Exploring the North Korean Email Client: Features and Functionality
Now that it’s been leaked, let’s take a look at the North Korean email client that was part of the leak. It’s made up of a main executable, a couple of DLL files, and a config file. Before even diving into it, there are a couple of interesting things we can find by looking at the strings and some of the associated file names.
.rdata:006E1E80 0000001C C Not a valid Chilkat object.
.rdata:006E2004 00000025 C VHJpYWwgcGVyaW9kIGhhcyBleHBpcmVkLg==
.rdata:006E2030 00000059 C UHJvZHVjdCBpcyBub3QgdW5sb2NrZWQuICBNYWtlIHN1cmUgdG8gY2FsbCBVbmxvY2tDb21wb25lbnQgZmlyc3Qu
.rdata:006E5A88 00000047 C AutoFix: SMTP port 587 requires explicit SSL/TLS for this mail server.
.rdata:007366D8 0000001F C No SSH connection established!
.rdata:007366F8 00000024 C SSH password authentication failed
So it’s using the Chilkat library, and there are references to SSH, FTP, and other protocols in there as well. The Base64-encoded strings decode to messages about an invalid license. If you’re not familiar with Chilkat, it is a cross-language, cross-platform API providing 90+ classes for many Internet protocols, …
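As an added example (not code from the original post), the Python below parses the strings listing shown above and decodes only the entries that are valid Base64 of printable ASCII, which is how the license messages surface during triage. The function names and the 16-character minimum are assumptions made for this illustration.

```python
import base64
import binascii
import re

# Listing copied from the post (IDA strings view: address, hex length, type, value).
LISTING = """\
.rdata:006E1E80 0000001C C Not a valid Chilkat object.
.rdata:006E2004 00000025 C VHJpYWwgcGVyaW9kIGhhcyBleHBpcmVkLg==
.rdata:006E2030 00000059 C UHJvZHVjdCBpcyBub3QgdW5sb2NrZWQuICBNYWtlIHN1cmUgdG8gY2FsbCBVbmxvY2tDb21wb25lbnQgZmlyc3Qu
.rdata:006E5A88 00000047 C AutoFix: SMTP port 587 requires explicit SSL/TLS for this mail server.
.rdata:007366D8 0000001F C No SSH connection established!
.rdata:007366F8 00000024 C SSH password authentication failed
"""

LINE_RE = re.compile(r"^\S+:([0-9A-Fa-f]{8})\s+[0-9A-Fa-f]{8}\s+\w+\s+(.*)$")
# Assumption: 16+ characters keeps short ordinary words from matching.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_listing(text):
    """Yield (address, value) for each well-formed listing line."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2)


def try_decode(value):
    """Return the decoded text if value is Base64 of printable ASCII, else None."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_hidden_strings(text):
    """Map address -> decoded text for every Base64-looking entry."""
    results = {}
    for address, value in parse_listing(text):
        decoded = try_decode(value)
        if decoded is not None:
            results[address] = decoded
    return results


if __name__ == "__main__":
    for address, decoded in decode_hidden_strings(LISTING).items():
        print(f"{address}: {decoded}")
```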
IoC