#1248917: Targetted attack on the second North American summit

Description: CVE-2018-20250 exploit vulnerability, APT attack on the second North American summit, 'Operation Hiden Python'


출처: https://translate.googleusercontent.com/translate_c?depth=1&rurl=translate.google.com&sl=ko&sp=nmt4&tl=en&u=https://blog.alyac.co.kr/2160&xid=17259,15700019,15700186,15700190,15700248,15700253&usg=ALkJrhjqh_ofzKx8QgLoaEBpWm036_vAoA [이스트시큐리티 알약 블로그]


With the schedule for the second North American summit meeting in Hanoi, Vietnam, the suspicion of an APT attack using the ACE compression format vulnerability (CVE-2018-20250) was captured.

■ ACE Compression Format Vulnerability (CVE-2018-20250) Background

CVE-2018-20250 Vulnerability exists in the ACE decompression dynamic library 'unacev2.dll' file. When this vulnerability is exploited, malicious files can be created in the Windows operating system startup program path so that it can be executed automatically upon rebooting. .

- C: \ Users \ [Account Name] \ AppData \ Roaming \ Microsoft \ Windows \ Start Menu \ Programs \ Startup

- C: \ ProgramData \ Microsoft \ Windows \ Start Menu \ Programs \ StartUp

※ (Reference) Found a vulnerability in WinRAR for 19 years! Approximately 500 million users are likely to be affected

■ Attempted Attack of Intelligent Sustainable Threat (APT) disguised as the 2nd North American Summit Document?

ESRC has found a vulnerability file 'CVE-2018-20250' using the filename 'North America Second Summit .rar' .

The file has a RAR compressed file extension, but it has internal ACE format and contains Python-based malicious files.

This ACE vulnerability has been hidden for a long time What you use I named it 'Operation Hidden Python' in terms of using Python based attack vectors .

Also, it is assumed that the file is password protected and that the attacker sent the spear phishing e-mail body with the password for the release.

Inside the compressed file, you can see that 'North American Second Summit .hwp' document file was added at about 3:28 am on February 26, 2019, and another 'Desktop.ini.exe' I see that a malicious file exists.

[Figure 1] ACE vulnerability file inside 'North Africa Second Summit .rar' compressed format file

If you try to unzip the 'North America Second Summit .rar' archive, you will see a window asking you to enter your password.

The attacker attempted to customize the attack and avoid security detection through the encryption compression setting in the step of configuring the corresponding ACE compression format.

Therefore, if you do not know the password you set, you may have difficulty in analyzing the additional files that exist inside.

[Figure 2] Password function set in compressed file

If you look at the code structure inside the malicious RAR file found here, you can see the ACE header as follows, and the phrase '* UNREGISTERED VERSION *' exists.

In addition, you can see that the startup path and the generated file name ('Desktop.ini.exe') are hard-coded.

[Figure 3] RAR code internal structure screen

ESRC has succeeded in securing the internal files while checking the set password.

If the infection is caused by exposure to ACE vulnerabilities, by default 'Desktop.ini.exe' malicious files are registered with the startup program and configured to run automatically upon reboot.

Therefore, the file will remain latency until rebooting , and the attacker will use the file name and icon similarly, utilizing the fact that the 'desktop.ini' normal configuration file exists in the startup program path .

[Fig.4] Screen when registered in the startup program

The 'Desktop.ini.exe' file will be created as a Python library and a main module in a temporary path (Temp) if it is executed as an EXE file created on Python (Python) basis.

The main function is iteratively encoded with Base64 code, and the main command code consists of a PowerShell.

And '46 .29.163.222: 9999 'It tries to communicate secretly with Russian IP address and it waits for additional command of attacker.


- Cookie: session = jbWUS4FOkzKjPDqMrYuDTzCiaVY =

[Figure 5] Python main function command screen

■ Encrypt normal HWP documents for use in target attacks

In addition, 'North America's second summit.rar' file includes 'North America's second summit.hwp' file.

This file is based on UTC 02/26/2010 at 11:28 UTC and contains the following meta information.

In addition, the HWP document file also has the password setting function enabled, so if you do not know the password set by the author, you will not be able to open it.

[Figure 6] 'North American Second Summit .hwp' Information Screen

ESRC was able to obtain a similar document that was not password-protected during the investigation of the password-enabled document file .

The document includes the following, together with the title of 'North America's Second Summit', together with the contents of the Hanoi Talks in Vietnam on 27-28 February 2019 and the Declaration of Panmunjom on April 27, 2018 .

Unusually, it is estimated that some of the contents related to the Vietnam talks and some of the summit talks between Panmunjom and North Korea were written with different fonts .

[Figure 7] 'North American Second Summit .hwp' Document File Contents Screen

ESRC notes that this malicious file format was built on a Python-based platform that was not widely known and has been conducting similar threats and association studies in the past.

IoC will be provided through 'Threat Inside' service.

Since the attack using the ACE compression format vulnerability (CVE-2018-20250) has been detected, users of compressed programs are encouraged to update to the latest version, and the pills will maintain correspondence with the detection name of 'Backdoor.Agent' type There is.

More info: https://blog.alyac.co.kr/2160

Date added Feb. 27, 2019, 10:43 a.m.
Source Alyac
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • . APTs - Advanced Persistent Threats - New Reports in
  • . APTs - North Korea - New Reports in
  • North Korea - GandCrab / GrandCrab / FusionCore / ICLoader / PUA_ICLOADER / VenusLocker / Venus 121 / Goldstart 121
  • North Korea - Phorpiex/Trik Botnet Malware (Used to spread GandCrab)
  • North Korea (Possibly) Fallout Exploit Kit - Linked to Gandcrab / SmokeLoader Trojan
  • North Korea - Vidar InfoStealer Trojan (Used in combination with Gandcrab)
Country North Korea
CVE CVE-2018-20250