 3 (redirect)||


-----

_Figure 30: Dropper malware [–g] option._

The [–g] option is executed by the initially installed remote control, the actual command executed by the attacker is shown
below.

_Figure 31: Dropper malware –g option execution command._

The malware collects a complete list of services existing in the netsvcs group, compares them with the list of services
registered in the current system, selects a service name that is not in use and then uses it as the service name of the
malware. The list of netsvcs group service names varies by system, and each registry location is as follows.

**Role** **Path**

List of services registered in current system HKLM\SYSTEM\CurrentControlSet\Services, [ServiceName]

List of all services on netsvcs group HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, netsvcs

_Table 7: Registry locations._

**_A.2 [-s] Option: drop and execute remotely controlled malware_**

Dropper malware has three types of resources encrypted with RC4. First, using the RC4 key received as the fifth parameter,
the C2 List resource is decrypted and created into a file. Subsequently, the injector resources are decrypted and registered
as a service using the third and fourth parameters. The remote control resource is saved as a file in an encrypted state,
which is decrypted and injected into the ‘svchost.exe’ process when the injector is run. Finally, remote-controlled malware
attempts command control by reading the C2 List file.

**Resource ID** **Filename** **Type** **Role**

160 perf91nc.inf C2 List C&C address list and execution-related option

161 [4[th] Parameter].dll Injector Decrypt and load perfcon.dat file

162 perfcon.dat Remote control Reference perf91nc.inf file and connect to C2 server

_Table 8: The three types of resources._

_Figure 32: Dropper malware [–s] option execution command._

|Role|Path|
|---|---|
|List of services registered in current system|HKLM\SYSTEM\CurrentControlSet\Services, [ServiceName]|
|List of all services on netsvcs group|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, netsvcs|

|Resource ID|Filename|Type|Role|
|---|---|---|---|
|160|perf91nc.inf|C2 List|C&C address list and execution-related option|
|161|[4th Parameter].dll|Injector|Decrypt and load perfcon.dat file|
|162|perfcon.dat|Remote control|Reference perf91nc.inf file and connect to C2 server|


-----

**_A.3 Resource 160: perf91nc.inf (C2 List)_**

Resource 160 is a file that has a C2 server list and set values required for execution. Remote-controlled malware reads this
file and attempts to connect. The file size is fixed at 0x2EE0.

**Offset** **Value** **Role**

0x0~0x7 ID Infected device’s ID

0x620~0x1A6F C2 page list Command & control page (max 10)

0x1A70~0x2EBF Process, command or file Default execution process or library (max 10)

0x2EC0 Flag Command or additional file execution Flag

0x2ECC Time (Second) Malware start time or executed time

0x2ED0 Time (Minute) Malware execution cycle

0x2ED4 Time (Minute) Malware start time

0x2ED8 Flag Flag to mark malware start time

_Table 9: Resource 160._

**_A.4 Resource 161 : [4[th] Parameter].dll (injector)_**

The malware takes the fourth parameter of the file name associated with the service name of the unused netsvcs group
found through the [–g] option and uses it as a file name. To disguise itself further, the malware finds ‘svchost.exe’ where
the netsvcs service is running and injects data decrypted from the perfcon.dat file.

**Stage** **Description**

Log file path C:\Windows\Temp\services_dll.log

Malicious activity start log Start ...

Remote-controlled malware injection GetReflectiveLoaderOffset : 1:1

_Table 10: Injector malware stages._

_Figure 33: Detailed process of injector malware action._

**_A.5 Resource 162: perfcon.dat (remote-controlled malware)_**

The remote-controlled malware is described in detail in Section 3.

|Offset|Value|Role|
|---|---|---|
|0x0~0x7|ID|Infected device’s ID|
|0x620~0x1A6F|C2 page list|Command & control page (max 10)|
|0x1A70~0x2EBF|Process, command or file|Default execution process or library (max 10)|
|0x2EC0|Flag|Command or additional file execution Flag|
|0x2ECC|Time (Second)|Malware start time or executed time|
|0x2ED0|Time (Minute)|Malware execution cycle|
|0x2ED4|Time (Minute)|Malware start time|
|0x2ED8|Flag|Flag to mark malware start time|

|Stage|Description|
|---|---|
|Log file path|C:\Windows\Temp\services_dll.log|
|Malicious activity start log|Start ...|
|Remote-controlled malware injection|GetReflectiveLoaderOffset : 1:1|


-----

**_B. Downloader_**

When the attacker executes a downloader, the attacker executes it by giving the encrypted download address and the path to
save the downloaded file as a parameter. Although KISA did not obtain the malware that ultimately was downloaded, it is
assumed that it is the same remote-controlled malware as dropped by the dropper malware. An attacker can select or mix
one of the droppers or downloads to maintain persistence.

