ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10’s tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a second stage RokRAT shellcode. RokRAT can execute remote C2 commands, data exfiltration, file download/upload, and keylogging. The uncovered lure documents suggest ITG10 may be targeting individuals and organizations involved in foreign policy associated with the Korean peninsula.
Key Findings:
- ITG10 likely targeting South Korean government, universities, think tanks, and dissidents
- Phishing emails spoof legitimate senders to deliver RokRAT via LNK files
- Email attachments mimic legitimate documents
- Additional malware samples possibly related to ITG10 RokRAT campaigns
Decoy documents
In late April 2023, X-Force uncovered several Zip Archives files hosting multiple lure documents likely sent via phishing campaigns operated by ITG10. X-Force assesses that the documents are likely decoys geared toward various personnel within two subsets of activity: South Korean government, communication, and educational centers; and energy, manufacturing, and supply chain. This section provides analysis of the lure documents and potential targets.
South Korean government, communications and educational centers
The first suspected subset of activity revealed Korean-language lure documents. The first titled (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip [(0722) List of Standing Committee and Standing Special Committee members (final).zip)], contains charts listing the Standing Committee members and assignments associated with broadcast media in South Korea as of July 2022. Examination of the contents suggests that it is a directory of eighteen South Korean parliamentary committee assignments, the number of committee members, their names, and political party affiliation. Committees include Education and Judicial, International and Foreign Affairs, Defense, and Intelligence. The intended targets for this lure are likely to be parliamentary members seeking information on their committee assignment or reporters covering parliament.
(0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip
An additional decoy document titled 계약서내용.pdf (Contract detail.pdf) appears to be associated with a 2021, North Korean threat actors compromised several email accounts of prominent defectors to send malicious documents to contacts working on DPRK issues. ITG10 has also been known to infect news websites with malware likely to spy on readers.
A third decoy 2023년도 4월 29일 세미나.pdf (April 29, 2023 Seminar.pdf) appears to be an itinerary for an event hosted in April 2023 by ‘2nd construction boom’. These construction projects are part of the South Korean government’s pivot to the Middle East, deepening ties both militarily and economically.
Sample analysis
RokRAT has been previously analyzed as having a multi-stage process with two components. The first involves tooling, and the second involves the payload, likely to inhibit researchers from analyzing the final payload, while maintaining the ability to stop delivery once a target system is infected. RokRAT campaigns typically begin with a phishing email with a ZIP file attachment, containing a LNK file disguised as a Word document. When the LNK file is activated, a PowerShell script is executed, opening a decoy document to start the download process of RokRAT which is hosted at OneDrive or similar cloud application. In another campaign, ITG10 was observed delivering RokRAT via HWP and Word files containing LNK files. In X-Force’s analysis of recent RokRAT-related files, in lieu of a ZIP file, we found Optical Disc Image files (ISO) containing LNK files that had slightly modified PowerShell scripts, and Hangul Word Processor decoy documents (HWP).
ISO files
The ISO files that X-Force observed contained a LNK file disguised as an exe icon, subsequently containing a HWP file, and a batch file. The LNK file contains a PowerShell command, as seen below as an example. Once the LNK file is executed, it extracts and drops a decoy file, and a batch file within the user’s %TEMP% folder. In this instance, the files were 2023년도 4월 29일 세미나.pdf – decoy file, and 230415.bat.
icon_location = C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe
PowerShell Commands:
Related malware?
While researching the RokRAT-related files, X-Force also uncovered three LNK files that behave differently than expected. There is no use of OneDrive or similar cloud applications to host a second-stage payload, and instead of dropping a batch file, these LNK files drop VBS, with the obfuscation technique for the dropped files being hex-encoding vs. string concatenation. In addition, the RokRAT LNK files drop batch files and downloads the payload that is decoded using the first byte as a key, then the payload is executed using Windows API functions (VirtualProtect). With these additional LNK files, the VBS downloaders do not perform these actions.
The LNK files analyzed contain an encoded PowerShell, and once the LNK files are executed, the PowerShell script is run, and two files are dropped to the user’s %TEMP% folder. In one analyzed sample, the files dropped were a VBS file (tmp<random-9-digit-number>.vbs ), and a Plaintext file with contents asdfgqwert. The VBS file will get executed via Wscript.exe:
“C:WindowsSystem32WScript.exe” “C:UsersUsuarioAppDataLocalTemptmp<nine-digit-number>.vbs”. Wscript.exe is a service
Wscript.exe is a service provided by the Windows system with scripting abilities. Subsequently, two GET requests are initiated. In a third file we analyzed, instead of the LNK file dropping a VBS and a Plaintext file, a VBS file and a JPEG decoy file are dropped to the users %TEMPT% folder. In this case, the JPEG decoy file appears to be a correspondence related to the “Proof of Digital Assets”. At the time of this analysis, X-Force was unable to retrieve the final payload from the servers as they have been taken down; therefore, it is uncertain whether these additional LNK files are related to ITG10 activity. Further research and analysis are needed to determine relevance and attribution.
