North Korea's finest spent 2017 distributing RATs, wipers, and phish

And sent them mostly to South Korea, naturally

South Korea was the target of a barrage of malware campaigns last year.

Cisco Talos's Warren Mercer and Paul Rascagneres (with contributions from Jungsoo An) spent the year watching goings-on on the Korean peninsula.

The researchers focussed on one organisation (likely North Korean given the target, but this is unconfirmed), which they dub Group 123, and its continuing campaigns against the South.

Remote Access Trojans – RATs – are Group 123's favourite approach, with three phishing campaigns (“Golden Time”, “Evil New Year” and “North Korean Human Rights”) working to deliver ROKRAT to targets.

At least two of those campaigns were published by Talos at the time, but without a firm attribution to North Korea.

The three campaigns tried to get users to infect themselves with a payload in the Hancom Hangul Office Suite, South Korea's market leader, exploiting vulnerabilities such as the CVE-2013-4979 EPS viewer bug to pull down the RAT.

That's a rather old vulnerability, so when CVE-2017-0199 (arbitrary code execution from a crafted file) landed, the Norks hackers got to work. In less than a month, Talos said, Group 123 launched the FreeMilk campaign against financial institutions from beyond the Korean peninsula.

A binary called Freenki (sometimes called by another binary, PoohMilk) then hauled down a ROKRAT-like trojan.

Finally, the “Are You Happy” campaign [surely you didn't really fall for that in the e-mail subject line? - Ed] was simply destructive: it deployed a module from ROKRAT to wipe the first sectors of the victim's hard drive.

Oh, and happy 2018: on January 2 this year, Group 123 ushered in the new year with a redux of its Evil New Year campaign. This time, the Talos post noted, the malware-slingers are trying to evade detection with a fileless version of ROKRAT. ®




Biting the hand that feeds IT © 1998–2018