
Group123: Korea In The Crosshairs

BSides Belfast · 2018 · 29:13 · 168 views · Published 2018-10

Yes, anyway, so yeah, as Lauren mentioned, this presentation will be about a one-year review of Group123: different campaigns we were able to identify. Some are very similar and some are really different, targeting a completely different region of the world, and at the end you will see that this team is growing, has more and more skills, and in January this year they started to use a zero-day. We will explain everything to you; at the end it will be worrying. So, about me: I'm Paul Rascagnères, so I'm French, sorry for the accent, it's not my choice. Basically I'm a malware and threat researcher at Cisco Talos. I worked on several cases, including

CCleaner, Group123, which we present to you, Olympic Destroyer and a lot of different fun stuff like that. And yeah, that's the slide issue, for example black/white. Oops, oh nice, thanks, that wasn't me, someone has the same pointer. And previously, oh yeah, so I worked with Warren Mercer, he's our researcher, threat intelligence leader, et cetera; he and I work on pretty much everything together, so CCleaner, Olympic Destroyer, Bad Rabbit, et cetera, and we're going to go through it today. I do apologize for my accent, because, like, I'm finally in a place where everyone understands me, so it's great here. So here is the timeline we will speak about today. So the first campaign, it's the

first one we identified, but it's also the first one on the timeline: it's the Golden Time campaign. It was during 2016 and until March 2017. So basically everything with this group, more or less everything, starts by email. In this campaign the attackers used an email from an event named Korea Global Forum; it's a real conference and it's hosted by a university, and this email really came from the university: if you look at the headers, it really came from a server of the university. So basically the attackers compromised this account and were able to send the email. I think everybody speaks Korean here, yeah, of course, so I won't translate, I'm kidding.

So basically you have an attachment and it's an HWP file. In fact in Korea they don't use Microsoft Office; they have their own office suite, it's named Hangul Word Processor, HWP. You will see that basically the format is very close, but it's about the characters, in fact, which are complicated for Word, and they have a lot of tactile devices and they are able to write with a recognition technique on the device and it translates into Korean, and it's really useful for them, so they have their own file format, HWP. And this document, basically, the forum sent this email, we assume, to several attendees, and it's a survey where they ask you to open an attachment and say if it was good or bad.

Another example during the same period is this one, which is completely different: it's someone who is alleged to be in North Korea who sends an email and asks for help on how they could move to the South, et cetera. So it's the same thing, an HWP document, and in this case the attackers work on the empathy of the target to open the attachment. Both documents: the form for the conference and the email saying "I was born in the North", et cetera. So let's go on to the HWP document. As I said, it's a kind of office document, so you can use oledump if you are used to analyzing office documents; it's a tool, an open-source tool

you probably use often. The biggest difference is you have objects, and the objects are zlib-compressed, so that's the only difference: the tool is able to list the objects but is not able to extract and read the content, because you can extract it but you need to unzip it before working on it. So yeah, in this case you have an EPS document, it's Encapsulated PostScript, something like that, and they use a vulnerability in the EPS parser. They use a well-known vulnerability; this malware was in 2017, I think, and it's just a vulnerability from 2013, so it's an old one. And something: if you are used to analyzing shellcode, generally you've got a lot of

0x90, it's NOP, you've got 0x90 0x90 0x90 blah blah. In this case, I think it's to avoid detection, they use 0x04 0x04 0x04 0x04. It simply makes a useless add on a register, so I think it's simply to bypass some detection, I don't know. The purpose of this shellcode is to download a fake JPEG from a website. You will see this actor really loves JPEG files; he always tries to download JPEG files, but it's never a real JPEG file, it's a real payload. And the website is a legitimate website; he compromised the website, put a fake JPEG file there, and used this file for the second stage of the compromise. In this case you can see wp-content, it's WordPress, so

each time there is a vulnerability in WordPress he compromises WordPress websites, which are malware hosting, and provides the campaign. What is the purpose of this fake JPEG? So it's obfuscated with several boring things, but anyway at the end we have a sample; we named it ROKRAT. It's a remote administration tool; the purpose is basically to have more control of the remote system, and I'm going to explain real quickly some of the features we found in it. First it checks the version of your system, and if it's Windows XP it simply goes into an infinite loop, because nobody has Windows XP normally and it's basically used by sandbox systems. So if you have Windows XP

it thinks it's a sandbox and does nothing. It looks at the running processes, and it's common to check for tools such as, I don't know, Wireshark, and in this case I think it's for the same reason, to avoid detection: it doesn't look for the complete word like, I don't know, "wireshark", but it's looking for a short part of it. So if you make the detection based on the word "wireshark" it doesn't work; it looks for a small part of the specific process name. Here is the complete list; these are really, really common analysis tools. If the malware finds one of these tools it does something really, really weird: it starts watching a TV show, a Japanese TV show, and it

starts to watch the TV show. We don't really know why. The TV show is, I think, a Japanese or Korean TV show named Golden Time; that's why we named this campaign like that. So if you execute it in a sandbox and your sandbox is Windows 7 but the malware detects one of these tools running, it downloads this TV show and starts watching it. So the infrastructure for this malware is very specific. Usually you have a server and you send the data to a C2 server, the server gives orders to the compromised machine, and that's how it works. In this case it's completely different: the attackers used legitimate platforms in order to administrate the compromised systems.

For example, here you've got a Twitter account, so the malware uses the Twitter API to get the infected machines and give orders to these machines. It's clever because in some organizations it's really hard to block Twitter, because it's used; sometimes it's normal for it to be used inside the organization, and Twitter of course uses HTTPS, so it's boring to do massive SSL interception in your company. We identified seven hard-coded Twitter tokens in the binary. Another C2 channel in this case was Yandex; it's a cloud storage platform, it's very famous in Russia, maybe not here, it's like a Russian Google Drive. The malware does the same thing: the exfiltrated documents were stored inside this Yandex drive. We

found four different tokens in the binary. If it doesn't work they have a fallback on Mediafire, a cloud platform; same thing, they send files directly to Mediafire and download them from there. And yeah, like most remote administration tools, it's able to perform a screenshot of the machine, and yeah, it's simply a capture, that's it. So that was the first campaign, and we found a second campaign more or less at the same time; we named it Evil New Year. In this case it starts with malicious HWP documents, like previously. So basically if you see an HWP document it means the target is Korea, because nobody else uses this file format. And in this case

it's in Korean, and if you look at the logo and the text at the bottom, it's the logo of the Ministry of Unification; it's a ministry of South Korea whose goal is to have, one day, a unified country between North and South. And the name of the document is "North Korea New Year Analysis", so basically it's a document that speaks about the last speech of the North Korean leader, and they explain which words he chose and why, and how to interpret it, et cetera, et cetera. In this document you have two links; it's mentioned you can click here to have more details, and obviously if you click here something happens: it basically drops an executable on your machine and

executes this file. Here is a screenshot of the sandbox output, so everything is right, of course, and it's a document, it's basically 2016 and 2017: the words chosen in the speech in 2016 and the words chosen in the speech in 2017, and why the leader chose this one or that one. It's really a political interpretation of the New Year speech. What was the purpose of the dropped executable? It was to make a fingerprint of the system. So first it gets the computer name, secondly your username, then the execution path, so where it's executed (the binary, if you look, should be there, but the attacker gets the path), and finally it gets a specific registry key. This

registry key contains your BIOS model, and if you use VirtualBox, for example, you have VirtualBox mentioned here. So all this information is sent to the C2 server, and here is an example of the data sent from VirusTotal. So the hostname is the name of the virtual machine on VirusTotal, the username is the default username on VirusTotal, and you have a path: VirusTotal executes the binary directly from the root of the file system with the hash, the file name is a hash. Basically, if the attacker is waiting for that and receives that, he would say it's probably not a real machine. And at the end you've got the BIOS model:

VirtualBox 1.2. And how does it work? In fact this data is sent to the PHP file here, and if it matches the expectations of the attackers, if the path is a correct one, if the name is a correct one, if it's not VirtualBox, it generates a JPEG and sends the JPEG back, and this JPEG is downloaded and you have the final stage of the malware. That's how they detect sandboxes. And if you look at the domain (a .or.kr domain), it's a real governmental website in Korea, so they compromised this website to put the PHP page and the JPEG there, and the point is you don't blacklist governmental websites normally, or you have a very, very good reason. And here is

the map of this campaign: two different servers, a JPEG file, et cetera. Another one, it's completely different from the previous ones. The two previous ones were very close, but this one is completely different: it's a campaign named Are You Happy; it was between February and April, and in fact within ROKRAT we have some strings, and in these strings we were able to see that a module was named ERSP, but we were not able to get it in the previous campaigns; we knew it existed but we did not have it at that time. We finally had a way to get this specific ERSP sample, and once we analyzed it we understood what

ERSP means: it's Erase Partition, and it's a wiper. Basically it's opening your physical drive and wiping it, and it puts an "Are you happy?" question there, so when you reboot your system you simply have a black screen mentioning "Are you happy?". So that's why we named this campaign like that. Of course, another campaign, always by the same guys, completely different, is a campaign named FreeMilk, between May and June, and in this case the guys didn't target Korean entities, so they cannot use HWP files because it doesn't make any sense outside of Korea. So yeah, nothing fancy: they used an Office document because, you know, it works, and they used a public CVE at the time, and the purpose was to

download an additional HTA file stored on a compromised website. If you look at the source code, maybe too small for you, but JPEG as usual: it downloads the additional JPEG file and it's obviously not a JPEG file. And here is the sample dropped; its name is PoohMilk. We didn't choose the name, it's just by the developers, since in the PDB compilation path we have the PoohMilk name, and the purpose was to execute another binary named Freenki; same thing, it's not our name. And yeah, it's a remote administration tool; the purpose was to have access to the machine and be able to do what they want to do. Yeah, now it's your time.

So that was like the first sort of eight months of when we started to observe this from an interesting campaign point of view. And if you notice, July, August, maybe not so much September, but July, August, our summer, these guys clearly take time off. We go through June and they thought "let's have a rest", and then they didn't do anything for three months that we observed, or that any other person, campaign, vendor, et cetera, observed. So we picked them up again at the beginning of November, actually, sorry, early November, late October, and what we found was the North Korean Human Rights campaign. Again we see the HWP thing, and it's totally a really cool format to analyze and look at if

you're into malware research. I don't know if anybody has ever looked at it, but as Paul said, oledump works really well on it. One thing to note: there's always a default JavaScript element there. It's generally nothing, but generally if you see JavaScript in an Office file or whatever, it's something bad; but with HWP it's default, it's there, so don't let it throw you off if you're looking at it. So this was apparently written by a lawyer, and it was basically saying "hello, we're representing the community of North Korean human rights and unification people, and we're basically wanting to discuss with all these other people how we can make people more interested in the activities that they're trying to do". No

one reads Korean, so let's hope it says that, but we've got a Korean colleague, so we knew it says that. What we were able to do is actually start looking at this and see, okay, what's in it. Obviously, as in some of the other campaigns Paul went through, generally it pulls down a malicious script, whether it be PowerShell based, whether it be just a binary payload, and what they're looking to do is pull down something more interesting. Different here: what we found was a base64-encoded payload, so it pulled that down and actually used WScript, so Windows command script, to decode it, drop the payload, do this and then execute, and that was the malicious

script. To continue with that, what we find there is process injection. So this is from IDA, and what you'll see is a cmd.exe; you probably can't see that actually, trust me, that says cmd.exe, and it does process injection using cmd.exe: it does a VirtualAlloc, and then it does a ReadProcessMemory, a CreateThread, and away we go, for the attacker to inject his own information into its own library, et cetera. So from here we started to get decoy documents, and then, once Paul talked about it, we got decoy display pictures, and we don't know what any of these are; they're just random pictures that appeared in some of the resource files, okay,

so they don't mean anything to us; we weren't really able to find anything. You see it's sliding a little bit. So we're going to talk about the bottom two in the middle there, who are like politicians, political activists, people. And I said, what did we find? Because that's the interesting stuff. So we found a new variant of ROKRAT, which we've tracked for a long time; it's called ROKRAT because of Republic of Korea, ROK. It primarily attacks, I say primarily attacks, Korean-based users; that's the Korean victimology. It has anti-sandbox techniques and it has injection, for all the same reasons, but also it checks for sandbox platforms like Sandboxie

and Microsoft debugging tools that may be in use. We find stealers, so browser stealers are effectively pieces of malicious code that will try and steal any username/password combinations that you use, because I'm very lazy and when I click on a website and I've been there before it says "do you want me to log in?", and I'm like yes, because I don't remember all my passwords, and don't say you do; this can help steal all of this. My point here: be careful where you store your information, where you store your passwords. Anti-debug, I think, we started to see. So I use x64dbg, so this never happened for me; Paul is stuck in the 1970s and uses debuggers like WinDbg

and Immunity and OllyDbg, and what we find here was an anti-debug, or a compilation error, we're not really sure; we've seen it in other platforms and other pieces of malware. What this basically does is crash the debugger, which stops you from trying to debug it, is the long and short of it. So that was the first instance of anti-debug that we saw within ROKRAT. We then see this again: the use of legitimate cloud platforms. These are really hard to block, because, well, maybe Yandex isn't because it's Russian, but this cloud storage, pCloud, Box and Dropbox, are legitimate resources that lots of people use, so these make it really difficult to actually block,

much the same with Twitter, and Mediafire at the end. Yandex might be something you could have some sort of reason or rationale for blocking. By using these, traffic analysis becomes difficult: it's all HTTPS, it's all API-based, so it's very difficult to correlate and basically see what they've done. They've been really sensible, the people that are trying to attack, using this kind of infrastructure: it doesn't mean they have to go and compromise a box somewhere like they did in some other campaigns, but these are much easier platforms to get access to and much less likely to be blocked. And then we've seen the Evil New Year 2018

campaign. They like New Year, because they did this for the last two years. The Evil New Year 2018 campaign was the same sort of idea: it was the Korean Ministry of Unification again; the idea here was a spear phish, the email sent, and that spear phish email was usually this analysis of the last Korean speeches that have been performed, blah blah, please follow the links to find all the information. Of course, when you open the HWP document, again we're talking about an Encapsulated PostScript object, and within that object is more shellcode. What do you think that shellcode does? So what we find is it could

actually execute shellcode in memory, and this was the first fileless campaign we'd seen of ROKRAT. ROKRAT generally was, but this time it actually wasn't; it executed ROKRAT within memory. So it was the first time we saw the real sort of evolution from "let's compromise this random website, let's put a JPEG up here, let's put a JPEG there, that worked really well, let's do that again, let's do that again" and then "no, let's do it fileless, in memory". So have fun: malware executed in memory. So what do the links look like? They all, note the title, there is a series of typos coming up, so please ignore. Well, they all had the same

recon phase, the number of constants; it was looking at certain objects or registry keys within the system to tell what type of machine it was. Fingerprinting a victim is very popular with the more sophisticated actors: they don't want to waste time compromising someone they don't want to compromise, so you try and determine who you want to compromise and why you want to compromise them. This is a graph overview from IDA; you won't learn a lot from this point of view, but basically what we're trying to say here is they have the same reconnaissance profile; they're using the same paths, the entries, functions, et cetera. The reason why we have two is they're two different

samples, but you can see they look pretty much identical from a call similarity perspective. Call similarities then existed between ROKRAT and FreeMilk: so FreeMilk was actually discovered by Palo Alto, I think, not by us, but we were able to do, obviously, the linkages back to see what we had. So we see the use of browser stealers, so IE, Chrome, Firefox; we see the use of this vaultcli.dll and then all the VaultEnumerate API calls that are used, the functions that are used to try and get that information. And what we're trying to do as an attacker is select your username and password values and collect them all from the login

information; basically we want your username and password for potential harvesting. We then obviously look for some more. What's really interesting to look for when you're dealing with non-native actors is, sorry, wrong file type, oops, so "registry", we all know, is not spelt like that; however, this attacker maybe has made the assumption and they've typed it in and they reuse that code, and you can then use that to track campaigns. Similarly, these almost-constants we're talking about are there. If you're writing YARA rules, this is a really, really easy one to capture this kind of stuff, really easy: you just look for ASCII code that says "registry" spelled incorrectly. Very simple. So again we

started linking it to those campaigns, which is how we were able to say ROKRAT is also FreeMilk: PDB paths. So this is, oh, that's really hard to see, the compilation paths; from using those you can determine, so we're able to look back at all the samples that we've seen, and you'll see that they go from version 12, what's after 12? 13; after 13 was 13 First Dragon, feeling particularly good that day. But we're looking at the Dolphin PDB path and the DogCall PDB path, so these are different campaigns that we watched, and then the last one, the wiper; again you see the HighSchool version information. So that's why

we're able to use them to link. It's just these are not things that attackers are going to put in; these are things that an attacker could put in, potentially, as a false flag, but it's more likely that this attacker has reused code and reused the same sort of engine and staging information to be able to create this. The last one, fly through this because everybody loves it, here it is. So KISA, which is the Korean CERT, as I say, Paul and I have a fascination with Korean malware, as you probably realize, they published an advisory for February, I think, 2018, and this basically said in Korean "there's a Flash zero-day" and nothing else. It's like, right, okay, that's

really helpful. So we were able to start finding out a bit more and we determined, okay, the Flash zero-day is actually related to this, because they didn't release the security advisory, we will say. Let's go back now and we can see what we found in terms of what we see with ROKRAT, et cetera. So we found an Office document, and within that Office document was an embedded Flash object, sorry, walking away from the screen; that embedded Flash object executed a connection to the first command-and-control channel, which was a PHP file. What this did was obtain an encryption key, sorry, a decryption key, to decrypt the second Flash object. So the first Flash object launched; it had an encrypted

blob included in it but had no decryption key; the decryption key was retrieved from a remote server, so it needed internet connectivity. So if you're running this in a sandbox with no internet connectivity, it didn't do anything. First stage: grab the decryption key, send the decryption key back to me as the victim, I will then decrypt the encrypted blob within this Flash object, and I will give you another Flash object, and within this Flash object is where they started to use that CVE, and what that is is shellcode. They pull the shellcode back down again; it started to decode within the exploit that they've used, created execution, and then had the ROKRAT execution that we've seen.

So we've gone from, let's say, the spear phish email, okay, that's fairly sophisticated, particularly when you're compromising colleges et cetera to be able to send, you're compromising government platforms, so we saw those; let's hijack a couple of boxes and use things like pCloud and Yandex, okay, okay; it's like they had a checkbox of fun things they wanted to do, and then came the Flash zero-day. What's really interesting is when attacking groups and actors like this start using zero-days, it shows their evolution has come to a peak: either they have lots of money to be able to buy these exploits, or they've got lots of very good, very

skilled coders and developers; they're experts, obviously. What we call ROKRAT, as I mentioned, is still in HighSchool, as you can see, and it's still using the same PDB paths, so we were able to link it directly to ROKRAT, and based on that conclusion, all sophisticated attackers will use multiple methods of tradecraft. As I was discussing, they'll send you an email one day, they'll maybe send you a Flash object another day, they'll maybe send you decryption keys another day, but we stepped through and saw the clear evolution of ROKRAT that we've seen in one, two, three, four, five, six campaigns over a one-year period. We've seen them move from not using browser stealers to using

browser stealers, so we've seen them up their game in terms of what credentials they wanted to harvest. We've seen them using HWP documents in some instances, and then within FreeMilk, the first time they attacked non-Koreans, an unknown non-Korean victim, where they were using Office documents. So they clearly have the capability to be able to create, I won't say "useful" like that, but I mean from a malicious perspective it was useful: they were creating useful documents across both HWP and Office platforms, so they clearly had the skill set to be able to do both of these, and we find this very interesting. If you know anything about ROKRAT and you want to

talk to us about it, please feel free. I don't know if you have any questions; if you do, please ask, otherwise thank you.
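The HWP triage steps the speakers walk through (oledump lists the BinData objects but they are zlib-compressed and must be inflated before you can see the embedded EPS; the shellcode uses a run of 0x04 bytes, which decodes to `add al, imm8`, in place of the usual 0x90 NOP sled; and the second-stage "JPEG" is never a real JPEG) can be turned into a small helper. The Python below is an added example written for this page, not code from the talk or from Cisco Talos. It assumes you have already pulled the raw BinData stream out of the OLE container (for example with oledump or olefile) and that HWP stores such streams as raw deflate without the two-byte zlib header, which is why `wbits=-15` is passed. The sample EPS object and the two "JPEG" headers are constructed inline for illustration and are not real malicious samples.

```python
import zlib

# Constructed stand-in for the kind of EPS object described in the talk: a
# PostScript header followed by a run of 0x04 bytes (add al, imm8) where one
# would normally expect a 0x90 NOP sled. Synthetic test data, not a real exploit.
SAMPLE_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"%%BoundingBox: 0 0 100 100\n"
    + b"\x04" * 64
    + b"\x31\xc0\x50\x68"
    + b"\nshowpage\n"
)

# Constructed second-stage bodies: a genuine JPEG header, and a PE file
# served under a .jpg name, as the talk says this actor always does.
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
FAKE_JPEG_HEAD = b"MZ\x90\x00\x03\x00\x00\x00"   # DOS/PE stub, not an image


def deflate_raw(data: bytes) -> bytes:
    """Store bytes the way an HWP BinData stream does: raw deflate, no zlib header.
    Only used here to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def inflate_bindata(stream: bytes) -> bytes:
    """Inflate one BinData stream as extracted from the OLE container.
    wbits=-15 tells zlib there is no header to parse (assumption about the HWP
    container noted in the lead-in). Some documents store the object
    uncompressed, so fall back to the bytes unchanged on failure."""
    try:
        return zlib.decompress(stream, -15)
    except zlib.error:
        return stream


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of a single byte value (sled detection)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def is_real_jpeg(data: bytes) -> bool:
    """A genuine JPEG starts with the SOI marker FF D8 FF; the 'JPEG' second
    stages described in the talk do not."""
    return data[:3] == b"\xff\xd8\xff"


def triage_bindata(stream: bytes, sled_min: int = 32) -> dict:
    """Inflate a BinData stream and report the indicators discussed in the talk:
    is it an EPS object, and does it carry a 0x90 or 0x04 sled long enough to
    look like shellcode padding."""
    blob = inflate_bindata(stream)
    header = blob[:64]
    run_90 = longest_run(blob, 0x90)
    run_04 = longest_run(blob, 0x04)
    return {
        "is_eps": header.startswith(b"%!PS") and b"EPSF" in header,
        "nop_sled_0x90": run_90,
        "sled_0x04": run_04,
        "suspicious": run_90 >= sled_min or run_04 >= sled_min,
        "inflated_size": len(blob),
    }


if __name__ == "__main__":
    print(triage_bindata(deflate_raw(SAMPLE_EPS)))
    print("second stage is a real JPEG:", is_real_jpeg(FAKE_JPEG_HEAD))
```

In practice you would feed `triage_bindata` each stream oledump lists under BinData; a stream that inflates to `%!PS` with a long single-byte run is worth opening in a disassembler, and a downloaded second stage that fails `is_real_jpeg` despite its extension is exactly the pattern the speakers describe.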
