In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10’s tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a second stage RokRAT shellcode. RokRAT can execute remote C2 commands, data exfiltration, file download/upload, and keylogging. The uncovered lure documents suggest ITG10 may be targeting individuals and organizations involved in foreign policy associated with the Korean peninsula.

Key Findings:

• ITG10 likely targeting South Korean government, universities, think tanks, and dissidents
• Phishing emails spoof legitimate senders to deliver RokRAT via LNK files
• Email attachments mimic legitimate documents
• Additional malware samples possibly related to ITG10 RokRAT campaigns

Decoy documents

In late April 2023, X-Force uncovered several Zip Archives files hosting multiple lure documents likely sent via phishing campaigns operated by ITG10. X-Force assesses that the documents are likely decoys geared toward various personnel within two subsets of activity: South Korean government, communication, and educational centers; and energy, manufacturing, and supply chain. This section provides analysis of the lure documents and potential targets.

South Korean government, communications and educational centers

The first suspected subset of activity revealed Korean-language lure documents. The first titled (0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip [(0722) List of Standing Committee and Standing Special Committee members (final).zip)], contains charts listing the Standing Committee members and assignments associated with broadcast media in South Korea as of July 2022. Examination of the contents suggests that it is a directory of eighteen South Korean parliamentary committee assignments, the number of committee members, their names, and political party affiliation. Committees include Education and Judicial, International and Foreign Affairs, Defense, and Intelligence. The intended targets for this lure are likely to be parliamentary members seeking information on their committee assignment or reporters covering parliament.

(0722)상임위원회 및 상설특별위원회 위원 명단(최종).zip

An additional decoy document titled 계약서내용.pdf (Contract detail.pdf) appears to be associated with a national South Korean broadcaster. The contents detail the company’s approach to radio drama production scheduled for broadcast in May 2023. North Korean sponsored threat actors have previously been known to create accounts posing as broadcasting scriptwriters to deceive watchers. In 2021, North Korean threat actors compromised several email accounts of prominent defectors to send malicious documents to contacts working on DPRK issues. ITG10 has also been known to infect news websites with malware likely to spy on readers.

A third decoy 2023년도 4월 29일 세미나.pdf (April 29, 2023 Seminar.pdf) appears to be an itinerary for an event hosted in April 2023 by a South Korean think tank. The event includes multiple seminars on political theory, military history, and a talk on “Intelligence activities and cyber security of the National Intelligence Service.” Members of this think tank include professors from multiple universities and South Korean government entities. There are two mobile phone numbers and a Zoom link with a password in the decoy document, which can be scraped to launch phishing material over social medial platforms. Based on the document’s content, academic and government employees, especially those in intelligence and cybersecurity, are probable targets for phishing emails containing this type of decoy document.

2023년도 4월 29일 세미나.pdf

Energy, manufacturing and supply chain

The second grouping of lure documents features a zip file projects in Libya.zip containing a LNK file Pipelines Profile (Elfeel- Sharara-Mellitah + Wafa – Mellitah).lnk, as well as additional English-language decoy files. The decoy files are a Microsoft Word Document and PDF copy of a document titled Proposed MOU GTE Korea. The documents appear to be legitimate and establish a written Memorandum of Understanding (MOU) between an authentic privately owned Libyan energy company and a South Korean consulting firm specializing in energy, procurement, construction and finance (EPC&F). In addition, the zip contains a second non-malicious lure PDF titled MFZ Executive Summary Korea detailing a feasibility study regarding the development and expansion of the “sea port free zone of Misurata.”

Based on the decoy content, the likely recipients of this phishing campaign would be organizations or individuals involved with a construction project in the Middle East. The Middle East has been a traditional customer for many large-scale construction projects for multiple South Korean companies, and there has been a recent push by the South Korean administration to what’s known as the ‘2nd construction boom’. These construction projects are part of the South Korean government’s pivot to the Middle East, deepening ties both militarily and economically.

