
Operational Security

6/5/2018
08:05 AM
Jeffrey Burt

Trojan Campaign Uses US & North Korea Summit to Lure Victims

The hackers behind the NavRAT malware are targeting South Koreans with a spear-phishing effort that refers to the upcoming meeting between the US and North Korean leaders, Talos says.

North Korean cyber attackers appear to be using the planned upcoming summit talks between the leaders of the United States and North Korea in an email campaign aimed at South Korean computers, according to researchers with Cisco Talos.

The threat actors -- whom Talos analysts noted in a blog post are likely part of the group of North Korean hackers they call Group123 -- are using spear-phishing emails designed to infect vulnerable Hangul Word Processor (HWP) installations with a remote access Trojan Talos is calling "NavRAT." Once the malicious document attached to the email is opened, the Trojan is downloaded. HWP is used primarily in South Korea, and the decoy document carries the name "Prospects for US-North Korea Summit.hwp." Embedded in the document is an encapsulated PostScript (EPS) object that executes malicious shellcode on the user's system.

Talos' Technical Leader Warren Mercer, who is one of the authors of the blog post, told Security Now in an email that "NavRAT is a typical RAT [remote access tool] which is attempting to compromise machines in order to facilitate both data theft and remote command execution capability on victim machines."

The NavRAT campaign is the latest coming out of North Korea even as its leader, Kim Jong Un, prepares to meet with President Trump at a June 12 summit in Singapore. The FBI and Department of Homeland Security (DHS) last week warned of malware called Joanap and Brambul, part of an advanced persistent threat (APT) effort by Hidden Cobra, the name given by the US government to attackers tied to the North Korean government. FBI and DHS officials noted that while Hidden Cobra has been around for more than 10 years, its activities have accelerated at the same time the two countries have been planning the summit designed to ease tensions between the United States and North Korea. (See FBI & DHS Warn About 2 North Korea Malware Threats.)

Since the start of 2018, the US government has put out multiple alerts about Hidden Cobra malware, including Sharpknot, Hardrain and Badcall. In April, McAfee Labs pointed to a Hidden Cobra campaign called "GhostSecret," which like Joanap targets critical infrastructure, finance, healthcare and other sectors in 17 countries. (See North Korea-Linked 'Operation GhostSecret' Found in 17 Countries.)

Given similarities between NavRAT and other attacks, Talos researchers have "medium confidence" that Group123 is behind the NavRAT campaign.

"We identified some relevant points which we believe with medium confidence suggests the involvement of Group123 based on previous TTPs used by this group," the analysts wrote in their blog. "The modus operandi is identical to previous Group123 campaigns -- a HWP document with embedded EPS object containing malicious shellcode. The shellcode of the embedded object is designed to download an image, which is, in fact, a new shellcode used to decode an embedded executable. We saw this exact same methodology used by Group123 during previous attacks. One such example is ROKRAT, another remote access trojan we discovered in April 2017 that targeted the Korean peninsula."

While the shellcode in the EPS object is not exactly the same as in earlier Group123 samples, it shares similarities in areas such as the number of instructions used, the number of NOP (no-operation) instructions, and a command layout that is almost identical.
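The HWP-with-embedded-EPS delivery chain described above is something defenders can triage for directly. The following Python sketch is an added example (not Talos' tooling or code from this article): it assumes the document's OLE streams have already been read out of the HWP 5.0 container (for instance with olefile), that BinData streams use raw deflate as HWP 5.0 does when its compression flag is set, and all sample streams are constructed inline.

```python
"""Triage HWP 5.0 BinData streams for embedded EPS objects that look like
they carry shellcode (constructed example; not Talos' tooling)."""
import re
import zlib

# Heuristics: very long hex string literals (a common way to smuggle shellcode
# into EPS) and PostScript operators often seen in EPS exploits.
LONG_HEX_STRING = re.compile(rb"<[0-9A-Fa-f\s]{512,}>")
SUSPICIOUS_OPS = (b"exec", b"eexec", b"readstring", b"forall")

def inflate_bindata(raw: bytes) -> bytes:
    """HWP 5.0 stores BinData as raw deflate when the file header's
    compression flag is set; otherwise treat the stream as-is."""
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw

def scan_streams(streams: dict) -> list:
    """streams: OLE stream path -> raw bytes (as read out with e.g. olefile).
    Returns [(stream_name, reasons)] for every embedded EPS object found."""
    findings = []
    for name, raw in streams.items():
        if not name.startswith("BinData/"):
            continue
        data = inflate_bindata(raw)
        if not data.lstrip().startswith(b"%!PS"):
            continue  # image or other binary, not PostScript
        reasons = ["embedded EPS object"]
        if LONG_HEX_STRING.search(data):
            reasons.append("long hex string literal (possible shellcode)")
        ops = [op.decode() for op in SUSPICIOUS_OPS if op in data]
        if ops:
            reasons.append("operators: " + ",".join(ops))
        findings.append((name, reasons))
    return findings

def deflate(data: bytes) -> bytes:
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()

def build_sample() -> dict:
    """Constructed streams: a benign EPS, an EPS hiding 800 hex chars of 0x90
    (NOP) bytes behind exec, an uncompressed JPEG, and a non-BinData stream."""
    benign = b"%!PS-Adobe-3.0 EPSF-3.0\n0 0 moveto 10 10 lineto stroke\n"
    blob = b"<" + b"90" * 400 + b">"
    suspect = b"%!PS-Adobe-3.0 EPSF-3.0\n/buf " + blob + b" def\nbuf exec\n"
    return {
        "BinData/BIN0001.eps": deflate(benign),
        "BinData/BIN0002.eps": deflate(suspect),
        "BinData/BIN0003.jpg": b"\xff\xd8\xff\xe0JFIF-constructed",
        "PrvText": b"decoy body text",
    }
```

Running `scan_streams(build_sample())` flags both EPS streams as embedded objects but only the second one for a shellcode-like hex blob and the `exec` operator; any EPS inside a document that should only hold text and images is itself worth a closer look.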

Talos researchers wrote that NavRAT is a classic RAT -- it can download, upload, execute commands on the system and perform keylogging. They believe it has been around since 2016 but has been used sparingly for specific targets. One unique feature is that it uses a legitimate Naver email platform that is popular in South Korea. There has been malware that uses free email platforms, but this is the first campaign that leverages Naver, they said.

The analysts said that using a well-known local email provider was a smart move by the attackers because it's difficult to identify malicious messages in the middle of legitimate traffic. However, they also noted that during their investigation, NavRAT was not able to communicate with a particular email address due to protection implemented by Naver. The malware likely was executed from too many different countries and the account was locked, they said. The researchers said they identified the NavRAT sample on several public sandbox systems and assume that the sandboxes tried multiple times to connect.

"The Naver platform has a geo-positioning capability which appears to look for where users have previously logged in from," Talos' Mercer told Security Now. "This is an additional layer of protection which some email platforms use."

He said that while it's not easy predicting where and when cyberattacks will occur, "given the nature of the Korean Peninsula and the attacks we have witnessed over the last year with ROKRAT, it's not unfair to say there could be more attacks leveraging NavRAT in the future. Using international conferences and summits like this has been used previously, we saw similar decoy documents used during CyCon 2017, a conference about cyber conflict."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
