Detailed Analysis of Red Eyes Hacking Group
2018.05.03
220, Pangyoyeok-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, South Korea
Tel: +82-31-722-8000 | Fax: +82-31-722-8901 | www.ahnlab.com
© AhnLab, Inc. All rights reserved.
[Analysis Report] Red Eyes Hacking Group
Table of Contents
Abstract ... 3
Overview of the Activities of Red Eyes ... 4
  1. Current Status and Characteristics ... 5
  2. Main Attacks and Methods ... 6
Detailed Analysis of Malware ... 9
  1. Reloader (DocPrint) ... 9
  2. Reloaderx ... 9
  3. Redoor (DogCall) ... 10
  4. Wiper ... 10
Possible Association with Other Attack Groups ... 11
  Operation ProgamsByMe (2015) ... 11
  Malware Created by the User “Pad-1” (2016) ... 16
AhnLab’s Response ... 19
Conclusion ... 19
Appendix ... 20
Abstract
The Red Eyes attack group has also been tracked as Geumseong121, Group 123, ScarCruft, APT37, Reaper, and Ricochet Chollima. Based on the contents of the malicious files used in its attacks, the group's main targets appear to be organizations and individuals whose work involves North Korea. These include North Korean defectors, human rights activists for North Korea, …
IoC
Note: the 32-character hexadecimal values below are file hashes as listed in the report. The entry 192.168.100.22 is an RFC 1918 private address, so it will not appear in external network telemetry; treat it as an internal or lab-environment indicator rather than an Internet-facing C2 address.
06ae5d62d56f21cd2676989743b9626c
0ff0f3f0722dd122a0f5c3d4c7752675
192.168.100.22
2f0492f53d348bea993b7ae5983508a6
2fdbb9a500143a2dd3d226a1cc3e45b5
44bdeb6c0af7c36a08c64e31ceadc63c
49d30adaab769fbea2ef69e09c6598c5
6Cec7de9d4797895775e2add9d6855ba
7ca1e08fc07166a440576d1af0a15bb1
89c3254aa577d3788f0f402fe6e5a855
8b55d52b12cf319d9785ad8eeeade5ea
9ac2ffd3f1cea2e01ed77c2e7b4a29e7
9cd11aa7872f9cba98264113d3d72893
9f1e60e0c794aa3f3bdf8a6645ccabdc
d00e3196bc847e63fc4b255e8ab06d1c
f0a5385d0d9f7c546b25a7448ca5b1c9
f613c9276d0deb19d0959aa2fbfc737c
f793deeee9dc4235d228e68d27057dcc
fc0a9850f7b6a91f7757d64c86cfc141