#1257351: Venus 121, <Rocketman Campaign> Operation 'Black Banner' APT Attack

Description: https://translate.google.com/translate?hl=nl&sl=ko&tl=en&u=https%3A%2F%2Fblog.alyac.co.kr%2F2281

During the weekend, key figures in North Korea-related organizations have been caught up in a spear phishing attack.

Many recent APT (Intelligent Sustainable Threat) attacks found in Korea are based on the HWP document file vulnerability, and this case also exploits the same HWP vulnerability.

In particular, this attack was released without any detailed explanation or content, and it is attracted to the recipient to open the attachment in simple curiosity.

■ Operation Black Banner appeared

In ESRC, this APT attack was carried out by the organization 'Geumseong121' We have confirmed that it is part of the Rocket Campaign.

The attack vector used malicious code that disguised itself as a normal banner image file. By using this feature, Cyber operation name was named ' Operation Black Banner '

The e-mails used in the attack were as follows, distributed over the weekend to a variety of users, mainly from people working in North Korea-related organizations.

[Fig.1] Spear phishing screen performed by Korea's e-mail service

The attacker attacked with a 29KB HWP document file, and the e-mail body contained nothing.

■ HWP malicious code analysis

File Name

20190426.hwp / day_ schedule .hwp

Last Saved By




The BinData stream in the HWP document file contains 'BIN0001.eps' Post Script.

[Figure 2] HWP PostScript screen

If PostScript and shellcode work properly, you will try to communicate to a specific Korean website.

When communicating with the host, the file is downloaded as a GIF image file , which is actually a 32-bit malicious EXE file.

The malicious file was produced on April 18, 2019 based on Korean time (KST), and the UPX scramble technique is applied.

[Figure 3] PostScript shellcode and C2 address screen

Malicious files are registered on certain Korean websites as of April 29, 2019.

At ESRC, we believe that the malicious code is registered through the attacker's server , and we are working closely with relevant organizations such as KISA to ensure rapid response.

When you actually access the server, you will see the following.

[Figure 4] Server screen with malicious file

The ESRC analyzed the code and obtained clues that Venus 121 threat organization is behind.

The malicious code is registered as 'sogoupin.exe' and will attempt to communicate with a specific C2 address in Korea.

- youngs.dgweb.kr/skin15/include/bin/home[.]php

[Figure 5] C2 communication packet screen

■ Pseudo-threat cases analysis

You can see that the string 'srvrlyscss' is used when communicating with the C2 server, which is constantly being discovered in a previous pseudo- infringement incident.

This abbreviation is estimated to be short for Server Relay Success.

This string has been published in the latest APT campaign of 'Venus 121 Group' - 'Operation Rocket Man' report.

And the 'youngs.dgweb.kr' domain, which is used as the C2 address, has been used in the [ Operation Golden Bird ] report of the Rocketman APT campaign .

As such, attackers are already using the same attack vectors based on the same TTPs (Tactics, Techniques, and Procedures).

Interestingly, this malware also identified the following PDB paths:

- F: \)) PROG \ ie \ test.pdb

[Figure 6] PDB path existence screen

A similar PDB path has already been reported in many similar forms, and 100% identical code is included in the Operation High Expert content.

▶ Venus 121 APT organization, 'Operation High Expert' / 2019 04.02

- F: \)) PROG \ ie \ test.pdb
▶ The latest APT Campaign of Goldsmith 121 Group - 'Operation Rocket Man' / 2019. 08. 22

- E: \)) PROG \ doc_exe \ Release \ down_doc.pdb

The APT attack on the Venus 121 organization is progressing steadily. Mainly spear phishing attacks are being caught and exploit vulnerabilities in HWP document files.

At ESRC, we are confident that these organizations will be sponsored by specific governments and are conducting research based on threat intelligence.

It is not a zero-day vulnerability that has been used for attacks, and users are urged to update the documentation software with the latest version, so that they are not exposed to similar threats, as the already completed security patches are constantly being exploited.

We identified the malicious code related to this attack as 'Trojan.Agent.110592C' It has been added as a detection name.

출처: https://translate.googleusercontent.com/translate_c?depth=1&hl=nl&rurl=translate.google.com&sl=ko&sp=nmt4&tl=en&u=https://blog.alyac.co.kr/2281&xid=17259,15700022,15700186,15700190,15700253,15700256,15700259&usg=ALkJrhj5SXYd4sGShzD5svVMgxhPw5iQ6g [이스트시큐리티 알약 블로그]

More info: https://blog.alyac.co.kr/2281

Date added May 2, 2019, 3:51 p.m.
Source alyac.co.kr
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • . APTs - Advanced Persistent Threats - New Reports in
  • . APTs - North Korea - New Reports in
  • North Korea - Venus-121/ Venus121 / Rocketman / Rocket Man Ransomware / Black Banner
Country North Korea