This article analyzes APT attacks that exploit political and social issues in South Korea, focusing on a spear phishing campaign that delivers malicious files by email. The campaign targets people working in North Korea-related fields and relies on social engineering to get the lure opened while evading antivirus detection. It stresses the need for Endpoint Detection and Response (EDR) to identify and contain such threats. Affected: macOS, Windows
Keypoints:
- A spear phishing email titled “FW: 방첩사 작성한 ‘계엄 문건’ 공개” (“FW: Release of the ‘martial law documents’ drafted by the Defense Counterintelligence Command”) was sent indiscriminately to individuals in the North Korea-related field.
- The email contained links to malicious files disguised as legitimate documents about the martial law declaration.
- The payload differed by operating system; Windows users were served a Control Panel (CPL) file.
- Social engineering played on the recipient's curiosity about a current political event to get the file opened, and the delivery chain was built to bypass antivirus detection.
- The report highlights the need for EDR to proactively identify unknown threats that signature-based antivirus misses.
MITRE Techniques:
- T1037.001 – Boot or Logon Initialization Scripts: Logon Script (Windows): The malicious module registers a logon script so that it runs again at every user logon on the infected system.
- T1203 – Exploitation for Client Execution: Listed for the spear phishing stage. Note that the behaviour described, a recipient opening a disguised file, is what ATT&CK classifies as T1204.002 (User Execution: Malicious File); T1203 proper covers exploitation of a vulnerability in client software, which this summary does not describe.
- T1071.001 – Application Layer Protocol: Web Protocols: The malware communicates with its command and control (C2) server over standard web protocols.
- T1041 – Exfiltration Over Command and Control Channel: Collected data is sent back to the C2 server over the same channel.
- T1059.001 – Command and Scripting Interpreter: PowerShell: The malware uses PowerShell to execute commands on the infected system.
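The CPL delivery noted in the keypoints and the logon-script persistence (T1037.001) above are both observable on the endpoint. The following is an added example, not code from the Genians report: a small detection pass over constructed endpoint telemetry. The event dicts loosely mirror Sysmon Event ID 1 (process create) and Event ID 13 (registry value set); the field names, host names, file names and SIDs are this example's own inventions.

```python
# Added example (not from the original report): detect two behaviours on this page,
# a Control Panel (.cpl) file run from a user-writable path and logon-script
# persistence (ATT&CK T1037.001), over constructed Sysmon-like events.
import re

# Registry value consulted at logon; T1037.001 persistence writes a script path here.
LOGON_SCRIPT_VALUE = r"\environment\userinitmprlogonscript"

# Windows runs a .cpl by loading it through rundll32 with the Control Panel entry point.
CPL_CMD = re.compile(
    r'rundll32(?:\.exe)?.*?shell32\.dll,\s*Control_RunDLL\s+(?P<path>"[^"]+\.cpl"|\S+\.cpl)',
    re.IGNORECASE,
)

# Folders a mail attachment or download lands in. A .cpl executed from here is
# suspicious; the built-in applets live under \Windows\System32.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE
)


def detect(events):
    """Return (rule, host, detail) tuples for events that match either rule."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            m = CPL_CMD.search(ev["command_line"])
            if m:
                path = m.group("path").strip('"')
                if USER_WRITABLE.search(path):
                    alerts.append(("cpl_from_user_path", ev["host"], path))
        elif ev["event_id"] == 13:
            if ev["target_object"].lower().endswith(LOGON_SCRIPT_VALUE):
                alerts.append(("logon_script_persistence", ev["host"], ev["details"]))
    return alerts


# Constructed telemetry for the example (hosts, file names and SIDs are invented).
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\kim\Downloads\martial_law_documents.cpl"'},
    {"event_id": 1, "host": "WS-02",  # benign: built-in applet from System32
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"},
    {"event_id": 13, "host": "WS-01",
     "target_object": r"HKU\S-1-5-21-111111111-222222222-333333333-1001\Environment\UserInitMprLogonScript",
     "details": r"C:\Users\kim\AppData\Local\Temp\update.bat"},
    {"event_id": 13, "host": "WS-02",  # benign: unrelated value under the same key
     "target_object": r"HKU\S-1-5-21-111111111-222222222-333333333-1002\Environment\TEMP",
     "details": r"C:\Users\lee\AppData\Local\Temp"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The path check is what keeps the first rule quiet on a normal host: double-clicking any Control Panel applet produces the same rundll32 command line, so the signal is the .cpl location, not the rundll32 invocation itself. The second rule keys on the value name only, since the script path and the hive SID vary per victim.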
Indicators of Compromise:
- [IP Address] 112.175.185[.]59
- [IP Address] 104.21.13[.]241
- [IP Address] 172.67.133[.]130
- [Domain] googlauth[.]com
- [URL] github[.]com/adrhpbrn29
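The indicators above are defanged and not all of equal weight: two of the three IP addresses sit in address space shared by a large CDN, so a hit on them alone says little, and the GitHub entry is only meaningful with its account path, since the bare host is ubiquitous. The following is an added example, not part of the original report, that refangs the list and runs it over constructed DNS and proxy log lines, grading each hit. The CDN ranges are an assumption taken from Cloudflare's published list and should be verified against the current one.

```python
# Added example (not from the original report): refang the IOCs on this page,
# match them in constructed log lines, and grade hits so that shared CDN IPs
# do not drive response on their own.
import ipaddress
import re

# Indicators as listed on this page, still defanged.
IOCS_DEFANGED = {
    "ip": ["112.175.185[.]59", "104.21.13[.]241", "172.67.133[.]130"],
    "domain": ["googlauth[.]com"],
    "url": ["github[.]com/adrhpbrn29"],
}

# Assumption: shared CDN space (Cloudflare's published ranges containing the
# second and third IPs). Verify against the current list before relying on it.
SHARED_CDN_RANGES = [
    ipaddress.ip_network("104.16.0.0/13"),
    ipaddress.ip_network("172.64.0.0/13"),
]


def refang(s):
    """Undo the common defanging conventions used in threat reports."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def is_shared_cdn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN_RANGES)


def build_matchers(iocs):
    """Compile (indicator, confidence, regex) triples with sensible boundaries."""
    matchers = []
    for ip in map(refang, iocs["ip"]):
        conf = "low" if is_shared_cdn(ip) else "high"
        # Boundaries stop 104.21.13.241 from matching inside 104.21.13.2410 etc.
        matchers.append((ip, conf, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")))
    for dom in map(refang, iocs["domain"]):
        matchers.append((dom, "high", re.compile(r"(?<![\w.-])" + re.escape(dom) + r"(?![\w-])", re.I)))
    for url in map(refang, iocs["url"]):
        # The full account path is required; the bare host (github.com) is not an indicator.
        matchers.append((url, "high", re.compile(re.escape(url) + r"(?![\w-])", re.I)))
    return matchers


def scan(lines, iocs=IOCS_DEFANGED):
    """Return (indicator, confidence, line) for every indicator found in lines."""
    hits = []
    for ioc, conf, rx in build_matchers(iocs):
        for line in lines:
            if rx.search(line):
                hits.append((ioc, conf, line))
    return hits


# Constructed log lines for the example; hosts and URLs are invented.
LOG_LINES = [
    "dns WS-01 query A googlauth.com -> 104.21.13.241",
    "proxy WS-01 GET https://github.com/adrhpbrn29/loader/raw/main/doc.zip",
    "proxy WS-02 GET https://unrelated-tenant.test/ dst=104.21.13.241",
    "netconn WS-01 tcp 112.175.185.59:443",
    "proxy WS-03 GET https://github.com/some-other-user/repo",
]

if __name__ == "__main__":
    for ioc, conf, line in scan(LOG_LINES):
        print(f"[{conf}] {ioc}: {line}")
```

In the sample, the shared CDN address matches both the DNS answer for googlauth.com and an unrelated tenant on WS-02; only the former is corroborated by a high-confidence domain hit on the same host, which is the correlation an analyst should require before acting on a CDN IP.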
Source: https://www.genians.co.kr/blog/threat_intelligence/apt-attacks-martial-law