dokkaebi: documents of korean and evil binary · dokkaebi: documents of korean and evil binary...

DOKKAEBI: Documents of Korean and Evil Binary

Jaeki Kim,

Kyoung-Ju Kwak,

Min-Chang Jang

@Financial Security Institute

2018 .10.03

2/133

About Me

▪ JAEKI KIM (a.k.a JACK2)

▪ Malware & Threat Analysis

▪ Computer Emergency Analysis Team @FSI (2016~ )

▪ Main Author of Threat Intelligence Report ‘Campaign DOKKAEBI’ (2018)

▪ Digital Forensic

▪ CECRC @NEC(National Election Commission) (2016)

▪ M.S. degree - Information Security

▪ SANE Lab, Korea University (2014 ~ 2016)

▪ Interest in Analysis

▪ Mentor of Best of the Best(B.O.B) Program

(Vulnerability Analysis Track) @KITRI

▪ Member of “koreanbadass” Team

@DEFCON CTF Finalist (2017, 2018)

▪ SNS(facebook,twitter) @2runjack2

3/133

About Me

▪ Kyoung-ju KWAK

▪ Manager of Threat Analysis Team

▪ Main Author of Threat Intelligence Report

“Campaign Rifle : Andariel, The Maiden of Anguish”

▪ Member of National Police Agency Cybercrime

Advisory Committee

▪ Mentor of Best of the Best(B.O.B) Program

▪ Speaker of {Blackhat, Kaspersky SAS, Kaspersky CSW, PACSEC,

HITCON, HACKCON, ISCR, etc}

▪ SNS(facebook,twitter) @kjkwak12

4/133

About Me

▪ Min-Chang Jang (a.k.a OSIRIS)

▪ A manager of CEAT

▪ Computer Emergency Analysis Team @FSI (2014~ )

▪ Main Author of Threat Intelligence Report ‘Shadow Voice’

▪ It focuses Voice Phishing in Korea, but not yet published

▪ A graduate student (M.S degree)

▪ SANE Lab, Korea University (2014 ~ Now)

▪ Served in the Korea NAVY CERT

▪ Interest in Extreme Sports

▪ Scuba Diving in Guam, Philippines and Taiwan

▪ Paragliding in DanYang

▪ Speaker of {BlackHat, KIMCHI CON, CODE BLUE}

▪ SNS (fb: mins4416, twt: 051R15)

5/133

Contents

▪ Introduction

▪ Threat Groups

▪ Campaign DOKKAEBI (2015 ~ 2018.6)

▪ Profiling of Malicious Hangul Files

▪ Relationships

▪ Recent Trends

▪ Conclusion

6/133

Contents

▪ Introduction

▪ Threat Groups



▪ Relationships

▪ Recent Trends

▪ Conclusion

7/133

Introduction

▪ Background

▪ Threat Actor

▪ an individual or group involved in malicious cyber activity

▪ Operation

▪ A incident(intrusion attempts) carried out by Threat Actor

▪ Campaign

▪ A set of activity(Operation) carried out by Threat Actors

using specific techniques (TTP) for some particular purpose

▪ Ddddddd

▪ Dddddddd

▪ ddddd

8/133

Introduction

▪ Background

▪ Threat Actor


▪ Operation


▪ Campaign



▪ Ddddddd

▪ Dddddddd

▪ ddddd

9/133

Introduction

▪ Background

▪ Threat Actor


▪ Operation


▪ Campaign



▪ Ddddddd

▪ Dddddddd

▪ ddddd

10/133

Introduction

▪ Background

▪ Threat Actor


▪ Operation


▪ Campaign



▪ Ddddddd

▪ Dddddddd

▪ ddddd

11/133

Introduction

▪ Background

▪ Threat Actor


▪ Operation


▪ Campaign



▪ Ddddddd

▪ Dddddddd

▪ ddddd

12/133

Introduction

▪ Background

▪ Threat Actor


▪ Operation


▪ Campaign



▪ Ddddddd

▪ Dddddddd

▪ ddddd

13/133

Introduction

▪ Background

▪ Threat Actor


▪ Operation


▪ Campaign



▪ Ddddddd

▪ Dddddddd

▪ ddddd

Threat Intelligence

14/133

Introduction

▪ Campaign DOKKAEBI

▪ A set of Operation carried out by Threat Groups

▪ using malicious Hangul documents for some particular

purpose

▪ Related Threat Groups

▪ Bluenoroff, Kimsuky, Scarcruft

▪ Ddddddd

▪ Dddddddd

▪ Ddddd

▪ d

Hangul documents and

dropped(downloaded)

