North Korea's finest spent 2017 distributing RATs, wipers, and phish

And sent them mostly to South Korea, naturally

By Richard Chirgwin

Posted in Security, 18th January 2018 06:30 GMT

South Korea was the target of a barrage of malware campaigns last year.

Cisco Talos's Warren Mercer and Paul Rascagneres (with contributions from Jungsoo An) spent the year watching goings-on on the Korean peninsula.

The researchers focussed on one organisation (likely North Korean given the target, but this is unconfirmed), which they dub Group 123, and its continuing campaigns against the South.

Remote Access Trojans – RATs – are Group 123's favourite approach, with three phishing campaigns (“Golden Time”, “Evil New Year” and “North Korean Human Rights”) working to deliver ROKRAT to targets.

At least two of those campaigns were published by Talos at the time, but without a firm attribution to North Korea.

The three campaigns lured users into infecting themselves with a payload delivered through documents for the Hancom Hangul Office Suite, South Korea's market-leading office software, exploiting vulnerabilities such as the CVE-2013-4979 EPS viewer bug to pull down the RAT.

That's a rather old vulnerability, so when CVE-2017-0199 (arbitrary code execution from a crafted file) landed, the Nork hackers got to work. In less than a month, Talos said, Group 123 launched the FreeMilk campaign against financial institutions outside the Korean peninsula.

A binary called Freenki (sometimes called by another binary, PoohMilk) then hauled down a ROKRAT-like trojan.

Finally, the “Are You Happy” campaign [surely you didn't really fall for that in the e-mail subject line? - Ed] was simply destructive: it deployed a module from ROKRAT to wipe the first sectors of the victim's hard drive.

Oh, and happy 2018: on January 2 this year, Group 123 ushered in the new year with a redux of its Evil New Year campaign. This time, the Talos post noted, the malware-slingers are trying to evade detection with a fileless version of ROKRAT. ®
