The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)
In early January 2019, an email containing malware was distributed to 77 reporters covering topics related to the Unification Ministry of South Korea. We analysed these malware and identified them as malware used by SectorA05, and we confirm that they have been using a specific C2 server with a Korean domain name using Japanese IP address for at least 27 months continuously.
In addition to these phishing attacks containing malware, phishing attacks were also used to steal email account information. These attacks mainly targeted South Korean government personnel such as employees from the central government, unification ministry, diplomacy, and defense. Recently, they have also expanded their targets to include cryptocurrency exchanges and individual users.
Their main purpose is to capture government confidential information and achieve monetary gain through stealing cryptocurrencies such as Ethereum and Bitcoin. We decided to group these wave of attacks under what we call “Operation Kitty Phishing”. Their attacks have been ongoing on a daily basis, and what we have discovered so far only appears to be the tip of the iceberg.
January 2019 Unification Reporters Attack
On January 7th, 2019, an email containing malware was distributed to 77 reporters who cover topics related to the Unification Ministry of South Korea using the email subject “RE: TF 참고자료”. A “TF 참고.zip” attachment had a password set and the password was sent along with the body of the email. The word “비번” in the body of the email is a slang word is used mainly by South Koreans, so these hackers are proficient in South Korean.
The zip attachment consists of two normal document files and a piece of executable malware disguised using a Hangul Word Processor (HWP) document icon with a lot of spaces in the filename so that the “.exe” extension is not visible to the user, thereby inducing file execution. When the malware is executed as an SFX (self-extracting archive) file type, it decompresses one normal Hangul Word Processor (HWP) document, “2.wsf” and “3.wsf”. What is unique about this is that it uses two different RATs. The first RAT is a DLL downloaded via “2.wsf” and the second RAT is the script-based “3.wsf” file. Even if one of them are detected, the other one gets used.
A. DLL-based RAT (downloaded by ‘2.wsf’)
The purpose of the “2.wsf” script is to download and run the BASE64 encoded “Freedom.dll” malware.
The malware spreads using a Google Drive URL in the “2.wsf” script. The URL of the C2 server is stored in Google Drive, and the C2 URL at the time of analysis was “hxxp://my-homework.890m[.]com/bbs/data/”.
“2.wsf” sends a progress log to the C2 server by the progress step so that the hacker can check the progress of each target user.
|hxxp://my-homework.890m[.]com/bbs/data/board.php?v=a||Finished getting C2 URL|
|hxxp://my-homework.890m[.]com/bbs/data/board.php?v=b||The file name to be saved has been created|
|hxxp://my-homework.890m[.]com/bbs/data/board.php?v=c||The brave.ct file has been downloaded.|
|hxxp://my-homework.890m[.]com/bbs/data/board.php?v=e||Decoded and saved as Freedom.dll|
|hxxp://my-homework.890m[.]com/bbs/data/board.php?v=f||Executed the Freedom.dll file.|
The file downloaded via “2.wsf” is “Freedom.dll”. This file uses Google Drive to get the address of the C2 server, but if it cannot connect to the C2 server or Google Drive, it uses “ago2[.]co[.]kr” as the C2 by default. This C2 server using a Korean Top Level Domain with a Japanese IP address is an important clue to track them.
This “Freedom.dll” file is designed to act as a downloader and has the following roles:
- Check whether OS is 32-bit or 64-bit. If it is a 64bit OS, download and decrypt 64-bit malware (ahnlab.cab) then execute it.
- It periodically sends infection information to the C2 server using the server relative path “/bbs/data/tmp/Ping.php?WORD=com_[MAC Address]&NOTE=[Windows Version]”
- If the hacker uploads additional malware for a specific user, download “Cobra_[MAC Address]” file from C2 and decrypt the “Cobra_[MAC Address]” file then run Cobra.dll.
- “/bbs/data/tmp/D.php?file=Cobra_[MAC Address]” is used to delete files from the C2 server.
- DLL injection to explorer.exe
The “Freedom.dll” file uses a XOR Table to download and decrypt additional encrypted malware hosted on the C2 server. The XOR Table values used is ”
B20A82932F459278D44058ADBF3113FB56C1D749947D0FE00FE0ABC84BC8A02B” and this XOR Table has also been used in previous attacks of same hacker organization. More information about this XOR table is covered later in this post.
Depending on the target user, the hacker also selectively sends additional malware binaries under the file name “Cobra_[MAC Address]” which steals user information. This helps them ensure that their more valuable malware is kept only for victims they are interested in.
These additional malware binaries are covered later in this post.
