
North Korean cybercriminals exploit sensitive data from Seoul's intelligence agencies to launch attacks against South Korean citizens.

South Korean intelligence briefing exploited by hacking group APT37, backed by Pyongyang, in a targeted phishing attack


South Korean government institutions, military alliances, and international organisations have been targeted in a recent spear-phishing campaign, according to cybersecurity firm Seqrite Labs. The group behind this operation is believed to be APT37, a nation-state hacking group associated with the North Korean regime.

The targets of the campaign include the Lee Jae-myung administration, the Ministry of Unification, the U.S.-South Korea Military Alliance, and the Asia-Pacific Economic Cooperation (APEC). The attackers also targeted recipients of the National Intelligence Research Association's internal newsletter, whose readership typically includes members of the association itself, Kwangwoon University, Korea University, the Institute for National Security Strategy, the Central Labor Economic Research Institute, the Energy Security and Environment Association, the National Salvation Spirit Promotion Association, Yangjihoe, and Korea Integration Strategy.

The payload delivered in the campaign is RokRAT, a backdoor commonly distributed as an encoded binary file. In parallel, the attackers collected files from %TEMP% and exfiltrated them in POST requests disguised as PDF uploads, deleting the collected files afterwards. LOLBins, in-memory execution and blending the traffic with normal web activity were used to evade detection.
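A disguised upload of this kind leaves a mismatch that a proxy or IDS can check: the part is declared a PDF by filename or Content-Type, but its bytes do not start with the PDF magic. The following Python is an added example, not code from the Seqrite report or from the campaign; it parses a captured multipart POST, sniffs each uploaded part, and reports any part whose content disagrees with what it claims to be. The two requests at the bottom are constructed samples with placeholder hosts and paths (`files.example.invalid`, `/upload`), not traffic from the campaign.

```python
"""Flag multipart uploads whose declared file type disagrees with the content.

Added example, not code from the Seqrite report or the campaign. The HTTP
requests below are constructed samples with placeholder hosts and paths.
"""
import re

# Declared type (by extension or Content-Type) -> expected magic-byte kind
DECLARED = {".pdf": "pdf", "application/pdf": "pdf",
            ".zip": "zip", "application/zip": "zip",
            ".png": "png", "image/png": "png"}
# Magic bytes checked in order; first match wins
SIGNATURES = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"),
              (b"\x89PNG\r\n\x1a\n", "png"), (b"MZ", "pe"), (b"\x1f\x8b", "gzip")]


def sniff(data: bytes) -> str:
    """Identify content by leading bytes, ignoring whatever the sender declared."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _ = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.decode("latin-1").partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_parts(headers: dict, body: bytes) -> list:
    """Return {filename, content_type, data} for each part of a multipart/form-data body."""
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not m:
        return []
    delimiter = b"--" + m.group(1).encode("latin-1")
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        phead, _, pdata = chunk.partition(b"\r\n\r\n")
        if pdata.endswith(b"\r\n"):          # CRLF before the next delimiter is not payload
            pdata = pdata[:-2]
        pheaders = {}
        for line in phead.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            pheaders[key.strip().lower()] = value.strip()
        fn = re.search(r'filename="([^"]*)"', pheaders.get("content-disposition", ""))
        parts.append({"filename": fn.group(1) if fn else "",
                      "content_type": pheaders.get("content-type", "").split(";")[0].strip().lower(),
                      "data": pdata})
    return parts


def check_upload(raw: bytes) -> list:
    """Return one finding per uploaded part whose bytes do not match what it claims to be."""
    method, target, headers, body = parse_request(raw)
    findings = []
    if method != "POST":
        return findings
    for part in multipart_parts(headers, body):
        claimed = set()
        ext = "." + part["filename"].rsplit(".", 1)[-1].lower() if "." in part["filename"] else ""
        for key in (ext, part["content_type"]):
            if key in DECLARED:
                claimed.add(DECLARED[key])
        actual = sniff(part["data"])
        if claimed and actual not in claimed:
            findings.append(f"{target}: {part['filename'] or '<unnamed>'} claims "
                            f"{'/'.join(sorted(claimed))} but content sniffs as {actual} "
                            f"({len(part['data'])} bytes)")
    return findings


def build_request(host: str, path: str, filename: str, content_type: str, data: bytes,
                  boundary: str = "----sample") -> bytes:
    """Helper for the constructed samples: a one-file multipart POST."""
    body = (f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"{filename}\"\r\nContent-Type: {content_type}\r\n\r\n").encode() \
        + data + f"\r\n--{boundary}--\r\n".encode()
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


# Constructed samples (placeholder host): a real PDF upload, and a "PDF" that is a zip archive
BENIGN = build_request("files.example.invalid", "/upload", "report.pdf", "application/pdf",
                       b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< >>\nendobj\n%%EOF\n")
SUSPICIOUS = build_request("files.example.invalid", "/upload", "report.pdf", "application/pdf",
                           b"PK\x03\x04" + bytes(64))   # zip header followed by filler bytes

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, check_upload(req) or "no findings")
```

The check is deliberately independent of the destination: blending with ordinary web traffic defeats allow-lists of hosts, but a "PDF" whose first bytes are a zip, an executable or gzip stream is still a mismatch wherever it is sent. Sizes are reported alongside, because a run of oversized "PDF" uploads to one endpoint shortly after a shortcut was opened is the pattern worth hunting.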

In the first campaign, a national intelligence newsletter served as the decoy document. The attackers distributed a legitimate-looking PDF together with a malicious LNK (Windows shortcut) file. Once opened, the LNK downloaded a payload or ran a command, giving the attacker a foothold on the system. The LNK then deleted itself, and a batch script carried the chain forward as a fileless attack.

In the second campaign, the decoy was a statement attributed to Kim Yo-jong, a senior North Korean official. The attack chain mirrors the first: a malicious LNK file drops the decoy and supporting components into %TEMP%. The analysis of the campaign, tracked as Operation HanKook Phantom, shows APT37 continuing to rely on highly tailored spear-phishing built from malicious LNK loaders, fileless PowerShell execution and covert exfiltration mechanisms.
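The LNK loader in both campaigns works because a shortcut can point at an interpreter and carry a long command line while showing the user a document icon. The Python below is an added example, not code from the Seqrite report or from APT37's tooling: it parses the string fields of a Shell Link (.lnk) file following the MS-SHLLINK layout and applies a few triage heuristics of its own (interpreter target, hidden window, padded or over-long arguments, borrowed icon). The .lnk it analyses is assembled in memory as a constructed sample; the PowerShell command, the icon path and the `build_lnk` helper are this example's own placeholders, not artifacts from the campaign.

```python
"""Extract and triage the string fields of a Windows Shell Link (.lnk).

Added example, not code from the Seqrite report or from APT37's tooling.
The .lnk bytes are built in memory from the MS-SHLLINK layout (a constructed
sample, not a campaign artifact) so the parser can be run offline.
"""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and fixed header values (2.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_FMT = "<I16sIIQQQIIIHHII"          # 76-byte ShellLinkHeader
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7                    # window opens minimised: the user never sees it
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
# Interpreters and LOLBins that a "document" shortcut has no business launching
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def _string_data(text: str) -> bytes:
    """StringData item: UTF-16LE character count, then the characters (no terminator)."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str, icon_location: str = "",
              show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Assemble a minimal Unicode .lnk with only the string fields set (sample builder)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = _string_data(relative_path) + _string_data(arguments)   # StringData order is fixed
    if icon_location:
        body += _string_data(icon_location)
    return header + body


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip the variable-size ID list / LinkInfo, decode StringData."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags, show_command = fields[0], fields[1], fields[2], fields[9]
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData for {name}")
        info[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return info


def triage(info: dict) -> list:
    """Heuristics of this example (not the report's): traits typical of an LNK loader."""
    findings = []
    target = info.get("relative_path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    args = info.get("arguments", "")
    if target in LOLBINS:
        findings.append(f"target is an interpreter/LOLBin: {target}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE hides the console window")
    if len(args) > 260:
        findings.append(f"arguments are {len(args)} chars; the shortcut Properties dialog truncates long targets")
    if args != args.lstrip():
        findings.append("arguments begin with whitespace padding that pushes the real command out of view")
    icon = info.get("icon_location", "").lower()
    if icon and target in LOLBINS and not icon.endswith(target):
        findings.append(f"icon borrowed from {icon} while launching {target}")
    return findings


def analyze(data: bytes):
    info = parse_lnk(data)
    return info, triage(info)


# Constructed sample: a shortcut that looks like a PDF but launches PowerShell with a padded
# command line. The command body and icon path are placeholders, not campaign artifacts.
NEXT_STAGE = '-WindowStyle Hidden -ExecutionPolicy Bypass -Command "<placeholder for loader command>"'
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=" " * 300 + NEXT_STAGE,
    icon_location=r"%ProgramFiles%\Adobe\Acrobat.exe",
)

if __name__ == "__main__":
    info, findings = analyze(SAMPLE_LNK)
    print("target:   ", info["relative_path"])
    print("arguments:", info["arguments"].strip())
    for finding in findings:
        print(" -", finding)
```

Run against a shortcut pulled from a suspicious archive, the parser gives the analyst the real target and the full argument string without double-clicking anything; the heuristics are a starting point to tune, not a verdict, since legitimate administrative shortcuts also point at PowerShell.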

APT37, also known as InkySquid, ScarCruft, Reaper, Group123, RedEyes, and Ricochet Chollima, has been active since at least 2012. Its primary focus has been the South Korean public and private sectors. In 2017, the group expanded its targeting beyond the Korean peninsula to include Japan, Vietnam, and the Middle East, and a broader range of industry verticals.

This latest campaign serves as a reminder of the ongoing cyber threats posed by nation-state actors. As these attacks become increasingly sophisticated, it is crucial for organisations to remain vigilant and implement robust security measures to protect against such threats.