_Figure 34: Downloader malware execution option._

**_B.1 Data encryption and decryption approach_**

Decrypting an encrypted string given as a second parameter extracts the primary and secondary download sites to be
accessed by the malware. The attacker then collects information from the infected device and proceeds with encryption in
the same way. Encryption keys are generated randomly each time, and S-box borrowed some tables from existing DES
encryption algorithms. It is estimated that certain algorithms are used through customizing, and overall there is a general
symmetric-key algorithm structure.

_Figure 35: Downloader malware encryption approach._

**_B.2 Sending device information and downloading additional malware_**

The downloader malware first connects to the primary download site and sends information about the infected device
along with the address of the secondary download site. Both the first and second download sites consist of specific ASP
pages. The primary download site connects to the secondary download site received from the malware and transmits
information about the infected device. In the secondary download site, the malware checks the target based on the
information of the infected device and sends malware encrypted by the ID and computer name of the infected device. If


-----

it succeeds in downloading the final malware normally, the malware executes by giving a string called CloseEnv as a
parameter.

_Figure 36: Additional malware download process._

Each time data is sent to the primary download site, it is delivered in JSON format, and the structure is as shown in Figure
37. Encoded secondary download address, randomly generated key, and encrypted data are always sent.

_Figure 37: Structure of sending downloader malware data._

The encoding methods used by the malware to transmit secondary download sites are as follows. Using a specific table, the
malware is exchanged with letters in a random location, and added together to produce a string.

_Figure 38: Example of secondary download site encoding method._

Information on infected devices collected and leaked by malware is as follows. It collects more information than general
malware, such as available memory, product type, etc. The unique ID values given at each stage of malicious behaviour are
added first, and the hash values calculated as XOR are added last and then sent.


-----

|Type|Data|Col3|Col4|Col5|Col6|Col7|Col8|Col9|
|---|---|---|---|---|---|---|---|---|
|ID|ID by malicious activity stage||||Infected device 16-byte random ID||||
|System information|Computer name||Processor name||||Number of processors||
||System manufacturer||||System product name||||
|OS information|Major version|Minor version||Build version||Product type||Is64bit|
|Memory information|Size of currently installed memory||||Size of total memory including available memory||||
|Other information|Name of installed anti-virus software||||Normal ntoskrnl.exe file version||||
|Hash|Data XOR hash||||||||


_Table 11: Information on infected devices collected and leaked by the malware._

The malware uses specific hexadecimal values to distinguish between the malicious activity stage and execution mode. One
of the characteristics of the malware is that it supports two modes to connect: first it connects through WinHTTP, and in the
event of failure it connects through WinINet.

**Value** **Use** **Meaning**

Sends infected device information, encryption key, secondary
0xF07D6B34 Send infected device information
download site

0xEF8C0D51 Request malware

0xCB790A25 Confirm malware reception Sends infected device ID, encryption key, secondary download site

0xD7B20A96 Confirm malware execution

Faster speed than WinINet, simultaneous access function without
0x59863F09 WinHTTP API mode
performance limitation, doesn’t support compression

Includes more functions and supports compression as a higher-level
0xA9348B57 WinINet API mode
API than WinHTTP

_Table 12: Hexadecimal values._

**_B.3 Download site_**

Both the first and second download sites work as ASP pages. Although the first download page was successfully secured,
the second download page had already been deleted at the time of analysis so was not available. The first download page
has two modes: the mode used by malware is translate; redirect mode has a simple function of redirecting to the URL
received as a query.

**Mode** **Function** **Method** **Requester**

Translate Leak data and download malware POST Malware

Redirect Page redirect GET N/A

_Table 13: The two modes._

Translate mode decodes the value received from the malware, obtains the secondary download site address, and attempts to
access it. It sends information about the infected device to the secondary download site and returns malware to the
downloader malware. On this page, the same table as the one the downloader malware has is used for decoding.

