Cisco Talos highlights malware campaigns (probably) brewed from North Korea

Meet North Korea's most active cyber crooks...

Cisco Talos, the threat intelligence arm of the networking giant, has published a new report highlighting the range of sophisticated campaigns attributed to just one group, which is believed to be linked to North Korea.

In the report, the researchers examined a range of malicious activities targeting South Korea launched by a hacking group called "Group 123" over the past year or so.

The researchers said that they have "high confidence" that the group was responsible for six major hacking campaigns during 2017 and into this year.

Their most recent attack, dubbed "Evil New Year 2018", began at the start of the month. It shares the same code and compiler artifacts as previous attacks launched by the group.

According to the researchers, the group has been targeting South Korea in particular. "Based on our analysis, the Golden Time, both Evil New Year [campaigns] and the North Korean Human Rights campaigns specifically targeted South Korean users," said the researchers.

In these attacks, the group sent phishing emails carrying malicious HWP documents, built to compromise recipients' PCs through flaws in the Hancom Hangul Office suite, which is widely used in South Korea.

When successful, the attackers were able to install malware on victims' computers and run commands on them remotely. "The purpose of the malicious documents was to install and to execute ROKRAT, a remote administration tool (RAT)," said the researchers.

However, the attackers varied this method in a bid to deceive targets. "On occasion the attackers directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes," added the report.

"The document only contained a downloader designed to download ROKRAT from a compromised web server."

North Korean hackers are also believed to be behind the "FreeMilk" campaign, which targeted a range of financial institutions. This time, they used a malicious Microsoft Office document rather than an HWP file.

"This document exploited a newer vulnerability, CVE-2017-0199. Group 123 used this vulnerability less than one month after its public disclosure," explained the bods.
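The two delivery patterns described above (the ROKRAT payload embedded directly in the lure, versus a document that only carries a downloader fetching the RAT from a compromised web server) and the switch to an RTF-based Office exploit in FreeMilk suggest a first-pass triage for suspicious attachments. The Python below is an added example written for this page, not Talos code or anything taken from the report. The sample attachments are constructed bytes, the domain `compromised.example` is made up, and the HWP and RTF checks are generic file-format heuristics, not indicators from the campaigns.

```python
import re

# File-format markers used by the triage. These are format facts, not IOCs.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (HWP 5.x, .doc, .xls)
HWP5_TAG = b"HWP Document File"                  # text found in the HWP 5.x FileHeader stream
HWP3_TAG = b"HWP Document File V3.00"            # legacy HWP 3.x flat-file signature
RTF_MAGIC = b"{\\rtf"
PE_STUB = b"This program cannot be run in DOS mode"   # DOS stub string of a PE executable
ASCII_URL = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# OLE link monikers store their URL as UTF-16LE, so also match that encoding.
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")   # hex blob of an embedded OLE object


def detect_format(data):
    """Classify the container by magic bytes."""
    if data.startswith(HWP3_TAG):
        return "hwp3"
    if data.startswith(CFB_MAGIC):
        return "hwp5" if HWP5_TAG in data else "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def extract_urls(blob):
    """Return URLs found as ASCII or UTF-16LE text, de-duplicated and sorted."""
    urls = {m.group(0).decode("ascii", "ignore") for m in ASCII_URL.finditer(blob)}
    urls.update(m.group(0).decode("utf-16le", "ignore") for m in UTF16_URL.finditer(blob))
    return sorted(urls)


def rtf_objdata_blobs(data):
    """Hex-decode every \\objdata blob so embedded OLE objects can be scanned."""
    blobs = []
    for m in OBJDATA.finditer(data):
        hexstr = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(hexstr) % 2:          # tolerate a trailing stray nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr))
    return blobs


def triage(data):
    """Raw-byte triage: container type, embedded PE, URLs, and RTF OLE-link flags."""
    fmt = detect_format(data)
    findings = {"format": fmt, "urls": [], "embedded_pe": False, "flags": []}
    scan_targets = [data]
    if fmt == "rtf":
        blobs = rtf_objdata_blobs(data)
        scan_targets.extend(blobs)
        if blobs:
            findings["flags"].append("rtf-objdata")
        # Auto-updating linked OLE objects are the mechanism abused by
        # CVE-2017-0199 exploit documents; flag them regardless of payload.
        if b"\\objautlink" in data or b"\\objupdate" in data:
            findings["flags"].append("rtf-auto-updating-ole-link")
    for blob in scan_targets:
        if PE_STUB in blob:
            findings["embedded_pe"] = True
        for url in extract_urls(blob):
            if url not in findings["urls"]:
                findings["urls"].append(url)
    if findings["embedded_pe"]:
        findings["flags"].append("embedded-pe:direct-payload")
    elif findings["urls"]:
        findings["flags"].append("url-only:possible-downloader")
    return findings


# Constructed samples (synthetic, not real malware): an HWP-like container that
# only carries a URL, one that carries an inline PE stub, and an RTF with an
# auto-updating OLE link whose UTF-16LE URL is hidden inside the objdata hex.
SAMPLE_HWP_DOWNLOADER = (CFB_MAGIC + b"\x00" * 24 + HWP5_TAG + b"\x00" * 16
                         + b"http://compromised.example/stage2.bin" + b"\x00" * 8)
SAMPLE_HWP_DIRECT = (CFB_MAGIC + b"\x00" * 24 + HWP5_TAG + b"\x00" * 16
                     + b"MZ\x90\x00" + b"\x00" * 60 + PE_STUB + b"\x00" * 8)
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
              + "http://compromised.example/payload.hta".encode("utf-16le").hex().encode()
              + b"}}}")

if __name__ == "__main__":
    for name, sample in [("hwp-downloader", SAMPLE_HWP_DOWNLOADER),
                         ("hwp-direct", SAMPLE_HWP_DIRECT), ("rtf", SAMPLE_RTF)]:
        print(name, triage(sample))
```

This is deliberately a raw-byte first pass. HWP 5.x keeps its body and binary-data streams deflate-compressed inside the OLE container, so a payload or URL in a real lure may not be visible until the compound file is parsed (for example with the `olefile` library) and each stream inflated; the same applies to OLE objects embedded in Office documents. The RTF branch does hex-decode `\objdata` blobs, which is where an OLE link and its URL live, and flags `\objautlink`/`\objupdate` because an auto-updating linked object is what the CVE-2017-0199 exploit documents relied on.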

There were two separate binaries: PoohMilk and Freenki. The first launched Freenki, whose job was to gather "information about the infected system and to download a subsequent stage payload".

Researchers also identified a sixth campaign from the group - dubbed "Are You Happy". Here the attackers deployed a disk wiper on already compromised systems to "wipe the first sectors of the device".