APT Attacks Using PDF Files, Possibly by North Korea Related Group

Targeted attacks using PDF files have been confirmed, and a group related to North Korea appears to be behind them. The attack group is thought to be either Kimsuky or Thallium, although it might be another group mimicking those two. The attack itself has already been reported in the press; this post additionally reveals previously undisclosed IOCs and analysis details, such as the environment the exploit requires.

The attacker used PDF files as bait. Each malicious PDF embeds JavaScript that, when processed by a vulnerable Adobe Acrobat installation, triggers the use-after-free vulnerability CVE-2020-9715. The script then loads and runs a malicious EXE (files 2 and 4) directly in memory, without writing it to disk. Adobe has since released a security update for this vulnerability, but users running unpatched Adobe Acrobat remain exploitable.

A total of 7 malicious PDF document files were found. Setting aside those used for vulnerability testing (PoC), the 4 files that were probably used in the actual attack are files 1, 3, 11, and 12. Because all of them contain content related to South and North Korea relations, the attacker is assumed to have targeted individuals or organizations working in that field. Attacks exploiting PDF files have rarely appeared in previous targeted attacks by this group, so this can be seen as a new attack method.

Additionally, 3 malicious DLL files were found (files 8, 9, and 10) whose distribution paths could not be clearly identified. Their functionality is extremely close to that of the EXE files (files 2 and 4), but their file type and distribution form differ. They may have been distributed through PDF files that have not yet been discovered, or through other paths.

Number | Filename (details)                                                                                                                  | File Type
------ | ----------------------------------------------------------------------------------------------------------------------------------- | ---------
1      | 4th AMP Guide.pdf                                                                                                                   | PDF File
2      | None (fileless)                                                                                                                     | EXE File
3      | Details related to Debate on Consent of National Assembly for Inter-Korean Summits and Establishing Peace System on Korean Peninsula | PDF File
4      | None (fileless)                                                                                                                     | EXE File
5      | Adobe DC Manual Details                                                                                                             | PDF File
6      | Adobe DC Manual Details                                                                                                             | PDF File
7      | Adobe DC Manual Details                                                                                                             | PDF File
8      | ccom1.down                                                                                                                          | DLL File
9      | ccom2.down                                                                                                                          | DLL File
10     | ccom3.down                                                                                                                          | DLL File
11     | Interview Questionaire-Eunyol Choi (Korean).pdf                                                                                     | PDF File
12     | 05_64_1A Yeonbong Jung Critical Analysis on ROK Defense Reform Utilizing Evolving Management Theories.pdf (file not collected)      | PDF File

PDF Document Files

Files 1, 3, 11, and 12 are the malicious PDF files used in the attack. Neither their distribution paths nor their targets were identified. Since all of them contain content related to South and North Korea relations, the attacker is assumed to have targeted individuals or organizations working in that field. It also appears that the attacker took genuine documents found online and added the malicious code to them.

The 3 malicious PDF files that appear to have been used for vulnerability testing (PoC) are built on the Adobe DC manual as the original document. Since the embedded JavaScript and the payload it ultimately runs amount to nothing more than launching the Windows calculator, they are considered test files. They were uploaded to VirusTotal in May 2021, so the attacker may have been preparing the attack from that point.

Looking at the objects inside the PDF file, there is a JavaScript object. The attacker exploited CVE-2020-9715, which is triggered when an unpatched Adobe Acrobat processes this JavaScript object. The exploit code calls the API ‘this.createDataObject’, which is not supported by the free Acrobat Reader that most people use, only by paid products such as Acrobat Pro DC. This suggests the group knew its targets use the paid product and deliberately built the exploit to work only there; on the free Reader the call simply fails and the exploit does not run.


this.createDataObject("abname","qwer");

The JavaScript code embedded in files 1 and 3 consists of scripts of similar size, obfuscated in an almost identical way. The code decodes its encoded strings at runtime and, as its final step, runs the malicious EXE file in memory: file 1 executes file 2, and file 3 executes file 4.

PE Executable – EXE File

The EXE file launched from the PDF and run in memory was built with Microsoft Visual C++. Its main function is to contact an external C&C URL, download a file under a fixed filename, and run it; in other words, it is a downloader for additional payloads. Because the URLs were no longer responding at the time of analysis, the team could not determine what files were being downloaded.

Number 2 EXE file
Accesses http://tksRpdl.atwebpages.com/ccom2/download.php?filename=ccom2
Downloads a file as %AppData%\adobe\AdobeAdv.dll

Number 4 EXE file
Accesses http://dktkglrkshqhfn.atwebpages.com/ccom2/download.php?filename=ccom2
Downloads a file as %Appdata%\$tmp~1\window

PE Executable – DLL File

There were also 3 malicious DLL files for which it is uncertain whether they were distributed together with PDF files. They may have been delivered through PDF files that have not yet been discovered, or through separate paths. Still, since they were found in the same period as the other files and perform nearly the same function as the EXE files, all of these files appear to be related.

The DLL files share one trait: instead of being complete PE executables, they are stored as binaries XOR-encoded with the single-byte key 0xFE. The component that decodes them was not found, nor was the process that loads the decoded DLL and calls its export function ‘FirstFunction’. In addition, the attacker packed the code with the VMProtect protector to hinder analysis.
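The following triage script is an added example and not AhnLab's tooling. It shows how an analyst would confirm that a blob like ccom1.down is a single-byte XOR-encoded PE: the key is derived from the assumption that the first plaintext byte is 'M' (from the 'MZ' stub), then verified by checking that e_lfanew points at a 'PE\0\0' signature, which rules out accidental matches. The sample blob is constructed inside the script so it runs offline; it is not one of the real ccom*.down files, and the export-name strings are simply embedded rather than placed in a real export table.

```python
"""Triage helper for XOR-encoded PE blobs such as the ccomN.down files.

Added example, not AhnLab's tooling. The sample payload is constructed
below so the script runs offline; it is not one of the real samples.
"""
import re
import struct

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag


def xor_decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_single_byte_xor_key(blob: bytes):
    """Assume a single-byte XOR key and a PE plaintext: the key must map the
    first byte to 'M'. Verify the guess by decoding and checking the PE
    signature, so a random blob does not yield a bogus key."""
    if not blob:
        return None
    key = blob[0] ^ ord("M")
    return key if looks_like_pe(xor_decode(blob, key)) else None


def is_dll(pe: bytes) -> bool:
    """Read IMAGE_FILE_HEADER.Characteristics (18 bytes into the file header,
    which follows the 4-byte PE signature) and test the DLL flag."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    characteristics = struct.unpack_from("<H", pe, e_lfanew + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def ascii_strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs; enough to spot export names like FirstFunction."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(blob: bytes) -> dict:
    key = recover_single_byte_xor_key(blob)
    if key is None:
        return {"key": None}
    pe = xor_decode(blob, key)
    return {"key": key, "is_dll": is_dll(pe), "strings": ascii_strings(pe)}


def build_sample_dll() -> bytes:
    """Constructed stand-in: MZ stub, PE signature, a FILE_HEADER with the DLL
    flag set, and the names seen in the real samples' export table."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    dos += b"\0" * (e_lfanew - len(dos))
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, IMAGE_FILE_DLL)
    pe = bytes(dos) + b"PE\0\0" + file_header + b"\0" * 0xE0
    return pe + b"Tran_dll.dll\0FirstFunction\0"


# Constructed blob playing the role of ccom1.down: the sample DLL XOR 0xFE.
SAMPLE_BLOB = xor_decode(build_sample_dll(), 0xFE)

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

On a real sample, run triage() on the raw .down file; a recovered key of 0xFE plus the DLL flag and the export names in the string list is the quick confirmation that the file matches this family before spending time on the VMProtect layer.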

Like the EXE files, the DLLs contact an external C&C URL, download a file under a fixed filename, and run it; they too are downloaders for additional payloads. Because the URLs were no longer responding at the time of analysis, the team could not determine what files were being downloaded.

Number 8 DLL File – Filename ccom1.down
Accesses http://dkekftks.atwebpages.com/ccom1/post.php
Accesses http://dkekftks.atwebpages.com/ccom1/download.php?filename=ccom1
Downloads a file as %AppData%\window\tmp~223\SecAv.dll

Number 9 DLL File – Filename ccom2.down
Accesses http://tktlal2.atwebpages.com/ccom2/post.php
Accesses http://tktlal2.atwebpages.com/ccom2/download.php?filename=ccom2
Downloads a file as %AppData%\window\tmp~897\SecAv.dll

Number 10 DLL File – Filename ccom3.down
Accesses http://tktlal3.atwebpages.com/ccom3/post.php
Accesses http://tktlal3.atwebpages.com/ccom3/download.php?filename=ccom3
Downloads a file as %AppData%\window\tmp~897\SecAv.dll
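Both the EXE and the DLL downloaders follow the same C&C URL shape: a host under atwebpages.com, a ccomN directory, and a post.php or download.php endpoint with a filename parameter repeating the ccomN token. The script below is an added example (not AhnLab's detection content) that turns that shape into a check over proxy logs. The log format and every log line are constructed for the example; the URL pattern is the one listed above.

```python
"""Proxy-log check for the ccomN download.php / post.php C&C pattern.

Added example, not AhnLab's detection logic. Log lines are constructed;
the URL shape comes from the samples described in the post.
"""
import re
from urllib.parse import parse_qs, urlsplit

# atwebpages.com is a shared free-hosting domain, so the host alone is too
# noisy to alert on; the ccomN directory plus endpoint is what is distinctive.
C2_URL_RE = re.compile(
    r"^https?://[a-z0-9.-]+\.atwebpages\.com/(ccom\d+)/(download|post)\.php",
    re.IGNORECASE,
)


def classify_url(url: str):
    """Return match details for a C&C-shaped URL, or None for anything else."""
    m = C2_URL_RE.match(url)
    if not m:
        return None
    dirname, endpoint = m.group(1).lower(), m.group(2).lower()
    filename = parse_qs(urlsplit(url).query).get("filename", [None])[0]
    # All observed download URLs reuse the directory token as the filename
    # parameter; record whether this hit does too (post.php has no parameter).
    consistent = endpoint == "post" or (filename is not None and filename.lower() == dirname)
    return {"dir": dirname, "endpoint": endpoint, "filename": filename, "consistent": consistent}


def scan_log(lines):
    """Constructed format: '<timestamp> <client-ip> <url> <status>' per line."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        info = classify_url(parts[2])
        if info:
            hits.append({"ts": parts[0], "client": parts[1], "url": parts[2], **info})
    return hits


# Constructed sample log: three lines matching the pattern, two benign ones.
SAMPLE_LOG = [
    "2021-08-03T10:15:02Z 10.0.0.5 http://tktlal2.atwebpages.com/ccom2/post.php 200",
    "2021-08-03T10:15:03Z 10.0.0.5 http://tktlal2.atwebpages.com/ccom2/download.php?filename=ccom2 200",
    "2021-08-03T10:16:40Z 10.0.0.9 http://dkekftks.atwebpages.com/ccom1/download.php?filename=ccom1 404",
    "2021-08-03T10:17:00Z 10.0.0.5 http://someone.atwebpages.com/index.html 200",
    "2021-08-03T10:17:05Z 10.0.0.5 https://www.adobe.com/acrobat.html 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 404 on download.php (as in the third constructed line) is still worth an alert: the post notes the C&C URLs were already dead during analysis, so a beacon to this path from an internal host indicates the in-memory downloader ran even if nothing came back.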

Background on Attack Group Assumption

AhnLab assesses that the group behind this attack is related to North Korea. The attack group is thought to be either Kimsuky or Thallium, although it might be another group mimicking those two. The reasons for this assessment are as follows.

  1. A full review of previously seen malicious DLLs that use the export DLL name ‘Tran_dll.dll’ and the export function name ‘FirstFunction’ shows that the code style matches that of the same author or group.
  2. Those earlier malicious files have been attributed to either Kimsuky or Thallium.
  3. The C&C method using atwebpages.com hosts, and the pattern of C&C access, resembles that of previously known activity by Kimsuky or Thallium.

Detection and IOC Info

File Detection
Exploit/PDF.FakeDocu (2021.08.03.03)
Exploit/PDF.FakeDocu.S1627 (2021.08.06.03)
Exploit/PDF.FakeDocu.S1628 (2021.08.06.03)
Trojan/BIN.EncPE (2021.08.03.03)
Trojan/Win.Agent (2021.08.03.03)
Trojan/Win.Akdoor (2021.08.04.00)

Behavior Detection
Fileless/MDP.Thallium.M3808 (2021.08.06.03)
Exploit/MDP.CVE-2020-9715.M3809 (2021.08.06.03)

Relevant IoC
70294ac8b61bfb936334bcb6e6e8cc50
ffe39eb91e0247fb13bd8fd8152f61a3
de2a8a728f81d44562bfd3e91c95f002
df2ea74328ad43c4225cb6c8aa56f340
a0c7e9dc69e439cb431e6dea9f0d5930
a67b0c89812e9517178b8581ff830a38
906b43cb893e0a57404c8f17085a1f24
be4daa6400a6e417270e17b67a44ca97
aa5a3f19e5f7d15b6af37a4f2c8215ee
8b1606f4f2df5d95e00411b4057b3da1
29b28e79d86e4395e223d44d60b14ff4
c9c7d70174e8be8b2cebfeb125be2672
b31aaabc8b39f2854ace7680b34322fe
http://tksRpdl.atwebpages.com
http://dktkglrkshqhfn.atwebpages.com
http://dkekftks.atwebpages.com
http://tktlal2.atwebpages.com
http://tktlal3.atwebpages.com
hxxp://rhwkdlaktm[.]atwebpages[.]com

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