_Figure 39: Primary download site code (partial)._

**4.3 Final remote control**

We named the final remote control malware used to control the infected system ‘Bookcodes’. This is a string that is mainly
used to check the status as the malware communicates with the C2 server.

|Value|Use|Meaning|
|---|---|---|
|0xF07D6B34|Send infected device information|Sends infected device information, encryption key, secondary download site|
|0xEF8C0D51|Request malware|Sends infected device ID, encryption key, secondary download site|
|0xCB790A25|Confirm malware reception||
|0xD7B20A96|Confirm malware execution||
|0x59863F09|WinHTTP API mode|Faster speed than WinINet, simultaneous access function without performance limitation, doesn’t support compression|
|0xA9348B57|WinINet API mode|Includes more functions and supports compression as a higher-level API than WinHTTP|

|Mode|Function|Method|Requester|
|---|---|---|---|
|Translate|Leak data and download malware|POST|Malware|
|Redirect|Page redirect|GET|N/A|


-----

**_A. Remote-controlled malware ‘Bookcodes’_**

**_A.1 Types to manage C2 list_**

Although the way C2 information is held varies depending on how it is executed, the malware has the same update
function.

**Stage** **Parent** **Initial C2 reference** **Subsequent C2 update method**

Malicious HWP
Initial infection Save hard-coded C2 to memory
document
Update in memory
Maintain
Dropper Read perf91nc.inf and save to memory
persistence

_Table 14: C2 update methods._

**_A.2 Save log_**

Unlike remote-controlled malware installed by droppers, when installed for the first time by HWP documents, logs for each
stage of malicious behaviour are stored in a specific file to determine whether it has been executed properly.

**Stage** **Description**

Log file path C:\Windows\Temp\server_dll.log

Malware start log Start...

System information collection log After GetOwnInfo...

_Table 15: Storage of logs._

**_A.3 String encoding_**

Some strings used in the malware are all XOR encoded. The source and offset value and 0x33 are XORed to extract the
source string while repeating the entire length of the string.

_Figure 40: Bookcodes malware string encoding method._

**_A.4 Data encryption_**

RC4 encryption and Base64 encoding is applied to data used in all communications, such as the system information list
collected by the malware or the results of commands, and commands received from C2 servers.

_Figure 41: Examples of Bookcodes malware data encryption methods._

**_A.5 Collect and send information on infected devices_**

Upon initial execution, the malware collects information on the infected system and sends it to the C2 server as follows.
The attacker receives the information and identifies the infected system environment. The value 0x20001 is believed to be a
value to distinguish between versions of malware.

|Stage|Parent|Initial C2 reference|Subsequent C2 update method|
|---|---|---|---|
|Initial infection|Malicious HWP document|Save hard-coded C2 to memory|Update in memory|
|Maintain persistence|Dropper|Read perf91nc.inf and save to memory||

|Stage|Description|
|---|---|
|Log file path|C:\Windows\Temp\server_dll.log|
|Malware start log|Start...|
|System information collection log|After GetOwnInfo...|


-----

|Type|Data|Col3|Col4|Col5|Col6|Col7|
|---|---|---|---|---|---|---|
|Length|Total data length||||||
|Identifier|Infected device 8-byte random ID||||||
|Timer setting|Check timer setting and execution||||||
|System information|Local IP|Computer name|User name|Country|Processor name|Text set|
|OS information|OS type||OS version||Service pack version||
|Memory information|Size of currently installed memory||||||
|Malware version|0x20001||||||


_Table 16: Information collected by the malware and sent to the C2 server._

The data structure for sending information on infected devices is as follows.

_Figure 42: Data structure for sending information on infected devices._

**_A.6 Receive commands and send results_**

Figure 43 shows the command structure that an attacker sends to gather additional information through malware and to
inflict additional malware infection.

_Figure 43: Data structure when sending commands._


-----

**_A.7 Remote control full commands_**

The remote control behaviour by the commands used by the malware is as follows.

**Command** **Description** **Command** **Description**

0x97853646 Collect information on connected drive 0x97863654 Terminate behaviour

Collect information on process
0x97853647 Directory listing 0x97853655
being run

0x97853648 Copy file then upload 0x97853656 Send system information

Send current status (C2 information,
0x97853649 Delete file 0x97853657
service name, etc.)

