This Highly Sophisticated Malware Is Once Again Targeting the Korean Government

- April 4, 2017

The campaign targeting Korean government users has evolved and now shows more hallmarks of being a nation-state attack, researchers with Cisco’s Talos group say.

A very similar campaign—likely the same one—surfaced around late February and also targeted Korean government users in a very targeted fashion. The malware uses public domains as command and control (C2) servers to deliver attack commands. It also performs advanced fingerprinting of running processes to weed out any sandboxes or attempts to analyze the malware.

Talos researchers Warren Mercer, Paul Rascagneres and Matthew Molyett documented in a blog post that the malware is active for very short periods of time, mere hours, before wiping compromised hosts and disappearing. The attack was clearly built to take every possible measure to avoid discovery.

Indications of Nation-state Sponsorship

Sources who have viewed the evidence of the attack say one of the malicious documents used to compromise victims has strong indications of not only being written in fluent Korean, but even being a legitimately classified Korean government document. Researchers with Talos say the document could have been appropriated in a different campaign and weaponized for this attack.

Previous attempts to analyze this malware back in February fell just short of obtaining the final payload due to the malware’s highly evasive nature. This time the Talos group has obtained the final payload and has concluded that it is a remote access Trojan (RAT), which the group has named ROKRAT.

Starts with a Phish

The attack, like the last campaign, begins with a phishing e-mail. In this attack, researchers at Talos say the attackers compromised a legitimate e-mail address from the private Korean university Yonsei. The attackers are specifically targeting those interested in the “unification of the Korean peninsula,” and took the time to compromise the specific e-mail address used as the contact address for the Korean Global Forum.

The phishing e-mail uses a compromised account from a private Korean university. Source: Talos blog

“The sample filename translates as ‘Unification North Korea Conference _ Examination Documents’ which reinforces the text in the email about the reunification conference,” Talos researchers wrote in their post. “For an added bonus the attacker even suggests in the email people who completed the document would get paid a ‘small fee.’ Perhaps the gift of embedded malware is the payment.”

Like the last campaign, the Hangul Office document contains an EPS (Encapsulated PostScript) object that downloads a binary disguised as a JPEG, which then downloads the actual RAT.

Sophisticated Infrastructure

There are in fact two phishing e-mails Talos analyzed as part of this campaign. The more sophisticated of the two, the one mentioned above, uses an official-looking government e-mail to entice recipients into opening the malicious document. The second makes more of a personal appeal, being sent from a likely fictitious person claiming to be in the Kangwon Province. Talos suspects this was used to possibly draw empathy from the recipient, as Kangwon was previously part of South Korea, and the e-mail claims the person is in need of help.

The RAT payload is especially tricky as it uses legitimate websites as C2 servers, even enlisting the Twitter API to send the Trojan some of its commands. Talos researchers said in an interview not all the accounts are still active, and the team is reaching out to Twitter to have any active accounts blocked.

Evasions and Diversions

The malware takes extreme steps to avoid being analyzed. Before delivering a payload, the malware analyzes processes on the victim machine and checks for tools like Python scripts and applets used in sandbox analysis tools, VMware Tools, VirtualBox processes, Wireshark and others.

If it discovers any of these processes running, the malware will then attempt to fake an “infection” by sending dummy traffic to appear as though it is receiving feedback from a remote server, which is normally a good indication that the infection was successful.

The malware will also throw the fake traffic when it is launched through any means other than executing the malicious document sent through the phishing e-mail.

After successfully opening the malware, Talos researchers were able to observe its relationship with the C2 domains from Twitter, Yandex and Mediafire. In the case of Twitter, the malware will use hardcoded API tokens to receive instructions. “The malware is able to get orders by checking the last message on the Twitter timeline,” Talos researchers wrote. “The order can be either execute commands, move a file, remove a file, kill a process, download and execute a file. The RAT is able to tweet also.”

In the case of Mediafire and Yandex, both are used to download and execute files, and possibly upload stolen information from infected victims.

“This communication channel is extremely hard to contain because organizations often have legitimate uses of these platforms,” the researchers wrote. “This investigation shows us once again that South Korean interests sophisticated threat actors.”
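As an added example (not from Talos or the original article), the sketch below shows one defensive angle on the containment problem just described: rather than blocking the platforms, check which endpoint process is talking to them. The record format, the allowlist, the sample data and the service domain suffixes are assumptions made for illustration; the hostnames the malware actually contacts are not given in this article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Public domains of the three services named in the article (suffix match).
# Assumption: the exact C2 hostnames are not listed here, so match by suffix.
SERVICES = {"twitter.com": "twitter", "yandex.com": "yandex",
            "yandex.net": "yandex", "mediafire.com": "mediafire"}
# Hypothetical allowlist of programs expected to reach these platforms.
EXPECTED = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

def service_for(hostname):
    """Map a destination hostname to a service name, or None."""
    hostname = hostname.lower().rstrip(".")
    for suffix, name in SERVICES.items():
        if hostname == suffix or hostname.endswith("." + suffix):
            return name
    return None

def flag_unexpected_clients(records, window=timedelta(hours=1)):
    """Return {(host, image): services} for non-allowlisted processes that
    reached two or more of the services within `window`."""
    seen = defaultdict(list)  # (host, image) -> [(time, service)]
    for ts, host, image, dest in records:
        svc = service_for(dest)
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if svc and exe not in EXPECTED:
            seen[(host, image)].append((datetime.fromisoformat(ts), svc))
    flagged = {}
    for key, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            svcs = {s for t, s in hits[i:] if t - start <= window}
            if len(svcs) >= 2:
                flagged[key] = sorted(svcs)
                break
    return flagged

# Constructed sample records: (timestamp, host, process image, destination).
SAMPLE = [
    ("2017-04-03T09:00:05", "ws-014", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "api.twitter.com"),
    ("2017-04-03T09:01:10", "ws-014", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "www.mediafire.com"),
    ("2017-04-03T10:12:40", "ws-022", r"C:\Users\kim\AppData\Local\Temp\update.exe", "api.twitter.com"),
    ("2017-04-03T10:13:02", "ws-022", r"C:\Users\kim\AppData\Local\Temp\update.exe", "disk.yandex.com"),
    ("2017-04-03T10:40:00", "ws-031", r"C:\Tools\backup.exe", "www.mediafire.com"),
    ("2017-04-03T10:41:00", "ws-007", r"C:\Temp\x.exe", "nottwitter.com"),
]

if __name__ == "__main__":
    for (host, image), svcs in flag_unexpected_clients(SAMPLE).items():
        print(host, image, svcs)
```

On the constructed data only the `update.exe` process on `ws-022` is flagged; in practice the allowlist has to reflect the sync clients and business tools an organization legitimately runs.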

To see more technical details about the attack, including file hashes and the networks used, see the blog post from Talos here.