malware

=> Documents Of Korean

And Evil Binary

15/133

Introduction




purpose



▪ Ddddddd

▪ Dddddddd

▪ Ddddd

▪ d


dropped(downloaded)

malware


And Evil Binary

Campaign

DOKKAEBI

16/133

Introduction




purpose



▪ Ddddddd

▪ Dddddddd

▪ Ddddd

▪ d


dropped(downloaded)

malware


And Evil Binary

Campaign

DOKKAEBI

17/133

Introduction




purpose



▪ Ddddddd

▪ Dddddddd

▪ Ddddd

▪ d


dropped(downloaded)

malware


And Evil Binary

Campaign

DOKKAEBI

Bluenoroff

Kimsuky

Scarcruft

18/133

Contents

▪ Introduction

▪ Threat Groups



▪ Relationships

▪ Recent Trends

▪ Conclusion

19/133

Threat Groups


Threat Group

Target PurposeActivity

TimeMajor Incident

Bluenoroff

Global and Korean domestic financial companiesOfficials and users of crypto-currency exchanges

Confidential information

takeover and monetary gain (SWIFT, crypto-

currency)

2015 ~SWIFT illegal

transaction of central bank of Bangladesh

KimsukyInfrastructure, Government, North Korean defectors and politicians

Information gathering and

social confusion2013 ~

KHNP cyber terrorism (2014)

ScarcruftDiplomatic and North Korean Human Rights Organizations and People

Information gathering and information destruction

purposes

2016 ~

Attack using Flash Zero Day

(CVE-2016-4171, CVE-2018-4878)

20/133

Threat Groups


Threat Group


TimeMajor Incident

Bluenoroff




currency)

2015 ~SWIFT illegal


21/133

Threat Groups


Threat Group


TimeMajor Incident

Bluenoroff




currency)

2015 ~SWIFT illegal






22/133

Threat Groups


Threat Group


TimeMajor Incident

Bluenoroff




currency)

2015 ~SWIFT illegal








purposes

2016 ~


(CVE-2016-4171, CVE-2018-4878)

23/133

Threat Groups


Threat Group


TimeMajor Incident

Bluenoroff




currency)

2015 ~SWIFT illegal








purposes

2016 ~


(CVE-2016-4171, CVE-2018-4878)

24/133

Contents

▪ Introduction

▪ Threat Groups



▪ Relationships

▪ Recent Trends

▪ Conclusion

25/133

Campaign DOKKAEBI (2015 ~ 2018.06)




purpose



▪ Ddddddd

▪ Dddddddd

▪ Ddddd

▪ d


dropped(downloaded)

malware


And Evil Binary

Campaign

DOKKAEBI

Bluenoroff

Kimsuky

Scarcruft

26/133


▪ Timeline

▪ After KHNP Cyber Terror

(2014.12)

27/133


▪ 2015~2016

Politics &

North Korean defectors

Inter-Korean diplomacy

28/133


▪ 2017~2018.06

Finance, Crypto-currency,

Resume

Politics &

North Korean defectors

Inter-Korean diplomacy

29/133

Contents

▪ Introduction

▪ Threat Groups



▪ Relationships

▪ Recent Trends

▪ Conclusion

30/133

Profiling of Malicious Hangul Files

▪ Hwp Document File Formats 5.0

31/133



32/133



Name Contents Analysis Information

FileHeaderSignatures called Hangul document files

Check whether the file is a Hangul document file

BodyText- Section0- Section1

- ...

Stores content such as paragraphs, tables, and drawing objects

Within BodyText storage, Check whether an invalid value is inserted in the tag that indicates the paragraph text (HWPTAG_PARA_TEXT)

* Additional use of ViewText storage for distribution documentation

/008HwpSummary

Information

Identify the title, author, creation and last modification date of the HWPs

Can be used as various elements for Threat group profiling

BinData- BinaryData0- BinaryData1

- ..

