SUMMARY
Even after the inter-Korean summit, it was recently confirmed that a North Korean hacking group was distributing malware to experts in unification, diplomacy and security by using an ActiveX vulnerability in a groupware solution.
Malware from North Korea has been circulated through the watering hole technique on the website of the "Sejong Research Institute". This institute is a private think tank that studies unification, diplomacy and security.
The malware connects to the C&C server, sends information about the PC, and downloads and executes additional malware. It is the latest variant used by the "GoldenAxe organization", which is known for its attacks by North Korea.
The "GoldenAxe organization" is a malicious organization that has attacked Korean companies and organizations through certain web sites for about 12 years, from 2007 to May 2018, by exploiting ActiveX vulnerabilities in Korean software.
North Korea targeted weak points in major ActiveX modules that are installed not only at South Korean public institutions and companies but also on PCs across the country. Due to the nature of ActiveX, vulnerable versions often remain on a PC without being deleted.
Malware execution is possible through the "ShellExecute" function in "AcubeFileCtrl.ocx", which is included in the ActiveX modules of a groupware solution. This vulnerability is patched and disabled in "AcubeFileCtrl.ocx 2.3.0.4".
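Because vulnerable ActiveX builds tend to linger on endpoints, the practical check is to compare the installed control's version against the fixed build. The following is an added example (not part of the report or of the vendor's tooling): it takes a software-inventory export, assumed here to be (host, path, version) records, and returns the hosts whose AcubeFileCtrl.ocx predates 2.3.0.4. Versions are compared as integer tuples, because a plain string comparison would wrongly rank a hypothetical "2.3.0.10" below "2.3.0.4". The inventory rows are constructed sample data.

```python
# Added example: find endpoints still carrying a pre-fix AcubeFileCtrl.ocx.
# FIXED_VERSION comes from the report; the inventory layout is an assumption.
FIXED_VERSION = "2.3.0.4"
MODULE_NAME = "AcubeFileCtrl.ocx"


def parse_version(text):
    """Turn '2.3.0.4' into (2, 3, 0, 4).

    Non-numeric components fall back to 0 and short versions are padded,
    so every result is a 4-tuple that compares numerically, not lexically.
    """
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def is_vulnerable(version):
    """True when the installed control is older than the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable(inventory):
    """Filter (host, path, version) records down to the ones that need patching."""
    return [
        (host, path, version)
        for host, path, version in inventory
        if path.lower().endswith(MODULE_NAME.lower()) and is_vulnerable(version)
    ]


# Constructed sample inventory (hostnames, paths and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", r"C:\Windows\Downloaded Program Files\AcubeFileCtrl.ocx", "2.3.0.3"),
    ("ws-02", r"C:\Windows\Downloaded Program Files\AcubeFileCtrl.ocx", "2.3.0.4"),
    ("ws-03", r"C:\Windows\Downloaded Program Files\AcubeFileCtrl.ocx", "2.3.0.10"),
    ("ws-04", r"C:\Windows\Downloaded Program Files\OtherCtrl.ocx", "1.0.0.0"),
]

if __name__ == "__main__":
    for host, path, version in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: {path} is {version}, below {FIXED_VERSION}")
```

Only ws-01 is reported: ws-02 is at the fixed build, ws-03 is newer despite sorting first as a string, and ws-04 is a different control.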
About watering hole script
The following malicious scripts were injected into the main web page of the think tank website.
The script "jquery-1.5.3.min.json" is encoded as follows and contains information-collection code, such as gathering browser information and checking whether a specific ActiveX control is installed.
The following malicious code is encoded in "jquery-1.5.3.min.json".
The following is part of the decoded malicious code from "jquery-1.5.3.min.json".
The collected information, such as browser details and whether a specific ActiveX control is installed, is base64-encoded and sent to a specific site ("alphap1.com").
Parameter | Meaning
w | Site name
r | <?=$referer?> value
o | OS version
lv | Accept-Language (e.g. KO)
bt | Browser information
bv | Browser information
bdv | Browser information
Fv | Flash version
Silv | Silverlight version
Ez | EasyPayPlugin installed
Ac | ACUBEFILECTRL installed
Si | SIClientAccess installed
Du | DUZONERPSSO installed
Iw | INIWALLET61 installed
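For triage of proxy or web-server logs, it helps to be able to turn one of these beacons back into the victim profile the script collected. The following decoder is an added example, not code from the report or from the injected script: it assumes the beacon is an HTTP request whose query-string parameters are the ones in the table above and whose values are individually base64-encoded (the report only states that the data is base64-encoded; the exact request layout, the "collect.php" path and all field values below are constructed for the example). It maps each parameter to its meaning and flags victims that reported the ACUBEFILECTRL control, the module this campaign exploits, as present.

```python
# Added example: decode a constructed profiling beacon of the kind described in
# the report. Parameter meanings come from the report's table; the request
# layout, path and sample values are assumptions.
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

PARAM_MEANING = {
    "w": "Site name",
    "r": "Referer value",
    "o": "OS version",
    "lv": "Accept-Language",
    "bt": "Browser information",
    "bv": "Browser information",
    "bdv": "Browser information",
    "Fv": "Flash version",
    "Silv": "Silverlight version",
    "Ez": "EasyPayPlugin installed",
    "Ac": "ACUBEFILECTRL installed",
    "Si": "SIClientAccess installed",
    "Du": "DUZONERPSSO installed",
    "Iw": "INIWALLET61 installed",
}

# Presence flags for client-side modules; 'Ac' is the control abused here.
PLUGIN_FLAGS = {"Ez", "Ac", "Si", "Du", "Iw"}
EXPLOITED_PLUGIN = "Ac"


def _b64_decode(value):
    """Decode one parameter value; return None if it is not valid base64.

    parse_qsl turns an unescaped '+' into a space, so spaces are mapped back
    to '+' first (a space can never occur in base64). Missing '=' padding is
    also restored, since scripts frequently strip it.
    """
    text = value.replace(" ", "+")
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def decode_beacon(url):
    """Return {param: (meaning, decoded value)} for one beacon URL."""
    decoded = {}
    for key, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded[key] = (PARAM_MEANING.get(key, "unknown parameter"), _b64_decode(raw))
    return decoded


def _flag_set(value):
    return value is not None and value.strip().lower() in ("1", "true", "y")


def installed_plugins(decoded):
    """Names of the probed modules that the victim reported as present."""
    return sorted(
        PARAM_MEANING[key].split(" installed")[0]
        for key, (_, value) in decoded.items()
        if key in PLUGIN_FLAGS and _flag_set(value)
    )


def is_exploitable_victim(decoded):
    """True when the victim reported the control this campaign exploits."""
    return EXPLOITED_PLUGIN in decoded and _flag_set(decoded[EXPLOITED_PLUGIN][1])


def _b64(text):
    return base64.b64encode(text.encode()).decode("ascii")


# Constructed sample beacon (path and values are made up for the example).
SAMPLE_BEACON = (
    "http://alphap1.com/collect.php?"
    + "&".join(
        f"{k}={_b64(v)}"
        for k, v in [
            ("w", "sejong.org"), ("o", "Windows 7"), ("lv", "ko"),
            ("bt", "MSIE"), ("bv", "11.0"), ("Ac", "1"), ("Du", "0"),
        ]
    )
)

if __name__ == "__main__":
    profile = decode_beacon(SAMPLE_BEACON)
    for key, (meaning, value) in profile.items():
        print(f"{key:>4} ({meaning}): {value}")
    print("exploitable:", is_exploitable_victim(profile))
```

A value that does not decode is reported as None rather than raising, so a log sweep over many requests does not stop on one malformed beacon.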
North Korea's "Sejong Institute (www.sejong.org)" Attack History
Collected information - Jan 12, 2017
* hxxp://www.sejong.org
-> hxxps://www.srider.net/www/custom.asp?id=sj (collection of visitor information)
1st watering hole attack - April 18, 2018 ~ April 19, 2018
* hxxp://www.sejong.org
-> hxxp://www.sejong.org/pub/inc/config.php (ActiveX vulnerability, deobfuscated)
2nd watering hole attack - April 23, 2018
* hxxp://www.sejong.org
-> hxxp://www.sejong.org/js/menu.js
-> hxxp://www.sejong.org/_lib/conf/config.php (ActiveX vulnerability, malicious code path changed, deobfuscated)
Inter-Korean summit - April 27, 2018
* Agreed to work together to ease the acute military tensions on the Korean Peninsula
3rd watering hole attack - May 7, 2018 ~ May 8, 2018
* hxxp://www.sejong.org
-> hxxp://www.sejong.org/_lib/conf/config.php (ActiveX vulnerability, obfuscated)
Groupware ActiveX vulnerabilities
The exploit code for the groupware solution is as follows.
The exploit uses the "ShellExecute" function to download and execute malware.
The vulnerability is that the supplied data is executed without any verification.
When the exploit runs, the file "temp.vbs" appears in the "%temp%" directory and runs after downloading the RAT malware.
Information of the RAT
The C&C server's IP and port are stored in the binary.
The initial authentication protocol is as follows. The RAT authenticates with the C&C server using a fixed base64-encoded value.
Data sent to server (decoded string)
Data sent from server (decoded string)
The RC4 algorithm is used to communicate with the C&C server. The RC4 key is "1234567890".
The malware sends the ComputerName, UserName, IP address, MAC address and OS version to the C&C server.
It executes commands sent from the C&C server using "cmd.exe" and sends the results back to the server.
It creates files that are sent by the C&C server.
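With the key and encoding known, an analyst can strip the RC4 and base64 layers from captured C&C traffic and read the host record the RAT submits. The following is an added example, not code from the RAT or from the report: the RC4 key "1234567890" and the base64 layer are as reported, but the order of the host-info fields, the "|" separator and the sample record are assumptions constructed for the example (the report does not give the wire layout). Because RC4 is symmetric, the same routine also produces known-good test vectors for a network detector.

```python
# Added example: decode base64 + RC4 C&C traffic with the key reported for this
# RAT. The host-record layout below is an assumption, not the RAT's real format.
import base64

RC4_KEY = b"1234567890"  # key stated in the report


def rc4(key, data):
    """Apply the RC4 keystream to data (encryption and decryption are identical)."""
    # Key-scheduling algorithm
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, XORed over the input
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_message(b64_payload, key=RC4_KEY):
    """Base64-decode a captured payload, then remove the RC4 layer."""
    return rc4(key, base64.b64decode(b64_payload))


def encode_c2_message(plaintext, key=RC4_KEY):
    """Inverse of decode_c2_message; handy for building detector test vectors."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


# Field order and separator are ASSUMED for this example.
HOST_INFO_FIELDS = ["ComputerName", "UserName", "IPAddress", "MACAddress", "OSVersion"]
FIELD_SEPARATOR = "|"


def parse_host_info(plaintext):
    """Split a decrypted host record into named fields; reject unexpected shapes."""
    parts = plaintext.decode("utf-8", "replace").split(FIELD_SEPARATOR)
    if len(parts) != len(HOST_INFO_FIELDS):
        raise ValueError(f"expected {len(HOST_INFO_FIELDS)} fields, got {len(parts)}")
    return dict(zip(HOST_INFO_FIELDS, parts))


# Constructed sample record and its wire form (all values are made up).
SAMPLE_HOST_INFO = b"DESKTOP-TEST|analyst|10.0.0.5|00-11-22-33-44-55|Windows 7"
SAMPLE_WIRE = encode_c2_message(SAMPLE_HOST_INFO)

if __name__ == "__main__":
    print("wire:", SAMPLE_WIRE)
    print("decoded:", parse_host_info(decode_c2_message(SAMPLE_WIRE)))
```

A ten-character fixed key like this one is a detection opportunity: the first bytes of every session are encrypted under an identical keystream, so a decryptor keyed with "1234567890" applied to the start of suspect flows will either yield readable host fields or noise.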
About "Operation GoldenAxe"
The "GoldenAxe" organization has been using ActiveX vulnerabilities in Korean software for about 12 years, from 2007 to June 2018, to deliver malware inside Korean companies and organizations through specific websites.
List of ActiveX modules used in "Operation GoldenAxe"
ActiveX program used | Explanation
Xman.CXmanObj.1 | Daum Portal ActiveX Manager Module
SKCOMMAX.SKCommAXCtrl.1 | SignKorea Certificate ActiveX Control Module
FileUpload.FileAccess.1 | Softforum XECUREWEB PKI Solution File Up/Down Control Module
IDEFENSE.IdefenseCtrl3.1.1 | Kings Information I-DEFENSE Online PC Firewall ActiveX Control Module
KMCWEBMANAGER.KMCWebManagerCtrl.1 | KMS InfoScan Privacy Web Manager Control Module
KCPPaymentUX.KCPUX.1 | KCP Electronic Payment Module
XPAYUPDATER.XPayUpdaterCtrl.1 | LG U+ Electronic Payment Update Module
DownMgr.DownMgrCtrl.1 | Fasoo DRM Download Manager Module
HShell.WShell.1 | HANDYSOFT Groupware HShell Module
KBINSTALLER.KBinstallerCtrl.1 | Naravision Kebi Mail Webmail Control Module
npenkIEInstall5 | INCA nProtect Netizen Firewall ActiveX Install Module
EasyPayPlugin.EPplugin.1 | EasyPay Electronic Payment Plug-in Module
MagicLoaderX.MagicLoaderX.1 | Dream Security MagicLoaderX Authentication Plug-in Module
NVERSIONMAN.NVersionManCtrl.1 | Nanoom Groupware Smart Flow NVersionMan Module
admctrl.FileIO.1 | Dream Security Administrator Privilege Processing Component Module
RDVistaSupport.VistaSupport.1 | M2 Soft Reporting Solution Report Designer Module
JxVistaDll.JXVistaUtil.1 | Soft 25 Zone Encryption Solution JX-CEAL Vista Module
JXFILEBOX.JxFileBoxCtrl.1 | Soft 25 JXFILEBOX Module
JXORGTREE.JXOrgTreeCtrl.1 | Soft 25 Webmail JXMAIL Module
INIWALLET61.INIwallet61Ctrl.1 | INISYS INIWALLET Browser Extension Module
INIUPDATER.INIUpdaterCtrl.1 | Initec INISAFE Encryption Solution Update Module
INISAFEWeb60.INISafe6Ctrl64.1 | Initec INISAFE Encryption Solution Control Module
INCITERX.InciterXCtrl.1 | SoftRun InciterX Patch Manager System Control Module
SIClientAccess.SIClientAccess.1 | Softforum IAM SafeIdentity Module
ACUBEFILECTRL.AcubeFileCtrlCtrl.1 | Samsung SDS Groupware ACUBE Solution Control Module
DUZONERPSSO.DUZONERPSSOCtrl.1 | Duzon Groupware IAM Control Module