Group Background
Group123, also known as ScarCruft (QiAnXin internal tracking number APT-Q-3), was first disclosed by Kaspersky in June 2016 and is considered to be an attack group from North Korea. It has been active since 2012. It is considered to be related to Operation Daybreak and Operation Erebus in 2016, and Group123 has overlapping characteristics with the APT group Kimsuky.
Group123 mainly targeted South Korea in its early days. After 2017, it extended its targeting beyond the Korean peninsula to Japan, Vietnam and the Middle East. It primarily targets industrial verticals including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. Group123 tailors its social engineering to the intended target, using customized spear-phishing emails to deliver compressed attachments containing shortcut files disguised as documents. After the victim opens the shortcut, a malicious RTF document is dropped, an HTA is downloaded, and PowerShell is executed through the HTA file to implant the subsequent attack payload. The group uses file sharing sites to distribute malware and also frequently exploits vulnerabilities in Hangul Word Processor (HWP) and Adobe Flash [1].
Overview of activities
QiAnXin Threat Intelligence Center has been tracking major APT groups around the world. While tracking APT groups in East Asia, we found that this group has frequently attacked South Korea recently.
Since Microsoft announced that Office applications will block macros from the Internet, major APT groups have changed their attack strategies and techniques to adapt to the new security measures. In this context, Group123 is actively expanding its attack methods, using LNK files disguised as legitimate documents. These LNK files are generally relatively large because they contain the decoy document and an obfuscated PowerShell command that runs with a single double-click. This may be more effective than simply exploiting known N-day vulnerabilities. The attack process is shown in the figure below:
The initial attack file is usually a compressed package containing a decoy PDF and an LNK file disguised as a PDF.
Based on the TTPs commonly used by Group123, the initial delivery vector is assumed to be a spear-phishing email. Part of the execution chain contains Korean text and a Hangul Word Processor (HWP, a popular Korean document format) file, which is enough to indicate that the campaign targets Korean-speaking victims.
The captured decoy content includes an event schedule for a meeting at the Air Force Hotel in Seoul on May 23, 2023. Attendees included the Deputy Minister of Defense of South Korea, the National Security Strategy Research Institute, and the President of the Korean Defense Industry Association.
The decoys also use current political content: US President Biden and South Korean President Yoon Suk-yeol issued the "Washington Declaration" at the White House on April 26, and South Korea's Jeong Seongjang published an article on May 8 titled "How the Washington Declaration can help deal with the North Korean nuclear threat?", which Group123 excerpted from the website and turned into an HWP document for use as bait.
There is also content related to the North Korean democratization network NK net used as bait.
The baits above are all HWP documents, but PDF files are used as bait as well. For example, content from the briefing "China's Trade Strategy Changes and Enlightenments in the Era of U.S.-China Conflict", issued by the Korea Foreign Economic Policy Research Institute, was used as bait.
Other bait themes include current trends and social changes in North Korea and the duality of the North Korean regime.
In addition, according to documents captured in July, Group123 also used WAV audio files as bait, including air defense sirens and the Korean song "백두와 한나는 내 조국 -MR(-2 키올림)".
LNK file
By analyzing Group123's LNK files, we found that a BAT file named with a fixed date is dropped into %temp% during execution. Based on this, we believe the LNK files used by Group123 are generated with a tool.
When searching for the PowerShell command observed during sample execution, we found the EmbedExeLnk project [2]. Its function is to create an LNK file with an EXE embedded in it, without requiring an external download. This is done by creating an LNK file and appending the EXE to its end. The LNK file executes a PowerShell command that reads the EXE contents from the end of the LNK, copies them to the %temp% folder, and then executes them.
Group123 customized this project's code to embed decoys in the generated LNK files. The project can not only customize the PowerShell command executed, but also change the icon of the generated LNK file.
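The traits described above (an oversized LNK, a PowerShell command line in its string data, and a PE image appended after the shell link structure) can be checked at triage time. The following is an added example, not code from the original post or from the EmbedExeLnk project; the size threshold and the sample bytes are constructed assumptions.

```python
import struct

# Shell Link header prefix (MS-SHLLINK): HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def find_embedded_pe(data: bytes, start: int = 0x4C) -> int:
    """Offset of the first valid PE image after the header, or -1.
    Valid means 'MZ' whose e_lfanew points at the 'PE\\0\\0' signature."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def mentions_powershell(data: bytes) -> bool:
    """LNK string data is UTF-16LE; ASCII is checked too for odd encodings."""
    low = data.lower()
    return b"powershell" in low or "powershell".encode("utf-16-le") in low


def triage_lnk(data: bytes, size_limit: int = 1024 * 1024) -> dict:
    """Flag large LNKs that launch PowerShell and/or carry their own PE."""
    is_lnk = data[:20] == LNK_MAGIC
    pe_off = find_embedded_pe(data) if is_lnk else -1
    result = {
        "is_lnk": is_lnk,
        "size": len(data),
        "oversized": len(data) > size_limit,  # threshold is an assumption
        "powershell": is_lnk and mentions_powershell(data),
        "embedded_pe_offset": pe_off,
    }
    result["suspicious"] = is_lnk and (result["powershell"] or pe_off != -1)
    return result


def build_sample() -> bytes:
    """Constructed sample: header + UTF-16LE PowerShell args + PE stub at the end."""
    header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    args = "powershell -ep bypass -c <loader>".encode("utf-16-le")
    pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
    return header + args + b"\x00" * 8 + pe
```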
Sample analysis
Here we take a recent attack sample as an example. Double-clicking the malicious LNK file triggers the execution of PowerShell.
PowerShell extracts data from the LNK file, places it in the %temp% directory, and then opens it. This file is usually a decoy; the decoy released by this sample is a song.
PowerShell then drops a BAT script named with the date into the %temp% directory.
The script after deobfuscation is as follows:
The function of this script is to download the next-stage payload from OneDrive, use the first byte of that payload as the key to XOR-decrypt the remaining content, and then inject the decrypted data into a PowerShell process for execution.
The decrypted shellcode first uses the GetTickCount and IsDebuggerPresent functions for anti-debugging. Only after it determines that it is not being debugged does it proceed to the next decryption step.
The content embedded after the shellcode is then decrypted with a four-byte XOR key.
The decrypted content is the RokRAT commonly used by Group123. RokRAT is then mapped into memory, its import table is repaired, and finally GetTickCount is used to check whether the whole loading process took more than 700 milliseconds. If it did not, the entry point is called; if it did, the .text section at file offset 0x400 is called directly.
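An analyst recovering the final payload from a captured download has to peel the two XOR layers described above in order. The following is an added example, not code from the original post: byte 0 of the downloaded blob is the stage-1 key, and the image embedded after the shellcode stub is XORed with a repeating 4-byte key. The stub length, the 4-byte key value and the sample bytes are constructed assumptions, since the post does not give them.

```python
import struct


def decrypt_first_byte_keyed(blob: bytes) -> bytes:
    """Stage 1: byte 0 is the key, the rest is key-XORed shellcode."""
    if not blob:
        raise ValueError("empty payload")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def decrypt_dword_keyed(blob: bytes, key: bytes) -> bytes:
    """Stage 2: repeating 4-byte XOR over the embedded image."""
    if len(key) != 4:
        raise ValueError("key must be 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(blob))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check applied after the last layer: MZ header and PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_embedded_image(blob: bytes, stub_len: int, key: bytes) -> bytes:
    """Stage-1 XOR, skip the shellcode stub (assumed length), stage-2 XOR,
    then verify that the result is a PE image."""
    shellcode = decrypt_first_byte_keyed(blob)
    image = decrypt_dword_keyed(shellcode[stub_len:], key)
    if not looks_like_pe(image):
        raise ValueError("decrypted data is not a PE image")
    return image


def build_sample(key_byte: int = 0x5A, key4: bytes = b"\x13\x37\xca\xfe") -> bytes:
    """Constructed sample: a fake PE wrapped in both layers like the real chain."""
    fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 32
    stub = b"\xcc" * 16  # stands in for the shellcode prefix
    inner = stub + decrypt_dword_keyed(fake_pe, key4)  # XOR is symmetric
    return bytes([key_byte]) + bytes(b ^ key_byte for b in inner)
```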
The RokRAT remote access Trojan was first active in 2017 and has undergone a series of evolutions and changes. Typically distributed as an encrypted binary, RokRAT is capable of capturing screenshots, keylogging, anti-VM detection, and using cloud storage service APIs as part of its command and control (C&C) infrastructure. It uses cloud storage platforms such as Cloud, Box, Dropbox and Yandex for communication and data exchange, allowing attackers to remotely control infected systems. RokRAT's continued evolution and adaptability enable it to run on multiple operating systems and device types. In addition to the campaign against South Korean targets, a macOS version of RokRAT (known as CloudMensis) and an Android version have also been discovered.
The RokRAT captured this time was compiled on June 13, 2023, and the BAT file dropped by its attack chain is named 230630.bat. Based on this, we are very confident that this sample was used by Group123 in recent attacks.
The commands executed by this RokRAT are shown in the following table:
| Instruction | Function |
|---|---|
| i | Send collected information to C2 |
| j, b | Terminate the process after sending the collected information to C2 |
| d | After sending the collected information, execute the cleanup script and then terminate the process |
| f | After sending the collected information, execute the cleanup script and then terminate the process (a different script from the one run by the d command) |
| h | Enumerate files on disk |
| 1, 2, 5, 6 | Download and execute shellcode from a URL |
| 3, 4, 7, 8, 9 | Initialize cloud service information, then download and execute shellcode |
| e | Execute a command using cmd.exe |
| c | Traverse files and steal files with specified extensions |
Summary
Through tracking, we found that Group123 has been very active recently, and its TTPs are complex and changeable. In just the past two months of tracking, we have discovered several TTPs, but the core of the attack is inseparable from bait documents. The extremely large LNK file captured this time was padded with a large amount of junk data, a move that is nothing more than an attempt to bypass some anti-virus or security monitoring software. RokRAT is a Trojan that Group123 has maintained and used for years, and its entire execution process communicates with cloud services, greatly reducing the risk of discovery.
APT group attacks have always been a serious network security threat to countries and enterprises, and they maintain a high degree of concealment during long-term attack activities. We need to be vigilant at all times and take corresponding defensive measures against these ongoing threats.
Protection suggestions
QiAnXin Threat Intelligence Center reminds users to beware of phishing attacks. Do not open links from unknown sources shared on social media, do not execute email attachments from unknown sources, do not run unknown files with sensational titles, and do not install apps from unofficial sources. Back up important files regularly and install updates and patches promptly.
If you need to run or install applications from unknown sources, you can first check them with the QiAnXin Threat Intelligence File In-depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page). It currently supports in-depth analysis of files in multiple formats for the Windows and Android platforms.
Currently, the full range of products based on the threat intelligence data of QiAnXin Threat Intelligence Center, including QiAnXin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, can accurately detect such attacks.
Part IOCs
PDB
D:\Sources\MainWork\Group2017\Sample\Release\DogCall.pdb
Reference links
[1] https://ti.qianxin.com/apt/detail/5acc5730596a10001ca81c3b?name=Group123&type=map
[2] https://www.x86matthew.com/view_post?id=embed_exe_lnk