2023-06-14

South Korean Industries Under Attack by North Korean APT

Level: Tactical | Source: IBM

Civil, Communications, Education, Government, Manufacturing, Think Tanks


The North Korean APT group ITG10 has been identified conducting a large-scale cyber campaign targeting various South Korean entities. According to a report from IBM's Security X-Force, the campaign is targeting organizations in sectors such as communication, education, energy, government, manufacturing, supply chain, think tanks and dissident groups. ITG10 shares similarities in tactics, techniques, and procedures with APT37 (aka ScarCruft, Ricochet Chollima), leading to the assessment of overlap between these threat groups. As part of its attack strategy, ITG10 is using malicious lure documents to distribute malware, including a remote access trojan named RokRAT. Lure documents distributed by ITG10 have touched on subjects associated with geopolitical news or the coverage of such news, media production for broadcasts, document proposals, and an agenda for a multi-group seminar.

The decoy documents have been found to be delivered within a ZIP file or ISO container file that also contains a shortcut (LNK) file. The LNK file initiates the execution of a PowerShell script that opens the decoy document to distract the victim while the download of RokRAT occurs in the background. X-Force also encountered another batch of potentially related malware: three distinct LNK files used to drop a VBS file as opposed to the usual batch script payload. Unfortunately, the final payload could not be retrieved, leaving unknown both the malware's capabilities and its association with ITG10 or any further link to APT37. "IBM X-Force assesses with high confidence that individuals and organizations holding strategic, political, or military information in connection with the Korean peninsula will see elevated threats from the DPRK, given ITG10’s previous and recent activity."
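For defenders triaging attachments, the delivery pattern described above (a shortcut file shipped in the same archive as a document) can be checked before a user opens anything. The following is an added example, not code from IBM X-Force or Anvilogic; it covers only the ZIP case, and the decoy extension list, function names and sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
# Assumed decoy document extensions; adjust for your environment
DECOY_EXTS = {".doc", ".docx", ".hwp", ".pdf", ".ppt", ".pptx", ".xls", ".xlsx"}


def ext(name):
    """Lower-cased final extension of a path, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def triage_zip(data):
    """Inspect a ZIP (bytes) for shortcut files shipped next to documents."""
    shortcuts, decoys = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members cannot be read without a password
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            name = info.filename
            if head == LNK_MAGIC or ext(name) == ".lnk":
                # Explorer hides ".lnk", so "x.pdf.lnk" is displayed as "x.pdf"
                inner = ext(name[:-4]) if ext(name) == ".lnk" else ext(name)
                shortcuts.append({"name": name, "header_match": head == LNK_MAGIC,
                                  "masquerades_as": inner if inner in DECOY_EXTS else None})
            elif ext(name) in DECOY_EXTS:
                decoys.append(name)
    return {"shortcuts": shortcuts, "decoys": decoys, "suspicious": bool(shortcuts)}


def build_sample(with_lnk=True):
    """Constructed test archive: a fake PDF plus, optionally, a header-only LNK stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("seminar_agenda.pdf", b"%PDF-1.7\n")
        if with_lnk:
            zf.writestr("seminar_agenda.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```

The check matches on the shortcut header as well as the extension, so a renamed LNK is still flagged; ISO containers need a separate reader.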