B. Script-based RAT (“3.wsf”)
The “3.wsf” script is a script-based RAT. Unlike other malicious WSF (Windows Script File) scripts, it has its own RAT function and registers itself in the “RUN” registry with an “AhnLab V4” value to the persistent mechanism. AhnLab is a Korean local security vendor.
“3.wsf” downloads the C2 server’s URL from Google Drive.
|hxxp://my-homework.890m[.]com/gnu/ver||Version Check / Update|
|hxxp://my-homework.890m[.]com/gnu/board.php?m=MAC_ADDR&v=VERSION|TIMEOUT||Get C2 command|
The kinds of commands that the attacker makes through the C2 server are as follows.
[C2 command processing logic included in ‘3.wsf’ RAT]
|C2 Control Code||Description|
|download||Download file from C2 server|
|upload||Upload file to C2 server|
|update||Update the “3.wsf” file|
|interval||Change execution cycle (Default value 3 minutes)|
A look at their past
We analyzed the above malware and identified them as SectorA05. Below is a look at their activities and attack methods based on the information from their malware.
Phishing Method of SectorA05 (Initial attack stage)
SectorA05 uses two methods of phishing for gaining initial access. First, phishing attacks to steal passwords of victim e-mail accounts and second, phishing attacks with malware attached to steal information of victim PCs.
A. Phishing attacks that steal passwords of email accounts
They create a phishing site similar to one that the target user uses and sends it to the target. They often mislead the victim using a security-related problem, such as a password reset request, to entice the target user to enter a password.
B. Malware attachment attacks
Malware is delivered via a variety of email attachments – script files, vulnerabilities in HWP documents, and renamed “EXE” executables looking like ordinary documents. These files are usually delivered as compressed files.
(1) Using script files
“WSF” and “VBS” script files are compressed into a single archive, which induces the user to execute the script file in the compressed file. The scripts used in the actual attack are as follows.
- “정보보고.wsf” (Jan 2018)
- “공지사항.png.vbs” (July 2018)
(2) Vulnerabilities in HWP documents
Using vulnerabilities in the HWP software which is widely used in Korea, malware can be executed when the target user views this document which was attached to the email. The HWP file used in the actual attack is as follows.
- “종전선언.hwp” (May 2018)
(3) Executables looking like normal documents
The attacker inserts a lot of spaces in the filename to make the extension of the executable file such as “.exe” or “.scr” to be hidden from the user and misleads them into thinking the executable files are normal document files. The files used in the actual attack are as follows.
- “미디어 권력이동⑥-넷플렉스, 유튜브.hwp [many space] .exe” ( Jan 2019)
- “중국-연구자료.hwp [many space] .scr” (Jan 2019)
Use of Google Drive
SectorA05 used Google Drive as a way to supply malware. Malware binaries, C2 domain information necessary for normal malware operations, and malware configuration files were all uploaded to Google Drive with accounts they created. These binaries will be downloaded through a script executed by the victim during the initial infection, with additional configuration or customized malware downloaded as well afterward. Using Google Drive also allowed them to bypass network security devices which would typically ignore Google services as a white-listed domain.
Here is a screenshot of Google Drive used by them.
The Google Drive URLs identified as used by the organization are:
Gmail Phishing attacks
SectorA05 conducted phishing attacks for each target user’s email service. They used phishing attacks on users who were using Korea’s leading e-mail services and Google’s Gmail service. Through these phishing attacks, they wanted to get the password of the target user account. Here’s a look at some examples of Gmail phishing attacks.
The following screenshot shows phishing emails disguised as being sent from Gmail’s security team. It is actually sent to a specific target user by a hacker in SectorA05. It requests the target user to protect their email account because there was some unusual activity which does not seem to have been performed by the target user – if the link is clicked, the target user is directed to the phishing login site where the target user’s password will be transferred to the attacker’s server if they enter their password and “protect” their account.
[Examples of Gmail phishing mail]
SectorA05 has been using phishing attacks for many years. The phishing email information they used are as follows.
A. Phishing Mail Sender Email Address
They created email addresses that confused victims by using security-related keywords such as protect, privacy, and security.
B. Phishing Mail Subject
Phishing email subject lines used were primarily focused on email security – sending emails in the subject related to topics such as email hijackings, login attempts, security status, recovery emails, and password resetting, to convince victims to verify account information.
- “[경고] 구글은 귀하의 비밀번호를 이용해 계정에 접근하려는 수상한 로그인 시도를 차단했습니다.”
- “[경고] 누군가가 내 계정에 접근하려는 로그인 시도를 차단했습니다. 즉시 보호상태를 확인하세요.”
- “[경고] 누군가가 내 비밀번호를 이용해 계정에 접근하려는 시도가 있었습니다”
- “[중요] 누군가가 내 계정에 접근하려는 시도를 차단했습니다.”
