Trojan Campaign Uses US & North Korea Summit to Lure Victims

North Korean cyber attackers appear to be using the planned upcoming summit talks between the leaders of the United States and North Korea in an email campaign aimed at South Korean computers, according to researchers with Cisco Talos.

The threat actors -- whom Talos analysts noted in a blog post are likely part of the group of North Korean hackers they call Group123 -- are using spear phishing emails designed to infect vulnerable Hangul Word Processors (HWPs) with a remote access Trojan Talos is calling "NavRAT." Once a malicious document attached to the email is opened, the Trojan is downloaded. HWPs are primarily used in South Korea, and the decoy document comes with the name "Prospects for US-North Korea Summit.hwp." Embedded in the document is an encapsulated postscript (EPS) object that executes the malicious shellcode onto the user's system.

(Source: Wikimedia)

Talos' Technical Leader Warren Mercer, who is one of the authors of the blog post, told Security Now in an email that "NavRAT is a typical RAT [remote access tool] which is attempting to compromise machines in order to facilitate both data theft and remote command execution capability on victim machines."

The NavRAT campaign is the latest coming out of North Korea even as its leader, Kim Jung Un, prepares to meet with President Trump at a June 12 summit in Singapore. The FBI and Department of Homeland Security (DHS) last week warned of malware called Joanap and Brambul, part of an advanced persistent threat (APT) effort by Hidden Cobra, the name given by the US government to attackers tied to the North Korean government. FBI and DHS officials noted that while Hidden Cobra has been around for more than 10 years, its activities have accelerated at the same time the two countries have been planning the summit designed to ease tensions between the United States and North Korea. (See FBI & DHS Warn About 2 North Korea Malware Threats .)

Since the start of 2018, the US government has put out multiple alerts about Hidden Cobra malware, including Sharpknot, Hardrain and Badcall. In April, McAfee Labs pointed to a Hidden Cobra campaign called "GhostSecret," which like Joanap targets critical infrastructure, finance, healthcare and other sectors in 17 counties. (See North Korea-Linked 'Operation GhostSecret' Found in 17 Countries.)

Given similarities between NavRAT and other attacks, Talos researchers have "medium confidence" that Group123 is behind the NavRAT campaign.

"We identified some relevant points which we believe with medium confidence suggests the involvement of Group123 based on previous TTPs used by this group," the analysts wrote in their blog. "The modus operandi is identical to previous Group123 campaigns -- a HWP document with embedded EPS object containing malicious shellcode. The shellcode of the embedded object is designed to download an image, which is, in fact, a new shellcode used to decode an embedded executable. We saw this exact same methodology used by Group123 during previous attacks. One such example is ROKRAT, another remote access trojan we discovered in April 2017 that targeted the Korean peninsula."

While the shellcode in the EPS object is not exactly the same, there are similarities in such areas as the number of instructions used, the amount of NOP (No Operations) and command layout that is almost identical.

Talos researchers wrote that NavRAT is a classic RAT -- it can download, upload, execute commands on the system and perform keylogging. They believe it has been around since 2016 but has been used sparingly for specific targets. One unique feature is that it uses a legitimate Naver email platform that is popular in South Korea. There has been malware that uses free email platforms, but this is the first campaign that leverages Naver, they said.

The analysts said that using a well-known local email provider was a smart move by the attackers because it's difficult to identify malicious messages in the middle of legitimate traffic. However, they also noted that during their investigation, NavRAT was not able to communicate with a particular email address due to protection implemented by Naver. The malware likely was executed from too many different countries and the account was locked, they said. The researchers said they identified the NavRAT sample on several public sandbox systems and assume that the sandboxes tried multiple times to connect.

"The Naver platform has a geo-positioning capability which appears to look for where users have previously logged in from," Talos' Mercer told Security Now. "This is an additional layer of protection which some email platforms use."

He said that while it's not easy predicting where and when cyberattacks will occur, "given the nature of the Korean Peninsula and the attacks we have witnessed over the last year with ROKRAT, it's not unfair to say there could be more attacks leveraging NavRAT in the future. Using international conferences and summits like this has been used previously, we saw similar decoy documents used during CyCon 2017, a conference about cyber conflict.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.