1. Short Summary
The BlueShark APT group has been actively targeting individuals in South Korea during the first half of 2024, utilizing various malware types and spear-phishing tactics disguised as legitimate requests for lectures and interviews.
2. Keypoints
- Utilization of various types of malware such as LNK, ISO, MSC, and HWP.
- Attempts to access targets disguised as requests for interviews, lectures, and seminars.
- Delivery of malicious files via cloud services like OneDrive and Proton Drive.
3. MITRE ATT&CK TTPs – created by AI
- Phishing (T1566)
  - Procedures:
    - Disguising malicious emails as legitimate requests for lectures or interviews.
    - Using cloud services to deliver malicious files.
- Malware (T1203)
  - Procedures:
    - Using various file types (LNK, ISO, MSC, HWP) to deliver malware.
4. Full Article Translation
● Various types of Malware such as LNK, ISO, MSC, HWP are used.
● Attempts to access disguised as requests for interviews, lectures, and seminars.
● Delivery of malicious files through cloud services like OneDrive and Proton Drive.
1. Overview
○ Various APT (Advanced Persistent Threat) attacks were observed during the first half of 2024, with South Korea as a primary target. Among them, the activities of the Kimsuky group sit at the center of the threat, and no discussion of the major threats of the period is complete without mentioning them.
○ The ‘BabyShark’ family they use continues to evolve and, depending on its form, is referred to by nicknames such as ‘ToddlerShark’ and ‘ReconShark’. Among these, the attack tactic based on the Microsoft Management Console (msc) was first introduced in an analysis report from the Genian Security Center (GSC); its abnormal behavior can be detected and responded to with Genian EDR products.
○ Meanwhile, GSC confirmed that malicious files disguised as lecture request documents were registered on the ‘blushaak’ site. The family has therefore been named ‘BlueShark’, and this report analyzes several of its cases comprehensively.
○ During this investigation, the linguistic correlation of several command and control (C2) servers and the mailers created by the threat actors was also confirmed.
[Figure 1-1] BlueShark flowchart and phishing mail sender correlation
2. Background
○ First, let’s look at representative past cases using the theme of lecture requests. Among them are two cases discovered in May 2023. One of the targeted individuals was a North Korean business representative who defected, and the other was the head of a North Korean human rights organization in South Korea.
[Figure 2] Follow-up attack screen for the reply sender
○ The spear-phishing attack targeting two experts working in the North Korean field continued over several days. As the email screens show, the attackers attempted initial access by impersonating a global academy lecture request supposedly run by a specific university researcher.
○ Only the recipient’s name changes slightly; the main body remains almost identical. After the emails are sent, some of the recipients who reply are selected, and a pre-prepared follow-up attack is carried out against them.
°°° Dear Representative, Hello, °° I am Professor °°° from the °°° Global Academy (°°°) operated by the °°° Research Institute. How have you been?
(Middle omitted) I am emailing to request a lecture for students preparing to enter international organizations this year.
(Middle omitted) As a token of appreciation, a modest speaker fee of 600,000 won will be provided. Please reply with the date and time you are available for the lecture, and feel free to contact me anytime if you have any additional inquiries. Thank you!
[Table 1] Part of the body requesting a lecture
○ The body states that the lecture request attachment was sent as a secure email, giving the impression that a docx or pdf document is attached. The attachment area carries the label [Secure Document], but clicking it leads to a webpage designed to lure the victim to a phishing site.
[Figure 3] Phishing lure screen displayed after clicking the attachment
○ The domain of the phishing lure server disguised as a [Secure Email] guidance page is as follows:
Domain | IP | Country (Name Server)
--- | --- | ---
cicctv.co[.]kr | 112.175.50[.]142 | KR (ns.gethompy[.]com)
dh00386[.]com | 183.111.161[.]156 | KR (ns.gethompy[.]com)
jinsungm[.]com | 112.175.85[.]243 | KR (ns.gethompy[.]com)
[Table 2] Phishing lure server domain information
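As an added example (not code from the Genians report), the following script turns Table 2 into a small detection check: it refangs the defanged domains and IPs and scans DNS and web-proxy log lines for contact with the lure infrastructure. The log format and the sample log lines are constructed for this example; only the domain and IP values come from the table. Because the three hosts share name servers on a hosting provider, the script grades an IP-only match as lower confidence than a domain match, since a hosting IP may serve unrelated sites.

```python
import re
from urllib.parse import urlparse

# IoC rows copied from Table 2 of the report, defanged exactly as printed.
IOC_TABLE = """\
cicctv.co[.]kr | 112.175.50[.]142 | KR (ns.gethompy[.]com)
dh00386[.]com | 183.111.161[.]156 | KR (ns.gethompy[.]com)
jinsungm[.]com | 112.175.85[.]243 | KR (ns.gethompy[.]com)
"""

# Constructed log lines (hypothetical format: "<timestamp> <source-ip> <dns|http> <target>").
SAMPLE_LOG = """\
2024-05-12T09:14:03Z 10.0.0.21 dns cicctv.co.kr.
2024-05-12T09:14:05Z 10.0.0.21 http http://cicctv.co.kr/secure/mail.html
2024-05-12T09:20:11Z 10.0.0.33 dns www.example.com.
2024-05-12T09:21:40Z 10.0.0.33 http http://183.111.161.156/login
2024-05-12T09:25:02Z 10.0.0.40 http https://mail.dh00386.com/
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|http) (?P<target>\S+)$")


def refang(value):
    """Undo the '[.]' defanging used in threat reports."""
    return value.replace("[.]", ".")


def parse_ioc_table(text):
    """Return (domains, ips) sets from a 'domain | ip | country' table."""
    domains, ips = set(), set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 2 or not cells[0]:
            continue
        domains.add(refang(cells[0]).lower())
        ips.add(refang(cells[1]))
    return domains, ips


def _hostname(kind, target):
    """Extract the contacted host from a DNS query name or an HTTP URL."""
    if kind == "http":
        return (urlparse(target).hostname or "").lower()
    return target.rstrip(".").lower()  # DNS names may carry a trailing dot


def scan_logs(log_text, domains, ips):
    """Return a list of hits: (timestamp, source, host, match_type, confidence)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        host = _hostname(m.group("kind"), m.group("target"))
        if host in ips:
            # Shared hosting IP: may also serve unrelated sites, so lower confidence.
            hits.append((m.group("ts"), m.group("src"), host, "ip", "medium"))
        elif host in domains or any(host.endswith("." + d) for d in domains):
            # Exact domain or a subdomain of a listed lure domain.
            hits.append((m.group("ts"), m.group("src"), host, "domain", "high"))
    return hits


def run_sample():
    domains, ips = parse_ioc_table(IOC_TABLE)
    return scan_logs(SAMPLE_LOG, domains, ips)


if __name__ == "__main__":
    for hit in run_sample():
        print(" ".join(hit))
```

Feeding real DNS or proxy exports through `scan_logs` only requires adapting `LOG_LINE` to the local log format; the matching logic stays the same, and the confidence field lets an analyst triage the domain hits first.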
○ Clicking on the [View Secure Email] link at the bottom of the phishing lure page leads to a phishing screen that mimics the email service used by the recipient.
○ If the user is deceived by the phishing page and enters their email address and password, they are redirected to a Google Drive prepared by the threat actor, which displays a normal-looking lecture request document. This step is designed to hide the fact that the account credentials have just been stolen.
○ Here, a genuine lecture request document was used as bait. At the time of the attack, both docx and pdf documents were discovered, and their contents differ slightly.
○ The pdf content explains that it is a process operated to establish an understanding of North Korean policies for soldiers and a sound security perspective, and a balanced view of North Korea. However, the docx document describes it as a focused training program on global issues and the creation of international public goods.
Full Report: https://www.genians.co.kr/blog/threat_intelligence/blueshark