◈ Executive Summary
- Analysis of the covert cyber reconnaissance activities of the state-backed APT37 group
- Information collection targeting the IP addresses (location data), web browsers, operating systems of victims
- Threat actors using malicious shortcut (lnk) files as a primary strategy
- Need for active implementation of EDR solutions for enhanced endpoint security
1. Overview
The APT37 group, a known state-backed threat actor, conducts a range of cyber espionage activities against South Korea. Its primary targets include North Korean human rights organizations, defectors, journalists covering North Korea, and experts and professors in the fields of unification, defense, diplomacy, and national security.
The ‘Genians Security Center (GSC)’ has published several CTI analysis reports on various APT37 campaign types, including impersonating North Korean human rights organizations, targeting macOS users, vulnerabilities associated with CVE-2022-41128, and an analysis case of RoKRAT.
The threat actors are keenly interested in evading the signature-based detection of major anti-virus products so that they can penetrate endpoints successfully. While monitoring their activities, GSC has observed an interesting behavioral pattern.
They repeatedly carry out pre-attack reconnaissance through prepared threat infrastructure in order to collect the basic information they need. To respond adequately to these tactics, Endpoint Detection and Response (EDR) systems, which collect and analyze endpoint event flows and can broadly assess previously unknown anomalous behavior, are increasingly being adopted.
2. Background
First, let us look at a case discovered last April. The attack was disguised as being sent by a current university professor with a background in a specific public office. The email titled ‘April North Korea Trends’ was designed to include a document named ‘North Korea Trends.docx’ as an attachment. The email was sent from a VPN IP address ‘61.97.243[.]2’.
[Figure 1] Attack case disguised as ‘North Korea Trends’ document
The document file displayed on the screen was not directly attached to the email, but was distributed from an address resembling that of a domestic portal site domain, ‘navarar[.]com’. The ‘North Korea Trends.lnk’ file downloaded from this site is a typical type of shortcut malware.
The shortcut file contains a legitimate document named ‘North Korea Trends.docx’ to deceive the user, along with malicious PowerShell command instructions. The legitimate document actually contains information on North Korea’s trends for the month of April.
[Figure 2] Content of the legitimate document used in the attack
Analysis of the lnk file reveals that a RoKRAT malicious module, encrypted with XOR logic, is hidden inside. It also shows the pCloud API communication technique typical of APT37, containing the string value ‘–wwjaughalvncjwiajs––’.
[Figure 3] Analysis of the RoKRAT malicious module code
Moreover, it includes a function that searches the user’s device for files with various document and smartphone audio extensions and collects them.
[Figure 4] Screen of the device information collection function
The file extensions targeted for leakage are as follows:
- .XLS
- .DOC
- .PPT
- .TXT
- .M4A
- .AMR
- .HWP
3. Similar malware
As mentioned earlier, in April the RoKRAT module was spread through several shortcut (lnk) files.
Some of the main filenames identified include ‘설비목록.lnk’ (Equipment list), ‘동북공정(미국의회조사국(CRS Report).lnk’ (Northeast Project (U.S. Congressional Research Service CRS Report)), ‘Gate access roster 2024.lnk’ and ‘국가정보 아카데미 8기 통합과정 수료증(최종본).lnk’ (National Intelligence Academy 8th Integrated Course certificate (final version)), among others.
Each lnk file hides the RoKRAT module under a name such as ‘panic.dat’ or ‘viewer.dat’. Depending on the variant, the module is invoked through files such as ‘price.bat’ (or ‘find.bat’) and ‘para.dat’ (or ‘search.dat’). Earlier variants used other filenames, such as ‘public.dat’ and ‘docu1.dat’.
[Figure 4-1] Threat flow diagram
The threat actor exhibits a tendency to sign up for cloud services using Gmail accounts. Some noted representative email accounts include:
- tanessha.samuel@gmail.com
- tianling0315@gmail.com
- w.sarah0808@gmail.com
- softpower21cs@gmail.com
- sandozmessi@gmail.com
The ‘panic.dat’ file executes the encrypted RoKRAT module through a shellcode routine.
[Figure 4-2] Shellcode decoding screen
In its main thread, RoKRAT receives commands that control the victim’s system and performs different functions depending on the command switch.
For example, the ‘-e’ switch runs a ‘cmd.exe’ command through the ShellExecuteW function, while the ‘-c’ switch collects files with the document and audio extensions described earlier and exfiltrates them to the C2 server.
[Figure 4-3] Functions executed based on RoKRAT conditions
The targeted file extensions for exfiltration remain the same as those described in the background.
4. Recon Scenario
About three days after the spear-phishing attack entitled ‘April North Korea Trends’ described above, new reconnaissance activity was carried out.
[Figure 5] Email used for reconnaissance activities
The email subject contains a typo, suggesting a mistake made when writing the attachment name as the subject. The attached ‘North Korea Cyber Terrorism Lecture Materials.pptx’ file is a legitimate document file.
Interestingly, the email body contains the same sentence that was used in the email distributing the lnk malware.
| Date | 2024-04-23 | 2024-04-26 |
|---|---|---|
| Email Subject | April North Korea Trends | North Korea Cyber Terrorism Lecture Materials.pptx |
| Source IP | 61.97.243[.]2 [KR] | 61.97.243[.]2 [KR] |
| Body Comparison (partial) | Thank you for reviewing and please provide your feedback. Sent from my Galaxy | Sending you the lecture materials I prepared. Thank you for reviewing and please provide your feedback. Sent from my Galaxy |
| Attachment Name | North Korea Trends.docx | North Korea Cyber Terrorism Lecture Materials.pptx |
| Attack Strategy | Delivering lnk shortcut malware | Delivering a legitimate pptx document |
| Command and Control (C2) | navarar[.]com, 158.247.249[.]129 [KR] | N/A |

[Table 1] Email Content Comparison
Not only the source IP but also the expressions in the email body are identical. The threat actor does not only deliver malware but also sends legitimate content to lower suspicion or induce replies to prepare for follow-up attacks. Such reconnaissance activities can gather peripheral information necessary for initial infiltration.
Meanwhile, on September 27, several emails with the subject ‘International Symposium on Civilian Abductions by North Korea’ were widely distributed. The email appeared to attach a document named ‘한일납치문제세미나자자료.pdf’, and it was confirmed to have been sent from the VPN address ‘108.181.50[.]58’.
[Figure 6] Appearance of reconnaissance disguised as seminar materials on the abduction issue
However, the email links to a file on a specific server, similar to the case with the ‘April North Korea Trends’ emails. The linked site is ‘filedownloadserve[.]com’, and the Passive DNS history shows that two IPs were used.
| Domain Address | IP Address | Country Code |
|---|---|---|
| filedownloadserve[.]com | 158.247.219[.]10 | [KR] |
| filedownloadserve[.]com | 141.164.60[.]110 | [KR] |
| kakaofilestorage[.]com | 158.247.219[.]10 | [KR] |
| kakaofilestorage[.]com | 141.164.62[.]19 | [KR] |

[Table 2] C2 server information
Notably, the email was sent from the ‘108.181.50[.]58’ VPN address, which is mentioned on page 567 of the ‘UN Security Council Report’ as a suspected IP address linked to North Korean virtual asset threat activity.
For reference, the same threat actor used similar IP ranges in 2023. The following IPs were important indicators actually used in attacks, but because such infrastructure is volatile, the timeline of their use should be taken into account.
| | |
|---|---|
| 108.181.50[.]58 | 108.181.52[.]169 |
| 108.181.52[.]229 | 108.181.52[.]231 |
| 108.181.52[.]234 | 108.181.52[.]235 |
| 108.181.52[.]236 | N/A |

[Table 3] Identified IP ranges in 2023
Meanwhile, comparing the attachment link addresses discovered in April and September, it can be seen that while the domain address has changed, the communication parameter values follow a similar pattern.
| 2024-04-23 (APT37 RoKRAT) | 2024-09-27 |
|---|---|
| North Korea Trends.docx | 한일납치문제세미나자자료.pdf |
| navarar[.]com/files/files?type=(Count)&created=(Base64 Email) | filedownloadserve[.]com/download/files?type=(Count)&created=(Base64 Email) |
| 158.247.249[.]129 [KR] | 158.247.219[.]10 [KR] |

[Table 4] C2 parameter value comparison
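As an added example (not code from the original report), a Python check a defender could run over proxy or mail-gateway URL logs: it matches the parameter shape shown in Table 4 and base64-decodes the ‘created’ value to recover the targeted address, so a hit also tells you who was targeted. The sample URLs and the address target@example.org are constructed; the hostnames are the ones the report names.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log URLs for this example. The hosts come from Table 4;
# the e-mail address is a placeholder, not a real target.
SAMPLE_URLS = [
    "http://navarar.com/files/files?type=1&created="
    + base64.b64encode(b"target@example.org").decode(),
    "http://filedownloadserve.com/download/files?type=3&created="
    + base64.b64encode(b"target@example.org").decode(),
    "https://www.example.org/files?type=2",                      # no 'created'
    "https://cdn.example.net/static/files?type=5&created=notbase64!!",
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def decode_created(value):
    """Base64-decode the 'created' parameter; return the e-mail or None."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return raw if EMAIL_RE.match(raw) else None


def match_c2_pattern(url):
    """Return (host, count, email) when the URL matches the observed
    '/files?type=<count>&created=<base64 e-mail>' pattern, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/files"):
        return None
    qs = parse_qs(parts.query)
    type_vals, created_vals = qs.get("type", []), qs.get("created", [])
    if len(type_vals) != 1 or not type_vals[0].isdigit() or len(created_vals) != 1:
        return None
    email = decode_created(created_vals[0])
    if email is None:
        return None
    return (parts.hostname, int(type_vals[0]), email)


def scan_urls(urls):
    """Filter a list of URLs down to the matches, with decoded targets."""
    return [hit for hit in (match_c2_pattern(u) for u in urls) if hit]


if __name__ == "__main__":
    for host, count, email in scan_urls(SAMPLE_URLS):
        print(f"{host}: type={count} target={email}")
```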
On September 30, they carried out reconnaissance activities impersonating a journalist or writer from South Korean broadcasting related to North Korea-related current affairs programs. On October 7, they attempted to approach under the guise of a former government official requesting a review of lecture materials. At this time, although they utilized a URL shortening service, the final connecting domain remains the same.
[Figure 7] Reconnaissance activity impersonating unification current affairs program
On October 12, they employed a reconnaissance method that did not include attachments or links. At that time, the threat actor impersonated an expert working in the field of North Korean human rights and exhibited characteristics reminiscent of a welcome email for new subscribers.
This time there are no links or attached files; instead, the actor uses a web beacon reconnaissance technique by inserting an “img src” tag into the email body.
[Figure 8] Screen using web beacon reconnaissance technique
Web beacons are a user-tracking technique. They are used to check whether a recipient has opened a web page or email, usually for plain web traffic statistics or read receipts.
The threat actors abuse this functionality to collect initial reconnaissance material, such as the recipient’s IP address (location information) and web browser (OS) information. This material feeds the analysis needed for the actual infiltration.
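As an added example (not from the original report), a Python check that a mail gateway or analyst could apply to an email body to surface the beacon described above: it lists every <img> tag and flags remote images that are tiny or hidden, since a remote fetch is what discloses the reader’s IP and User-Agent. The HTML body and the host beacon-placeholder.example are constructed; the mitigation on the client side is simply not loading remote images by default.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body for this example (not from the report):
# one inline CID image plus a hidden 1x1 remote image of the kind the
# web-beacon technique relies on. The host is a placeholder.
SAMPLE_HTML = """
<html><body>
<p>Welcome to our newsletter.</p>
<img src="cid:logo.png" alt="logo">
<img src="http://beacon-placeholder.example/track.php?id=abc123"
     width="1" height="1" style="display: none">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def beacon_reason(attrs):
    """Return why an <img> looks like a beacon, or None if it does not.
    Only http(s) sources are fetched remotely; cid:/data: images are not."""
    src = attrs.get("src", "")
    if urlsplit(src).scheme.lower() not in ("http", "https"):
        return None
    tiny = (attrs.get("width", "").strip() in ("0", "1")
            and attrs.get("height", "").strip() in ("0", "1"))
    hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
    if tiny and hidden:
        return "remote 1x1 hidden image"
    if tiny:
        return "remote 1x1 image"
    if hidden:
        return "remote hidden image"
    return "remote image"   # still leaks IP/User-Agent when rendered


def find_beacons(html):
    """Return (hostname, reason) for each remote image in an HTML body."""
    parser = ImgCollector()
    parser.feed(html)
    found = []
    for attrs in parser.images:
        reason = beacon_reason(attrs)
        if reason:
            found.append((urlsplit(attrs["src"]).hostname, reason))
    return found
```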
5. Threat Infra Exposure
Seizing servers used as threat bases, or examining their contents through proper procedures, takes considerable time and close cooperation with the relevant agencies. Occasionally, however, the threat actor misconfigures server access permissions and internal material is exposed externally (an OPSEC failure).
The reconnaissance server used in this case suffered the same problem: because of a server configuration issue, its log records were fully visible from outside.
[Figure 9] Partial exposure of reconnaissance infrastructure
Numerous self-tests were conducted around late September, prior to the full reconnaissance operations, during which some IP addresses used by the threat actor were recorded. The same IPs are utilized in sending emails equipped with beacon functionality.
When a recipient triggers a beacon sensor, the user’s IP address and User-Agent are collected. The threat actor can also block by IP address, excluding specific IP ranges from the reconnaissance targets, which is used to evade analysis and scrutiny.
Moreover, by delivering legitimate documents linked to Dropbox addresses, they minimize user suspicion. They observe the response of attack targets through reconnaissance activities and gather the basic information necessary for future full-fledged attacks.
The threat actors use various IDs throughout their reconnaissance activities, mostly impersonating △former government agency officials, △journalists from news organizations, △writers for broadcasting stations, △North Korea-related media personnel, △program developers, and △experts in North Korean human rights. Notable IDs include the following:
6. Conclusion and Response
The cyber threats posed by state-backed hacking groups are increasingly sophisticated day by day. The APT37 infrastructure for which access records have been confirmed has revealed the intelligent reconnaissance activities of the threat actors.
Therefore, institutions and companies need to understand the latest cyber threat trends and develop insight appropriate to the technical sophistication of the attacks.
Genian EDR products are useful in identifying the fileless intermediate flow in which malware is introduced into endpoints and executed as commands, as seen in this case.
[Figure 10] Screen investigating fileless flow in Genian EDR
Even if the initial entry was missed by the pattern-based antivirus program installed on the endpoint, Genian EDR products can identify the fileless process and the C2 cloud communication as anomalous behavior. In addition, malware used in APT attacks can be blocked through the patterns stored in Genians IoC, providing a second layer of protection.
[Figure 11] Threat event detailed information screen
By using conditions such as search filters and classifications, the detailed flow of events can be tracked in a time-series manner. This enables EDR administrators to conveniently review the timing and stepwise process of threats that have penetrated the endpoint and take follow-up actions.
[Figure 12] Investigation of the installation process of malware in compressed file types
The history of the malicious file ‘North Korea Trends.zip’ being opened through a compression utility can be retrieved, which makes the initial entry process understandable and allows follow-up actions to be taken.
7. Indicator of Compromise
● MD5
● C2