
North Korea's finest spent 2017 distributing RATs, wipers, and phish

And sent them mostly to South Korea, naturally

By Richard Chirgwin


South Korea was the target of a barrage of malware campaigns last year.

Cisco Talos's Warren Mercer and Paul Rascagneres (with contributions from Jungsoo An) spent the year watching goings-on on the Korean peninsula.

The researchers focussed on one organisation (likely North Korean given the target, but this is unconfirmed), which they dub Group 123, and its continuing campaigns against the South.

Remote Access Trojans – RATs – are Group 123's favourite approach, with three phishing campaigns (“Golden Time”, “Evil New Year” and “North Korean Human Rights”) working to deliver ROKRAT to targets.

Talos published analyses of at least two of those campaigns at the time, but without firmly attributing them to North Korea.

All three campaigns tried to get users to infect themselves by opening malicious documents for the Hancom Hangul Office Suite, South Korea's market-leading office software, exploiting vulnerabilities such as the CVE-2013-4979 EPS viewer bug to pull down the RAT.

That's a rather old vulnerability, so when CVE-2017-0199 (arbitrary code execution via a crafted Microsoft Office document) landed, the Norks hackers got to work. In less than a month, Talos said, Group 123 launched the FreeMilk campaign against financial institutions outside the Korean peninsula.

A binary called Freenki (sometimes launched by another binary, PoohMilk) then hauled down a ROKRAT-like trojan.

Finally, the “Are You Happy” campaign [surely you didn't really fall for that in the e-mail subject line? - Ed] was simply destructive: it deployed a module from ROKRAT to wipe the first sectors of the victim's hard drive.
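The first sectors of a disk hold the master boot record and its partition table, so a wiper that zeroes them leaves a machine unbootable even though the data further in is untouched. What follows is an added example of the baseline-and-compare check a defender can run over a raw device or a disk image to spot that damage; it is not code from the Talos report or from The Register. The 512-byte MBR layout and the 0x55AA signature are the standard ones; the sample sector, the partition entry in it, the function names and the baseline hash are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # standard boot-sector signature at bytes 510..511
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries follow the boot code


def parse_partitions(sector: bytes) -> list[dict]:
    """Return the non-empty entries of the four-slot MBR partition table."""
    entries = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * slot
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # partition type 0x00 marks an unused slot
            entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def baseline_hash(image: bytes, n_sectors: int = 1) -> str:
    """SHA-256 of the first n sectors, recorded while the machine is known good."""
    return hashlib.sha256(image[:SECTOR_SIZE * n_sectors]).hexdigest()


def check_boot_sectors(image: bytes, baseline: str, n_sectors: int = 1) -> list[str]:
    """Compare the first n sectors of a disk image against a recorded baseline.

    Returns a list of findings; an empty list means nothing looks wrong.
    """
    head = image[:SECTOR_SIZE * n_sectors]
    if len(head) < SECTOR_SIZE:
        return ["image shorter than one sector"]
    mbr = head[:SECTOR_SIZE]
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if not any(mbr):
        findings.append("first sector is all zeros")
    if not parse_partitions(mbr):
        findings.append("no partition table entries")
    if hashlib.sha256(head).hexdigest() != baseline:
        findings.append("boot sector hash differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: fake boot code, one bootable type-0x07 partition, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:4] = b"\x33\xc0\x8e\xd0"  # xor ax,ax / mov ss,ax: a typical MBR prologue
    # slot 0: active (0x80), type 0x07 (NTFS/exFAT), starts at LBA 2048, 1,000,000 sectors
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def wipe_first_sectors(image: bytes, n_sectors: int = 1) -> bytes:
    """Model the wiper's effect on an in-memory image: zero the first n sectors."""
    n = SECTOR_SIZE * n_sectors
    return b"\x00" * min(n, len(image)) + image[n:]


if __name__ == "__main__":
    # Constructed disk image: the sample MBR followed by one sector of filler "data".
    good = build_sample_mbr() + b"\xaa" * SECTOR_SIZE
    known_good = baseline_hash(good)  # in practice, stored off-host when the disk was clean
    print("intact:", check_boot_sectors(good, known_good))
    print("wiped :", check_boot_sectors(wipe_first_sectors(good), known_good))
```

Against a real device the image would be read with `open("/dev/sda", "rb").read(SECTOR_SIZE)` (or the Windows `\\.\PhysicalDrive0` equivalent) under administrative rights, and the baseline kept somewhere the malware cannot reach; the structural checks (signature, non-zero content, at least one partition entry) catch a wipe even when no baseline was recorded.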

Oh, and happy 2018: on January 2 this year, Group 123 ushered in the new year with a redux of its Evil New Year campaign. This time, the Talos post noted, the malware-slingers are trying to evade detection with a fileless version of ROKRAT. ®

