Thallium attacks against experts in diplomacy, security, defense and unification

In recent years, attempts to hack emails aimed at experts and officials in the fields of diplomacy, security, defense, and reunification are continuing in Korea, so special attention is required.


The groups ‘Thallium’ and ‘Lazarus’, which have long been officially mentioned as being linked to the North Korean authorities in the international community, have been pointed out as the forces behind the attack.
Each group is secretly engaging in cyber threats targeting a specific field in Korea, and it is questionable what purpose is behind it.

As of April, the main activities of the two groups have been in the fields of diplomacy, security, defense and unification in Korea, and some defense industry and military experts are also observed to be exposed to targets.
Attacks are prevalent in the traditional way of sending malicious DOC documents by attaching them to emails, but threat scenarios to deceive recipients are becoming more sophisticated day by day.
The questionnaire guidance file sent in the first e-mail is accompanied by a legitimate document without threats to reduce suspicion and increase reliability.

When responding afterwards, in the name of paying a reward worth 200,000 won, we implemented an intelligent two-track spear phishing strategy that stimulates the recipient’s psychology to induce the reading of malicious documents. In addition, a detailed intrusion attempt that was planned to prevent the security program from detecting by applying its own password setting function to malicious documents was also detected.

After a comprehensive analysis of several cases, the Thallium group introduced the Swiss ProtonMail service to the attack.
Protonmail is an end-to-end encrypted email service established in 2013 in Geneva, Switzerland, and is known for its high security features, making it a representative email service mainly used by producers for bitcoin requests and negotiations. Therefore, if an unusual approach is observed with the Proton email, it is necessary to watch closely.

In addition, the group inserts the manipulated PNG picture file format data into the DOC document file and converts it to the BMP picture file format with the WIA_ConvertImage macro function. Since then, we have implemented a new strategy in which malicious scripts hidden inside are called. The so-called’Steganography’ technique was used to hide malicious code in an image.

These attacks include ” Registration western.doc ‘,’ living expenses paid.doc “, etc. There are many similar cases being captured, malicious macro function [ Content Use ] to make the initial specific to a fake screen design in order to run ” app ” the word Was discovered, and the text itself was changed in the later reported variants.

However, authors of malicious documents commonly used the same name’William’. In addition, part of the Korean web site is abused to the command control (C2) address below, requiring continuous security measures.


See the end of the North for the computer to’app’there is a phrase, just the program (Program) is a typical North Korean English notation meaning.

Geographical factors and linguistic analysis serve as an important basis for investigating behind cyber threats. Traces caused by differences in language, habits and cultures in everyday use can be indicators of evidence.

According to experts, the recent malicious DOC, and bringing all rampant the spear phishing attack using a file, depending on the expertise of damages person has been properly speaking tailored attack scenarios, particularly as widely known thallium in conjunction with North Korea, cyber-attack level of As is increasing together, special attention and attention from the public and private sectors are required to avoid exposure to similar threats.

Also widely allowing seamless existing HWP PostScript document (PostScript) vulnerabilities instead recently, DOC macro (Macro), but the attack that the relative advantage, often HWP malicious internal documents OLE ‘s also observed how to insert an object, be sure to It is important to use the latest version of the office program and to increase the security function.