North Korea's black hats launched at least six extensive malware campaigns mostly against South Korean targets during 2017.
That's the conclusion of Cisco Talos's Warren Mercer and Paul Rascagneres (with contributions from Jungsoo An), who spent the year watching goings-on on the Korean peninsula.
The researchers focussed on one North Korean organisation, which they dub Group 123, and its continuing campaigns against the South.
Remote Access Trojans – RATs – are Group 123's favourite approach, with three phishing campaigns (“Golden Time”, “Evil New Year” and “North Korean Human Rights”) working to deliver ROKRAT to targets.
At least two of those campaigns were published by Talos at the time, but without a firm attribution to North Korea.
The three campaigns tried to get users to infect themselves with a payload in the Hancom Hangul Office Suite, South Korea's market leader, exploiting vulnerabilities such as the CVE-2013-0808 EPS viewer bug to pull down the RAT.
That's a rather old vulnerability, so when CVE-2017-0199 (arbitrary code execution from a crafted file) landed, the Norks' hackers got to work. In less than a month, Talos said, Group 123 launched the FreeMilk campaign against financial institutions from beyond the Korean peninsula.
A binary called Freenki (sometimes called by another binary, PoohMilk) then hauled down a ROKRAT-like trojan.
Finally, the “Are You Happy” campaign [surely you didn't really fall for that in the e-mail subject line? - Ed] was simply destructive: it deployed a module from ROKRAT to wipe the first sectors of the victim's hard drive.
Oh, and happy 2018: on January 2 this year, Group 123 ushered in the new year with a redux of its Evil New Year campaign. This time, the Talos post noted, the malware-slingers are trying to evade detection with a fileless version of ROKRAT.