North Korean hacker group infiltrates popular South Korean security program

Malicious files disguised as icons. Image: ESTsecurity’s Security Response Center

A hacker group likely supported by North Korea has launched an advanced persistent threat (APT) attack by hiding malicious code behind a popular South Korean security program. APT attacks are typically sophisticated, long-term campaigns aimed at monitoring information and stealing data rather than immediately damaging a network or organization.

“A large number of APT files recently created on October 31, 2018, have been identified,” reported ESTsecurity’s Security Response Center (ESRC) on November 2. “The files are disguised as icons for a particular South Korean [computer] security product.”

The hackers appear to have counted on most users not suspecting the South Korean security program of being malicious, as it is widely used by South Korean banks and government institutions.

ESRC reported that the hacker group that distributed the file is “supported by a specific government” and is directly and indirectly related to the ‘Kimsuky’ group, which exploited [code-related] weaknesses in Hangul Word Processor (.hwp) files in February this year.

The malicious code produced by the Kimsuky group is known to be used by North Korean hackers. Such code was used in attacks against email accounts owned by government officials, scholars and other South Korean diplomatic and national security figures in 2016, along with a hacking attack against Korea Hydro & Nuclear Power Co., Ltd in 2014.

According to the ESRC, once the malicious code infects a computer, the victim’s major system information, keystrokes, and other sensitive data including user account information are sent to the external attacker.

The malware collects a wide range of file formats from the infected computers, including .hwp, .pdf, .doc/.docx, .xls/.xlsx, .ppt, .alz/.rar/.zip, and .jpg and .png files.

The malicious code also reportedly collects files in the .keystore format, which is used in Android application development to hold the keys with which apps are digitally signed. This suggests that the malicious code may also be used in phishing attacks against mobile phone users.

“The collection of .keystore files by the hackers may be aimed at infecting Android app developers’ computers to steal the ‘key files’ used in app development,” said Mun Chong Hyun, the director of ESRC. “The hackers may use the stolen key files to create other malicious apps or create those disguised as normal apps to attack other users.”

Apps, however, must be digitally signed with these key files whenever they are updated in order to be distributed through public app markets (such as Google Play). Hackers holding a developer’s key files can therefore distribute apps carrying malicious code under that developer’s name, or infect mobile phone users’ devices when they update their apps.

ESRC found that when devices are infected with the malicious code, the collected information is sent to two Korean-language websites, koreaweek.us and directone.co.kr.

Koreaweek.us is based in Washington, D.C., and directone.co.kr is registered in Daegu, South Korea, according to a search through Whois, a domain lookup service operated by the Korea Internet and Security Agency (KISA). These two sites have likely been compromised and are acting as “mid-way stations” from which the stolen information is forwarded to other online locations.
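As an added example (not part of the article or of ESRC’s report), the following Python hunt runs over constructed proxy-log lines and flags clients making large uploads to the two relay domains named above or their subdomains, while ignoring lookalike hostnames. The log format is assumed, and the threshold value is a placeholder to tune against real traffic.

```python
import re
from collections import defaultdict

# Relay domains named in the ESRC report as quoted in the article above.
RELAY_DOMAINS = {"koreaweek.us", "directone.co.kr"}

# Constructed proxy log lines in an assumed, simplified Squid-like format:
# "<epoch> <client_ip> <method> <url> <bytes_sent>"
SAMPLE_LOG = """\
1541116800 10.0.0.21 GET http://www.example.com/index.html 512
1541116805 10.0.0.21 POST http://koreaweek.us/upload.php 184320
1541116810 10.0.0.34 GET http://directone.co.kr/board/list.html 2048
1541116820 10.0.0.21 POST http://koreaweek.us/upload.php 98304
1541116830 10.0.0.34 POST http://files.directone.co.kr/post.php 40960
1541116840 10.0.0.50 GET https://koreaweek.us.example.net/ 300
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")


def host_of(url):
    """Extract the hostname from a URL, dropping scheme, port and path."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def matches_relay(host):
    """True if host is a relay domain or a subdomain of one (not a lookalike)."""
    return any(host == d or host.endswith("." + d) for d in RELAY_DOMAINS)


def find_exfil(log_text, min_post_bytes=16384):
    """Return {client_ip: (post_count, total_bytes)} for clients that sent a
    single POST of at least min_post_bytes to a relay domain."""
    hits = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        _, client, method, url, size = m.groups()
        if method == "POST" and matches_relay(host_of(url)) and int(size) >= min_post_bytes:
            hits[client][0] += 1
            hits[client][1] += int(size)
    return {c: tuple(v) for c, v in hits.items()}


if __name__ == "__main__":
    for client, (count, total) in find_exfil(SAMPLE_LOG).items():
        print(f"{client}: {count} upload(s), {total} bytes to relay domains")
```

Small GET requests to the relay sites are left alone, since the compromised sites may still serve legitimate pages; only sizeable uploads are reported.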

“In the beginning, hackers set up servers themselves through individual hosting services to steal information, so some of the personal information relating to the hackers was released during this process,” said Mun. “Now, however, they don’t set up their own servers but focus instead on hacking into poorly secured sites in South Korea and abroad to use the sites’ command and control servers (C2).”

“[The hackers] have been disguising the malicious code in a South Korean security program for the past several months and are using the C2 servers of South Korean and foreign websites,” Mun continued, cautioning that people need to “use proactive security protocols to ensure their digital security is not compromised.”