Within BinData Storage, Save images, OLE objects, and PostScript as separate streams

Identify unhealthy streams (OLE objects and postscript) of saved streams

PrvTextSave preview text as a Unicode string

Understand the contents of the document body

Scripts- DefaultJScript- JScriptVersion

- ...

Saving JavaScript as a Stream in Scripts Storage

Check for malicious JavaScript (Macro)

33/133


▪ Classification - Malicious Hangul Files

▪ Macro

▪ PostScript

▪ Data Link

▪ Distribution

34/133


▪ Classification - 1) Macro

▪ Javascript

35/133


▪ Classification - 1) Macro

▪ Javascript

36/133


▪ Classification - 2) Postscript

▪ Ghostscript engine

37/133




38/133




39/133




40/133



▪ 2-1) Embed File

41/133



▪ 2-1) Embed File

42/133



▪ 2-1) Shellcode

43/133



▪ 2-1) Shellcode

44/133



▪ 2-1) Shellcode (Download & Exec)

45/133



▪ 2-1) Shellcode (Drop & Exec)

46/133


▪ Classification - 3) Data Link

▪ Like Hyper-link

47/133



▪ Like Hyper-link

▪ HWP, webpage, E-mail, External application document

48/133



▪ Like Hyper-link


49/133



▪ Like Hyper-link


50/133



▪ Like Hyper-link


51/133



▪ Like Hyper-link


52/133


▪ Classification - 4) Distribution

▪ Limit Copy/Print

53/133




54/133




55/133




56/133




57/133




58/133



▪ Shellcode

59/133


▪ Type of Malicious Hangul files

▪ Documents of Korean

60/133



▪ Documents of KoreanType Features

H-JS Embed the file in Macro function

H-PS-F Embed the file in Postscript

H-PS-S-1 Simple downloader-type shellcode

H-PS-S-2 Downloader-type shellcode using dual decoding routines

H-PS-S-3 PostScript with lodear-type shellcode and binary, XOR encoded with 4-byte key

H-PS-S-4 Postscript with loader-type shellcode and encoded binary

H-PS-S-5 PostScript with 1-byte XOR encoded shellcode and encrypted binary

H-PS-S-6 Downloader-type shellcode, XOR-encoded with 1-byte key

H-PS-S-7 Downloader-type shellcode, XOR-encoded with 1-byte key and 0x00 ~ 0xFF

H-DL Abuse the ‘Data Link’ function of linking references with hyperlinks

H-DS “HWP for distribution” encrypts the text stream under ViewText storage

61/133


▪ Type of Dropped/Downloaded Malwares

▪ And Evil Binary

▪ Manuscrypt (Kaspersky)

▪ Core.dll (McAfee)

▪ ROKRAT (CISCO TALOS)

▪ Kimsusky (Kaspersky)

Type Features

M-SD Simple Downloader

M-MS Manuscrypt

M-CD Core.dll (ExportName: CoreDn)

M-RR ROKRAT

M-KS Kimsuky series

62/133

Contents

▪ Introduction

▪ Threat Groups



▪ Relationships

▪ Recent Trends

▪ Conclusion

63/133

Relationships

▪ Threat Groups

▪ Related Campaign DOKKAEBI

Threat Group


TimeMajor Incident

Bluenoroff




currency)

2015 ~SWIFT illegal








purposes

2016 ~


(CVE-2016-4171, CVE-2018-4878)

64/133

Relationships


▪ Documents of Korean

65/133

Relationships


▪ Documents of KoreanType Features

H-JS Embed the file in Macro function

H-PS-F Embed the file in Postscript

H-PS-S-1 Simple downloader-type shellcode

H-PS-S-2 Downloader-type shellcode using dual decoding routines

H-PS-S-3 PostScript with lodear-type shellcode and binary, XOR encoded with 4-byte key

H-PS-S-4 Postscript with loader-type shellcode and encoded binary

H-PS-S-5 PostScript with 1-byte XOR encoded shellcode and encrypted binary

H-PS-S-6 Downloader-type shellcode, XOR-encoded with 1-byte key

H-PS-S-7 Downloader-type shellcode, XOR-encoded with 1-byte key and 0x00 ~ 0xFF

H-DL Abuse the ‘Data Link’ function of linking references with hyperlinks

H-DS “HWP for distribution” encrypts the text stream under ViewText storage

66/133

Relationships


▪ And Evil Binary

67/133

Relationships


▪ And Evil Binary

▪ Manuscrypt (Kaspersky)