Sample analysis

RokRAT has been previously analyzed as having a multi-stage process with two components. The first involves tooling, and the second involves the payload, likely to inhibit researchers from analyzing the final payload, while maintaining the ability to stop delivery once a target system is infected. RokRAT campaigns typically begin with a phishing email with a ZIP file attachment, containing a LNK file disguised as a Word document. When the LNK file is activated, a PowerShell script is executed, opening a decoy document to start the download process of RokRAT which is hosted at OneDrive or similar cloud application. In another campaign, ITG10 was observed delivering RokRAT via HWP and Word files containing LNK files. In X-Force’s analysis of recent RokRAT-related files, in lieu of a ZIP file, we found Optical Disc Image files (ISO) containing LNK files that had slightly modified PowerShell scripts, and Hangul Word Processor decoy documents (HWP).

 ISO files

The ISO files that X-Force observed contained a LNK file disguised as an exe icon, subsequently containing a HWP file, and a batch file. The LNK file contains a PowerShell command, as seen below as an example. Once the LNK file is executed, it extracts and drops a decoy file, and a batch file within the user’s %TEMP% folder. In this instance, the files were 2023년도 4월 29일 세미나.pdf – decoy file, and 230415.bat.

icon_location = C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

PowerShell Commands:

Related malware?

While researching the RokRAT-related files, X-Force also uncovered three LNK files that behave differently than expected. There is no use of OneDrive or similar cloud applications to host a second-stage payload, and instead of dropping a batch file, these LNK files drop VBS, with the obfuscation technique for the dropped files being hex-encoding vs. string concatenation. In addition, the RokRAT LNK files drop batch files and downloads the payload that is decoded using the first byte as a key, then the payload is executed using Windows API functions (VirtualProtect). With these additional LNK files, the VBS downloaders do not perform these actions.

The LNK files analyzed contain an encoded PowerShell, and once the LNK files are executed, the PowerShell script is run, and two files are dropped to the user’s %TEMP% folder. In one analyzed sample, the files dropped were a VBS file (tmp<random-9-digit-number>.vbs ), and a Plaintext file with contents asdfgqwert. The VBS file will get executed via Wscript.exe:

“C:\Windows\System32\WScript.exe” “C:\Users\Usuario\AppData\Local\Temp\tmp<nine-digit-number>.vbs”.  Wscript.exe is a service 

Wscript.exe is a service provided by the Windows system with scripting abilities. Subsequently, two GET requests are initiated. In a third file we analyzed, instead of the LNK file dropping a VBS and a Plaintext file, a VBS file and a JPEG decoy file are dropped to the users %TEMPT% folder. In this case, the JPEG decoy file appears to be a correspondence related to the “Proof of Digital Assets”. At the time of this analysis, X-Force was unable to retrieve the final payload from the servers as they have been taken down; therefore, it is uncertain whether these additional LNK files are related to ITG10 activity. Further research and analysis are needed to determine relevance and attribution.

Encoded PowerShell:

Decoded PowerShell:

tmp1698268529.vbs

GET requests:

Proof of digital assets JPEG

X-Force recommendations

Multiple lure documents uncovered in this campaign suggest ITG10 continues to target individuals and organizations involved in foreign policy, potentially related to shifts in the geopolitical and security environment on the Korean peninsula. IBM X-Force assesses with high confidence that individuals and organizations holding strategic, political, or military information in connection with the Korean peninsula will see elevated threats from the DPRK, given ITG10’s previous and recent activity.

Organizations that may be at elevated risk of targeting from ITG10 have the potential to decrease the risk to their organization by employing heightened vigilance toward potential phishing emails, warning employees of the phishing email threats, employing and closely monitoring endpoint detection and response (EDR) tools, and leveraging behavioral analytics to identify malicious behavior. We also recommend that potentially targeted organizations alert on the following indicators of compromise to detect behavior related to this campaign.

Indicators of compromise

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here: