Thursday 5 October 16:30 - 17:00, Green room
Sebin Lee, Sojun Ryu, Hyeokju Gwon & Youngjae Shin (S2W)
Scarcruft Group (a.k.a. APT37), a North Korean APT group, is believed to have been active since 2016 and continues to carry out attacks against institutions and political organizations around the world. In April 2017, the Cisco Talos team disclosed the group's proprietary tool ROKRAT, a malware family that the group has continuously modified and used to this day. Initially only a Windows version of ROKRAT was observed, but an Android version of the malware was later identified.
According to a report published by the Financial Security Institute, the Scarcruft group conducted an attack in mid-2017 that distributed a mobile version of ROKRAT to specific devices through a watering hole attack.
While following the Scarcruft group's trail, Talon, S2W's threat research and intelligence centre, identified additional samples with functionality similar to the malicious APKs published in 2017; unlike those earlier samples, however, the newer ones have added the ability to use messaging services. We also found that these APKs have been continuously updated to the present day. S2W Talon named the malicious APKs "Cumulus" and the plugin modules used by Cumulus "Clugin".
We classified Cumulus samples into three types, based on whether or not Clugin is downloaded and on the type of messaging service used. We will describe how the malware behaves for each type and present our analysis of the latest Cumulus and Clugin samples, including the strategies the group has introduced to target Chinese mobile devices.
During our analysis, we were able to obtain data from the cloud service used by the attacker, exposed through the attacker's own mistakes (an OPSEC failure). By analysing the attacker's test device and the test data stored on the cloud service, we obtained the latest version of the Clugin malware, which had not been publicly available. We also identified artifacts such as the attacker's IP address and the test cases used for distribution. The data includes conversations with victims and the guidance used to lead them to install the malicious APK.
We believe that the IoCs and TTPs of the Scarcruft group's Android malware provided in this presentation can be used to prevent possible threats, and can serve as artifacts for attributing attackers in similar future cases.
Sebin Lee graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2018, and holds a Master's degree in information security from Soonchunhyang University in Korea. Sebin worked at AhnLab for two years, analysing malware and vulnerabilities. Recently, Sebin has been focusing on threat intelligence at TALON, S2W.
Sojun Ryu graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree in information security from Sungkyunkwan University in Korea. Sojun worked at KrCERT/CC for seven years, analysing malware and responding to incidents, and is one of the authors of "Operation Bookcodes", published by KrCERT/CC in 2020. Recently, Sojun has been focusing on threat intelligence by expanding to DDW and cybercrime as well as APT at TALON, S2W.
Hyeokju Gwon graduated from the Department of Cyber Security at Ajou University and currently attends the same university's graduate school. He has reached the finals of international CTFs such as DEF CON, Trend Micro CTF and CodeGate. While working at Stealian and Enki, he performed tasks such as vulnerability analysis, pentesting, malware analysis and running CTFs. Currently, as a senior researcher in the BLKSMITH team of TALON, the CTI Center of S2W, he analyses malware such as ransomware, botnets and stealers, as well as vulnerabilities used in the distribution of malware.
Youngjae Shin completed the 10th Best of the Best (BoB), a next-generation security leader training program hosted by the Korea Information Technology Research Institute (KITRI), in 2022, and holds a Bachelor's degree in information security from Soonchunhyang University. Youngjae has experience in analysing Windows and Android malware, and is currently researching voice phishing malware and tracking North Korean APT groups at S2W TALON.