Encoded PowerShell:
Decoded PowerShell:
tmp1698268529.vbs
GET requests:
Proof of digital assets JPEG
X-Force recommendations
Multiple lure documents uncovered in this campaign suggest ITG10 continues to target individuals and organizations involved in foreign policy, potentially related to shifts in the geopolitical and security environment on the Korean peninsula. IBM X-Force assesses with high confidence that individuals and organizations holding strategic, political, or military information in connection with the Korean peninsula will see elevated threats from the DPRK, given ITG10’s previous and recent activity.
Organizations that may be at elevated risk of targeting from ITG10 have the potential to decrease the risk to their organization by employing heightened vigilance toward potential phishing emails, warning employees of the phishing email threats, employing and closely monitoring endpoint detection and response (EDR) tools, and leveraging behavioral analytics to identify malicious behavior. We also recommend that potentially targeted organizations alert on the following indicators of compromise to detect behavior related to this campaign.
Indicators of compromise
Indicator | Indicator Type | Context |
f92297c4efabba98befeb992a009462d1aba6f3c3a11210a7c054ff5377f0753 | LNK | |
7ef2c0d2ace70fedfe5cd919ad3959c56e7e9177dcc0ee770a4af7f84da544f1 | PDF Decoy | 2023년도 4월 29일 세미나.pdf |
06431a5d8f6262cc3db39d911a920f793fa6c648be94daf789c11cc5514d0c3d | Batch File | 230415.bat |
1c5b9409243bfb81a5924881cc05f63a301a3a7ce214830c7a83aeb2485cc5c3 | ZIP | (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip |
cb4c7037c7620e4ce3f8f43161b0ec67018c09e71ae4cea3018104153fbed286 | LNK | |
5815a6f7976e993fcdf9e024f4667049ec5a921b7b93c8c8c0e5d779c8b72fcc | HWP Decoy | 0722.hwp |
240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a | Batch File | 202207221.bat |
9854750f3880c7cee3281d8c33292ca82d0d288963f0f2771d938c06ccaffaa9 | LNK | |
ce56b011ac4663a40f0ba606c98c08aaf7caf6a45765aa930258fe2837b12181 | PDF Decoy | 계약서내용.pdf |
cc6ae9670e38244e439711b1698f0db3cff000b79bec7f47bc4aa5ab1f6177c0 | Batch File | 230422.bat |
00d88009fa50bfab849593291cce20f8b2f2e2cf2428d9728e06c69fced55ed5 | ZIP | projects in Libya.zip |
6753933cd54e4eba497c48d63c7418a8946b4b6c44170105d489d29f1fe11494 | LNK | Pipelines Profile (Elfeel- Sharara-Mellitah + Wafa – Mellitah).lnk |
f1289e7229ace984027f29cf8e2dd8fdd19b0c4b488da31ff411ee95305eaecc | docx | Proposed MOU GTE Korea.docx |
fa2ebcdfce8bbe4245ed77b43d39e22c0c7593ca3f65be3fd0ccdf7ee02130a9 | PDF Decoy | Proposed MOU GTE Korea.pdf |
76d0133d738876f314ae792d0cf949710b66266ba0cebefbd98ce40c64a9b15b | PDF Decoy | MFZ Executive Summary Korea.pdf |
5678196f512f8a531c7d85af8df4f40c7a5f9c27331b361bb1a1c46d317a77d8 | PDF Decoy | 230130.pdf |
C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe | Icon Location | |
C:Program Files (x86)HncOffice 2020HOffice110BinHwp.exe | Icon Location | |
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalFOTHZFRV9DVU9iUFdnLXhPZG8xRXFYckU_ZT1BM1QwV2Q/root/content | URL | Document Location |
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRlNnFWazdDNHp2Yy1SekU_ZT1SSFZJSk4/root/content | URL | Document Location |
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFFNUDZlZzhhUkZiN0xVMUNPQ2YzeE5vVFU_ZT1wZ2liaUM/root/content | URL | Document Location |
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content | URL | Document Location |
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content | URL | Document Location |
6bab11d9561482777757f16c069ebef3f1cd6885dbef55306ffde30037a41d48 | LNK | |
7529eaeeb29c713f8e15827c79001a9227d8bc31c9209bf524a4ff91648a526e | VBS | |
xn--vn4b27hka971hbue[.]kr | C2 | GET Request |
50fe8a981a7d4824f0b297f37804b65672ed4484e198e7c324260a34941ddac7 | LNK | |
3d1d2d0464013d9e1dd7611d73176f3a31328a41d6474d5b6d0582ad09d3b17d | VBS | |
partybbq.co[.]kr | C2 | GET Request |
1ec4d60738a671f00089a86eeba6cb13750bce589e84fd177707718a4cc7d8f1 | LNK | |
88c219656f853b2dc54ae02d32a716e10c8392ed471d1c813e57de2dc170951e | VBS | |
7aa7233feb8e8a7b71ae6cdd0ddb8c2b192d4b6e131fed1ade82efdcb8096c57 | JPEG | Decoy |
Scroll to view full table
To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here:
IBM X-Force Scheduler
If you are experiencing cybersecurity issues or an incident, contact X-Force to help:
US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034