ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)



ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)





























ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10’s tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a second stage RokRAT shellcode. RokRAT can execute remote C2 commands, data exfiltration, file download/upload, and keylogging. The uncovered lure documents suggest ITG10 may be targeting individuals and organizations involved in foreign policy associated with the Korean peninsula.

Key Findings:

  • ITG10 likely targeting South Korean government, universities, think tanks, and dissidents
  • Phishing emails spoof legitimate senders to deliver RokRAT via LNK files
  • Email attachments mimic legitimate documents
  • Additional malware samples possibly related to ITG10 RokRAT campaigns

Decoy documents

In late April 2023, X-Force uncovered several Zip Archives files hosting multiple lure documents likely sent via phishing campaigns operated by ITG10. X-Force assesses that the documents are likely decoys geared toward various personnel within two subsets of activity: South Korean government, communication, and educational centers; and energy, manufacturing, and supply chain. This section provides analysis of the lure documents and potential targets.

South Korean government, communications and educational centers

The first suspected subset of activity revealed Korean-language lure documents. The first titled (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip [(0722) List of Standing Committee and Standing Special Committee members (final).zip)], contains charts listing the Standing Committee members and assignments associated with broadcast media in South Korea as of July 2022. Examination of the contents suggests that it is a directory of eighteen South Korean parliamentary committee assignments, the number of committee members, their names, and political party affiliation. Committees include Education and Judicial, International and Foreign Affairs, Defense, and Intelligence. The intended targets for this lure are likely to be parliamentary members seeking information on their committee assignment or reporters covering parliament.

(0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip

ITG10_1.png

An additional decoy document titled 계약서내용.pdf (Contract detail.pdf) appears to be associated with a 2021, North Korean threat actors compromised several email accounts of prominent defectors to send malicious documents to contacts working on DPRK issues. ITG10 has also been known to infect news websites with malware likely to spy on readers.

ITG10_2.png

A third decoy 2023년도 4월 29일 세미나.pdf (April 29, 2023 Seminar.pdf) appears to be an itinerary for an event hosted in April 2023 by ‘2nd construction boom’. These construction projects are part of the South Korean government’s pivot to the Middle East, deepening ties both militarily and economically.

ITG10_4.png

Screenshot 2023-06-06 at 10.28.45 AM.png

Sample analysis

RokRAT has been previously analyzed as having a multi-stage process with two components. The first involves tooling, and the second involves the payload, likely to inhibit researchers from analyzing the final payload, while maintaining the ability to stop delivery once a target system is infected. RokRAT campaigns typically begin with a phishing email with a ZIP file attachment, containing a LNK file disguised as a Word document. When the LNK file is activated, a PowerShell script is executed, opening a decoy document to start the download process of RokRAT which is hosted at OneDrive or similar cloud application. In another campaign, ITG10 was observed delivering RokRAT via HWP and Word files containing LNK files. In X-Force’s analysis of recent RokRAT-related files, in lieu of a ZIP file, we found Optical Disc Image files (ISO) containing LNK files that had slightly modified PowerShell scripts, and Hangul Word Processor decoy documents (HWP).

 ISO files

The ISO files that X-Force observed contained a LNK file disguised as an exe icon, subsequently containing a HWP file, and a batch file. The LNK file contains a PowerShell command, as seen below as an example. Once the LNK file is executed, it extracts and drops a decoy file, and a batch file within the user’s %TEMP% folder. In this instance, the files were 2023년도 4월 29일 세미나.pdf – decoy file, and 230415.bat.

icon_location = C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe

ITG10_7.jpg

ITG10_8.jpg

PowerShell Commands:

ITG10_9.png

Related malware?

While researching the RokRAT-related files, X-Force also uncovered three LNK files that behave differently than expected. There is no use of OneDrive or similar cloud applications to host a second-stage payload, and instead of dropping a batch file, these LNK files drop VBS, with the obfuscation technique for the dropped files being hex-encoding vs. string concatenation. In addition, the RokRAT LNK files drop batch files and downloads the payload that is decoded using the first byte as a key, then the payload is executed using Windows API functions (VirtualProtect). With these additional LNK files, the VBS downloaders do not perform these actions.

The LNK files analyzed contain an encoded PowerShell, and once the LNK files are executed, the PowerShell script is run, and two files are dropped to the user’s %TEMP% folder. In one analyzed sample, the files dropped were a VBS file (tmp<random-9-digit-number>.vbs ), and a Plaintext file with contents asdfgqwert. The VBS file will get executed via Wscript.exe:

“C:WindowsSystem32WScript.exe” “C:UsersUsuarioAppDataLocalTemptmp<nine-digit-number>.vbs”.  Wscript.exe is a service 

Wscript.exe is a service provided by the Windows system with scripting abilities. Subsequently, two GET requests are initiated. In a third file we analyzed, instead of the LNK file dropping a VBS and a Plaintext file, a VBS file and a JPEG decoy file are dropped to the users %TEMPT% folder. In this case, the JPEG decoy file appears to be a correspondence related to the “Proof of Digital Assets”. At the time of this analysis, X-Force was unable to retrieve the final payload from the servers as they have been taken down; therefore, it is uncertain whether these additional LNK files are related to ITG10 activity. Further research and analysis are needed to determine relevance and attribution.