0x9785364A Secure delete 0x97853658 C2 address update

0x9785364B Download file 0x97853659 Confirm current malware status

0x9785364D Upload file 0x9785365B Create process with user privilege

0x9785364E Temporary file compression and upload 0x9785365C Command fail

0x9785364F Create process 0x9785365D Command success

0x97853651 Change file timestamp 0x97853660 Confirm local system time

Attempt communication with address
0x97853652 0x97853661 Confirm working directory
received from server

0x97853653 Execute received command 0x97853662 Change working directory

_Table 17: Commands and behaviours._

**_B. C2 server_**

The C2 server of the Bookcodes remote-controlled malware also operates as an ASP page. The page attempts to
communicate with POST, where transmission data does not remain in the web log, and is located between malware and
attackers, acting as a proxy.

**_B.1 C2 page function list_**

C2 page functions are largely divided into data transfer and log save. The biggest role is to receive or transmit data to
attackers, and other functions include saving the ID values of infected devices. In addition, there is the MID that manages
these C2 pages, and when a victim accesses the C2 page, the IP of the infected device and the C2 page address is sent to the
MID.

**Mode** **Function** **Requester by mode**

Information File update with MID address saved

Savec Send commands to C2 server by each infected device
Attacker

Read Receive command results by each infected device from C2 server

Restore Collect infected device ID log file

Communication Save infected device ID and transfer to MID

Load Receive command from C2 server Malware

Saves Send infection information and command results to C2 server

_Table 18: C2 page functions._

|Command|Description|Command|Description|
|---|---|---|---|
|0x97853646|Collect information on connected drive|0x97863654|Terminate behaviour|
|0x97853647|Directory listing|0x97853655|Collect information on process being run|
|0x97853648|Copy file then upload|0x97853656|Send system information|
|0x97853649|Delete file|0x97853657|Send current status (C2 information, service name, etc.)|
|0x9785364A|Secure delete|0x97853658|C2 address update|
|0x9785364B|Download file|0x97853659|Confirm current malware status|
|0x9785364D|Upload file|0x9785365B|Create process with user privilege|
|0x9785364E|Temporary file compression and upload|0x9785365C|Command fail|
|0x9785364F|Create process|0x9785365D|Command success|
|0x97853651|Change file timestamp|0x97853660|Confirm local system time|
|0x97853652|Attempt communication with address received from server|0x97853661|Confirm working directory|
|0x97853653|Execute received command|0x97853662|Change working directory|

|Mode|Function|Requester by mode|
|---|---|---|
|Information|File update with MID address saved|Attacker|
|Savec|Send commands to C2 server by each infected device||
|Read|Receive command results by each infected device from C2 server||
|Restore|Collect infected device ID log file||
|Communication|Save infected device ID and transfer to MID|Malware|
|Load|Receive command from C2 server||
|Saves|Send infection information and command results to C2 server||


-----

The function of the MID page below allows an attacker to collect all the information on C2 pages and identify which
infected devices are connected on which C2 pages. An attacker periodically gathers information on MID pages. An
attacker can enable logging by sending 1 to the tableno parameter on initial use of the freeboard function, and only the
device that is connected for 60 seconds following the attacker’s request is saved. In other words, the attacker collects and
confirms the IP of the infected device and C2 information only when the attacker wishes to, and issues commands
through C2.

**Mode** **Function** **Requester**

qnaboard Send and save accessed C2 page and infected device information C2 page

freeboard Enable function or request data stored through qnaboard Attacker

_Table 19: Page functions._

_Figure 44: MID page partial code (infected device ID, infected device IP, C2 page address save)._

**_B.2 Response value when connecting to C2 server_**

The Bookcodes malware communicates with the C2 page and checks the connection status through the following values.

