Operation HanKook Phantom: APT37 Spear-Phishing Campaign
Table of Contents:
- Introduction
- Threat Profile
- Infection Chain
- Campaign-1
- Analysis of Decoy
- Technical Analysis
- Fingerprint of ROKRAT’s Malware
- Campaign-2
- Analysis of Decoy
- Technical Analysis
- Detailed Analysis of Decoded tony31.dat
- Conclusion
- Seqrite Protections
- MITRE ATT&CK
- IoCs
Introduction:
Seqrite Lab has uncovered a campaign in which threat actors use the “국가정보연구회 소식지 (52호)” (National Intelligence Research Society Newsletter – Issue 52) as a decoy document to lure victims. The attackers distribute this legitimate-looking PDF together with a malicious LNK (Windows shortcut) file named “국가정보연구회 소식지(52호).pdf .LNK”, which is typically packed into the same archive or disguised as a related file. Once the LNK file is executed, it triggers a payload download or command execution, enabling the attacker to compromise the system.
The primary targets appear to be individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and the researchers named in the newsletter. The attackers likely aim to steal sensitive …
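One defender-side check the lure described above suggests, written here as an added example and not part of Seqrite's report or tooling: scan a directory or archive listing for shortcut files whose names end in a document extension, optional padding, and `.LNK`, and record whether the genuine decoy document ships beside them. The extension set, the padding characters and the sample listing are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Document extensions an attacker may place before the real ".lnk" so the
# shortcut reads as a harmless file in a file-manager or archive listing.
DOC_EXTENSIONS = {"pdf", "doc", "docx", "hwp", "hwpx", "xls", "xlsx", "ppt", "pptx", "txt"}
# Whitespace / zero-width padding that pushes the trailing ".LNK" out of view
# (the lure described above used "...pdf .LNK"); assumed set of characters.
_PAD = re.compile(r"[\s\u200b\u200c\u200d\u2060\ufeff]+")

@dataclass
class Finding:
    name: str        # filename exactly as listed
    fake_ext: str    # document extension the shortcut pretends to carry
    has_decoy: bool  # a genuine document with the same visible name is listed too

def fold(name: str) -> str:
    """Lower-case and strip padding so the real and fake extensions line up."""
    return _PAD.sub("", name).lower()

def fake_document_ext(name: str) -> Optional[str]:
    """Return the document extension an .lnk is disguised with, else None."""
    folded = fold(name)
    if not folded.endswith(".lnk"):
        return None
    m = re.search(r"\.([a-z0-9]{1,5})$", folded[:-4])
    return m.group(1) if m and m.group(1) in DOC_EXTENSIONS else None

def scan_listing(names: Iterable[str]) -> List[Finding]:
    """Flag disguised shortcuts; has_decoy marks the decoy-plus-LNK pairing
    seen in this campaign (real PDF shipped next to a same-named .LNK)."""
    names = list(names)
    folded_set = {fold(n) for n in names}
    findings = []
    for n in names:
        ext = fake_document_ext(n)
        if ext is not None:
            visible = fold(n)[:-4]  # name as the victim sees it, e.g. "...(52호).pdf"
            findings.append(Finding(n, ext, visible in folded_set))
    return findings

# Constructed sample listing, not taken from the campaign's archive.
SAMPLE_LISTING = [
    "국가정보연구회 소식지(52호).pdf",
    "국가정보연구회 소식지(52호).pdf .LNK",
    "readme.txt",
    "installer.exe.lnk",
]
```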
IoC