
North Korean Hackers Exploit Seoul Intelligence Files

Summary

– APT37, a North Korean-backed hacking group, conducted a large-scale spear-phishing campaign targeting South Korean government and intelligence staff.
– The first campaign used a legitimate-looking National Intelligence Research Society newsletter as a decoy to distribute a malicious LNK file.
– The second campaign exploited a statement by North Korean official Kim Yŏ-jong to deploy similar malicious techniques, including fileless attacks and data exfiltration.
– Both campaigns delivered the RokRAT backdoor and employed advanced evasion methods like in-memory execution and traffic blending to avoid detection.
– The operation demonstrates APT37’s continued use of highly tailored spear-phishing attacks against South Korean institutions and expanded global targets.

A sophisticated spear-phishing operation has targeted South Korean intelligence and government personnel using deceptively authentic documents as bait. Cybersecurity experts at Seqrite identified this campaign, attributing it to APT37, a hacking collective with strong links to North Korea. Dubbed Operation HanKook Phantom, the attack unfolded in two distinct phases, each designed to infiltrate high-value targets through carefully crafted lures.

The initial wave exploited a trusted internal publication, the National Intelligence Research Society Newsletter. Attackers distributed a malicious Windows shortcut file disguised as the newsletter’s 52nd issue. When opened, the file triggered a hidden payload, deploying RokRAT malware to seize control of the compromised system. This backdoor allowed unauthorized access while employing advanced evasion tactics like in-memory execution and covert data extraction.

Recipients of the newsletter, typically affiliated with institutions such as the National Intelligence Research Association, Kwangwoon University, and the Institute for National Security Strategy, were among the primary targets. The attackers leveraged the newsletter’s legitimate appearance to bypass suspicion, knowing its contents would attract precisely the audience they sought to compromise.

A second campaign utilized a provocative public statement from Kim Yŏ-jong, a high-ranking North Korean official, as bait. The document, which rejected inter-Korean dialogue, was paired with a malicious LNK file that initiated a multi-stage intrusion. Once executed, the attack deployed obfuscated scripts, employed fileless techniques via PowerShell, and exfiltrated sensitive data using disguised network traffic. Targets in this phase included the South Korean cabinet, the Ministry of Unification, and international bodies like APEC.
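Both phases described above hinge on a Windows shortcut (LNK) that launches a hidden interpreter while posing as a document. The following triage script is an added example, not code from the article or from Seqrite: it parses the MS-SHLLINK header and StringData fields of a .lnk file and applies generic defender heuristics (interpreter target, encoded or hidden-window arguments, minimised ShowCommand, borrowed document-viewer icon). The sample shortcut it builds is constructed for the test and is not an indicator from the campaign; the heuristic strings are assumptions, not the campaign's actual command lines.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80           # LinkFlags bits
STRING_BITS = {"name": 0x04, "relpath": 0x08, "workdir": 0x10, "args": 0x20, "icon": 0x40}
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, show_cmd = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:    # LinkTargetIDList: 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: 4-byte size that includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    info = {"flags": flags, "show_cmd": show_cmd}
    for name, bit in STRING_BITS.items():  # StringData follow in this fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            info[name] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    return info

def triage_lnk(info: dict) -> list:
    """Defender-side heuristics (assumed, generic): reasons a shortcut deserves analyst attention."""
    reasons = []
    target = (info.get("relpath", "") + " " + info.get("args", "")).lower()
    if any(t in target for t in ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript")):
        reasons.append("target is a script interpreter rather than a document")
    if any(t in target for t in ("-enc", "-e ", "frombase64string", "-w hidden", "-windowstyle hidden")):
        reasons.append("encoded or hidden-window interpreter arguments")
    if info["show_cmd"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand runs the target minimised")
    if any(t in info.get("icon", "").lower() for t in ("acro", "winword", "hwp", ".pdf", ".doc")):
        reasons.append("icon borrowed from a document viewer to pass as a document")
    return reasons

def build_lnk(args: str, show_cmd: int, relpath: str, icon: str = "") -> bytes:
    """Construct a minimal .lnk for testing; not a sample from the campaign."""
    flags = STRING_BITS["relpath"] | STRING_BITS["args"] | IS_UNICODE | (STRING_BITS["icon"] if icon else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relpath) + sd(args) + (sd(icon) if icon else b"")
# Constructed lure-style shortcut: interpreter target, hidden window, document-viewer icon.
SAMPLE_LNK = build_lnk("-w hidden -nop -enc <constructed-b64>", SW_SHOWMINNOACTIVE,
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", icon=r"%ProgramFiles%\Adobe\Acrobat.exe")
```

Running `triage_lnk(parse_lnk(SAMPLE_LNK))` yields four findings for the constructed lure and none for a plain shortcut to an editor; in practice the same parser can be pointed at attachments extracted from mail or archive quarantine.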

APT37, also known as ScarCruft or InkySquid, has operated since at least 2012 with a clear focus on espionage against South Korean interests. The group has gradually expanded its reach to include Japan, Vietnam, and various industrial sectors. Its methods reflect a persistent and evolving threat, combining social engineering with technical sophistication to bypass defenses.

This operation underscores the continued use of highly tailored spear-phishing tactics by state-sponsored actors. By blending familiar content with advanced malware, APT37 demonstrates a concerning ability to penetrate secure networks and maintain persistent access.

(Source: InfoSecurity)
