Unmasking a North Korean IT Farm: Exposing the Tradecraft Behind Their Global Disguise
This session exposes a real-world covert remote-control system developed by a North Korean IT worker operating undetected within a legitimate organization. The forensic investigation revealed a sophisticated ecosystem that leveraged Address Resolution Protocol (ARP)-based payload delivery, WebSockets for stealthy command and control, and Zoom for covert persistence and remote access.
Through technical analysis and a live attack demo, we'll unpack how the attacker:
- Built an advanced C2 infrastructure using WebSockets to control infected machines.
- Used ARP packets as a payload transport mechanism, embedding commands inside network traffic to execute commands without traditional TCP/IP communication.
- Weaponized Zoom as a Remote Access Trojan (RAT), launching meetings without user interaction and auto-approving remote-control access via HID injection techniques.
- Covertly executed commands through a Python script, allowing keystroke and mouse movement emulation, bypassing endpoint logging.
- Enabled remote execution through a command client, which persistently reconnected to the C2 when the user was active.
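Because an IPv4-over-Ethernet ARP message is a fixed 28 bytes, commands smuggled inside ARP frames have to live in the bytes after that header, so one detection check is to parse each ARP frame and flag any trailing data that is not zero padding. The following detector is an added example written for this page, not the toolkit described in the talk; it assumes that NIC padding up to the 60-byte minimum frame is all zeros (some drivers pad with stale memory, so treat the padding hit as a hunting lead rather than a hard alert).

```python
"""Flag Ethernet frames whose ARP body carries data beyond the standard 28-byte header.
Anything past the header should only be zero padding up to the 60-byte minimum frame;
non-zero trailing bytes or an oversized frame are worth investigating."""
import struct

ETHERTYPE_ARP = 0x0806
MIN_FRAME_LEN = 60  # minimum Ethernet frame length without FCS


def inspect_arp_frame(frame: bytes) -> dict:
    """Parse one raw Ethernet frame; return {'suspicious': bool, 'reason': str}."""
    if len(frame) < 14:
        return {"suspicious": False, "reason": "not an Ethernet frame"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return {"suspicious": False, "reason": "not ARP"}
    body = frame[14:]
    if len(body) < 8:
        return {"suspicious": True, "reason": "truncated ARP header"}
    hwtype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", body[:8])
    expected = 8 + 2 * hlen + 2 * plen  # header + sender/target hw and proto addresses
    if opcode not in (1, 2):  # only request/reply are normal on a LAN
        return {"suspicious": True, "reason": f"unexpected ARP opcode {opcode}"}
    if len(body) < expected:
        return {"suspicious": True, "reason": "ARP body shorter than declared address sizes"}
    trailer = body[expected:]
    if len(frame) > MIN_FRAME_LEN:  # data that cannot be explained by minimum-size padding
        return {"suspicious": True, "reason": f"{len(trailer)} trailing bytes exceed padding"}
    if any(trailer):  # padding region should be all zeros
        return {"suspicious": True, "reason": "non-zero bytes in padding region"}
    return {"suspicious": False, "reason": "standard ARP"}


def build_frame(trailer: bytes = b"") -> bytes:
    """Constructed sample: broadcast ARP request from 10.0.0.5 for 10.0.0.1, plus optional trailer."""
    eth = b"\xff" * 6 + bytes.fromhex("020000000005") + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, hlen 6, plen 4, request
    arp += bytes.fromhex("020000000005") + bytes([10, 0, 0, 5])  # sender MAC / IP
    arp += b"\x00" * 6 + bytes([10, 0, 0, 1])  # target MAC (unknown) / IP
    frame = eth + arp + trailer
    return frame + b"\x00" * max(0, MIN_FRAME_LEN - len(frame))  # emulate NIC padding


if __name__ == "__main__":
    print(inspect_arp_frame(build_frame()))  # standard ARP
    print(inspect_arp_frame(build_frame(b"hidden-data")))  # data tucked into the padding region
```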
By reverse-engineering the threat actor's toolkit, the investigation …