▪ Core.dll (McAfee)

▪ ROKRAT (CISCO TALOS)

▪ Kimsusky (Kaspersky)

Type Features

M-SD Simple Downloader

M-MS Manuscrypt

M-CD Core.dll (ExportName: CoreDn)

M-RR ROKRAT

M-KS Kimsuky series

68/133

Relationships

▪ Classification by each Threat Group

▪ Bluenoroff:

▪ PostScript (H-PS-F / H-PS-S-3/4/5/6/7)

▪ Scarcruft:

▪ PostScript (H-PS-S-1/2), Data Link (H-DL)

▪ Kimsuky:

▪ Document for distribution (H-DS)

69/133

Relationships

70/133

Relationships

▪ Classification Timeline

71/133

Relationships


72/133

Relationships


73/133

Relationships


74/133

Relationships


Name Contents Analysis Information

FileHeaderSignatures called Hangul document files

Check whether the file is a Hangul document file

BodyText- Section0- Section1

- ...

Stores content such as paragraphs, tables, and drawing objects

Within BodyText storage, Check whether an invalid value is inserted in the tag that indicates the paragraph text (HWPTAG_PARA_TEXT)

* Additional use of ViewText storage for distribution documentation

/008HwpSummary

Information

Identify the title, author, creation and last modification date of the HWPs

Can be used as various elements for Threat group profiling

BinData- BinaryData0- BinaryData1

- ..

Within BinData Storage, Save images, OLE objects, and PostScript as separate streams

Identify unhealthy streams (OLE objects and postscript) of saved streams

PrvTextSave preview text as a Unicode string

Understand the contents of the document body

Scripts- DefaultJScript- JScriptVersion

- ...

Saving JavaScript as a Stream in Scripts Storage

Check for malicious JavaScript (Macro)

75/133

Relationships

▪ Summary Information - Author

76/133

Relationships

▪ Summary Information - Author (Kimsuky)

77/133

Relationships


78/133

Relationships


79/133

Relationships

▪ Summary Information – Author (Bluenoroff)

▪ alosha, TATIANA, Tiger

80/133

Relationships

▪ Summary Information – Author (Scarcruft)

▪ Lion, SEIKO, Tames

81/133

Relationships


▪ Bluenoroff: alosha, TATIANA, Tiger

▪ Scarcruft: Lion, SEIKO, Tames

▪ Kimsuky : John

82/133

Relationships


▪ Bluenoroff: alosha, TATIANA, Tiger

▪ Scarcruft: Lion, SEIKO, Tames

▪ Kimsuky : John

83/133

Contents

▪ Introduction

▪ Threat Groups



▪ Relationships

▪ Recent Trends

▪ Conclusion

84/133

Recent Trends

▪ Abuse of Word Normal function - Scarcruft

▪ DDEAUTO

85/133

Recent Trends


▪ DDEAUTO vs Data Link

File TypeAbusing Function

Common Feature

DifferenceMalware loading method

Malware

HWP Data LinkAbuse of normal

function

Same document

author

Execute VBS Drop

M-RR(ROKRAT)

DOCDynamic Data Exchange (DDE)

ExecutePowershell

Download

86/133

Recent Trends


87/133

Recent Trends

▪ OSMU - Scarcruft

88/133

Recent Trends

▪ OSMU - Scarcruft

89/133

Recent Trends

▪ Wateringhole attack via Malicious APKs - Scarcruft

▪ Landing Page

90/133

Recent Trends


▪ Process

91/133

Recent Trends


▪ Check Environment

92/133

Recent Trends


▪ Write Log file

93/133

Recent Trends


▪ CVE-2015-7888 / CVE-2015-6764

94/133

Recent Trends


▪ CVE-2015-7888 (Path Traversal)

▪ WifiHs20UtilityService (UID : system)

▪ /sdcard/Download/cred.zip

WifiHs20CredFileObserver automatically

extracts the content of the archive in the /data/bundle/

directory and deletes the zip file afterwards

95/133

Recent Trends (2018.07)

▪ New Type of H-PS-S - Bluenoroff

96/133



▪ Like H-PS-S-6 Downloader Shellcode,

But XOR-key change 1-byte to 16-byte

97/133




98/133




But XOR-key change 1-byte to 16-byte

=> Manuscrypt

99/133



▪ Manuscrypt C2

100/133

Threat Groups


Threat Group


TimeMajor Incident

Bluenoroff




currency)

2015 ~SWIFT illegal


101/133



▪ Manuscrypt C2 – Chinese Casino

102/133



▪ Manuscrypt C2

103/133



▪ Manuscrypt C2 -> 404?!