Encoded PowerShell:

ITG10_10.jpg

Decoded PowerShell:

ITG10_11.jpg

tmp1698268529.vbs

ITG10_12.jpg

GET requests:

Screenshot 2023-06-06 at 10.32.19 AM.png

Proof of digital assets JPEG

ITG10_14.png

X-Force recommendations

Multiple lure documents uncovered in this campaign suggest ITG10 continues to target individuals and organizations involved in foreign policy, potentially related to shifts in the geopolitical and security environment on the Korean peninsula. IBM X-Force assesses with high confidence that individuals and organizations holding strategic, political, or military information in connection with the Korean peninsula will see elevated threats from the DPRK, given ITG10’s previous and recent activity.

Organizations that may be at elevated risk of targeting from ITG10 have the potential to decrease the risk to their organization by employing heightened vigilance toward potential phishing emails, warning employees of the phishing email threats, employing and closely monitoring endpoint detection and response (EDR) tools, and leveraging behavioral analytics to identify malicious behavior. We also recommend that potentially targeted organizations alert on the following indicators of compromise to detect behavior related to this campaign.

Indicators of compromise

Indicator Indicator Type Context
f92297c4efabba98befeb992a009462d1aba6f3c3a11210a7c054ff5377f0753 LNK
7ef2c0d2ace70fedfe5cd919ad3959c56e7e9177dcc0ee770a4af7f84da544f1 PDF Decoy 2023년도 4월 29일 세미나.pdf
06431a5d8f6262cc3db39d911a920f793fa6c648be94daf789c11cc5514d0c3d Batch File 230415.bat
1c5b9409243bfb81a5924881cc05f63a301a3a7ce214830c7a83aeb2485cc5c3 ZIP (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip
cb4c7037c7620e4ce3f8f43161b0ec67018c09e71ae4cea3018104153fbed286 LNK
5815a6f7976e993fcdf9e024f4667049ec5a921b7b93c8c8c0e5d779c8b72fcc HWP Decoy 0722.hwp
240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a Batch File 202207221.bat
9854750f3880c7cee3281d8c33292ca82d0d288963f0f2771d938c06ccaffaa9 LNK
ce56b011ac4663a40f0ba606c98c08aaf7caf6a45765aa930258fe2837b12181 PDF Decoy 계약서내용.pdf
cc6ae9670e38244e439711b1698f0db3cff000b79bec7f47bc4aa5ab1f6177c0 Batch File 230422.bat
00d88009fa50bfab849593291cce20f8b2f2e2cf2428d9728e06c69fced55ed5 ZIP projects in Libya.zip
6753933cd54e4eba497c48d63c7418a8946b4b6c44170105d489d29f1fe11494 LNK Pipelines Profile (Elfeel- Sharara-Mellitah + Wafa – Mellitah).lnk
f1289e7229ace984027f29cf8e2dd8fdd19b0c4b488da31ff411ee95305eaecc docx Proposed MOU GTE Korea.docx
fa2ebcdfce8bbe4245ed77b43d39e22c0c7593ca3f65be3fd0ccdf7ee02130a9 PDF Decoy Proposed MOU GTE Korea.pdf
76d0133d738876f314ae792d0cf949710b66266ba0cebefbd98ce40c64a9b15b PDF Decoy MFZ Executive Summary Korea.pdf
5678196f512f8a531c7d85af8df4f40c7a5f9c27331b361bb1a1c46d317a77d8 PDF Decoy 230130.pdf
C:Program Files (x86)MicrosoftEdgeApplicationmsedge.exe Icon Location
C:Program Files (x86)HncOffice 2020HOffice110BinHwp.exe Icon Location
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalFOTHZFRV9DVU9iUFdnLXhPZG8xRXFYckU_ZT1BM1QwV2Q/root/content URL Document Location
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRlNnFWazdDNHp2Yy1SekU_ZT1SSFZJSk4/root/content URL Document Location
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFFNUDZlZzhhUkZiN0xVMUNPQ2YzeE5vVFU_ZT1wZ2liaUM/root/content URL Document Location
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content URL Document Location
hxxps[:]//api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content URL Document Location
6bab11d9561482777757f16c069ebef3f1cd6885dbef55306ffde30037a41d48 LNK
7529eaeeb29c713f8e15827c79001a9227d8bc31c9209bf524a4ff91648a526e VBS
xn--vn4b27hka971hbue[.]kr  C2 GET Request
50fe8a981a7d4824f0b297f37804b65672ed4484e198e7c324260a34941ddac7 LNK
3d1d2d0464013d9e1dd7611d73176f3a31328a41d6474d5b6d0582ad09d3b17d VBS
partybbq.co[.]kr  C2 GET Request
1ec4d60738a671f00089a86eeba6cb13750bce589e84fd177707718a4cc7d8f1 LNK
88c219656f853b2dc54ae02d32a716e10c8392ed471d1c813e57de2dc170951e VBS
7aa7233feb8e8a7b71ae6cdd0ddb8c2b192d4b6e131fed1ade82efdcb8096c57 JPEG Decoy

Scroll to view full table

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here:

IBM X-Force Scheduler

If you are experiencing cybersecurity issues or an incident, contact X-Force to help:

US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034

More from Threat Intelligence

A red digital rendering of the globe of the Earth
A red digital rendering of the globe of the Earth

Hive0051 goes all in with a triple threat

13 min read – As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051’s use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

A blue rendering of the Earth from space at night with neon pink lines connecting various geographies
A blue rendering of the Earth from space at night with neon pink lines connecting various geographies

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read – As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Computer screen displaying a hack in progress exploiting vulnerabilities & granting access
Computer screen displaying a hack in progress exploiting vulnerabilities & granting access

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read – CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities – Cisco) details CVE-2023-20078 and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.

Subscribe today

Source: https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/

Tags: EMAIL, WINDOWS, EXFILTRATION, DNS, PHISHING, PAYLOAD, VULNERABILITY, EDR