Jan 11 2018

North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk

Recently, South Korean media wrote about North Korean refugees and journalists being targeted by unknown actors using KakaoTalk (a popular chat app in South Korea) and other social network services (such as Facebook) to send links to install malware on victims’ devices. This method shows that attackers are always looking for different ways to deliver malware.

The McAfee Mobile Research Team has acquired the malicious APK files that were used in the targeted attacks. According to the articles, Google-shortened URLs were used to spread the malware, so we analyzed the click statistics of those shortened links.

There are two versions of the dropper malware: “북한기도” (Pray for North Korea) and “BloodAssistant” (a health care app). In both cases, most clicks originated in South Korea and the most common browser and operating system combination was Chrome and Windows. (Android was the second most common.) The referrer diagram for BloodAssistant shows Facebook was used in 12% of cases to send the link to its targets.

In the case of the journalist who was targeted, the attacker sent a shortened link showing a thumbnail of another story written by the journalist, according to the news article. The link directs to ihoodtec[.]com/upload/newslist[.]php (now offline), which seems to be used for redirecting to links in other domains. This shortened URL was clicked by someone with an account at mail[.]police[.]go[.]kr, suggesting the shortened URL was also sent via email to the police address.

The number of clicks might not be meaningful because it can include access from malware researchers, but what is meaningful is that malware-download links were spread using different platforms: Facebook, KakaoTalk, email, etc.



All the malicious APK files (including additional variants) dropped the Trojan on the victim’s device. Although the apps look different, the dropper mechanism is identical. The following screens show the execution of the dropper files.

Figure 1: Screenshots of droppers.

When the dropper APK executes, it first checks whether the device is already infected. If not, it prompts the victim to turn on the accessibility permission. If the victim taps the pop-up window, the view changes to the accessibility settings menu so the app can acquire the permission.

When the accessibility service starts, it overlays the window (by playing a video, for example) to hide the process of turning on required settings and dropping and installing the Trojan. The overlay is removed after the Trojan is installed. The following diagram explains the flow after executing the dropper malware.

Figure 2: Execution flow of the dropper.
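The accessibility-service, overlay and package-install capabilities used in the dropper flow above are all visible in an app's manifest, so a defender can triage samples on that combination before running them. The block below is an added example (not the page's or the malware's code) that parses two constructed manifests; package names, labels and the scoring rule are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the dropper behaviour described above:
# an accessibility service plus the permissions needed to draw an overlay
# and to install the bundled Trojan. Package and class names are placeholders.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Constructed App">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary network app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Constructed Reader">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def manifest_traits(xml_text):
    """Collect the capabilities a dropper of this kind needs."""
    root = ET.fromstring(xml_text)
    traits = set()
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        traits.add("overlay")            # can cover the screen while it works
    if perms & {"android.permission.REQUEST_INSTALL_PACKAGES",
                "android.permission.INSTALL_PACKAGES"}:
        traits.add("installs_packages")  # can drop and install a second APK
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            traits.add("accessibility_service")  # can click through settings itself
    return traits


def looks_like_accessibility_dropper(xml_text):
    """Flag the combination used here: an accessibility service together with
    an overlay or a package-install capability (rule is an assumption)."""
    t = manifest_traits(xml_text)
    return "accessibility_service" in t and bool(t & {"overlay", "installs_packages"})
```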


The dropped Trojan uses popular cloud services Dropbox and Yandex as a control server to upload data and receive commands. The following diagram explains the execution flow of the Trojan. The names of broadcast receivers and services (with some misspellings) may vary between samples but the execution is the same.

Figure 3: Execution flow of the Trojan.

When the dropped Trojan is installed, it saves device information in a temporary folder and uploads it to the cloud. It then downloads a file containing commands and other data to control the infected device. (We’ll explain the format of the downloaded file in the next section.) Most of the malicious behaviors—such as saving SMS, contact information, etc.—are implemented inside a separate dex file “core,” which is downloaded from the control server. This dex file is referenced in many places in the malware. The malicious functionality can be extended, as we’ll explain in the following section.

Command file structure

The command file has its own format. The following diagram explains the types of values. Offset designators are used to retrieve each value when parsing the file. The next table explains each value.

Figure 4: Command file format.

Figure 5: Command file values.

The handler for the command code received from the cloud (the CMD value) is implemented as a separate dex file and is downloaded either before or after the malware parses the command file. This mechanism allows the attacker to easily extend the malicious functionality without needing to update the whole malware.

Our analysis shows that only some of the commands are implemented now and uploaded to the cloud control server. Note Command 12 captures KakaoTalk chat logs.

Figure 6: Implemented commands.


We have found variants of the APKs that the news articles initially reported, hosted on Google Drive. (The APKs on Google Drive are marked as malware and cannot be downloaded.) Some variants use different cloud services as their control servers while others drop the separate call-recording app “com.toh.callrecord” (assets/bbb). The following graph shows the relationships among variants and dropped files.

Figure 7: Relationships among variants.

The Actors

The initial malicious APKs we found were uploaded to Google Drive by the same account, and we found a connected social network account. By following the activities of this account, we conclude with high confidence that it was used to send shortened URLs to victims to get them to download the malicious APK files.

The group behind this campaign is certainly familiar with South Korean culture, TV shows, drama, and the language because the account names associated with the cloud services are from Korean drama and TV shows, including the following:

Figure 8: Cloud service accounts.

We found the use of an interesting word, “피형” (“blood type”), which is not used in South Korea but is used in North Korea. (“혈액형” is the word for blood type in South Korea.) We also found a North Korean IP address in test log files of some Android devices that are connected to accounts used to spread the malware. However, Wi-Fi was on, so we cannot exclude the possibility that the IP address is private.

By looking at the list of deleted folders in the cloud, we found one with the name “sun Team Folder,” possibly the name of the actors. This group has been active since 2016, according to the cloud storage creation date.

Figure 9: Deleted folder in the cloud.


This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware. We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors.

McAfee Mobile Security detects this malware as Android/HiddenApp.BP. Always keep your mobile security application updated to the latest version, and never install applications from unverified sources. We recommend installing KakaoTalk only from Google Play. These habits will reduce the risk of infection by malware.

The post North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk appeared first on McAfee Blogs.

Jan 06 2018

Malicious Document Targets Pyeongchang Olympics

McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics.

Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”).

The primary target of the email was icehockey@pyeongchang2018.com, with several organizations in South Korea on the BCC line. The majority of these organizations had some association with the Olympics, either in providing infrastructure or in a supporting role. The attackers appear to be casting a wide net with this campaign.

The campaign targeting the Pyeongchang Olympics began December 22, 2017, with the most recent activity appearing December 28. The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant.


The malicious document was submitted from South Korea to VirusTotal on December 29 at 09:04, a day after the original email was sent to the target list. The email was sent from the IP address, in Singapore, on December 28 at 23:34. The attacker spoofed the message to appear to be from info@nctc.go.kr, which is the National Counter-Terrorism Center (NCTC) in South Korea. The timing is interesting because the NCTC was in the process of conducting physical antiterror drills in the region in preparation for the Olympic Games. The spoofed source of this email suggests the message is legitimate and increases the chances that victims will treat it as such.

Based on our analysis of the email header, this message did not come from NCTC but rather from the attacker’s IP address in Singapore. The message was sent from a Postfix email server and originated from the hostname ospf1-apac-sg.stickyadstv.com. When the user opens the document, text in Korean tells the victim to enable content to allow the document to be opened in their version of Word.
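The header check described above (claimed sender versus the host that actually handed the message over) can be automated over raw message headers. The block below is an added example, not the post's own tooling: the From address, the originating hostname and the Postfix banner are the ones the post quotes, while the Received chain, IP addresses and receiving host are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers for this example. The From address, the originating
# hostname and the Postfix MTA are the ones quoted in the post; the IP
# addresses (RFC 5737 documentation range) and receiving host are placeholders.
SPOOFED_MESSAGE = """Received: from ospf1-apac-sg.stickyadstv.com (unknown [203.0.113.10])
\tby mx.receiver.invalid with ESMTP; Thu, 28 Dec 2017 23:34:10 +0800
Received: from localhost (localhost [127.0.0.1])
\tby ospf1-apac-sg.stickyadstv.com (Postfix) with ESMTP id 4F2A1;
\tThu, 28 Dec 2017 23:34:00 +0800
From: NCTC <info@nctc.go.kr>
To: icehockey@pyeongchang2018.com
Subject: constructed sample

body
"""

# Constructed message whose delivery path agrees with its claimed sender.
CONSISTENT_MESSAGE = """Received: from mail.sender.invalid (mail.sender.invalid [203.0.113.20])
\tby mx.receiver.invalid with ESMTP; Thu, 28 Dec 2017 10:00:00 +0800
From: Someone <someone@sender.invalid>
To: icehockey@pyeongchang2018.com
Subject: constructed sample

body
"""


def parse_received(value):
    """Pull the 'from' host, the 'by' host and the MTA banner (the text in
    parentheses after the 'by' host) out of one Received header. Folded
    continuation lines are only whitespace to these regexes."""
    from_m = re.search(r"\bfrom\s+([^\s;()]+)", value)
    by_m = re.search(r"\bby\s+([^\s;()]+)(?:\s+\(([^)]*)\))?", value)
    return {
        "from_host": from_m.group(1).lower() if from_m else None,
        "by_host": by_m.group(1).lower() if by_m else None,
        "mta": by_m.group(2) if by_m and by_m.group(2) else None,
    }


def same_org(host, domain):
    """Naive organisation match: host is the domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze_origin(raw):
    """Compare the domain the From header claims with the hosts that actually
    handled the message. Each hop prepends its Received header, so the last
    one in the list is the earliest, i.e. closest to the real origin."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    if not hops:
        return {"claimed_domain": claimed, "originating_host": None,
                "handover_host": None, "mta_software": None, "spoof_suspected": None}
    earliest, latest = hops[-1], hops[0]
    origin = earliest["by_host"]      # the MTA that first accepted the mail
    handover = latest["from_host"]    # the host that passed it to our MX
    consistent = any(same_org(h, claimed) for h in (origin, handover) if h)
    return {
        "claimed_domain": claimed,
        "originating_host": origin,
        "handover_host": handover,
        "mta_software": earliest["mta"],
        "spoof_suspected": not consistent,
    }
```

In production this check belongs behind SPF, DKIM and DMARC evaluation; it is the manual reasoning the post applies, not a replacement for those mechanisms.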

The malicious document with instructions to enable content.

The enable content message.

The document contains an obfuscated Visual Basic macro:

Visual Basic macro.

The malicious document launches a PowerShell script when the user clicks “Enable Content.” The document was created on December 27 at 15:52 by the author “John.”

The malicious document launches the following PowerShell script:

Manually executing the PowerShell script at the command line.

The script downloads and reads an image file from a remote location and carves out a hidden PowerShell implant script embedded within the image file to execute.

The attackers used the open-source tool Invoke-PSImage, released December 20, to embed the PowerShell script into the image file. The steganography tool works by embedding the bytes of a script into the pixels of the image file, giving the attacker the ability to hide malicious PowerShell code in a visible image on a remote server. The following script can be identified as generated by Invoke-PSImage to execute the attacker’s implant in an image from a remote server.

The initial PowerShell script.

The image that contains the hidden PowerShell code.

To verify the usage of steganography, we employed the tool StegExpose to check the file:

The result confirms the presence of hidden data in our file.
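The two steps above, hiding script bytes in pixel low bits and then detecting that something was hidden, can be shown side by side. The block below is an added example (my own code, not the post's and not Invoke-PSImage's): it embeds a constructed script in the low four bits of two colour channels, the same general idea Invoke-PSImage uses, recovers it, and then applies a simplified StegExpose-style statistic that separates the clean graphic from the carrier. The exact channel layout, the cover image, the payload and the entropy threshold are all assumptions.

```python
import math
from collections import Counter

WIDTH, HEIGHT = 32, 32

# Constructed stand-in for the script: 670 bytes of PowerShell-looking text.
PAYLOAD = b"".join(b"$v%d = Get-Date; " % i for i in range(40))


def make_cover():
    """Constructed cover image as a list of (R, G, B) tuples: a flat
    two-colour graphic, the kind of simple web image that has few colours."""
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            inside = 8 <= x < 24 and 8 <= y < 24
            pixels.append((40, 70, 110) if inside else (230, 230, 240))
    return pixels


def embed(pixels, payload):
    """Store one payload byte per pixel: the high nibble in the low 4 bits of
    G and the low nibble in the low 4 bits of B. Invoke-PSImage likewise uses
    the low 4 bits of two colour values per pixel; the channel choice here is
    an assumption. A 4-byte length prefix tells the reader where to stop."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) > len(pixels):
        raise ValueError("payload too large for carrier")
    out = list(pixels)
    for i, byte in enumerate(data):
        r, g, b = out[i]
        out[i] = (r, (g & 0xF0) | (byte >> 4), (b & 0xF0) | (byte & 0x0F))
    return out


def extract(pixels):
    """Reverse of embed: reassemble bytes from the two low nibbles."""
    nibbles = [((g & 0x0F) << 4) | (b & 0x0F) for _, g, b in pixels]
    length = int.from_bytes(bytes(nibbles[:4]), "big")
    return bytes(nibbles[4:4 + length])


def low_nibble_entropy(pixels, channel):
    """Shannon entropy (bits) of the low 4 bits of one channel (0=R, 1=G, 2=B).
    A flat graphic uses few colours, so its low nibbles are concentrated;
    embedded script bytes spread them out."""
    counts = Counter(p[channel] & 0x0F for p in pixels)
    n = len(pixels)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_carrier(pixels, threshold=2.0):
    """Simplified StegExpose-style verdict: flag the image if the B channel's
    low-nibble entropy exceeds the (assumed) threshold. StegExpose itself
    combines several detectors (RS, sample pairs, chi-square); this shows
    only the principle and would misfire on noisy photographs."""
    return low_nibble_entropy(pixels, 2) > threshold
```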

Once the script runs, it passes the decoded script from the image file to the Windows command line in a variable $x, which uses cmd.exe to execute the obfuscated script and run it via PowerShell.

&&set  xmd=echo  iex (ls env:tjdm).value ^| powershell -noni  -noex  -execut bypass -noprofile  -wind  hidden     – && cmd   /C%xmd%

The extracted script is heavily disguised, using a combination of string-format operator obfuscation and other string-based obfuscation techniques.

The obfuscated PowerShell implant script.

The attacker’s objective is to make analysis difficult and to evade detection technologies that rely on pattern matching. Because the obfuscation makes use of native functions in PowerShell, the script can run in an obfuscated state and work correctly.

Obfuscated control servers.

When we deobfuscate the control server URLs, the implant establishes a connection to the following site over SSL:


Based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware. Ultimately this PowerShell implant will be set to automatically start daily at 2 am via a scheduled task (shown below). The view.hta contains the same PowerShell-based implant and establishes a remote connection over SSL to hxxps://

"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 14:00 /TN "MS Remoute Update" /TR C:\Users\Ops03\AppData\Local\view.hta

The contents of view.hta.
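Both artefacts quoted above, the abbreviated hidden-window PowerShell launcher and the scheduled task that runs an HTA from a user profile, are easy to miss with exact-string matching because PowerShell accepts any unambiguous prefix of a parameter name. The block below is an added example (not the post's or McAfee's tooling) that normalises those prefixes and scores constructed process-creation records; the indicator names and the verdict rule are assumptions.

```python
import re

# Full names of the PowerShell switches that matter here. PowerShell accepts
# any unambiguous prefix, so "-noni", "-execut" and "-wind" in the quoted
# launcher are legal spellings of NonInteractive, ExecutionPolicy, WindowStyle.
PS_PARAMS = ["NonInteractive", "NoExit", "NoProfile", "NoLogo",
             "ExecutionPolicy", "WindowStyle", "EncodedCommand", "Command"]

# Constructed process-creation records: the launcher and the schtasks line
# quoted in the post (spacing and quotes normalised), plus one benign one.
SAMPLE_RECORDS = [
    "cmd /C set xmd=echo iex (ls env:tjdm).value ^| powershell -noni -noex "
    "-execut bypass -noprofile -wind hidden - && cmd /C%xmd%",
    '"C:\\Windows\\system32\\schtasks.exe" /Create /F /SC DAILY /ST 14:00 '
    '/TN "MS Remoute Update" /TR C:\\Users\\Ops03\\AppData\\Local\\view.hta',
    "powershell.exe -NoProfile -Command Get-Service",
]


def canonical_param(token):
    """'-execut' -> 'ExecutionPolicy'; None for non-switches or ambiguous '-no'."""
    if len(token) < 2 or not token.startswith("-"):
        return None
    hits = [p for p in PS_PARAMS if p.lower().startswith(token[1:].lower())]
    return hits[0] if len(hits) == 1 else None


def powershell_indicators(cmdline):
    """Suspicious traits of a command line that launches PowerShell."""
    found = set()
    if not re.search(r"\bpowershell(\.exe)?\b", cmdline, re.I):
        return found
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        name = canonical_param(tok)
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if name == "WindowStyle" and nxt.startswith("hid"):
            found.add("hidden_window")
        elif name == "ExecutionPolicy" and nxt in ("bypass", "unrestricted"):
            found.add("policy_bypass")
        elif name == "NoProfile":
            found.add("no_profile")
        elif name == "NonInteractive":
            found.add("non_interactive")
    # Script body parked in an environment variable and fed to Invoke-Expression.
    if re.search(r"\b(iex|invoke-expression)\b.*\benv:", cmdline, re.I):
        found.add("iex_from_env_var")
    return found


def schtasks_indicators(cmdline):
    """Suspicious traits of a schtasks.exe command line."""
    found = set()
    if not re.search(r"\bschtasks(\.exe)?\b", cmdline, re.I):
        return found
    if re.search(r"/create\b", cmdline, re.I):
        found.add("task_created")
    m = re.search(r'/TR\s+("[^"]+"|\S+)', cmdline, re.I)
    if m:
        action = m.group(1).strip('"').lower()
        if action.endswith((".hta", ".vbs", ".js", ".ps1")):
            found.add("script_task_action")
        if "\\appdata\\" in action or "\\users\\" in action:
            found.add("action_in_user_profile")
    return found


def is_suspicious(found):
    """Verdict tuned to this campaign's combinations (rule is an assumption)."""
    return ("iex_from_env_var" in found
            or {"hidden_window", "policy_bypass"} <= found
            or {"script_task_action", "action_in_user_profile"} <= found)


def triage(records):
    """Return (record, sorted indicators) for every record worth an alert."""
    scored = [(r, powershell_indicators(r) | schtasks_indicators(r)) for r in records]
    return [(r, sorted(f)) for r, f in scored if is_suspicious(f)]
```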

During our research, we discovered a cached Apache server log for the IP address, which is shared hosting. This log contained information for the control server thlsystems.forfirst.cz, which showed an IP address from South Korea connecting to the specific URL paths contained in the PowerShell implants. This indicates that the implant was active in South Korea and targets were likely being infected.

Apache server log from December 29, 2017.

While investigating thlsystems.forfirst.cz we discovered that the webpage belongs to a legitimate entity, suggesting this is a compromised server being used as both an encrypted backchannel for the attacker and the distribution of implants. The server also hosts a copy of the obfuscated PowerShell implant.

The implant establishes an encrypted channel to the following URL path:


An image from December 30, 2017.

When investigating the IP address from the PowerShell implant we found a server in Costa Rica that resolves to mafra.go.kr.jeojang.ga. The domain jeojang.ga was registered via Freenom, a free anonymous domain provider. It appears the attacker is using parts of a domain that belong to the South Korean Ministry of Agriculture and Forestry, which is in line with the attached document name in the email, but this domain has nothing to do with this government agency.

A version of the malicious document from December 22 embedded the PowerShell implant directly into the Word document in the form of an HTA file. McAfee Advanced Threat Research analysts discovered another document that was hosted at this domain; its original title is 위험 경보 (전국야생조류 분변 고병원성 AI(H5N6형) 검출).docx, which also appears to come from the Ministry of Agriculture and Forestry. This document was created on December 22 by the same author, “John.” The document does not contain macros but rather OLE streams for the embedded HTA files. When the Korean-language docx icon is clicked, it launches the embedded HTA file Error733.hta. This file contains the same script code to launch the PowerShell implant as in the view.hta example.

An earlier malicious document that relies on OLE streams.



The basic method in this case, an in-memory implant using PowerShell along with obfuscation to avoid detection, is a common and increasingly popular fileless technique used in cyberattacks. We have not previously seen this kind of attack targeting victims in South Korea.

The use of the steganography tool shows how quickly the adversary has adapted to new tools. On December 20, the tool Invoke-PSImage was released to the public and within seven days was tested and deployed in a campaign targeting organizations involved in the 2018 Pyeongchang Olympics.

With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes. In similar past cases, the victims were targeted for their passwords and financial information. In this case the adversary is targeting the organizations involved in the Winter Olympics by using several techniques to make it more tempting to open the weaponized document:

  • Spoofed email address from South Korea’s National Counter-Terrorism Council
  • Use of Korean language
  • Asking users to open the content because the document is in protected mode
  • Partial use of the original South Korean Ministry of Agriculture and Forestry domain in a registered fake domain for malicious intent

The Advanced Threat Research team has discovered an increase in the use of weaponized Word documents against South Korean targets in place of the traditional use of weaponized documents exploiting vulnerabilities in the Hangul word processor software.


Indicators of compromise


  • c388b693d10e2b84af52ab2c29eb9328e47c3c16
  • 8ad0a56e3db1e2cd730031bdcae2dbba3f7aba9c


  • 122.181.63


  • forfirst.cz
  • go.kr.jeojang.ga

The post Malicious Document Targets Pyeongchang Olympics appeared first on McAfee Blogs.

Dec 20 2017

McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker

In our recent research, we interviewed the actors behind ransomware campaigns. One of the interesting findings was cybercriminals seemed to have a sense of absolute safety when conducting criminal operations. Cybercrime is an area of crime like no other, perceived as low-risk with high returns, which contributes greatly to its rapid growth.

Today, with the arrest of individuals suspected of infecting computer systems by spreading the CTB Locker malware, a clear message has been sent—involvement in cybercrime is not zero-risk.

CTB Locker

CTB Locker, also known as Critroni, is known as one of the largest ransomware families—helping to drive a new ransomware surge of 165 percent in 2015 as one of the top three ransomware families, and earning a spot as No. 1 just a year later. Operation Tovar, in which law enforcement agencies took down the infrastructure responsible for spreading CryptoLocker, created a need for more malware—CTB Locker and CryptoWall malware families helped to fill the gap.

In June 2014, the CTB Locker authors began to advertise the malware family on the underground scene at a cost of $3,000 USD, where people could buy the first versions for $1,500 USD. The authors also offered an affiliate program, which made CTB Locker infamous. By sharing a percentage of the received ransoms, the affiliates ran the greater risk—because they had to spread the ransomware—but they also enjoyed the higher profits. By using exploit kits and spam campaigns, the malware was distributed all over the world, mostly targeting “Tier 1” countries, those in which the victims could afford to pay and most likely would pay the ransom. Midway through 2015, we gained unique information from an affiliate server that helped us tremendously in the subsequent investigations.

A CTB Locker affiliate server.
An example of CTB Locker source code.

Besides the use of an affiliate server in CTB Locker’s infrastructure, two other components complete the setup: a gateway server and a payment server.

Attacks Begin to Grow

During 2016, a massive spam campaign struck the Netherlands. Emails in Dutch seemed to originate from one of the largest telco providers. The emails claimed to have the latest bill attached. There was no bill, of course, but rather CTB Locker asking for around $400 USD in ransom to return files. The grammar and word usage were near perfect—not what we commonly observe—and the names in the email were proof of a well-prepared campaign. More than 200 cases in the Netherlands alone were filed regarding these infections.

With attacks growing in number, the Dutch High Tech Crime Unit began an investigation. The unit approached McAfee’s Advanced Threat Research team to assist in identifying samples and answering questions.

Following our research, we were kept updated and were informed that in the early morning of December 14 operation “Bakovia” started. The initial research focused on the CTB Locker ransomware, but based on information from the U.S. Secret Service, it was determined that the same suspected gang was also linked to the distribution of Cerber ransomware—another major family.

The Arrests

During the operation in eastern Romania, six houses were searched, and the investigators seized a significant number of hard drives, laptops, external storage devices, cryptocurrency mining rigs, and hundreds of SIM cards. Suspects were arrested for allegedly spreading CTB Locker ransomware, and other suspects allegedly responsible for spreading Cerber were arrested at the airport in Bucharest.


The law enforcement action emphasizes the value of public-private partnerships and underscores the determination behind the McAfee mantra “Together is power.”

The post McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker appeared first on McAfee Blogs.

Dec 18 2017

Operation Dragonfly Analysis Suggests Links to Earlier Attacks

On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014.

Moving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack’s indicators to determine whether we can glean any further information regarding the source and possible motivations of those behind the campaign. The campaign targets energy companies around the world by leveraging spear-phishing emails that, once successful, allow the attackers to download Trojan software. The Trojans provide access to the victims’ systems and networks.

Going Beyond Energy

Although initial reports showed Dragonfly attacks targeting the energy sector, investigations by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries. Everything about this campaign points to a well-prepared assault that carefully considers each target, and conducts reconnaissance before taking any measures to exploit compromised targets.

We saw the group use several techniques to get a foothold in victims’ networks, including spear phishing, watering holes, and exploits of supply-chain technologies via previous campaigns. By exploiting vulnerabilities in well-established software and embedding “backdoor” malware within it, the attackers lead victims to believe they are installing software from a trusted vendor, unaware of the supply-side compromise.

Once the attackers have a foothold, they create or gain user accounts to operate stealthily. Using the remote-desktop protocol to hop among internal or external systems, they connect either to a control server if the risk is minimal or use an internal compromised server to conduct operations.

The last wave of attacks used several backdoors and utilities. In analyzing the samples, we compared these with McAfee’s threat intelligence knowledge base of attack artifacts.

One of the starting points was a Trojan in the 2017 campaign with the following hashes:

  • MD5: da9d8c78efe0c6c8be70e6b857400fb1
  • SHA-256: fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9

Comparing this code, we discovered another sample from the group that was used in a July 2013 attack:

  • MD5: 4bfdda1a5f21d56afdc2060b9ce5a170
  • SHA-256: 07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4
  • Filename: fl.exe

The file was downloaded after a Java exploit executed on the victim’s machine, according to the 2013 attack report. After analyzing the 2013 sample, we noticed that some of the executable’s resources were in Russian.

Comparing the code, we find the 2017 sample has a large percentage of the same code as the backdoor used in the 2013 attacks. Further, some code in the 2017 backdoor is identical to code in the application TeamViewer, a legitimate remote administration tool used by many around the world. By incorporating the code and in-memory execution, the attackers avoid detection and leave no trace on disk.

The correlating hash we discovered that contained the same TeamViewer code was reported by CrySyS, a Hungarian security company. In their report on “TeamSpy,” they mentioned the hash we correlated as well: 708ceccae2c27e32637fd29451aef4a5. This particular sample had the following compile date: 2011:09:07 – 09:27:58+01:00

The TeamSpy attacks were originally aimed at political and human rights activists living in the Commonwealth of Independent States (the former Soviet Union) and eastern European countries. Although the report attributes the attacks to a threat actor or actors and shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?

But that’s not all of interest. We also discovered that the 2017 sample contained code blocks associated with another interesting malware family: BlackEnergy. Let’s look at an example of the code similarities we discovered:

A BlackEnergy sample from 2016 (at left) alongside a Dragonfly sample from 2017.

Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.

The BlackEnergy sample used in our comparison was captured in Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, which suggests a correlation between the BlackEnergy and Dragonfly campaigns.

Actor Sophistication

Our analysis of this attack tells a story about the actors’ capability and skills. Their attack precision is very good; they know whom and what to attack, using a variety of efforts. Their focus is on Windows systems and they use well-known practices to gather information and credentials. From our research, we have seen the evolution of the code in their backdoors and the reuse of code in their campaigns.

How well do the actors cover their tracks? We conclude they are fairly sophisticated in hiding details of their attacks, and in some cases in leaving details behind to either mislead or make a statement. We rate threat actors by scoring them in different categories; we have mentioned a few. The Dragonfly group is in the top echelon of targeting attackers; it is critical that those in the targeted sectors be aware of them.

The Dragonfly group is most likely after intellectual property or insights into the sector they target, with the ability to take offensive disruptive and destructive action, as was reported in the 2015 attack on the Ukrainian power grid by a BlackEnergy malware family.


We would like to thank the team at Intezer for their assistance and support during our research.

The post Operation Dragonfly Analysis Suggests Links to Earlier Attacks appeared first on McAfee Blogs.