104/133



▪ Manuscrypt C2 -> 404?!

105/133



▪ Manuscrypt C2 -> View Source

106/133



▪ Manuscrypt C2 -> Hidden Malware!!

107/133



▪ Manuscrypt C2 -> Hidden Malware!!

Hidden Malware (Ramnit)

- Repeat : .*.html + VBScript

108/133


▪ New Type of H-OLE-S - Scarcruft

109/133



▪ Like H-PS-S-1 Downloader Shellcode (XOR : 0xD5)

110/133




111/133




112/133



▪ Like H-PS-S-1 Downloader Shellcode (XOR : 0xD5),

But OLE

113/133




But OLE

114/133




But OLE

115/133




But OLE

116/133




But OLE

117/133




But OLE

▪ VT ITW First Submission : Same Title, Author, Date

▪ 2017-09-12 06:23:55

f0c3269a68136c9349f82c479822943dd37ba6af36ae93e22832e5b1a83e1f09

▪ 2018-03-07 07:55:29

cd1496d2dc2e27ac4fde9c98646ed0ac5049eada5e0c652e73465a84f1faee06

▪ 2018-08-14 03:10:36 8bb3d97a37a6c7612624a12f8ff60eb8dd130f9e8f9af4f4f2cf8fca4f1dd964

118/133


▪ (Before) Type of H-PS-S-2 – Scarcruft

▪ Downloader Shellcode - dual decoding routines

119/133


▪ Again! Type of H-PS-S-2 – Scarcruft


120/133


▪ (Before) Type of H-PS-S-2 – Scarcruft


121/133


▪ Again! Type of H-PS-S-2 – Scarcruft


122/133


▪ Again! New Type of H-OLE-S - Scarcruft

123/133



124/133




But OLE

125/133




But OLE

126/133




But OLE

127/133




But OLE


▪ 2017-09-12 06:23:55

f0c3269a68136c9349f82c479822943dd37ba6af36ae93e22832e5b1a83e1f09

▪ 2018-03-07 07:55:29

cd1496d2dc2e27ac4fde9c98646ed0ac5049eada5e0c652e73465a84f1faee06


128/133




But OLE


▪ 2017-09-12 06:23:55 f0c3269a68136c9349f82c479822943dd37ba6af36ae93e22832e5b1a83e1f09

▪ 2018-03-07 07:55:29 cd1496d2dc2e27ac4fde9c98646ed0ac5049eada5e0c652e73465a84f1faee06


▪ 2018-10-01 00:49:53 74bf82f2faa1fce36a8f3509b20ff30aa055911cf78eac51181644d2beb10b33

129/133

Contents

▪ Introduction

▪ Threat Groups



▪ Relationships

▪ Recent Trends

▪ Conclusion

130/133

Conclusion

▪ Malicious Hangul files

▪ Government and public institutions are using the

Latest Version

▪ However, General User?

131/133

Conclusion

▪ Malicious Hangul files

▪ Government and public institutions are using the

Latest Version

▪ However, General User?

▪ For Threat Intelligence

▪ Start to weave

▪ Share Information

▪ Cooperate with

Relevant agency (ex: C2)

132/133

Q&A

Thank you ^^

Full Report : bit.ly/2LIRS7E

E – mail : [email protected]

133/133

References

1. http://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/1063.do

2. http://stixproject.github.io/documentation/idioms/campaign-v-actors/

3. https://medium.com/@markarenaau/cyber-threat-intelligence-comparing-the-

incident-centric-and-actor-centric-approaches-f20cfba2dea2

4. https://www.hancom.com/etc/hwpDownload.do

5. http://www.oss.kr/news/show/3285ffa4-1722-4991-8bd0-0bffa58ba604

DOKKAEBI: Documents of Korean and Evil Binary

Jaeki Kim,

Kyoung-Ju Kwak,

Min-Chang Jang

Financial Security Institute

2018 .10.03