
6/5/2018 08:05 AM
Jeffrey Burt

Trojan Campaign Uses US & North Korea Summit to Lure Victims

The hackers behind the NavRAT malware are targeting South Koreans with a spear-phishing effort that refers to the upcoming meeting between the US and North Korean leaders, Talos says.

North Korean cyber attackers appear to be using the upcoming summit between the leaders of the United States and North Korea as the lure in an email campaign aimed at South Korean computers, according to researchers with Cisco Talos.

The threat actors, who Talos analysts noted in a blog post are likely part of the North Korean group the researchers call Group123, are using spear-phishing emails designed to exploit vulnerable installations of the Hangul Word Processor (HWP) and deliver a remote access Trojan Talos is calling "NavRAT." HWP is used primarily in South Korea, and the decoy document attached to the email is named "Prospects for US-North Korea Summit.hwp." Embedded in the document is an Encapsulated PostScript (EPS) object carrying shellcode; when the victim opens the document, that shellcode runs and retrieves the Trojan onto the user's system.


Talos' Technical Leader Warren Mercer, who is one of the authors of the blog post, told Security Now in an email that "NavRAT is a typical RAT [remote access tool] which is attempting to compromise machines in order to facilitate both data theft and remote command execution capability on victim machines."

The NavRAT campaign is the latest coming out of North Korea even as its leader, Kim Jong Un, prepares to meet with President Trump at a June 12 summit in Singapore. The FBI and Department of Homeland Security (DHS) last week warned of malware called Joanap and Brambul, part of an advanced persistent threat (APT) effort by Hidden Cobra, the name given by the US government to attackers tied to the North Korean government. FBI and DHS officials noted that while Hidden Cobra has been around for more than 10 years, its activities have accelerated at the same time the two countries have been planning the summit designed to ease tensions between the United States and North Korea. (See FBI & DHS Warn About 2 North Korea Malware Threats.)

Since the start of 2018, the US government has put out multiple alerts about Hidden Cobra malware, including Sharpknot, Hardrain and Badcall. In April, McAfee Labs pointed to a Hidden Cobra campaign called "GhostSecret," which, like Joanap, targets critical infrastructure, finance, healthcare and other sectors in 17 countries. (See North Korea-Linked 'Operation GhostSecret' Found in 17 Countries.)

Given similarities between NavRAT and other attacks, Talos researchers have "medium confidence" that Group123 is behind the NavRAT campaign.

"We identified some relevant points which we believe with medium confidence suggests the involvement of Group123 based on previous TTPs used by this group," the analysts wrote in their blog. "The modus operandi is identical to previous Group123 campaigns -- a HWP document with embedded EPS object containing malicious shellcode. The shellcode of the embedded object is designed to download an image, which is, in fact, a new shellcode used to decode an embedded executable. We saw this exact same methodology used by Group123 during previous attacks. One such example is ROKRAT, another remote access trojan we discovered in April 2017 that targeted the Korean peninsula."

While the shellcode in the EPS object is not byte-for-byte the same as in earlier campaigns, the researchers found similarities in the number of instructions used, the amount of NOP (no-operation) padding and an almost identical command layout.
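The delivery chain above (an HWP document whose BinData storage holds an EPS object that smuggles shellcode) is something an analyst will want to triage quickly. The following is an added example, not code from Cisco Talos or from the NavRAT campaign. It assumes the HWP 5.x layout, in which embedded objects are OLE streams named BinData/BIN*.eps stored with raw deflate, and it uses a constructed PostScript sample (not a real exploit) that only has the shape of a shellcode carrier: a long hex-string literal beginning with a NOP run that is handed to exec. The scoring thresholds are assumptions to tune against your own corpus; opening real .hwp files needs the third-party olefile package.

```python
"""Triage helper for HWP documents carrying an embedded EPS object.

Added example, not Cisco Talos code. Assumptions: the file is an HWP 5.x
OLE compound document whose embedded objects live under the BinData storage
as BIN*.eps streams stored with raw deflate; the scoring heuristics are mine.
"""
import re
import zlib

try:
    import olefile  # third-party; needed only to open real .hwp files
except ImportError:
    olefile = None

# Constructed sample (not a real exploit): a PostScript body with the *shape*
# of a shellcode carrier, a long hex string literal starting with a NOP run,
# handed to exec. Only the layout matters for the heuristics below.
_BLOB = bytes([0x90] * 32) + bytes(range(256))
SAMPLE_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"/buf <" + _BLOB.hex().encode() + b"> def\n"
    b"/run { buf exec } def\n"
    b"run\n"
)
BENIGN_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n0 0 moveto 10 10 lineto stroke\n"

HEX_LITERAL = re.compile(rb"<([0-9A-Fa-f\s]{2,})>")   # PostScript hex string
NOP_RUN = re.compile(rb"\x90{8,}")                    # x86 NOP sled


def pack_bindata(data: bytes) -> bytes:
    """Raw-deflate a payload the way HWP BinData streams are stored (for tests)."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def inflate_bindata(raw: bytes) -> bytes:
    """Inflate a BinData stream: raw deflate first, then zlib-wrapped, else as-is."""
    for wbits in (-15, 15):
        try:
            return zlib.decompress(raw, wbits)
        except zlib.error:
            continue
    return raw


def score_eps(data: bytes) -> dict:
    """Heuristic indicators of an EPS object used as a shellcode carrier."""
    blobs = []
    for m in HEX_LITERAL.finditer(data):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        try:
            blobs.append(bytes.fromhex(hexdigits[: len(hexdigits) & ~1].decode()))
        except ValueError:
            continue
    largest = max((len(b) for b in blobs), default=0)
    nop_run = any(NOP_RUN.search(b) for b in blobs)
    exec_count = len(re.findall(rb"\bexec\b", data))   # does not match eexec
    is_ps = data.startswith(b"%!PS")
    return {
        "is_postscript": is_ps,
        "largest_hex_blob": largest,
        "nop_run": nop_run,
        "exec_count": exec_count,
        # thresholds are a starting point; tune them against your own corpus
        "suspicious": is_ps and exec_count > 0 and (largest >= 256 or nop_run),
    }


def scan_hwp(path: str) -> list:
    """Score every BinData/*.eps stream of an HWP file; needs olefile."""
    if olefile is None:
        raise RuntimeError("pip install olefile to scan real HWP files")
    findings = []
    with olefile.OleFileIO(path) as ole:
        for entry in ole.listdir(streams=True, storages=False):
            if entry[0] != "BinData" or not entry[-1].lower().endswith(".eps"):
                continue
            raw = ole.openstream(entry).read()
            findings.append(("/".join(entry), score_eps(inflate_bindata(raw))))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for name, result in scan_hwp(sys.argv[1]):
            print(name, result)
    else:
        print("constructed sample:", score_eps(inflate_bindata(pack_bindata(SAMPLE_EPS))))
```

Run it with a path to score the streams of a real document, or with no arguments to see the constructed sample flagged. The indicators deliberately match what the Talos analysts compared across campaigns (shellcode size and NOP padding) rather than exact bytes, so a re-padded or lightly mutated carrier still trips the check; a benign drawing with no hex blob and no exec scores clean.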

Talos researchers wrote that NavRAT is a classic RAT: it can download and upload files, execute commands on the system and perform keylogging. They believe it has been around since 2016 but has been used sparingly against specific targets. One unusual feature is that it communicates with its operators through the legitimate Naver email platform, which is popular in South Korea. There has been malware that uses free email platforms before, but this is the first campaign they have seen that leverages Naver, they said.

The analysts said that using a well-known local email provider was a smart move by the attackers because it's difficult to identify malicious messages in the middle of legitimate traffic. However, they also noted that during their investigation, NavRAT was not able to communicate with a particular email address due to protection implemented by Naver. The malware likely was executed from too many different countries and the account was locked, they said. The researchers said they identified the NavRAT sample on several public sandbox systems and assume that the sandboxes tried multiple times to connect.

"The Naver platform has a geo-positioning capability which appears to look for where users have previously logged in from," Talos' Mercer told Security Now. "This is an additional layer of protection which some email platforms use."
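Because the RAT rides on a mail provider that local users legitimately talk to, destination-based blocking is useless; what separates the implant from normal traffic is which process is speaking SMTP or POP3 to the provider. The following is an added example, not Talos code, showing that baseline check over Sysmon-style network-connection events. The event lines are constructed, the Naver hostnames are assumed names, and the allowlist of images expected to contact a mail provider is a placeholder for your own environment's baseline.

```python
"""Spot webmail-based C2 hiding in legitimate traffic, on Sysmon-style
network-connection events.

Added example, not Talos code. The event lines are constructed; the Naver
hostnames and the allowlist of images expected to talk to a mail provider
are assumptions to replace with your own environment's baseline.
"""
import re
from collections import defaultdict

# Constructed Sysmon Event ID 3 style records (key=value, one per line).
SAMPLE_EVENTS = r"""
Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationHostname=mail.naver.com DestinationPort=443
Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE DestinationHostname=smtp.naver.com DestinationPort=587
Image=C:\Users\kim\AppData\Local\Temp\report.exe DestinationHostname=smtp.naver.com DestinationPort=587
Image=C:\Users\kim\AppData\Local\Temp\report.exe DestinationHostname=pop.naver.com DestinationPort=995
Image=C:\Users\kim\AppData\Local\Temp\report.exe DestinationHostname=pop.naver.com DestinationPort=995
Image=C:\Windows\System32\svchost.exe DestinationHostname=update.example.com DestinationPort=443
""".strip()

# Provider host suffix (assumed) and the ports that carry SMTP submission,
# POP3 and IMAP, which is where a RAT would talk, not the browser-facing UI.
MAIL_HOST_SUFFIX = ".naver.com"
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}
# Images a mail-protocol connection is expected from (site baseline, assumed).
EXPECTED_IMAGES = {"outlook.exe", "thunderbird.exe", "firefox.exe", "chrome.exe", "msedge.exe"}

# key=value pairs whose values may contain spaces (Windows paths)
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict."""
    return dict(KV.findall(line))


def is_suspect(ev: dict) -> bool:
    """Mail-protocol connection to the provider from an image not in the baseline."""
    host = ev.get("DestinationHostname", "").lower()
    port = int(ev.get("DestinationPort", 0))
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if not host.endswith(MAIL_HOST_SUFFIX) or port not in MAIL_PORTS:
        return False
    return image not in EXPECTED_IMAGES


def find_webmail_c2(events: str) -> dict:
    """Return {image path: sorted provider hosts} for unexpected mail-protocol clients."""
    hits = defaultdict(set)
    for line in events.splitlines():
        ev = parse_event(line)
        if ev and is_suspect(ev):
            hits[ev["Image"]].add(ev["DestinationHostname"].lower())
    return {img: sorted(hosts) for img, hosts in hits.items()}


if __name__ == "__main__":
    for image, hosts in find_webmail_c2(SAMPLE_EVENTS).items():
        print(f"unexpected mail client: {image} -> {', '.join(hosts)}")
```

On the constructed events only the executable in the user's Temp directory is reported, with both the SMTP and POP3 hosts it touched; the browser hitting the web UI on 443 and Outlook on the submission port are left alone. In production the image allowlist should come from observed history per host rather than a static set, and a second signal worth adding is a newly seen binary making its first provider connection within minutes of an HWP document being opened.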

He said that while it's not easy predicting where and when cyberattacks will occur, "given the nature of the Korean Peninsula and the attacks we have witnessed over the last year with ROKRAT, it's not unfair to say there could be more attacks leveraging NavRAT in the future. Using international conferences and summits like this has been used previously, we saw similar decoy documents used during CyCon 2017, a conference about cyber conflict."


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
