Threat Trend Report on Operation Thumb King – Larva-24001 (Threat Group Newly Targeting Korean Corporations)
Overview
Operation Thumb King is a cyberthreat campaign that has been launching attacks against South Korea since May 2023. While the malware structure and file names resemble those of a previously known Chinese threat group, the specific group has not been ascertained, so it has been given the temporary name Larva-24001.
Although attacks using LNK files were found, the precise infection routes have not been confirmed in most cases.
The malware distribution method can be largely categorized into three types. The first type is where droppers drop normal EXE and malicious DLL files. The second type is where droppers drop normal EXE files, malicious DLLs, and encrypted files. The third type is where droppers drop additional bait documents as well.
When a normal EXE file is executed, it locates and loads the DLL file it depends on. The threat actor replaces that DLL so that either a malicious DLL or a DLL acting as a loader is loaded instead. The loader reads the encrypted file, decrypts it, and executes it in memory. Currently identified malware strains include Thukilector, which collects system information, and a custom Gh0stRAT backdoor, which executes commands remotely.
The Chorege malware strain which steals web browser login credentials was found in some infected systems.
Because many encrypted files remain unidentified, other types of malware are believed to be involved as well.
Operation Thumb King
1) Introduction
In early January 2024, a malware strain targeting organizations in South Korea was identified. While the basic malware structure was similar to that of a known Chinese-speaking threat group, the specific threat group could not be identified. ASEC tracked related malware strains, determined the campaign to be a new threat activity that has been ongoing in Korea since August 2023, and named it Operation Thumb King. Until a specific group is ascertained, it will be called Larva-24001.
2) Cases of Attacks
Confirmed attack targets are Korean government organizations and universities; in the remaining cases, the specific targets could not be identified.
| Date | Attack Target | Details |
|---|---|---|
| May 2023 | Unconfirmed Korean target | Unconfirmed attack target and method |
| May 2023 | Unconfirmed Korean target | Unconfirmed attack target and method |
| June 2023 | Unconfirmed Korean target | Unconfirmed attack target and method |
| Sep. 2023 | Korean university | Unconfirmed attack target and method |
| Dec. 2023 | Unconfirmed Korean target | Unconfirmed attack target and method |
| Jan. 2024 | Korean government agency | Attacked using malicious LNK files |

Table 1. Major attack cases
3) Disguised as Normal Program
Files are created in the following paths and disguised as normal programs.
| Path | Description |
|---|---|
| %ALLUSERSPROFILE%\Certenrollsecurity\certenroll.dll | Disguised as a Certenroll Security file |
| C:\Program Files (x86)\IPinside_LWS\I3GprocENU.dll<br>C:\Program Files (x86)\IPinside_LWS\I3GprocKOR.dat | Disguised as Interezen IPinside LWS Agent files |
| %ALLUSERSPROFILE%\iobitcrycloud\duser.dll<br>%ALLUSERSPROFILE%\iobitcrycloud\imfsbdll.dll | Disguised as IObit files |
| %ProgramFiles% (x86)\Samsung\Samsung DeX\swscale-5.dll | Disguised as a Samsung DeX file |
| %ALLUSERSPROFILE%\Truecutsecurity\imjputyc.dll<br>%ALLUSERSPROFILE%\Truecutsecurity\tc_prih.dll | Disguised as TrueCut Security files |
| %ALLUSERSPROFILE%\Raonwiz\Raon k\version.dll | Disguised as a RAONWiZ file |
| %ALLUSERSPROFILE%\damon\reportx\reportxsvc.enu.dll | |
| %ALLUSERSPROFILE%\SmadAVsecurity\smadhook32c.dll | Disguised as a SmadAV file |
| %ALLUSERSPROFILE%\Raonsecuremanager\nonelevateddll.dll | Disguised as a RaonSecure file |
| %ALLUSERSPROFILE%\ktcallmanager\nonelevateddll.dll | Disguised as a KTCall file |
| %ALLUSERSPROFILE%\Syntphelper\smadhook32c.dll | |

Table 2. The list of impersonated security programs
While the files are mostly disguised as Korean security programs, there is one case of a file being disguised as SmadAV, an Indonesian security product. In the past, a Chinese-speaking threat group disguised its malware file as SmadAV as well.
Some variants check the name of the process they are running in and terminate if it does not match the expected host. This is believed to be a way of evading analysis tools such as sandboxes.
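The side-loading layout described in the overview (a legitimate EXE that loads a replaced DLL, sometimes with an encrypted payload file beside it) and the file paths in Table 2 can be hunted for together from a file inventory. The Python script below is an added example, not code from the ASEC report: it matches inventory entries against the Table 2 paths and, independently, flags directories where a signed EXE sits beside an unsigned DLL, with an extra note when a non-PE data file (the encrypted payload of the B and C types) is also present. It assumes the default expansion of %ALLUSERSPROFILE% to C:\ProgramData, a `signed` flag supplied by whatever inventory tool collected the listing, and a constructed sample inventory whose EXE names are placeholders rather than names taken from the report.

```python
"""Hunt for Larva-24001 side-loading layouts in a file inventory (added example)."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# File paths exactly as listed in Table 2 of the report (%VAR% tokens as printed).
REPORT_PATHS = [
    r"%ALLUSERSPROFILE%\Certenrollsecurity\certenroll.dll",
    r"C:\Program Files (x86)\IPinside_LWS\I3GprocENU.dll",
    r"C:\Program Files (x86)\IPinside_LWS\I3GprocKOR.dat",
    r"%ALLUSERSPROFILE%\iobitcrycloud\duser.dll",
    r"%ALLUSERSPROFILE%\iobitcrycloud\imfsbdll.dll",
    r"%ProgramFiles% (x86)\Samsung\Samsung DeX\swscale-5.dll",
    r"%ALLUSERSPROFILE%\Truecutsecurity\imjputyc.dll",
    r"%ALLUSERSPROFILE%\Truecutsecurity\tc_prih.dll",
    r"%ALLUSERSPROFILE%\Raonwiz\Raon k\version.dll",
    r"%ALLUSERSPROFILE%\damon\reportx\reportxsvc.enu.dll",
    r"%ALLUSERSPROFILE%\SmadAVsecurity\smadhook32c.dll",
    r"%ALLUSERSPROFILE%\Raonsecuremanager\nonelevateddll.dll",
    r"%ALLUSERSPROFILE%\ktcallmanager\nonelevateddll.dll",
    r"%ALLUSERSPROFILE%\Syntphelper\smadhook32c.dll",
]

# Assumption: default Windows install layout for the environment tokens.
# "%ProgramFiles% (x86)" is kept because that is how the report prints the
# Samsung DeX path; longer tokens are listed first so they match first.
ENV_DEFAULTS = {
    "%ProgramFiles% (x86)": r"C:\Program Files (x86)",
    "%ProgramFiles(x86)%": r"C:\Program Files (x86)",
    "%ProgramFiles%": r"C:\Program Files",
    "%ALLUSERSPROFILE%": r"C:\ProgramData",
}


def normalize(path: str) -> str:
    """Expand a leading %VAR% token and lower-case the path for comparison."""
    for token, value in ENV_DEFAULTS.items():
        if path.lower().startswith(token.lower()):
            path = value + path[len(token):]
            break
    return path.lower()


KNOWN_PATHS = {normalize(p) for p in REPORT_PATHS}


def known_path(path: str) -> bool:
    """True if the path matches one of the report's Table 2 entries."""
    return normalize(path) in KNOWN_PATHS


@dataclass
class FileRecord:
    path: str
    signed: bool  # valid Authenticode signature, as reported by the inventory tool


@dataclass
class Finding:
    directory: str
    reasons: list


def hunt(records):
    """Group an inventory by directory and flag side-loading layouts."""
    by_dir = defaultdict(list)
    for rec in records:
        by_dir[ntpath.dirname(normalize(rec.path))].append(rec)

    findings = []
    for directory, files in by_dir.items():
        reasons = []
        hits = [f.path for f in files if known_path(f.path)]
        if hits:
            reasons.append("known Larva-24001 path: " + ", ".join(hits))
        signed_exe = [f for f in files if normalize(f.path).endswith(".exe") and f.signed]
        unsigned_dll = [f for f in files if normalize(f.path).endswith(".dll") and not f.signed]
        data_files = [f for f in files if normalize(f.path).endswith((".dat", ".bin", ".enc"))]
        if signed_exe and unsigned_dll:
            reasons.append("signed EXE beside unsigned DLL: " + ntpath.basename(unsigned_dll[0].path))
            if data_files:
                reasons.append("non-PE data file beside the pair (possible encrypted payload)")
        if reasons:
            findings.append(Finding(directory, reasons))
    return findings


# Constructed sample inventory; the EXE names are placeholders, not from the report.
SAMPLE_INVENTORY = [
    FileRecord(r"%ALLUSERSPROFILE%\Certenrollsecurity\updater.exe", True),
    FileRecord(r"%ALLUSERSPROFILE%\Certenrollsecurity\certenroll.dll", False),
    FileRecord(r"C:\Program Files (x86)\IPinside_LWS\agent.exe", True),
    FileRecord(r"C:\Program Files (x86)\IPinside_LWS\I3GprocENU.dll", False),
    FileRecord(r"C:\Program Files (x86)\IPinside_LWS\I3GprocKOR.dat", False),
    FileRecord(r"C:\Program Files\Vendor\app.exe", True),
    FileRecord(r"C:\Program Files\Vendor\helper.dll", True),
    FileRecord(r"C:\ProgramData\SomeTool\tool.exe", True),
    FileRecord(r"C:\ProgramData\SomeTool\plugin.dll", False),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_INVENTORY):
        print(finding.directory)
        for reason in finding.reasons:
            print("  -", reason)
```

The path match is exact after normalization, so it only confirms the report's indicators; the signed-EXE-beside-unsigned-DLL heuristic is what catches the same layout under a directory name not yet on the list, at the cost of some benign hits (the SomeTool directory in the sample) that need triage against the vendor's own install footprint.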
4) Attack Type
The precise attack method has not been confirmed. The droppers used in the 2023 attacks did not create bait document files, so those attacks may not have been delivered by email. On the other hand, the January 2024 attacks began with malicious LNK files disguised as document files and also created bait documents, so email delivery is likely in those cases.
The major attack types are as follows:
| Type | Date | Details |
|---|---|---|
| A Type | June 2023 | Droppers create normal EXE and malicious DLL files. |
| B Type | May – Dec. 2023 | Droppers create normal files, malicious DLLs, and encrypted files. |
| C Type | Jan. 2024 | Attacks using malicious LNK files. Droppers create normal files, malicious DLLs, encrypted files, and bait documents. |

Table 3. Timeline