Stark#Mule Malware Campaign Targets Koreans, Uses US Army Documents

Techniques are similar to those in previous North Korean attacks and could be linked to well-known cyber-espionage organizations.

4 Min Read
North Korean and South Korean flags
Source: Steve Allen Travel Photography via Alamy Stock Photo

A Korean-language malware campaign known as Stark#Mule is targeting victims using US military recruiting documents as lures, then running malware staged from legitimate but compromised Korean e-commerce websites.

Security firm Securonix discovered the Stark#Mule attack campaign, which it said allows threat actors to disguise themselves amid normal website traffic.

The campaign seems to target Korean-speaking victims in South Korea, indicating a possible attack origin from neighboring North Korea.

One of the tactics used is sending targeted phishing emails written in Korean, which drop legitimate-looking documents in a zip archive with references to US Army recruitment and Manpower & Reserve Affairs resources included within the documents.

The attackers have set up a complex system that allows them to pass for legitimate website visitors, making it difficult to detect when they transmit malware and take over the victim's machine.

They also employ deceptive materials that purport to offer information on US Army and military recruitment, much like honeypots.

By tricking the receivers into opening the documents, the virus is unintentionally executed. The last stage involves a difficult infection that communicates through HTTP and embeds itself into the victim's computer, making it challenging to find and remove.

"It seems like they are targeting a particular group, which hints that the effort may be related to North Korea, with an emphasis on Korean-speaking victims," says Zac Warren, chief security advisor, EMEA, at Tanium. "This raises the possibility of state-sponsored cyberattacks or espionage."

Stark#Mule also may have laid its hands on a possible zero-day or at least a variant of a known Microsoft Office vulnerability, allowing the threat actors to gain a foothold on the targeted system just by having the targeted user open the attachment.

Oleg Kolesnikov, vice president of threat research, cybersecurity for Securonix, says based on prior experience and some of the current indicators he has seen, there is a good chance that the threat originates from North Korea.

"However, the work on final attribution is still in progress," he says. "One of the things that makes it stand out is attempts to use US military-related documents to lure victims as well as running malware staged from legitimate, compromised Korean websites."

He adds that Securonix's assessment of the level of sophistication of the attack chain is medium and notes these attacks align with past activities of typical North Korean groups like APT37, with South Korea and its government officials as the primary targets.

"The initial malware deployment method is relatively trivial," he says. "The subsequent payloads observed appear to be fairly unique and relatively well-obfuscated."

Warren says due to its advanced methodology, cunning strategies, precise targeting, suspected state involvement, and difficult virus persistence, Stark#Mule is "absolutely significant."

Success Through Social Engineering

Mayuresh Dani, manager of threat research at Qualys, points out bypassing system controls, evasion by blending in with legitimate ecommerce traffic, and gaining complete control on an earmarked target, all the while staying undetected, all make this threat noteworthy. 

"Social engineering has always been the easiest target in an attack chain. When you mix political rivalry leading to inquisitiveness to this, you have a perfect recipe for compromise," he says.

Mike Parkin, senior technical engineer at Vulcan Cyber, agrees a successful social engineering attack requires a good hook.

"Here, it appears the threat actor has succeeded in creating subjects that are interesting enough for their targets to take the bait," he says. "It shows the attacker's knowledge of their target, and what is likely to pique their interest."

He adds North Korea is one of several nations known to blur the lines among cyber-warfare, cyber-espionage, and cybercriminal activity.

"Given the geopolitical situation, attacks like this are one way they can lash out to further their political agenda without having a serious risk of it escalating into actual warfare," Parkin says. 

A Cyberwar Rages in a Divided Country

North Korea and South Korea have historically been at loggerheads since their separation — any information that gives the other side an upper hand is always welcome.

Currently, North Korea is stepping up offense in the physical world by testing ballistic missiles, and it is also trying to do the same in the digital world.

"As such, while the origin of an attack is relevant, cybersecurity efforts should focus on overall threat detection, response readiness, and implementing best practices to protect against a wide range of potential threats, regardless of their source," Dani says. 

The way he sees it, US military will collaborate with its partner states, including other government agencies, international allies, and private sector organizations, to share threat intelligence related to Stark#Mule and possible remediation action.

"This collaborative approach will strengthen overall cybersecurity efforts and is crucial for fostering international cooperation in cybersecurity," he notes. "IT enables other countries and organizations to enhance their defenses and prepare for potential attacks, leading to a more coordinated global response to cyber threats."

The North Korean state-sponsored Lazarus advanced persistent threat (APT) group is back with yet another impersonation scam, this time posing as developers or recruiters with legitimate GitHub or social media accounts.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights