Researchers have detailed the activity of a sophisticated new threat group targeting mainly South Korean victims in several intelligence gathering and destructive malware campaigns.
According to Cisco Talos, “Group 123” is responsible for six campaigns throughout 2017 and into the New Year: Golden Time, Evil New Year, Are You Happy?, Free Milk, North Korean Human Rights and Evil New Year 2018.
“The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns,” the vendor explained.
Four of the campaigns targeted South Korean victims with spear-phishing emails containing malicious documents in the local Hancom Hangul Office Suite format. These documents installed the ROKRAT remote administration tool (RAT), sometimes directly and sometimes via a multi-staged attack.
The Free Milk campaign targeted non-Korean organizations with malicious Office documents exploiting CVE-2017-0199 less than a month after its public exposure.
“During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki,” explained Cisco. “PoohMilk exists only to launch Freenki. Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.”
The most recent campaign included a more sinister edge: a disc wiper designed to erase “the first sectors” of the targeted device.
Cisco Talos was cagey on attribution, but North Korean agents will come high up the suspect list, not least because the local documents were written in “very specific language suggesting that they were crafted by native Korean speakers rather than through the use of translation services.”
The vendor warned that this group could be around for years to come and continues to evolve; its latest addition is fileless capabilities, intended to help attacks fly under the radar of security filters.