North Korean Hackers Weaponize Seoul Intelligence Files to Target South Koreans
A large-scale spear-phishing campaign targeting South Korean government and intelligence staff has exploited a national intelligence newsletter to lure victims, according to a report published on August 29 by cybersecurity firm Seqrite. The effort, dubbed Operation HanKook Phantom, comprised two campaigns attributed to APT37, a nation-state hacking group believed to be backed by North Korea.
The spear-phishing campaign used legitimate-looking PDF documents and Windows shortcut (LNK) files to trick victims into running malicious payloads. Once executed, the payload applied a series of techniques to obfuscate the attack and evade detection, including in-memory execution, decoy documents, and hidden data exfiltration routines. The attackers also delivered RokRAT, a backdoor typically distributed as an encoded binary that is downloaded and decrypted by shellcode after a weaponized document has been exploited.
The primary targets of this spear-phishing campaign were recipients of the national intelligence newsletter, who were typically members of one or more of the following South Korean institutions: National Intelligence Research Association, Korea Atomic Energy Research Institute, Korea Nuclear Safety Institute, Korea Aerospace Research Institute, and Korea Electronics Technology Institute. Individuals with ties to these institutions were also targeted.
The lure was further tailored by using, as a decoy document, a statement issued by Kim Yō-jong, Vice Department Director of the Central Committee of the Workers' Party of Korea and sister of North Korean leader Kim Jong-un, in which she rejected South Korean reconciliation efforts as meaningless and hypocritical. A July 28 statement by Kim Yō-jong served as another lure to get victims to download the malicious payloads.
In the second campaign, the attack chain mirrored the first: a malicious LNK file dropped a decoy document while writing obfuscated components (tony33.bat, tony32.dat, tony31.dat) to %TEMP%. The attackers again relied on fileless techniques, PowerShell execution, and disguised HTTP POST requests to exfiltrate data. APT37 has delivered RokRAT in previous campaigns as well.
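As an added illustration of the loader traits described above (this is not code from the Seqrite report or from the malware itself), the following Python script parses a Windows shortcut according to the MS-SHLLINK format, recovers the command line the shortcut would run, and flags the characteristics of an LNK loader: a script-host target, PowerShell or cmd arguments that carve files into %TEMP%, a hidden console window, and a blob appended after the shortcut structure where a decoy and an encoded payload can be stashed. The sample shortcut, its command line, and the appended bytes are constructed here; only the component names tony33.bat and tony32.dat come from the report, and the PowerShell one-liner is a hypothetical stand-in, not the actual loader command.

```python
"""Static triage of Windows shortcut (.lnk) lures (added example, not the report's code)."""
import re
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} as serialised on disk
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7
TERMINAL_BLOCK = b"\x00\x00\x00\x00"  # ends the ExtraData section

# StringData entries, in the order the format stores them
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe")
LOADER_MARKERS = ("powershell", "pwsh", "-enc", "-w hidden", "-windowstyle hidden",
                  "-nop", "bypass", "iex", "invoke-expression", "downloadstring",
                  "readallbytes", "%temp%", "$env:temp", "certutil", "mshta",
                  "rundll32", "findstr")


def build_lnk(relative_path, arguments="", show_command=SW_SHOWNORMAL,
              icon_location=None, trailer=b""):
    """Serialise a minimal Unicode Shell Link; used only to construct samples."""
    fields = {"relative_path": relative_path, "arguments": arguments or None,
              "icon_location": icon_location}
    flags = IS_UNICODE
    for bit, name in STRING_FIELDS:
        if fields.get(name):
            flags |= bit
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for bit, name in STRING_FIELDS:
        if flags & bit:  # CountCharacters followed by the UTF-16LE string
            body += struct.pack("<H", len(fields[name])) + fields[name].encode("utf-16-le")
    return header + body + TERMINAL_BLOCK + trailer


def parse_lnk(data):
    """Return header fields, StringData, and any bytes appended after the structure."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        raw = data[off + 2:off + 2 + count * width]
        off += 2 + count * width
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    while off + 4 <= len(data):  # ExtraData blocks, each prefixed by BlockSize
        size = struct.unpack_from("<I", data, off)[0]
        off += 4 if size < 4 else size
        if size < 4:  # TerminalBlock: anything after it is not part of the shortcut
            break
    info["trailer"] = data[off:]
    return info


def triage(data, size_threshold=32 * 1024):
    """Return human-readable findings; an empty list means nothing stood out."""
    info, findings = parse_lnk(data), []
    target = (info.get("relative_path") or "").lower()
    args = re.sub(r"\s+", " ", info.get("arguments") or "").lower()
    script_host = any(h in target for h in SCRIPT_HOSTS)
    if script_host:
        findings.append(f"target is a script host: {info['relative_path']}")
    hits = sorted({m for m in LOADER_MARKERS if m in args})
    if hits:
        findings.append("loader-style arguments: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (console window hidden)")
    if script_host and info.get("icon_location"):
        findings.append(f"script host dressed with icon from {info['icon_location']}")
    if info["trailer"]:
        findings.append(f"{len(info['trailer'])} bytes appended after the shortcut structure")
    if len(data) > size_threshold:
        findings.append(f"oversized shortcut ({len(data)} bytes)")
    return findings


# Constructed lure: a hypothetical one-liner that carves a decoy and tony33.bat out of
# the shortcut's own bytes into %TEMP%; a PDF header and padding stand in for the payload.
LURE_ARGS = ('/c powershell -w hidden -nop -c "'
             "$b=[IO.File]::ReadAllBytes((Get-ChildItem *.lnk)[0]);"
             "[IO.File]::WriteAllBytes(\"$env:TEMP\\decoy.pdf\",$b[0x600..0xFFFF]);"
             "[IO.File]::WriteAllBytes(\"$env:TEMP\\tony33.bat\",$b[0x10000..0x10400]);"
             'Start-Process "$env:TEMP\\decoy.pdf"; & "$env:TEMP\\tony33.bat""')
TRAILER = b"%PDF-1.4\n" + b"\x00" * 60_000 + b"tony32.dat:" + b"Q0VSVEFJTkxZIE5PVCBSRUFM" * 8
LURE = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", LURE_ARGS,
                 show_command=SW_SHOWMINNOACTIVE,
                 icon_location="C:\\Windows\\System32\\imageres.dll", trailer=TRAILER)
BENIGN = build_lnk("..\\..\\..\\Windows\\System32\\notepad.exe")

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(sample) or "no findings")
```

The trailer check is the one worth keeping even if the argument heuristics are tuned down: a legitimate shortcut ends at its TerminalBlock, so any bytes after it were put there deliberately, and a shortcut tens of kilobytes in size has no honest reason to be that large. Run the same parser over LNK files attached to inbound mail or written to the Downloads folder, and pair it with an alert on powershell.exe spawned from explorer.exe with a hidden window style.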
APT37 is a cyber espionage group known under many names, including InkySquid, ScarCruft, Reaper, Group123, RedEyes, and Ricochet Chollima. The group has been active since at least 2012 and is believed to be associated with the North Korean regime.
"The analysis of [the Operation HanKook Phantom] campaign highlights how APT37 continues to employ highly tailored spear-phishing attacks, leveraging malicious LNK loaders, fileless PowerShell execution, and covert exfiltration mechanisms," concluded Seqrite researchers. "This highlights the threat posed by APT37 and emphasizes the need for robust security measures to protect against these types of attacks."