Everyday is lazarus.dayβ

Operation Bookcodes – targeting South Korea

2021-10-07, KRCERT


The Korea Internet & Security Agency (KISA) carried out a detailed analysis of various security incidents believed to be attacks by the Lazarus Group. While analysing incidents targeting a Korean company, we identified the signature string "Bookcodes" in the communication between the command-and-control (C2) server and the malware. After monitoring the C2 communication that carried this signature string, we found that dozens of companies and individuals had been infected in a chain and were communicating according to a consistent scheme. Based on this finding, the group of attacks that the Lazarus Group has carried out against South Korea since 2019 was named "Bookcodes."
Most of the C2 farms used in the Operation Bookcodes attacks ran on domains belonging to compromised South Korean companies. By monitoring the attacker's C2 infrastructure we confirmed that dozens of companies had been infected, notified those companies, and provided support to help them develop defence strategies. In this presentation, …