**Mode** **C2 page** **MID**

bookcodes:200 200 Success 200 Success

bookcodes:300 Failed to read and set file     
bookcodes:400 MID page 404 Not Found Exceed request time

bookcodes:500 Failed to access MID page     
bookcodes:600     - Failed to read log file

_Table 20: Values used to communicate with the C2 page and check the connection status._

**_C. Remote control framework_**

The entire communication structure of remote control consists of the remote-controlled malware, C2 page, MID page, and
the attacker. The overall flow is shown in Figure 45.

|Mode|Function|Requester|
|---|---|---|
|qnaboard|Send and save accessed C2 page and infected device information|C2 page|
|freeboard|Enable function or request data stored through qnaboard|Attacker|

|Mode|C2 page|MID|
|---|---|---|
|bookcodes:200|200 Success|200 Success|
|bookcodes:300|Failed to read and set file|-|
|bookcodes:400|MID page 404 Not Found|Exceed request time|
|bookcodes:500|Failed to access MID page|-|
|bookcodes:600|-|Failed to read log file|


-----

_Figure 45: Overview of remote-control communications._

**_C.1 Process during malware infection_**

When infected with malware, the actual remote control framework operates as shown in Figure 46.

_Figure 46: Remote control communication order._


-----

**_C.2 Overall framework structure_**

Analysis of a number of infected victims, C2 pages, and MID servers confirmed that the remote control framework consists
of the structure shown in Figure 47.

_Figure 47: Overall remote control framework structure._

**4.4 Tool**

**_A. DLL injector_**

Using the injector tool, the ID value of the currently running process is checked and an attempt is made to inject malware
into that process. Used to inject the following Proxy tool.

_Figure 48: DLL injector malware execution option._

Referring to the pre-collected process ID received from the second parameter, the malware received is injected as the third
parameter into the process with that PID. The process is as shown in Figure 49.

_Figure 49: DLL injector method._


-----

**_B. Proxy tools_**

When attempting a watering hole attack, the attacker used a DLL injector to the hosting server to inject the Proxy tool into
the w3svc service. The malware injected into the w3svc service uses the server API because it operates on the web server,
and it creates a URL group to monitor all packets and downloads the malware from the attacker’s server when the request
value for a specific condition enters request query.

_Figure 50: Proxy tool operation method._

**5. CONCLUSION**

In this report, the Korea Internet & Security Agency (KISA) looked at the types of attacks that collect internal information
using various malware and tools after initial access through spear-phishing emails.

Attackers used spear phishing for initial access, exploiting human error rather than risking a direct attack on a highly
secured system. Once an attacker successfully infiltrates a company, an attacker secures persistence with remote-controlled
malware, collects information and spreads malware.

Normal tools were also used when collecting information to avoid detection by anti-virus software. With these offensive
tactics in mind, it is necessary to avoid accessing external sites through Internet Explorer (which is no longer supported),
refrain from opening attachments or clicking links in any suspicious emails, and to contact the in-house information
security team in any such cases.

To prevent infection through attachments, users should make sure that the extension is not used twice or is not hidden at the
end of a very long file name. Avoid opening executable extensions (exe, msi, scr, vbs, bat, ps1, etc.).

Additionally, the Hangul word processor and Microsoft Office programs should always be kept up to date. Do not click any
suspicious links within the body of a document. For Microsoft Office files, do not open any documents that encourage
enabling macro options.

It can be difficult to prevent initial access attacks such as spear phishing, which target human error, with only a limited
number of security personnel dedicated to protect a firm’s employees and assets. Therefore, it is important to have
measures to minimize damage and slow the pace of an attack in case of infiltration. Defenders should be able to monitor
the minimum of important systems based on their understanding of the network structure. Additionally, unnecessary
network sharing among systems should be terminated and access privileges to accounts should be separated by systems.

**REFERENCE**

[1] KrCERT/CC. [TECHNICAL REPORT] TTPs#1 Controlling local network through vulnerable websites.
June 2020. https://www.boho.or.kr/krcert/publicationView.do?bulletin_writing_sequence=35464&queryString=
[cGFnZT0zJnNvcnRfY29kZT0mc29ydF9jb2RlX25hbWU9JnNlYXJjaF9zb3J0PXRpdGxlX25hbWUmc2Vhcm](https://www.boho.or.kr/krcert/publicationView.do?bulletin_writing_sequence=35464&queryString=cGFnZT0zJnNvcnRfY29kZT0mc29ydF9jb2RlX25hbWU9JnNlYXJjaF9zb3J0PXRpdGxlX25hbWUmc2VhcmNoX3dvcmQ9)
NoX3dvcmQ9.


-----