# Threat Intelligence Report: Operation 'Rocket Man'

ESTsecurity Security Response Center (ESRC), 2018.08, ESRC-1808-TLP-White-IR002

## INDEX

01. RocketMan Report
- The latest APT campaign of the Geumseong121 group: 'Operation Rocket Man'
- Detailed Analysis

02. Correlation Analysis
- Similar Threat Case
- Deep Analysis on Correlation
- Time Series Analysis of the Geumseong121 Group

03. Conclusion
- Persistent Threat

# 01. RocketMan Report

## 1. The latest APT campaign of the Geumseong121 group: 'Operation Rocket Man'

ESTsecurity Security Response Center (ESRC) is the Cyber Threat Intelligence (CTI) arm of ESTsecurity. On March 20, ESRC published a report on the state-sponsored APT group Geumseong121, which had been running intrusion campaigns against North Korea-related organisations and the defense sector and had recently turned to Android-based mobile spear phishing.

[Figure 1] Attack vectors of the Geumseong121 group

The group delivered the CVE-2018-4878 Flash Player zero-day over KakaoTalk messenger and made repeated targeted attempts with malicious HWP documents. In the mobile spear phishing (APK) discovered in March, the malicious apps were distributed with the word 'Secret' in place of 'Illegal'.

Geumseong121 is assessed to be a state-sponsored cyber unit. It attacked Android users with malware disguised as the mobile anti-virus ('vaccine') app of a leading Korean portal company; ESRC has published a detailed analysis of the malicious app (Trojan.Android.Fakeav) at http://blog.alyac.co.kr/1587.

[Figure 2] Tricking users into installing an APK disguised as the mobile security app

Further threats related to this case have been covered in detail by Cisco Talos (https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html) and Palo Alto Networks Unit 42 (https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/).

## 2. Malware Analysis

### 2.1. File Information

| File Name | File Format | File Size | Content Created | Last Updated | MD5 | SHA-256 |
|---|---|---|---|---|---|---|
| 111.hwp | HWP | 18,432 bytes | 2018.08.10 | 2018.08.10 | edc1bdb2d70e36891826fdd58682b6c4 | 2caf1e26a67760268648b0ec8ea66be9d2e28bac1b2a48e1e6f6e9a06beb042c |
| Ant_3.5.exe | PE EXE | 12,214,272 bytes | 2018.08.10 | 2018.08.10 | b710e5a4ca00a52f6297a3cc7190393a | 32e98f39bcde86885c527ddcf68fad67d0a7e6c23877672ebfd4c2a6a3f545e5 |
| worldnews.doc | PE EXE | 368,128 bytes | 2018.08.14 | 2018.08.14 | 1213e5a0be1fbd9a7103ab08fe8ea5cb | dc827f7a1e5ee4600697d7d3efdeb8401b7a9af3d704d0462e7d3e0804a9069d |
| 통지.hwp | HWP | 173,056 bytes | 2017.10.10 | 2017.10.10 | af6721145079a05da53c8d0f3656c65c | 8bb3d97a37a6c7612624a12f8ff60eb8dd130f9e8f9af4f4f2cf8fca4f1dd964 |
| desktops.ini | INI | 204 bytes | - | - | 05eef00de73498167b2d7ebdc492c429 | 4380769cdef6ed56c1290acfc98a26e029e887a3b4ebfc417bfd80408b4d9e90 |

None of the five files carries a file version. Note that worldnews.doc is a PE executable despite its .doc extension.

### 2.2.
Detailed Analysis

ESRC has tracked this group's campaigns for several years and has found it active against Korean targets, on and off, since 2013. Its main attack vectors are watering holes, spear phishing, social-network phishing and torrent-based distribution.

The latest spear phishing, against a specific Korean target, was discovered in August 2018, and the analysis turned up several interesting facts. In this attack the sender posed as the HR representative of a Korean company. The following IoCs were identified; ESRC promptly shared them with the Korea Internet & Security Agency (KISA) so that distribution of the malware could be blocked.

- http://m.ssbw.co.kr/admin/form_doc/image/down/down[.]php (MD5: af6721145079a05da53c8d0f3656c65c)
- http://m.ssbw.co.kr/admin/form_doc/image/down/worldnews[.]doc (MD5: 1213e5a0be1fbd9a7103ab08fe8ea5cb)
- http://m.ssbw.co.kr/admin/form_doc/image/img/111[.]hwp (MD5: edc1bdb2d70e36891826fdd58682b6c4)
- http://m.ssbw.co.kr/admin/form_doc/image/img/Ant_3.5[.]exe (MD5: b710e5a4ca00a52f6297a3cc7190393a)
- http://m.ssbw.co.kr/admin/form_doc/image/img/desktops[.]ini (MD5: 05eef00de73498167b2d7ebdc492c429)

The spear phishing used by Geumseong121 has a distinctive feature: instead of attaching a lure or decoy file, the mail embeds a link to a compromised Korean website, styled to look like an attachment image. The Korean in the mail is fluent, but some regional expressions are subtly off. Linguistic analysis of this kind is used to profile the attacker's locale, and analysts fluent in the language can extract more from it. The metadata in the attack files is likewise a key clue for correlating this incident with past intrusions.
The malware found in the August campaign is disguised with the icon of a Korean security program. The tactic mirrors the March attack, but this time the lure is a PC security program rather than a mobile one.

[Figure 3] Flow of the attack disguised as a security program

Depending on the attack vector, the malware disguised as a security program installs additional files in several stages and runs different commands depending on the installed .NET version. The .NET-based payloads carry a build artifact, 'Ant.pdb', and the attacker keeps generating variants from a project folder named 'Rocket':

- E:\project\windows\Rocket\Ant\Api\PubnubApi\obj\Debug\net35\Pubnub.pdb
- E:\project\windows\Rocket\Ant_3.5\Ant\obj\Release\Ant.pdb

[Figure 3-1] PDB paths created under the Rocket folder

We grouped these campaigns under their shared keywords and named the operation 'Operation Rocket Man'.

While analysing the code used in the attack, ESRC found many false flags intended to mislead threat intelligence (TI). The attacker used the romanised Chinese word [Haizi](https://dictionary.hantrainerpro.com/chinese-english/translation-haizi_child.htm) (孩子, child), and the same word appears in the .NET programs installed later. The .NET malware also contains the word 'PAPA', whereas the romanised Chinese for father would be [BABA](https://dictionary.hantrainerpro.com/chinese-english/translation-baba_father.htm). This suggests the attacker's native language may not be Chinese.

[Figure 4] Romanised Chinese in the malware

The installed malware downloads an encrypted INI configuration file and decrypts it.
The configuration file is named 'desktops.ini' and carries the commands; it is fetched from the same C2 server that serves the exploit. The loader splits the file into seven strings and XORs each one with key 0x17 (decimal 23); a file that does not yield exactly seven fields is rejected:

```csharp
// Decompiled from the .NET loader, as shown in the report. The field
// assignments after m_strChannelNameTmp are not reproduced in the report.
public void SetPubnub(string[] strArr)
{
    if (strArr.Length != 7)
    {
        return;                                   // malformed config: ignore it
    }
    for (int i = 0; i < strArr.Length; i++)
    {
        strArr[i] = this.calcXor(strArr[i], 23);  // single-byte XOR, key 0x17
    }
    this.m_strChannelNameTmp = strArr[1];         // PubNub channel name
    // ...
}
```

Once decryption completes, command and control (C2) communication proceeds over a PubNub channel, an Infrastructure-as-a-Service messaging platform. The attacker uses the 'LiuJin' account here as well, which on its face points to China. 'LiuJin' has many possible Chinese renderings; written as [刘劲 (LiuJin)](https://baike.baidu.com/item/%E5%88%98%E5%8A%B2/6641414) it is the name of a Chinese actor, and it is also the name of [an online game](http://www.liujin.cn/). ESRC believes the China-related traces are left in the code deliberately: with high probability this is a disruption strategy that plants linguistic and geographic clues to confuse threat intelligence (TI).

[Figure 5] IaaS-based PubNub command and control (C2) server

Because the attacker routes C2 through a legitimate IaaS service, the malicious traffic is hard to distinguish from normal use.

# 02. Correlation Analysis

## Similar Threat Case

Spear phishing using the same technique was identified in September 2017.
The HWP vulnerability was used in that attack too, and its metadata matches the IoCs of the August 2018 attack. The sender account name and the OLE code were disguised to look like a reference to, and a reply to, the original message.

[Figure 6] E-mail used in the attack

The malicious program was named 'icloud.exe' and contains the following PDB (Program Database) path:

- E:\))PROG\doc_exe\Release\down_doc.pdb

The PDB paths vary across variants, and they also tie back to the 2013 versions that used AOL Instant Messenger (AIM). AIM was the group's communication channel in the early days, before compromised Korean websites took over as the C2 medium; it then moved to Streamnation.com for command and control. The accounts used for C2 were registered with e-mail addresses from Korea, the USA, China, India and Russia. Cloud services such as pCloud.com, yandex.com and Dropbox have been used in the past; today the real-time messaging platform PubNub is used. PubNub is an infrastructure-as-a-service (IaaS) offering that connects IoT and cloud devices into one system.

- K:\))pick\ie\test.pdb
- D:\))pick\doc_exe\Release\down_doc.pdb
- E:\))PROG\doc_exe\Release\down_doc.pdb
- E:\))PROG\doc_exe\Release\drun.pdb
- E:\))PROG\ie\Release\drun.pdb
- E:\))PROG\Upload\Upload\thunder
- E:\))PROG\waoki\Release\runner.pdb
- E:\))PROG\waoki\Release\kltest.pdb

[Figure 7] Analysis of the PDB paths in the malicious programs

The C2 server for this attack was the domain 'endlesspaws.com', which had already been used several times in similar attacks. From a threat intelligence (TI) point of view, a server identified this way is useful for investigating other threats carried out by the same attackers.
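The correlations in this report lean on PDB build paths shared across variants ('Rocket', '))PROG', '))pick', 'FlashDeveloping', 'Orbis', 'Aol'). The following Python is an added example, not ESRC tooling: it carves CodeView 'RSDS' records (signature, 16-byte GUID, 4-byte age, NUL-terminated path) out of raw bytes, so it works on carved fragments and memory dumps as well as intact PE files, and clusters samples by the path markers above. The sample blobs and the benign path are constructed for the example; the two malicious paths are the ones quoted in this report.

```python
"""Carve PDB paths from PE samples and cluster them by build-tree marker.

Added example for this report, not ESRC tooling. Scans for CodeView 'RSDS'
records directly rather than walking IMAGE_DEBUG_DIRECTORY, so it also works
on carved fragments and memory dumps. The sample blobs are constructed.
"""
import re
import struct
import uuid
from collections import defaultdict

# CodeView record as emitted by MSVC: 'RSDS' + GUID(16) + age (uint32 LE) + path + NUL.
RSDS_RE = re.compile(
    rb'RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[\x20-\x7e]{1,260})\x00', re.S)

# Build-tree markers quoted in this report; extend the tuple as variants appear.
WATCHLIST = ('Rocket', '))PROG', '))pick', 'FlashDeveloping', 'Orbis', 'Aol')


def extract_pdb_records(blob):
    """Return [(guid, age, pdb_path)] for every RSDS record found in `blob`."""
    found = []
    for m in RSDS_RE.finditer(blob):
        guid = str(uuid.UUID(bytes_le=m.group('guid')))
        age = struct.unpack('<I', m.group('age'))[0]
        found.append((guid, age, m.group('path').decode('ascii')))
    return found


def match_watchlist(pdb_path, watchlist=WATCHLIST):
    """Watchlist markers that occur as a whole path component (case-insensitive)."""
    parts = [p.lower() for p in pdb_path.replace('/', '\\').split('\\')]
    return [w for w in watchlist if w.lower() in parts]


def correlate(samples, watchlist=WATCHLIST):
    """samples: {name: bytes}. Returns {marker: sorted [(name, pdb_path)]}."""
    hits = defaultdict(list)
    for name, blob in samples.items():
        for _guid, _age, path in extract_pdb_records(blob):
            for marker in match_watchlist(path, watchlist):
                hits[marker].append((name, path))
    return {marker: sorted(entries) for marker, entries in hits.items()}


def build_rsds(path, age=1, guid=None):
    """Constructed helper: emit one RSDS record (this is not a real PE file)."""
    guid = guid or uuid.uuid4()
    return b'RSDS' + guid.bytes_le + struct.pack('<I', age) + path.encode('ascii') + b'\x00'


# Constructed stand-ins for samples: junk bytes around a single RSDS record.
SAMPLES = {
    'Ant_3.5.exe': b'MZ' + b'\x90' * 40 + build_rsds(
        r'E:\project\windows\Rocket\Ant_3.5\Ant\obj\Release\Ant.pdb', age=3) + b'\x00' * 8,
    'icloud.exe': b'MZ' + b'\xcc' * 16 + build_rsds(
        r'E:\))PROG\doc_exe\Release\down_doc.pdb') + b'PADDING',
    'benign.exe': b'MZ' + build_rsds(r'C:\build\app\Release\app.pdb') + b'\x00',  # constructed
}

if __name__ == '__main__':
    for marker, entries in correlate(SAMPLES).items():
        print(marker)
        for name, path in entries:
            print('   ', name, '->', path)
```

Carving for RSDS finds paths in truncated or partially unpacked samples, but a string that merely resembles a record can also match; when a hit matters, confirm it against the debug directory of the unpacked binary. The GUID and age together identify one specific build, which links two samples to the same compile even when file names and hashes differ.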
ESRC also confirmed that the domain is connected to a North Korea-related watering-hole attack discovered in South Korea in 2015, and found evidence that it was used in a 2017 spear-phishing attack carrying an executable attachment. An attack exploiting CVE-2017-8759 was detected as well; some of these cases were covered on the blog of the Chinese security company Tencent (https://s.tencent.com/research/report/274.html).

## Deep Analysis on Correlation

A number of similar threats appeared in February 2017. The domain endlesspaws.com was used to distribute malware, luring victims with a safety guideline on strengthening protection for North Korean defectors.

[Figure 8] Distributing malware disguised as the safety guideline

The mail appears to attach a ZIP of safety tips, but the link actually points at the endlesspaws.com domain, which delivers a compressed file containing a malicious EXE whose double extension disguises it as an HWP document. The icon is taken from the document-file resource, so the EXE looks like a normal HWP file. The executable carries an embedded routine that decodes certain hex-encoded data with the single-byte XOR key 0x55 and then attempts to connect to the following addresses, on the same C2 domain that distributed the ZIP:

- http://endlesspaws.com/vog/tan[.]php?fuck=x
- http://endlesspaws.com/vog/denk[.]zip

[Figure 9] Code that decodes the encrypted C2 data

The additionally downloaded 'denk.zip', despite its name, is not a ZIP archive but an HWP document.
Malware distributed as an EXE normally carries a clean HWP document inside it and shows that document to the user during infection, or downloads a clean document from the C2 server. This case is different: it downloads and installs an additional malicious HWP document, an unusual step on a system that is already infected. Because the document's content matches the e-mail used in the attack, it is unlikely that the file was mislinked from some other operation.

The malicious script is injected into the DefaultJScript area of the denk.zip file. A malicious DLL, embedded as a Base64-encoded blob, is decoded when the script runs.

[Figure 10] The malicious script code included in the document file

The Base64-decoded DLL contains a PDB path and connects to six Korean command and control (C2) servers. The string 'srvrlyscss', which has appeared in many Korean IoCs, is used in the communication.

[Figure 11] Code with the 'srvrlyscss' string used for communication

- seline.co.kr/datafiles/CNOOC[.]php
- www.causwc.or.kr/board_community01/board_community01/index2[.]php
- www.kumdo.org/admin/noti/files/iindex[.]php
- www.icare.or.kr/upload/board/index1[.]php
- cnjob.co.kr/data/blog/iindex[.]php
- notac.co.kr/admin/case/iindex[.]php

The string 'taihaole9366' is used as the mutex name to prevent duplicate execution. 'Taihaole' is the romanisation of the Chinese [太好了](https://chinese.pandarow.com/dict/%E5%A4%AA%E5%A5%BD%E4%BA%86-taihaole), 'very good'. The attacker has used romanised Chinese frequently in the past, and there are many other such expressions.

[Figure 12] Encoded C2 and a mutex in romanised Chinese

In January 2018, malware disguised as a popular Chinese security program was identified. This is a separate case from the one disguised as an existing Korean security program. The attacker added a fake page to the Korean website 'ebsmpi.com' that imitated the web page of the Chinese 360 Total Security product: the source of the Chinese site was copied and the download replaced with the malicious files. The linked address is as follows; clicking 'Free Download' fetches the file '360TS_Setup_Mini.exe'.

- http://ebsmpi.com/ipin/360/down[.]php

[Figure 13] Fake page added to the compromised Korean website 'ebsmpi.com'

The file name (360TS_Setup_Mini.exe) mimics the Chinese security program, and the icon is copied from the legitimate program. An additional .NET-based malicious file is installed depending on environmental conditions.
In August 2018 ESRC confirmed that its encryption algorithm is identical to that of the attack disguised as the Korean portal's security program.

[Figure 14] Comparison of the malicious file disguised as a Chinese security program with the normal file

- http://ebsmpi.com/ipin/360/Ant_3.5[.]exe (MD5: ff32383f207b6cdd8ab6cbcba26b1430)
- http://ebsmpi.com/ipin/360/Ant_4.5[.]exe (MD5: 84cbbb8cdad90fba8b964297dd5c648a)
- http://ebsmpi.com/ipin/360/desktops[.]ini (MD5: ab2a4537c9d6761b36ae8935d1e5ed8a)
- http://cgalim.com/admin/hr/temp[.]set (MD5: fa39b3b422dc4232ef24e3f27fa8d69e)

The legitimate '360TS_Setup_Mini.exe' is hosted on the domain 'cgalim.com' under the file name 'temp.set'; the same domain was used in a similar intrusion discovered in the second half of the year.

[Figure 14-1] '360TS_Setup_Mini.exe' installing the legitimate file

The initial .NET-based malicious files contain the following PDB paths, some of which have been stripped from the latest variants:

- E:\project\windows\Rocket\Ant\Api\PubnubApi\obj\Debug\net35\Pubnub.pdb
- E:\project\windows\Rocket\Sys-Guard\Servlet-standalone_Guard\Release\Servlet.pdb
- E:\project\windows\Rocket\Sys-Guard\Chutty_Guard\Release\Chutty.pdb
- E:\project\windows\Rocket\Servlet\Release\Servlet.pdb
- E:\project\windows\Rocket\Ant_4.5\Ant\obj\Release\Ant.pdb

ESRC verified that when the malicious file runs, it downloads the legitimate program from another compromised server so that the victim believes the real program is running. The C2 server overlaps with hosts seen distributing the Android malicious application (1.apk) and the bitcoin-themed 'bitcoin-trans.doc' (MD5: 8ab2819e42a1556ba81be914d6c3021f).
- http://cgalim.com/admin/hr/hr[.]doc (MD5: 24fe3fb56a61aad6d28ccc58f283017c)
- http://cgalim.com/admin/hr/1[.]apk (MD5: 9525c314ecbee7818ba9a819edb4a885)
- http://cgalim.com/admin/hr/temp[.]set (MD5: fa39b3b422dc4232ef24e3f27fa8d69e)

Traces on the domain 'cgalim.com' show that variants were distributed from the sub-path /1211me/ as well as /hr/.

In 2015 and 2016 the group ran watering-hole attacks against North Korea-related organisations, actively exploiting Flash Player vulnerabilities. North Korea-related news sites and other websites were the main targets, and the campaign lasted several months. The following malicious object was added to the compromised websites.

[Figure 15] Flash Player exploit code used in the watering-hole attack

In 2015 the group exploited the then-latest Flash Player vulnerabilities CVE-2015-5119 and CVE-2015-0313; the CVE-2015-5119 exploit came from the breach of the Italian company Hacking Team. Since late 2017 the group has selected victims through KakaoTalk Messenger and attacked them with the CVE-2018-4878 Flash Player zero-day.

- G:\FlashDeveloping\mstest\src (CVE-2014-8439)
- G:\FlashDeveloping\20148439\src (CVE-2014-8439)
- G:\FlashDeveloping\Main\src\ (CVE-2015-0313)
- G:\FlashDeveloping\2015-3090\src (CVE-2015-3090)
- G:\FlashDeveloping\20153105\src (CVE-2015-3105)
- G:\FlashDeveloping\20155119\src (CVE-2015-5119)
- G:\FlashDeveloping\chrome_ie\src (CVE-2015-5119)

If the additional malware downloaded by the Flash Player (SWF) exploit fails to obtain administrator rights through User Account Control, a fake hard-disk error message pops up after about five minutes. It poses as a backup process and re-executes the malware with administrator privileges through a CMD command.
Some of the Korean expressions in that message match North Korean computer terminology (프로쎄스 for 'process', 프로그람 for 'program').

[Figure 16] Fake error message containing North Korean computer terminology

The C2 method has evolved over the years. In the earliest days, the AOL Instant Messenger (AIM) OSCAR protocol was used for command and control. The encrypted exchange is carried out with an AIM account and password, and the password is English characters typed on a Korean keyboard. The PDB path used at that time shows the code was developed in an 'Aol' folder.

- fastcameron13 / powercooper00 / dPfWls&Rkapfns19 (옐찐&까메룬19)
- F:\Program\svr_install\Release\svr_install.pdb
- F:\Program\Aol\Release\ServiceDll1.pdb

[Figure 17] Using AIM as C2

The malware logs in to AIM with the account and password and, once connected, sends encrypted messages to another account. After infection, encrypted messages carrying computer information and further commands are exchanged, and many accounts have been used. The attackers mainly used addresses at aol.com, hotmail.com, yahoo.com, india.com, inbox.com, gmail.com and zmail.ru, and created further variants:
- allmothersorg11@hotmail.com
- allmothersorg@hotmail.com
- bluelove@india.com
- cmostenda01@yahoo.com
- cmostenda102@yahoo.com
- cmostenda103@yahoo.com
- daum14401@zmail.ru
- dapplecom2013@yahoo.com
- eatleopard00@inbox.com
- fastcameron00
- fastcameron11
- fastcameron13
- fatpigfarms@hotmail.com
- fatpigs9009@hotmail.com
- friendleopard00@aol.com
- ganxiangu04@hotmail.com
- ganxiangu07@hotmail.com
- greatvictoria84
- greatvictoria85
- greatvictoria86
- greatvictoria87
- hatmainman@hotmail.com
- hatwoman40@hotmail.com
- jinmeng288@gmail.com
- minliu231@gmail.com
- Okokei@india.com
- pghlsn333@gmail.com
- prettysophia00
- prettysophia47
- prettysophia48
- prettysophia49
- prettysophia50
- prettysophia51
- prettysophia52
- prettysophia53
- prettysophia54
- prettysophia55
- prettysophia56
- prettysophia57
- tosarang87@gmail.com
- winpos1000@zmail.ru
- winpos1001@zmail.ru
- winpos1002@zmail.ru
- winpos1003@zmail.ru
- winpos1004@zmail.ru
- xiangangxu88@hotmail.com
- zum36084@gmail.com
- zum36084@zmail.ru
- zum36085@zmail.ru

The addresses 'zum36084@gmail.com', 'zum36084@zmail.ru' and 'daum14401@zmail.ru' were created and used for test sends in early 2016. Investigation based on indicators of attack (IoA) shows that the attacker set up 'zum36084@gmail.com' to pose as the 'Google Account Team', and wrote in Hangul from the start.

[Figure 18] Test sends after creating the e-mail accounts for the attack

A test mail sent on March 3, 2016 attached '0303_zmail.gif', an EXE-format malicious file encrypted in two steps, one of them XOR with key 0x69.
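Every payload layer in this report is a single-byte XOR (0x17 on the desktops.ini PubNub configuration via calcXor(..., 23), 0x55 on the embedded executable and C2 data, 0x69 on the mailed '0303_zmail.gif'), so the key can be recovered from the ciphertext alone with a known-plaintext crib: 'MZ' for an embedded executable, a protocol prefix or keyword for configuration strings. The following Python is an added example, not ESRC code; the buffers it works on are constructed (a minimal fake PE header and placeholder strings), not real samples.

```python
"""Single-byte XOR key recovery for layered payloads.

Added example for this report, not ESRC code. Covers the three XOR layers the
report describes (0x17, 0x55, 0x69) with a generic crib search; the sample
buffers are constructed stand-ins, not real samples.
"""
import struct


def xor_bytes(data, key):
    """XOR every byte with one key byte. Applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """Cheap sanity check: 'MZ' at offset 0 and e_lfanew (0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'


def recover_key(blob, crib, validate=None):
    """Keys under which `crib` appears somewhere in `blob`, optionally filtered by a
    predicate on the fully decrypted buffer.

    key = cipher_byte ^ plain_byte, so each position implies exactly one key and
    only the keys implied by the first crib byte need to be tested, not all 256."""
    n = len(crib)
    candidates = set()
    for i in range(len(blob) - n + 1):
        k = blob[i] ^ crib[0]
        if xor_bytes(blob[i:i + n], k) == crib:
            candidates.add(k)
    keys = sorted(candidates)
    if validate is not None:
        keys = [k for k in keys if validate(xor_bytes(blob, k))]
    return keys


def ascii_strings(data, min_len=6):
    """Printable runs: the usual triage step once a layer has been remov
ed."""
    found, run = [], bytearray()
    for b in data + b'\x00':          # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode('ascii'))
            run = bytearray()
    return found


def fake_pe(payload):
    """Constructed: the smallest layout that satisfies looks_like_pe (not loadable)."""
    header = bytearray(b'MZ' + b'\x00' * 0x3E)
    struct.pack_into('<I', header, 0x3C, 0x40)     # e_lfanew: right after the header
    return bytes(header) + b'PE\x00\x00' + payload


# Constructed stand-ins: an XOR-0x55 executable carrying a placeholder C2 URL,
# and an XOR-0x17 configuration string standing in for a PubNub channel field.
ENCRYPTED_STAGE = xor_bytes(fake_pe(b'http://c2.example.invalid/index.php\x00'), 0x55)
ENCRYPTED_CONFIG = xor_bytes(b'pubnub-channel-name', 0x17)

if __name__ == '__main__':
    key = recover_key(ENCRYPTED_STAGE, b'MZ', validate=looks_like_pe)[0]
    print(f'stage key 0x{key:02x}, strings: {ascii_strings(xor_bytes(ENCRYPTED_STAGE, key))}')
    print('config keys:', [hex(k) for k in recover_key(ENCRYPTED_CONFIG, b'pubnub')])
```

A two-byte crib on its own is weak evidence: any two adjacent plaintext bytes whose XOR equals 'M' ^ 'Z' also yield a candidate key, which is why the PE-header predicate is applied to the whole decrypted buffer before a key is accepted. The second step of the '0303_zmail.gif' encryption is not described in the report, so the code above only removes the XOR layer.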
The decrypted malicious file infects only specific computer names, which include a Korean personal name and the name of a journalist at a particular press outlet:

- 하지나
- WOOSEONG-PC
- T-PC

Some variants check the following account names instead; the computer name SEIKO, for example, turns up often in IoCs. When the HWP document exploit is used, the checked name matches the document's last-writer metadata, and these names appear in the infection logs from '175.45.178.133' (an address in the 175.45.176.0/22 block allocated to North Korea):

- 홍채연[하율]
- KIM[Administrator]
- JAMIE[Jamie Kim]
- DONGMIN[MinSk]
- T-PC[T]
- YONGJA-PC
- USER
- sec
- CRACKER-PC
- SEIKO

The infection log for the 'SEIKO' account also records the host's network configuration:

```text
Windows IP Configuration
   Host Name . . . . . . . . . . . . : SEIKO-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physical Address. . . . . . . . . : F0-DE-F1-A1-96-C3
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 175.45.178.133(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
```

A computer that satisfies the condition decrypts the embedded code with the XOR key 0x55, writes it out under the file name 'conhost.exe' and executes it. This 'conhost.exe', for instance, communicates with AOL Instant Messenger.
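The AIM credentials quoted earlier (fastcameron13 / powercooper00 / dPfWls&Rkapfns19, read by the report as 옐찐&까메룬19) are a good illustration of a correlation clue that is invisible in ASCII: the password is what you get when a Hangul phrase is typed with the keyboard in English mode. The following Python is an added example, not ESRC code. It replays a QWERTY string through the standard Korean 2-set (두벌식) layout and composes syllables with the Unicode formula U+AC00 + (initial * 21 + medial) * 28 + final, so an analyst can test any suspect credential, mutex or string the same way; the layout table and composition rules are the standard ones, and the two worked inputs are the passwords the report quotes.

```python
"""Replay a QWERTY string through the Korean 2-set (두벌식) keyboard layout.

Added example for this report, not ESRC code. Shows how an AIM password that
looks like line noise in ASCII reads as Hangul once the keystrokes are
interpreted with the Korean IME on. Layout table: standard 2-set layout.
Composition: U+AC00 + (initial*21 + medial)*28 + final.
"""

# QWERTY key -> compatibility jamo. Shift changes only the capitals listed;
# every other capital letter types the same jamo as its lower-case key.
KEY_TO_JAMO = {
    'q': 'ㅂ', 'w': 'ㅈ', 'e': 'ㄷ', 'r': 'ㄱ', 't': 'ㅅ',
    'y': 'ㅛ', 'u': 'ㅕ', 'i': 'ㅑ', 'o': 'ㅐ', 'p': 'ㅔ',
    'a': 'ㅁ', 's': 'ㄴ', 'd': 'ㅇ', 'f': 'ㄹ', 'g': 'ㅎ',
    'h': 'ㅗ', 'j': 'ㅓ', 'k': 'ㅏ', 'l': 'ㅣ',
    'z': 'ㅋ', 'x': 'ㅌ', 'c': 'ㅊ', 'v': 'ㅍ', 'b': 'ㅠ', 'n': 'ㅜ', 'm': 'ㅡ',
    'Q': 'ㅃ', 'W': 'ㅉ', 'E': 'ㄸ', 'R': 'ㄲ', 'T': 'ㅆ', 'O': 'ㅒ', 'P': 'ㅖ',
}
for _key in 'yuiasdfghjklzxcvbnm':
    KEY_TO_JAMO[_key.upper()] = KEY_TO_JAMO[_key]

INITIALS = list('ㄱㄲㄴㄷㄸㄹㅁㅂㅃㅅㅆㅇㅈㅉㅊㅋㅌㅍㅎ')                      # 19 choseong
MEDIALS = list('ㅏㅐㅑㅒㅓㅔㅕㅖㅗㅘㅙㅚㅛㅜㅝㅞㅟㅠㅡㅢㅣ')                   # 21 jungseong
FINALS = [None] + list('ㄱㄲㄳㄴㄵㄶㄷㄹㄺㄻㄼㄽㄾㄿㅀㅁㅂㅄㅅㅆㅇㅈㅊㅋㅌㅍㅎ')  # 28 jongseong, 0 = none

# Two keystrokes that merge into one medial / one final, and the reverse split.
VOWEL_PAIRS = {('ㅗ', 'ㅏ'): 'ㅘ', ('ㅗ', 'ㅐ'): 'ㅙ', ('ㅗ', 'ㅣ'): 'ㅚ', ('ㅜ', 'ㅓ'): 'ㅝ',
               ('ㅜ', 'ㅔ'): 'ㅞ', ('ㅜ', 'ㅣ'): 'ㅟ', ('ㅡ', 'ㅣ'): 'ㅢ'}
FINAL_PAIRS = {('ㄱ', 'ㅅ'): 'ㄳ', ('ㄴ', 'ㅈ'): 'ㄵ', ('ㄴ', 'ㅎ'): 'ㄶ', ('ㄹ', 'ㄱ'): 'ㄺ',
               ('ㄹ', 'ㅁ'): 'ㄻ', ('ㄹ', 'ㅂ'): 'ㄼ', ('ㄹ', 'ㅅ'): 'ㄽ', ('ㄹ', 'ㅌ'): 'ㄾ',
               ('ㄹ', 'ㅍ'): 'ㄿ', ('ㄹ', 'ㅎ'): 'ㅀ', ('ㅂ', 'ㅅ'): 'ㅄ'}
FINAL_SPLIT = {compound: pair for pair, compound in FINAL_PAIRS.items()}


def compose(initial, medial, final=None):
    """Precomposed Hangul syllable for one initial, one medial and an optional final."""
    return chr(0xAC00 + (INITIALS.index(initial) * 21 + MEDIALS.index(medial)) * 28
               + FINALS.index(final))


def qwerty_to_hangul(text):
    """Minimal 2-set IME automaton: builds syllables keystroke by keystroke."""
    out = []
    L = V = T = None  # initial, medial, final of the syllable being built

    def flush():
        nonlocal L, V, T
        if L and V:
            out.append(compose(L, V, T))
        else:                        # a lone jamo never becomes a syllable
            out.extend(j for j in (L, V) if j)
        L = V = T = None

    for ch in text:
        jamo = KEY_TO_JAMO.get(ch)
        if jamo is None:             # digit, punctuation, space: passes through
            flush()
            out.append(ch)
        elif jamo in MEDIALS:        # vowel
            if L and V is None:
                V = jamo
            elif V and T is None and (V, jamo) in VOWEL_PAIRS:
                V = VOWEL_PAIRS[(V, jamo)]
            elif T:                  # the final consonant moves to the next syllable
                T, carry = FINAL_SPLIT.get(T, (None, T))
                flush()
                L, V = carry, jamo
            else:
                flush()
                V = jamo
        else:                        # consonant
            if L and V and T is None and jamo in FINALS:
                T = jamo
            elif T and (T, jamo) in FINAL_PAIRS:
                T = FINAL_PAIRS[(T, jamo)]
            else:
                flush()
                L = jamo
    flush()
    return ''.join(out)


def syllable_ratio(text):
    """Share of letters that end up inside a complete syllable: a Hangul-typed
    string scores high, an English word typed on the same keys scores low."""
    letters = sum(ch.isalpha() for ch in text)
    syllables = sum('가' <= ch <= '힣' for ch in qwerty_to_hangul(text))
    return syllables / letters if letters else 0.0


if __name__ == '__main__':
    for pw in ('dPfWls&Rkapfns19', 'dPQms&Thvldk1987', 'fastcameron13'):
        print(f'{pw:18} -> {qwerty_to_hangul(pw):14} ratio={syllable_ratio(pw):.2f}')
```

The ratio is a quick triage filter over a list of recovered credentials or mutex names: values near 0.4 and above are worth a native speaker's look, while genuinely English strings such as 'fastcameron13' collapse into isolated jamo and score low.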
[Figure 19] The code to communicate with AOL Instant Messenger

It is noteworthy that the password 'dPQms&Thvldk1987' used to log in to AIM becomes '예쁜&쏘피아1987' (Pretty&Sophia1987) when the same keys are typed on a Korean keyboard. The attackers also use several Chinese expressions in the AIM communication: another variant uses 'Dajiahao' as the mutex name, which means 'hello everyone' in Chinese. Likewise the AIM password 'dPfWls&Rkapfns19' becomes '옐찐&까메룬19' (Yelchin&Cameroon19) on a Korean keyboard.

[Figure 20] Chinese greeting and Korean-convertible password

Many variants exist in various forms. The variant tied to the SEIKO computer name carries the following PDB path and used e-mail accounts such as 'zum36085@zmail.ru' and 'pghlsn333@gmail.com':

- F:\2_Program\Orbis_zmail\Release\RecvTest_zmail.pdb

Similar variants carry these PDB paths:

- F:\2_Program\Orbis_academia\Release\RecvTest_zmail.pdb
- F:\2_Program\Orbis_academia\Release\Recv_Pwd_2_India.pdb

[Figure 21] PDB path with zmail test information

Besides the targeted APT attacks, ESRC has observed the group using a technique aimed at an unspecified audience: it registers on a Korean torrent site and distributes pirated copies of well-known commercial software with malware inserted. The attackers accumulated points on the torrent site as shown below, actively uploading files and posting comments.

[Figure 22] Activity history on the Korean torrent site

## Time Series Analysis of the Geumseong121 Group

After using AIM for communication in the first half of 2013, the attackers compromised Korean websites and used them as C2 servers for a while.
They may, however, have found that this technique lacked durability, since the websites were detected and quickly shut down by security vendors and administrators. After a while they produced a variant with far better persistence by returning to the AIM communication technique. They then mainly used compromised WordPress-based websites as watering-hole bases, relying in those attacks on Flash Player exploit files and a 'Streamnation' account, a personal media hub cloud service. The attackers kept using AIM, but chose WordPress websites as the C2 or relay server for spear phishing and watering-hole attacks. When the Streamnation service shut down in February 2016, the attackers had already begun testing the 'zmail.ru' service, which they had used before, at the end of January 2016.

The attackers thus moved to a new C2 setup by introducing zmail.ru, and then started using the 'pCloud' service alongside AIM communication. When creating cloud service accounts they use free e-mail services not only from Korea but also from the US, China, India and Russia. As tactics changed over time, CVE-2018-4878 exploit files were sent through KakaoTalk messages to specific targets who had not been added as friends, and Android malicious apps targeting smartphone users were also found. The cryptocurrency-themed DOC exploit attack was first reported abroad at the end of 2017. The attackers continue to upgrade their techniques, for example by distributing malware disguised as Korean and Chinese security programs, or by infecting users through torrents.
Changes in C2 technique over time:

- March 26, 2013: AOL Instant Messenger
- April 20, 2013: Communication with a specific website in Korea
- July 10, 2015: WordPress website communication
- July 14, 2015: Streamnation personal cloud service
- August 09, 2015: Streamnation personal cloud service
- February 09, 2016: Official end of the Streamnation personal cloud service
- April 11, 2016: pCloud personal cloud service
- December 12, 2017: PubNub IaaS service
- December 15, 2017: Official end of the AOL Instant Messenger service
- January 16, 2018: PubNub IaaS service
- February 23, 2018: PubNub IaaS service
- August 14, 2018: PubNub IaaS service

[Figure 23] C2 communication changing over time

# 03. Conclusion

## Persistent Threat

Beyond the cases above, similar intrusions using the same IoCs or metadata have been discovered in Korea for many years, and ESRC continuously tracks how they change. Further details will be available on 'Threat Inside', a service scheduled to launch in the second half of the year, through which IoCs and specialised intelligence reports are provided to corporate customers.
# Indicators of Compromise (IoC)

## Press Resources

- Fake AV Investigation Unearths KevDroid, New Android Malware: https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html
- Reaper Group's Updated Mobile Arsenal: https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/
- Analysis report on in-the-wild exploitation of the latest RTF vulnerability (最新rtf漏洞野外利用分析报告): https://s.tencent.com/research/report/274.html
- Attack disguised as a security program, presumed North Korean, caught on the 14th ahead of Liberation Day (광복절 앞둔 14일, 北 추정 보안 프로그램 위장 공격 포착): https://www.boannews.com/media/view.asp?idx=72235

## File names

- 안전수칙.zip ('safety rules.zip')
- 안전수칙.hwp ('safety rules.hwp')
- denk.zip
- 360TS_Setup_Mini.exe
- bitcoin-trans.doc
- 1.apk
- conhost.exe

## Malware MD5

- af6721145079a05da53c8d0f3656c65c
- 1213e5a0be1fbd9a7103ab08fe8ea5cb
- edc1bdb2d70e36891826fdd58682b6c4
- b710e5a4ca00a52f6297a3cc7190393a
- 05eef00de73498167b2d7ebdc492c429
- ff32383f207b6cdd8ab6cbcba26b1430
- 84cbbb8cdad90fba8b964297dd5c648a
- ab2a4537c9d6761b36ae8935d1e5ed8a
- fa39b3b422dc4232ef24e3f27fa8d69e
- 8ab2819e42a1556ba81be914d6c3021f
- 24fe3fb56a61aad6d28ccc58f283017c
- 9525c314ecbee7818ba9a819edb4a885

## Domains and URLs

- http://endlesspaws.com/vog/tan[.]php?fuck=x
- http://endlesspaws.com/vog/denk[.]zip
- seline.co.kr/datafiles/CNOOC[.]php
- www.causwc.or.kr/board_community01/board_community01/index2[.]php
- www.kumdo.org/admin/noti/files/iindex[.]php
- www.icare.or.kr/upload/board/index1[.]php
- cnjob.co.kr/data/blog/iindex[.]php
- notac.co.kr/admin/case/iindex[.]php
- http://ebsmpi.com/ipin/360/down[.]php
- http://cgalim.com/admin/hr/hr[.]doc

## IP address

- 175.45.178.133

## Mutex name

- taihaole9366

## CVE

- CVE-2017-8759
- CVE-2015-5119
- CVE-2014-8439
- CVE-2015-0313
- CVE-2015-3090
- CVE-2015-3105
- CVE-2018-4878

## Strings

- Haizi
- LiuJin
- srvrlyscss
- 프로쎄스 (North Korean spelling of 'process')
- 프로그람 (North Korean spelling of 'program')
- fastcameron13
- powercooper00
- dPfWls&Rkapfns19 (옐찐&까메룬19)
- dPQms&Thvldk1987 (예쁜&쏘피아1987)
- 홍채연[하율]
- KIM[Administrator]
- JAMIE[Jamie Kim]
- DONGMIN[MinSk]
- T-PC[T]
- YONGJA-PC
- USER
- sec
- CRACKER-PC
- SEIKO

The content of this report, in whole or in part, shall not be cited, reproduced, copied, stored or transmitted to third parties without the prior written consent of ESTsecurity.

ESTsecurity Security Response Center
https://www.estsecurity.com/
esrc@estsecurity.com