Friday 30 September 2022, 11:30 - 12:00
Tae-woo Lee (Korea Internet & Security Agency (KrCert/CC))
Dongwook Kim (Korea Internet & Security Agency (KrCert/CC))
Seulgi Lee (Korea Internet & Security Agency (KrCert/CC))
The Korea Internet & Security Agency (KISA) has been investigating a range of security incidents aimed at exfiltrating personal data. In the process, we captured information-collection activity targeting people living in South Korea that appears to be the work of ScarCruft.
We carried out a detailed analysis of the security incidents believed to be ScarCruft attacks. The activity continued from 2021 into the first quarter of 2022.
This campaign was characterized by attacks on personal devices (PCs and mobile phones) to collect information about individuals' personal activities, rather than corporate information or money.
For initial access, the attacker delivers a spear-phishing email with a malicious Word document attached. When the document is opened, it downloads the next-stage payload from a remote server, and the downloaded code executes PowerShell malware on the victim's system.
This PowerShell malware gave the attacker remote control of the victim's system. Alongside it, Windows malware built for information gathering was also used in this attack: it periodically captured the victim's screen and delivered the screenshots to the attacker's server.
The attacker's C2 servers were hosted on the domains of compromised Korean companies.
We were able to obtain and investigate a server the attacker was using.
During this process, we identified the attacker's malicious artifacts on that server, including webshells, command-and-control code and exfiltrated information.
In this presentation, we will share when this operation began, how the incident investigation was carried out, and what artifacts were found. Based on the analysis results, we will also describe the attacker's tactics, techniques and procedures (TTPs), covering both the intrusion method and the information-gathering method used in the operation.
Tae-woo Lee is in charge of malware analysis and incident response (IR) at the Korea Internet Security Center (KISC) of the Korea Internet & Security Agency (KISA). Before joining KISA, he was a malware analyst at an anti-virus company in Korea. Currently, he is researching the groups behind attacks such as ransomware, supply chain attacks and information leakage that threaten cybersecurity in Korea. In particular, he is interested in research on preventing cyberattacks by Korean-speaking attacker groups.
Dongwook Kim has been working for the Korea Internet & Security Agency since 2013 as a computer incident analyst. His team has extensive experience in internet security incident response (supply chain attacks, cryptocurrency exchange hacks and so on). Recently, he has been tracking and analysing specific hacking groups targeting Korea.
Seulgi Lee is currently a malware analyst at the Korea Internet & Security Agency. Starting in 2012, he spent seven years in the R&D department carrying out research into cybersecurity topics such as cyber threat intelligence and SIEM. Since moving to KrCERT/CC, he has been analysing threats targeting Korea and sharing insights from the results to prevent incidents and minimize damage in Korea.