Analysis Report on APT Attack Cases Using noMu Backdoor
AhnLab SEcurity intelligence Center (ASEC) has recently identified attack cases in which an unknown threat actor installed various remote control malware strains on the systems of Korean users. The threat actor used a range of reverse shells, backdoors, and VNC malware, and also used RDP for remote screen control. Some of the malware strains presumed to have been created by the threat actor include code that converts command output to Korean encoding, suggesting that the primary targets are Korean-speaking users.

Figure 1. noMu’s Korean encoding routine
The initial infiltration method has not been confirmed directly. In the attacks targeting individual users, the malware is suspected to have been delivered as an email attachment using spear phishing. There have also been cases where known vulnerabilities in IIS web servers and MS Exchange servers were exploited to install the malware.

Figure 2. Word document found on the malware distribution site
The malware strains used in the attacks include a reverse shell presumably created by the threat actor, a backdoor developed in Python named noMu, and the publicly available Chinese backdoor Fxfdoor. The remote control tools employed include AsyncRAT, TightVNC, Netcat, and AnyDesk. A proxy for RDP access and launcher malware responsible for executing the backdoors were also used.
Fxfdoor is also known to have been used in the past by a threat actor suspected to be part of the North Korean Kimsuky group, in a campaign that has targeted cryptocurrency exchanges and their users since early 2018; the details are covered in the “Operation Moneyholic” report. A distinctive feature of this malware is that it transmits the string “fxftest” when communicating with the C&C server.

Figure 3. The fxftest string used in the C&C communication process
The threat actor was able to gain control over infected systems using these malware tools. While the threat actor’s ultimate goal remains unclear, no ransomware or CoinMiner has been observed being installed afterward. Given the history of installing WebBrowserPassView to steal credentials stored in web browsers, and the general focus on controlling the infected systems, the purpose is suspected to be information exfiltration.
Table of contents of the full report:
Overview
Analysis of Attack Cases
1. Initial Infiltration Process
2. Analysis of Malware Used in the Attack
2.1. Remote Control Malware
2.2. Proxy
2.3. Launcher
3. Post Infection
3.1. Looking Up Information
3.2. Maintain Persistence
3.3. RDP Related
3.4. Information Theft
AhnLab Response Overview
Conclusion
Indicators of Compromise (IoCs)
Key File Names
File Hashes (MD5s)
Related Domains, URLs, and IP Addresses