thallium

Thallium attacks against experts in the fields of diplomacy, security, defense, and unification

Recently, malicious files disguised as documents issued by the Ministry of Foreign Affairs have been discovered, and those working in these fields should pay special attention.


[Figure 1] Legitimate PDF file containing the cover of the Ministry of Foreign Affairs spokesperson's office news digest

The group behind the attack has been identified as Thallium, a government-backed hacking organization: the internal string encryption method used here exactly matches that of the Thallium group's existing 'Blue Estimate' campaign. The attack is also suspected to be a continuation of the related hacking attempts discovered on May 4, 2021, which used a file related to an 'overseas diplomatic missions service survey'.

The newly discovered malicious file reuses the contents of a legitimate PDF, the Ministry of Foreign Affairs 'gapan' (press digest edition) issued by the spokesperson's office on May 7, 2021, to minimize the recipient's suspicion. The malicious file carries encoded data inside its script and installs the files 'Ministry of Foreign Affairs gapan 2021-05-07.pdf', 'glK7UwV.pR9a', and 'efVo8cq.sIhn' into the path C:\ProgramData\.

The malicious file is a .jse (encoded JScript) script that contains the encoded data together with the dropper logic; it writes 'Ministry of Foreign Affairs gapan 2021-05-07.pdf', 'glK7UwV.pR9a', and 'efVo8cq.sIhn' under C:\ProgramData\.


[Figure 2] The .jse dropper script

The dropped 'glK7UwV.pR9a' file then writes and loads a 64-bit malicious DLL disguised as an ESTsoft update file in the path C:\ProgramData\Software\ESTsoft\Common\.


[Figure 3] Malicious DLL disguised as an ESTsoft update file

This DLL carries out information exfiltration and command-and-control functions on the infected system, and registers itself as a registry autorun entry, as shown below, so that it runs again automatically after a reboot. This is similar to the functionality the Thallium group used in its earlier 'Blue Estimate' campaign.


[Figure 4] Registry autorun registration screen

The DLL then communicates with the command-and-control (C2) server 'texts.letterpaper[.]press', leaking information from the infected system and attempting a variety of remote-control actions according to the attacker's intent. Characteristically, the internal string encryption method exactly matches that of the Thallium group's existing 'Blue Estimate' campaign.
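A defender-side triage check built from the artifacts described above: the dropped file names and MD5 hashes, the lookalike ESTsoft DLL directory under C:\ProgramData, a Run-key entry that loads from it, and DNS lookups of the C2 domain. This is an added example, not code from the original report; the DLL name 'ESTUpdate.dll', the rundll32 loader, the Run value names and the sample inventory, Run-key and DNS log lines are all constructed assumptions.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators from the report: MD5 hashes, C2 domain, dropped file names, lookalike ESTsoft DLL directory.
IOC_MD5 = {"e5dddd05e4fbac38fa9f95e269d4233f", "609f8450e024ed88b130f13d6d7b213f"}
IOC_C2_DOMAIN = "texts.letterpaper.press"
DROPPED_NAMES = {"glk7uwv.pr9a", "efvo8cq.sihn"}
LOOKALIKE_DIR = PureWindowsPath(r"C:\ProgramData\Software\ESTsoft\Common")
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s",]+)')  # quoted or bare Windows paths

def check_files(inventory):
    """(path, content) pairs; content is raw bytes (hashed here) or a precomputed MD5 string."""
    findings = []
    for path, content in inventory:
        md5 = content if isinstance(content, str) else hashlib.md5(content).hexdigest()
        p = PureWindowsPath(path)  # path comparisons are case-insensitive, like NTFS
        if md5.lower() in IOC_MD5:
            findings.append(("md5_match", path))
        if p.name.lower() in DROPPED_NAMES:
            findings.append(("dropped_file", path))
        if p.parent == LOOKALIKE_DIR and p.suffix.lower() == ".dll":
            findings.append(("lookalike_dll", path))
    return findings

def check_run_keys(run_values):
    """{value name: command line} from the Run keys; flag loads from the lookalike directory."""
    return [("autorun_lookalike", name) for name, cmd in run_values.items()
            if any(PureWindowsPath(a or b).parent == LOOKALIKE_DIR for a, b in PATH_RE.findall(cmd))]

def check_dns(log_lines):
    """DNS query log lines containing 'query=<name>'; flag lookups of the C2 domain."""
    hits = []
    for line in log_lines:
        m = re.search(r"query=(\S+)", line)
        if m and m.group(1).lower().rstrip(".").endswith(IOC_C2_DOMAIN):
            hits.append(("c2_dns", m.group(1)))
    return hits

# Constructed sample data (not from the report); DLL and Run value names are hypothetical.
SAMPLE_FILES = [
    (r"C:\ProgramData\glK7UwV.pR9a", b"constructed bytes, not the real dropper"),
    (r"C:\ProgramData\efVo8cq.sIhn", "609f8450e024ed88b130f13d6d7b213f"),  # MD5 from triage export
    (r"C:\ProgramData\Software\ESTsoft\Common\ESTUpdate.dll", b"not a real DLL"),
    (r"C:\Program Files\ESTsoft\Common\ESTUpdate.dll", b"different directory, not flagged")]
SAMPLE_RUN = {"ESTsoft Update": r'rundll32.exe "C:\ProgramData\Software\ESTsoft\Common\ESTUpdate.dll",Run',
              "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'}
SAMPLE_DNS = ["2021-05-10 09:12:33 client=10.0.0.5 query=texts.letterpaper.press type=A",
              "2021-05-10 09:12:35 client=10.0.0.5 query=update.example.com type=A"]
```

On a live host, feed the functions the output of a file listing with hashes, the values of the HKCU/HKLM Run keys, and the resolver or Sysmon DNS log instead of the constructed samples.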

Recently, spear-phishing attacks impersonating domestic portals or customer centers, attacks using malicious document attachments, and watering-hole attacks have all been rampant.

In particular, as the level of cyber attacks by the Thallium and Lazarus groups, both widely known to be linked to the North Korean authorities, continues to rise, special vigilance from both the public and private sectors is required to avoid exposure to similar threats. To prevent damage, carefully examine the authenticity of the sender of any email received, and take extra care before opening attached files or accessing URLs contained in the message body.

IOCs

texts.letterpaper.Press

e5dddd05e4fbac38fa9f95e269d4233f
609f8450e024ed88b130f13d6d7b213f