Multiple researchers are reporting that an increasingly sophisticated North Korean hacking group is responsible for an attack campaign actively exploiting CVE-2018-4878, a critical use-after-free flaw in Flash Player that has not yet been patched by Adobe Systems.
The malicious actor, which Cisco Systems’ Talos threat research team refers to as Group 123, is connected to no fewer than six 2017-18 phishing campaigns that primarily targeted South Koreans, infecting victims with the remote administration tool ROKRAT. However, the use of a zero-day vulnerability to spread ROKRAT in this latest campaign represents a first for this group.
“Group 123 [has] now joined some of the criminal elite with this latest payload of ROKRAT… They did use exploits in previous campaigns but never a… new exploit as they have done now,” states a Feb. 2 Talos blog post written by researchers Warren Mercer and Paul Rascagneres. “This change represents a major shift in Group 123’s maturity level. We can now confidentially assess Group 123 as a highly skilled, highly motivated and highly sophisticated group.”
Researchers at FireEye, who refer to the same actor as TEMP.Reaper, are reporting that the threat group is known to operate on IP addresses assigned to Pyongyang’s STAR-KP network — a joint venture between North Korea’s Post and Telecommunications Corporation and Loxley Pacific, North Korea’s lone ISP.
“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year,” reads a Feb. 2 FireEye blog post. “They have taken interest in subject matter of direct importance to the Democratic People’s Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors.”
FireEye claims the group is also associated with the disk wiper malware RUHAPPY, but it has not been observed actively using it against its targets.
Talos and FireEye also revealed more technical details about the attack, which was first disclosed on Jan. 31 by Kr-CERT/CC, South Korea’s national computer emergency response team, before Adobe issued its own security advisory one day later.
According to the researchers, Group 123/TEMP.Reaper is distributing the Flash Player exploit via malicious Office documents, especially Excel spreadsheets, that contain an embedded SWF (Shockwave Flash) file. The exploit downloads a shellcode payload from legitimate third-party South Korean websites that had been compromised. The shellcode, in turn, unpacks and executes a ROKRAT (aka DOGCALL) variant.
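The delivery chain described above starts with an Office document carrying an embedded SWF, which is something a mail gateway or sandbox pre-filter can look for without executing anything. The following is an added example, not code from Talos, FireEye or any vendor mentioned here: it opens an OOXML document (.xlsx/.docx are zip archives), looks for parts that reference the Shockwave Flash ActiveX CLSID, and scans embedded binary parts for an SWF header (`FWS`/`CWS`/`ZWS` followed by a plausible version byte and declared length). The sample workbook it builds is constructed for the demonstration; the SWF bytes in it are a bare header, not a real Flash file, and the directory names it checks are an assumption about where Office stores embedded objects.

```python
import io
import struct
import zipfile

# SWF file signatures: uncompressed, zlib-compressed, LZMA-compressed
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# CLSID of the "Shockwave Flash Object" ActiveX control referenced by Office parts
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
# OOXML directories where embedded objects and ActiveX controls usually live (assumption)
CONTAINER_DIRS = ("/embeddings/", "/activex/", "/media/")


def find_swf_headers(data, max_version=60):
    """Return every offset in `data` where a plausible SWF header begins.

    A header is magic (3 bytes) + version (1 byte) + little-endian uint32 length.
    The SWF may sit inside an OLE/ActiveX wrapper, so we search the whole blob
    rather than only offset 0, and reject hits with an implausible version or length.
    """
    hits = []
    for magic in SWF_MAGICS:
        idx = data.find(magic)
        while idx >= 0:
            if idx + 8 <= len(data):
                version = data[idx + 3]
                declared_len = struct.unpack_from("<I", data, idx + 4)[0]
                if 1 <= version <= max_version and declared_len >= 8:
                    hits.append({"offset": idx, "magic": magic.decode("ascii"),
                                 "version": version, "declared_length": declared_len})
            idx = data.find(magic, idx + 1)
    return hits


def scan_ooxml(blob):
    """Scan an OOXML document (bytes) and return a list of Flash-related findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = "/" + name.lower()
            data = zf.read(info)
            # XML parts: look for an ActiveX control declaration pointing at Flash
            if lower.endswith((".xml", ".rels")):
                if FLASH_CLSID in data.decode("utf-8", "ignore").lower():
                    findings.append({"entry": name, "kind": "flash_clsid"})
                continue
            # Binary parts in embedding/ActiveX directories: look for SWF headers
            if any(d in lower for d in CONTAINER_DIRS) or lower.endswith((".bin", ".swf")):
                for hit in find_swf_headers(data):
                    findings.append({"entry": name, "kind": "swf_header", **hit})
    return findings


def build_constructed_sample(include_flash=True):
    """Build a minimal xlsx-like archive; with include_flash it carries one Flash ActiveX part.

    Constructed test data: the 'SWF' is a header only (CWS, version 30, declared length 4096)
    behind 16 bytes of padding standing in for an OLE wrapper.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
        if include_flash:
            activex_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                           '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" '
                           'xmlns:ax="http://schemas.microsoft.com/office/2006/activeX"/>')
            swf_part = (b"\x00" * 16 + b"CWS" + bytes([30]) + struct.pack("<I", 4096)
                        + b"\x78\x9c" + b"\x00" * 32)
            zf.writestr("xl/activeX/activeX1.xml", activex_xml)
            zf.writestr("xl/activeX/activeX1.bin", swf_part)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_ooxml(build_constructed_sample()):
        print(f)
```

A hit of either kind is a triage signal, not a verdict: legitimate documents can embed Flash, so the useful policy is to quarantine for sandboxing or strip the object, and to log the entry name and offset for the analyst. Legacy binary formats (.xls/.doc) are OLE compound files rather than zips and need an OLE parser instead of `zipfile`, but the same header check applies to the extracted streams.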
“DOGCALL is a backdoor commonly distributed as an encoded binary file, downloaded and decrypted by shellcode following the exploitation of weaponized documents,” said Cristiana Kittner, FireEye principal analyst, in an email interview with SC Media. Kittner added that the malware is capable of capturing screenshots, logging keystrokes, evading analysis, and leveraging cloud storage APIs.
Shortly after news broke of the zero-day vulnerability, Simon Choi, director of the Next Generation Security Research Center at Seoul-based computer software company Hauri, Inc., tweeted that the attacks, which started in mid-November 2017, were targeting “South Koreans who mainly do research on North Korea.”
While the Talos researchers did not have further details about the victims, they did point out that using a valuable zero-day exploit suggests that they were a “very specific and high value target” and that the Group 123 actors “were very determined to ensure their attack worked.”