Researchers have attributed six separate phishing campaigns targeting South Koreans in either 2017 or 2018 to a single threat actor called "Group123," including multiple operations designed to infect victims with the remote administration tool ROKRAT.
The six campaigns -- Golden Time, Evil New Year, Are You Happy?, FreeMilk, North Korea Human Rights, and Evil New Year 2018 - have been linked through shared code and tactics, according to researchers with Cisco Systems' Talos Security Intelligence and Research Group.
Commonalities include not just ROKRAT, but also the use of Korean Hangul Word Processor (HWP) documents, similar Program DataBase patterns and reconnaissance codes, and the presence of a browser stealer in certain payloads. Also, many of the campaigns have used email lures that reference the longstanding North Korea-South Korea reunification movement.
Due to the phishing emails' use of Hangul - a product of South Korean company Hancom Inc. - and their strong command of the Korean language, Talos believes it is likely that "the origin of this group is from the Korean peninsula" and that "we are dealing with a new Korean actor." However, while state-sponsored North Korea hackers have a history of launching attacks on South Korea, Talos does not outright state if the threat specifically comes from the north.
The most recent campaign, Evil New Year 2018, is essentially a reboot of the threat actor's original Evil New Year operation that ran from November 2016 through January 2017, explains Talos in a 16 January blog post authored by researchers Warren Mercer and Paul Rascagneres (with contributions from Jungsoo An).
The newer campaign, which launched on 2 January, 2018, lures victims in with a malicious HWP decoy document, supposedly written by South Korea's Ministry of Reunification. The doc claims to offer an analysis of a New Year's speech made by the leader of North Korea (presumably Kim Jong-un, although Talos doesn't specifically name him in its analysis).
The document exploits a vulnerability in the Encapsulated PostScript (EPS) format to download and execute shellcode hidden in a fake image on a previously compromised website. In this case, the shellcode downloads and decodes a fileless variant of ROKRAT from memory as the final payload. Much like the ROKRAT samples distributed in previous Group123 campaigns, this variant leverages cloud providers, including Yandex, pCloud, Dropbox, and Box, to exfiltrate documents and communicate with the attackers.
According to Talos, the 2017 Evil New Year campaign similarly involved spearphishing emails that appeared to come from the Korean Ministry of Unification and used malicious Hangul attachments to drop ROKRAT. "The document claimed to discuss the New Year's activities of North Korea and this would have been something that the victims in South Korea would be very interested in. This would have been particularly true for Government targets, who we believe to be Group123's target of choice," the Talos blog post states.
The malicious documents in the earlier campaign featured two links that opened up additional decoy documents containing malicious OLE objects used to drop binaries, which in turn injected shellcode that unpacked and executed reconnaissance malware designed to communicate with the C&C server.
The Talos report detailed four additional phishing campaigns from Group123:
Golden Time, August 2016 - March 2017: This campaign infected targets with ROKRAT via spear phishing emails that lauded recipients for joining a panel at a phony Korean reunification conference. Other phishing emails purported to be a help request from a resident of the South Korean city Munchon.
Are You Happy?, March 2017: This campaign dropped a ROKRAT module called named ERSP.enc that acts as a disk wiper, capable of opening an infected system's drive and writing data to the Master Boot Record. After the malware reboots the affected machine, the MBR displays a string that reads "Are you Happy?"
FreeMilk, May 2017: Because this campaign targeted non-Korean financial institutions, the attackers used Microsoft Office documents instead of HWP docs. "The attackers exploited CVE-2017-0199 [a flaw in the Windows Object Linking and Embedding (OLE) interface] in order to download and execute a malicious HTA document inside of Microsoft Office," Talos explains. This scheme resulted in two payloads: The first, PoohMilk, creates persistence and checks specific files on an infected machines, paving the way for the second malware, Freenki, which collects information on the infected system and can download a third executable.
North Korean Human Rights, November 2017: This campaign served another version of ROKRAT, via a malicious HWP document authored by a representative from the Citizens' Alliance For North Korean Human Rights And Reunification Of Korean Peninsula. Purportedly, "the main purpose of this document was an attempt to arrange a meeting to discuss items related to "North Korean Human Rights Act" and "Enactment of a Law," which was passed in 2016 in South Korea. Of course, the document's true purpose was to infect unwitting victims.