"Academic Conference Proceedings Sent" Email Found to Be North Korean-Linked Hacking Attempt
Disguised as a PDF Document... Malicious Code Runs Stealthily
Suspected to Be the Work of North Korean-Backed Hacking Group 'APT37'
A hacking attack targeting researchers by impersonating an email containing academic conference proceedings has been discovered. The attack method involves malicious code being secretly executed when researchers attempt to view the actual proceedings. Analysts believe it is highly likely that this attack was orchestrated by 'APT37', a North Korean-backed hacking group.
According to Genian Security Center on July 13, there was recent evidence that an attacker, presumed to be APT37, distributed a variant of the remote access trojan (RokRAT) malware.
Case of phishing attack disguised as an email containing academic conference proceedings. Genians Security Center
View original imageThe center explained that on June 22, the attacker sent emails with the subject "Why Wonsan-Kalma Tourism Now?" to individuals working in research, policy, and academic fields. The email claimed to provide the proceedings from an academic conference of the same name held at COEX in Seoul on June 12. The email misused the event’s actual name and the host organization’s information, and disguised the sender to appear as a company in the unification sector.
The email included a download link that appeared to be a PDF document. Clicking the link downloaded an ISO image file, inside which was an executable file disguised to look like a PDF document. When executed, the file displayed a genuine-looking academic conference proceedings document on the screen, while simultaneously running malicious code.
This malware operates inside legitimate processes without creating separate malicious processes, making it difficult for users to detect the infection. It is also able to evade detection by certain security products.
The final payload was confirmed as a variant of RokRAT. RokRAT is a type of malware frequently used by APT37, capable of stealing information from infected systems and executing remote commands. This new variant is designed to evade network monitoring systems as well.
Genian Security Center assessed that this attack was highly likely carried out by APT37, citing the reuse of the same accounts and high similarity in code structure and other characteristics with previous APT37 attacks.
Genian Security Center stated, "By combining social engineering techniques that exploit real academic event information with a multi-stage payload structure, the attack’s ability to evade detection has been further enhanced." They added, "In addition to detection based on Indicators of Compromise (IoC), a behavior-based response system should be established that links all stages of the attack, including spear-phishing and cloud-based communications, for more comprehensive detection."
Hot Picks Today
Report That Accurately Predicted KOSPI's 20% Plunge Now Says "Buy Now... Path to 11,450 Points Opens"
- Korean YouTuber Shocked by Unexpected Price Difference at Japanese Restaurant
- Hyundai Motor Union Launches Strike for Second Consecutive Year: "Partial Production Disruptions Across All Models"
- "You Could Die Trying to Buy Clothes"... Record-Breaking 'Killer Heatwave' Forces Uniqlo to Close Stores
- "Why the World Should Learn from Korea: Why Foreigners Are Impressed by Riding the Subway"
An attack case impersonating an email containing academic conference proceedings. Appearance. Security Center
View original image© The Asia Business Daily. All rights reserved. Unauthorized AI training and use prohibited.