Report Ties North Korean Attacks to New Malware, Linked by Word Macros

Haythem Elmir

Newly discovered malware from the world of cyberespionage connects the dots between the tools and operations of the little-known Reaper group believed to act on behalf of the North Korean government.

The latest findings indicate that the remote access Trojans (RAT) in the KONNI and DOGCALL families are the work of the same operator, tasked with spying organizations in the military and defense industry in South Korea, an entity in the Middle East that was doing business with the Pyongyang and politically-motivated victims in Eurasia.

NK is the common ground for the KONNI and NOKKI RATs

Security researchers from Palo Alto Network’s Unit 42 recently published an analysis of NOKKI, a new RAT named so because of the significant code overlap with KONNI threat of the same type, initially discovered Cisco Talos.

During the NOKKI analysis, the researchers found that the latest attacks using this RAT began in July and relied on malicious Microsoft Word documents to lure victims into deploying the malware.

This is common tactics, but the technique used to avoid detection was particular, in that « it would first convert the base64-encoded text into hex, and then convert that hex into a text string, » Unit 42 explains in a report shared with BleepingComputer.

This unique approach for evading detection was present in one other malicious document in Unit 42’s sample bank, with a creation date of March 19, and the last modification on June 16.

Its name was ‘World Cup predictions.doc’ and the macro code inside it ran the same deobfuscation routine for payload delivery as the in macros that dropped the NOKKI RAT.

Unit 42 found that the new sample of malicious macro code downloaded and executed a VBScript and included two texts it could append to the Microsoft file displayed to the victim: one was an excerpt from an ESPN article on World Cup predictions; the other was a piece from an article detailing Supreme Leader’s visit to Singapore.

Word document with macro that downloads DOGCALL RAT

If the lure worked and the victim opened the document and enabled macro code, they would read one of the two texts as if it was a regular document, just like seen in the image below, while the DOGCALL RAT downloaded and installed in the background.

Macro code shows decoy text while RAT installs in the background

New dropper found for an old RAT

If NOKKI or KONNI have not been attributed to North Korean operations in the past, DOGCALL has been associated with the cyber activity led by Pyongyang, more specifically with the Reaper group, also known as APT37, Group123, FreeMilk,  StarCruft, Operation Daybreak and Operation Erebus.

While disentangling the deobfuscation and download routines used by the macro in the ‘World Cup predictions’ document, the researchers also noticed a malware dropper that has not been reported before, which they called Final1stspy.

The final payload delivered by Final1stspy is from the DOGCALL family and it can take screenshots, log keystrokes, exfiltrate files, download and execute other payloads or capture audio through the computer’s microphone.

Unit 42’s research adds new pieces to the North Korean cyberespionage operations puzzle and shows that even nation-state actors make mistakes that lead to revealing the author behind the malicious tools, or at least pin them under the same operator.

Using information about tools already attributed to the DPRK (Democratic People’s Republic of Korea) cyberspionage enterprises, security researchers recently have built a malware family tree showing how various operations between 2009 and 2017 connect to each other, some of them unattributed to the government in Pyongyang.

To read the original article:

Laisser un commentaire

Next Post

Appels frauduleux provenant des numéros commençant par +881

L’Instance Nationale des Télécommunications appelle les consommateurs à la vigilance face aux appels en absence provenant de plusieurs numéros surtaxés ayant comme indicatif +881. Cette arnaque ne date pas d’aujourd’hui mais elle continue à sévir, soyez donc prudents! Il se peut bien que vous soyez victime d’une tentative de fraude […]