The ink-stained trail of GOLDBACKDOOR
Threat report
Silas Cutler, Principal Reverse Engineer
21/04/2022

Table of contents
GOLDBACKDOOR deployment ............ 3
Stage 1 ............ 4
Kang Min-chol Edits 2.zip ............ 4
Kang Min-chol Edits 2.lnk ............ 5
Stage 2 ............ 8
Fantasy injector ............ 8
Final dropper ............ 9
GOLDBACKDOOR ............ 9
Tracking document ............ 10
Conclusion ............ 11
Appendix ............ 12
YARA rules ............ 12
Infrastructure ............ 15
Files ............ 15
Over the past 10 years, the Democratic People's Republic of Korea (DPRK) has adopted cyber
operations as a key means of supporting the regime. While significant attention has been paid to the
purported use of these operations as a means of funding DPRK’s military programs, the targeting of
researchers, dissidents, and journalists likely remains a key area for supporting the country's
intelligence operations.
Journalists are high-value targets for hostile governments. They are often aggregators of stories from
many individuals – sometimes including those with sensitive access. Compromising a journalist can
provide access to highly sensitive information and enable additional attacks against their sources.
On 18 March 2022, NK News shared multiple malicious artifacts with the Stairwell threat research team
from a spear-phishing campaign targeting journalists …
IoC
YARA rules

rule NK_GOLDBACKDOOR_LNK
{
    meta:
        author = "Silas Cutler ([email protected])"
        description = "Detection for LNK file used to deploy GOLDBACKDOOR"
        version = "0.1"
    strings:
        $ = "WINWORD.exe" wide nocase
        $ = "$won11 =\"$temple=" wide
        $ = "dirPath -Match 'System32' -or $dirPath -Match 'Program Files'" wide
    condition:
        2 of them and uint16(0) == 0x4c
}
rule NK_GOLDBACKDOOR_LNK_payload
{
    meta:
        author = "Silas Cutler ([email protected])"
        description = "Detection for obfuscated Powershell contained in LNK file that deploys GOLDBACKDOOR"
        version = "0.1"
    strings:
        $ = "WriteByte($x0, $h-1, ($xmpw4[$h] -bxor $xmpw4[0]" ascii wide nocase
    condition:
        all of them
}
rule NK_GOLDBACKDOOR_Main
{
    meta:
        author = "Silas Cutler"
        description = "Detection for Main component of GOLDBACKDOOR"
        version = "0.1"
    strings:
        $str1 = "could not exec bash command." wide
        $str2 = "%userprofile%\\AppData" wide
        $str3 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.3112.113 Safari/537.36" wide
        $str4 = "tickount: %d"
        $str5 = "Service-0x" wide
        $str6 = "Main Returned"
        $b64_1 = "TwBuAGUARAByAHYAVQBwAGQAYQB0AGUAAAA="
        $b64_2 = "aGFnZW50dHJheQ=="
        $b64_3 = "YXBwbGljYXRpb24vdm5kLmdvb2dsZS1hcHBzLmZvbGRlcg=="
        $pdb = "D:\\Development\\GOLD-BACKDOOR\\"
    condition:
        4 of them or ( $pdb and 1 of them )
}
rule NK_GOLDBACKDOOR_generic_shellcode
{
    meta:
        author = "Silas Cutler ([email protected])"
        description = "Generic detection for shellcode used to drop GOLDBACKDOOR"
        version = "0.1"
    strings:
        $ = { B9 8E 8A DD 8D 8B F0 E8 ?? ?? ?? ?? FF D0 }
        $ = { B9 8E AB 6F 40 [1-10] 50 [1-10] E8 ?? ?? ?? ?? FF D0 }
    condition:
        all of them
}
rule NK_GOLDBACKDOOR_inital_shellcode
{
    meta:
        author = "Silas Cutler ([email protected])"
        description = "Detection for initial shellcode loader used to deploy GOLDBACKDOOR"
        version = "0.1"
    strings:
        // Stack-string construction of the log file name, as seen in the loader:
        // seg000:07600058 8D 85 70 FE FF FF     lea     eax, [ebp+var_190]
        // seg000:0760005E C7 45 C4 25 6C 6F 63  mov     dword ptr [ebp+var_3C], 'col%'
        // seg000:07600065 50                    push    eax
        // ...
        // seg000:0760008F C7 45 D8 6F 6C 64 2E  mov     dword ptr [ebp+var_3C+14h], '.dlo'
        // seg000:07600096 C7 45 DC 74 78 74 00  mov     dword ptr [ebp+var_3C+18h], 'txt'
        $ = { C7 45 C4 25 6C 6F 63 50 8D 45 C4 C7 45 C8 61 6C 61 70 8B F9 C7 45
              CC 70 64 61 74 50 B9 BD 88 17 75 C7 45 D0 61 25 5C 6C 8B DA C7 45 D4 6F
              67 5F 67 C7 45 D8 6F 6C 64 2E C7 45 DC 74 78 74 00 }
        // Import loaders
        $ = { 51 50 57 56 B9 E6 8E 85 35 E8 ?? ?? ?? ?? FF D0 }
        $ = { 6A 40 68 00 10 00 00 52 6A 00 FF 75 E0 B9 E3 18 90 72 E8 ?? ?? ?? ?? FF D0 }
    condition:
        all of them
}
rule NK_GOLDBACKDOOR_injected_shellcode
{
    meta:
        author = "Silas Cutler ([email protected])"
        description = "Detection for injected shellcode that decodes GOLDBACKDOOR"
        version = "0.1"
    strings:
        $dec_routine = { 8A 19 57 8B FA 8B 51 01 83 C1 05 85 D2 74 0E 56 8B C1 8B F2 30 18 40 83
                         EE 01 75 F8 5E 57 }
        $rtlfillmemory_load = { B9 4B 17 CD 5B 55 56 33 ED 55 6A 10 50 E8 86 00 00 00 FF D0 }
        $ = "StartModule"
        $log_file_name = { C7 44 24 3C 25 6C 6F 63 50 8D 44 24 40 C7 44 24 44 61 6C 61 70 50 B9 BD
                           88 17 75 C7 44 24 4C 70 64 61 74 C7 44 24 50 61 25 5C 6C C7 44 24 54 6F
                           67 5F 67 C7 44 24 58 6F 6C 64 32 C7 44 24 5C 2E 74 78 74 }
        $ = { B9 8E 8A DD 8D 8B F0 E8 E9 FB FF FF FF D0 }
    condition:
        3 of them
}
rule NK_GOLDBACKDOOR_obf_payload
{
    meta:
        author = "Silas Cutler ([email protected])"
        description = "Detection for encoded shellcode payload downloaded by LNK file that drops GOLDBACKDOOR"
        version = "0.1"
    strings:
        $init = { E6 B3 6D 0A 65 02 1E 67 0A EE E7 E6 E6 6B EA C2 }
    condition:
        $init at 0
}
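The two rules above fit together: NK_GOLDBACKDOOR_LNK_payload matches the PowerShell that writes `$xmpw4[$h] -bxor $xmpw4[0]` to offset `$h-1`, and NK_GOLDBACKDOOR_obf_payload anchors on the first 16 bytes of the blob that PowerShell decodes. The script below is an added triage example, not part of the report or its tooling; it assumes, as that fragment suggests, that the first byte is the XOR key and the output is shifted down by one byte, and it checks whether the plaintext begins with the 32-bit `push ebp; mov ebp, esp` prologue an analyst would expect from shellcode.

```python
# Added analyst example (not from the Stairwell report). Applies the XOR scheme
# matched by NK_GOLDBACKDOOR_LNK_payload to the bytes anchored by
# NK_GOLDBACKDOOR_obf_payload. Assumption: blob[0] is the key and each
# following byte is XORed with it and written one position earlier.

# The 16 bytes of the $init hex string from rule NK_GOLDBACKDOOR_obf_payload.
INIT_BYTES = bytes.fromhex("e6b36d0a65021e670aeee7e6e66beac2")

# Opcodes of the classic 32-bit prologue: push ebp (55); mov ebp, esp (8B EC).
X86_PROLOGUE = bytes.fromhex("558bec")


def decode_first_byte_xor(blob: bytes) -> bytes:
    """Return blob[1:] with every byte XORed against blob[0] (the key byte)."""
    if not blob:
        raise ValueError("empty blob: no key byte to decode with")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def triage_payload(blob: bytes) -> dict:
    """Decode a captured blob and report whether it starts like x86 code.

    A plaintext beginning with X86_PROLOGUE is a quick sanity check that the
    assumed key/shift scheme is right before handing the sample to a disassembler.
    """
    decoded = decode_first_byte_xor(blob)
    return {
        "key": blob[0],
        "decoded_hex": decoded.hex(),
        "x86_prologue": decoded.startswith(X86_PROLOGUE),
    }


if __name__ == "__main__":
    # Expected: key 0xe6, plaintext 55 8B EC 83 E4 F8 81 EC 08 01 00 00 8D 0C 24
    # (push ebp; mov ebp, esp; and esp, -8; sub esp, 108h; lea ecx, [esp]).
    print(triage_payload(INIT_BYTES))
```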