ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People's Republic of Korea (DPRK)

2023-06-06, IBM
https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/
#ITG10 #RokRAT #LNK

Contents

In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. Initial delivery is via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts responsible for downloading the second-stage RokRAT shellcode. RokRAT can execute remote C2 commands and perform data exfiltration, file download/upload, and keylogging. The uncovered lure documents suggest ITG10 may be targeting individuals and organizations involved in foreign policy associated with the Korean peninsula.
Key Findings:
- ITG10 likely targeting South Korean government, universities, think tanks, and dissidents
- Phishing emails spoof legitimate senders to deliver RokRAT via LNK files
- Email attachments mimic legitimate documents
- Additional malware samples possibly related …

IoC

00d88009fa50bfab849593291cce20f8b2f2e2cf2428d9728e06c69fced55ed5
06431a5d8f6262cc3db39d911a920f793fa6c648be94daf789c11cc5514d0c3d
1c5b9409243bfb81a5924881cc05f63a301a3a7ce214830c7a83aeb2485cc5c3
1ec4d60738a671f00089a86eeba6cb13750bce589e84fd177707718a4cc7d8f1
240e7bd805bd7f2d17217dd4cebc03ac37ee60b7fb1264655cfd087749db647a
3d1d2d0464013d9e1dd7611d73176f3a31328a41d6474d5b6d0582ad09d3b17d
50fe8a981a7d4824f0b297f37804b65672ed4484e198e7c324260a34941ddac7
5678196f512f8a531c7d85af8df4f40c7a5f9c27331b361bb1a1c46d317a77d8
5815a6f7976e993fcdf9e024f4667049ec5a921b7b93c8c8c0e5d779c8b72fcc
6753933cd54e4eba497c48d63c7418a8946b4b6c44170105d489d29f1fe11494
6bab11d9561482777757f16c069ebef3f1cd6885dbef55306ffde30037a41d48
7529eaeeb29c713f8e15827c79001a9227d8bc31c9209bf524a4ff91648a526e
76d0133d738876f314ae792d0cf949710b66266ba0cebefbd98ce40c64a9b15b
7aa7233feb8e8a7b71ae6cdd0ddb8c2b192d4b6e131fed1ade82efdcb8096c57
7ef2c0d2ace70fedfe5cd919ad3959c56e7e9177dcc0ee770a4af7f84da544f1
88c219656f853b2dc54ae02d32a716e10c8392ed471d1c813e57de2dc170951e
9854750f3880c7cee3281d8c33292ca82d0d288963f0f2771d938c06ccaffaa9
cb4c7037c7620e4ce3f8f43161b0ec67018c09e71ae4cea3018104153fbed286
cc6ae9670e38244e439711b1698f0db3cff000b79bec7f47bc4aa5ab1f6177c0
ce56b011ac4663a40f0ba606c98c08aaf7caf6a45765aa930258fe2837b12181
f1289e7229ace984027f29cf8e2dd8fdd19b0c4b488da31ff411ee95305eaecc
f92297c4efabba98befeb992a009462d1aba6f3c3a11210a7c054ff5377f0753
fa2ebcdfce8bbe4245ed77b43d39e22c0c7593ca3f65be3fd0ccdf7ee02130a9
http://partybbq.co.kr
http://xn--vn4b27hka971hbue.kr
https://1drv.ms/i/s!AhXEXLJSNMPTbfzgUMxNbInC6
https://1drv.ms/i/s!AhXEXLJSNMPTe6qVk7C4zvc-R
https://1drv.ms/u/s!AhQMP6eg8aRFb7LU1COCf3xNo
https://1drv.ms/u/s!AjQNLvEE_CUObPWg-xOdo1EqX
https://1drv.ms/u/s!Au2my1xh6t8XgR2Mzms8nhRwo-6B?e=jHHC6y
https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRiZnpnVU14TmJJbkM2Q0k_ZT1WZElLSjE/root/content
https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL2kvcyFBaFhFWExKU05NUFRlNnFWazdDNHp2Yy1SekU_ZT1SSFZJSk4/root/content
https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBaFFNUDZlZzhhUkZiN0xVMUNPQ2YzeE5vVFU_ZT1wZ2liaUM/root/content
https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalFOTHZFRV9DVU9iUFdnLXhPZG8xRXFYckU_ZT1BM1QwV2Q/root/content
https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content