- “[중요] 즉시 보안상태를 확인하세요.”
- “누군가가 내 이메일 주소를 복구 이메일로 추가했습니다”
- “비밀번호 재설정 요청이 접수되었습니다.”
- “연결된 Google 계정 관련 보안 경고”
The next part is translated into English.
- “[WARNING] Google has blocked suspicious sign-in attempts to access your account using your password.”
- “[WARNING] Someone has blocked sign-in attempts to access your account. Please check the protection immediately.”
- “[WARNING] Someone tried to access your account using my password”
- “[IMPORTANT] Someone has blocked an attempt to access your account.”
- “[IMPORTANT] Check your security status immediately.”
- “Someone added my email address as a recovery email”
- “Your password reset request has been received.”
- “Security warnings associated with linked Google Accounts”
C. Phishing Server Domain Address
The sub-domain name of the phishing page was also made to try to confuse the target user by using names similar to the target user’s email provider, such as using “qooqle” instead of “google”.
- hxxp://myaccounnts-goggle[.] esy[.]es
Domains used as phishing servers were used not only for phishing but also for servers that distributed malware and servers that collected information from the victims.
In January 2019, the malware distributed to the reporters downloaded files which obtained C2 information from Google Drive. The hacker’s Google Drive account is “countine[.]protector[.]mail@gmail[.]com”. This email account was also used for Gmail phishing attacks in September 2017 which asked for a password reset. This is an example of one of the Gmail accounts they create and use for both phishing and hosting Google Drive malware content.
Building a nest in ‘Agora’
“Agora” was an open meeting place in ancient Greek cities. In one of South Korea’s famous portal sites, the name “Agora” was used as an online space for articles and public discussion. A similar site called “Agora 2.0” was created to mimic this but had been neglected for a long time. The site has a domain called “ago2[.]co[.]kr” and has a Japanese IP address.
[Description of the site ‘Agora 2.0’]
SectorA05 hacked the “ago2[.]co[.]kr” server and used it as a C2 server. In January 2019, malware distributed to the reporters used “ago2[.]co[.]kr” as one of the C2 servers. As we continued investigating, we found that the server has been used as a malicious C2 server for at least 27 months. For example, the malware hash “2a25d42130837560fcff1e1e19264f05784bf9e9db6464afb15d7e26f7f4a433” used “ago2[.]co[.]kr” as a C2 server in “Operation Kitty Phishing” in November 4th, 2016.
Thus, they have built an illegitimate nest at “ago2[.]co[.]kr” and have used it as C2 for more than 27 months since at least 2016. In 2017 and 2018, malware from SectorA05 was still using that domain as a C2 server.
The Constant XOR Table
SectorA05 uploads encrypted malware to their C2 server, and the existing malware decrypts it with a XOR Table and then executes it. As we tracked usage of this XOR Table, we confirmed that malware using the same XOR table was used for the attack in June 2017. There are two kinds of XOR tables used as follows.
[January 7, 2019 XOR Decode function used in malware against reporters]
“Case A” refers to the group of malware samples used to attack the reporters, and this XOR Table was already in use in 2017.
|Case||HASH (SHA256)||Timestamp (UTC+9)||XOR Table|
|2017-06-02 10: 09:19||051BC852ED4D1E4BD44030D6BF3187D0
Here, Kitty, Kitty!
After initial infection, SectorA05 performs reconnaissance first, such as taking the entire file list of the target user. If the target user has important information related to the Korean government or information related to cryptocurrency, they send additional malware and continuously monitor and collect information.
Additional malware we collected includes screen capture, keylogger, and Chrome Browser Password Stealer.
A. Screen Capture Module
This module periodically captures the victim screen, compresses it, and then sends it to a specific folder on the C2 server. An example of the file name to be transmitted is “[MAC Address]_imgscr_20190124_235450161”.
(SHA256 : 98e1cc1b96b420ece848a2b43a0c1ae0b5f9356a11227fca181ada95435d2c63)
[Code to capture screen]
B. Keylogger Module
This module periodically sends user’s keystrokes together with the window name of the program keystrokes were entered into to the hacker.
(SHA256 : 71841a1b5ee1b383a9282bf513723b7f1713a0e1ee501db38d64c2db9ba08ec4)
[Code to store the victim’s keyboard input value]
[Keylogging information sent to the C2 server]
C. Chrome Browser Password Stealer Module
This module steals information from the Chrome Browser and sees the value of the cookie and login data file in the “\AppData\Local\Google\Chrome\User Data\Default\”.
(SHA256 : 08ac5048e86d368eea55d55781659dc54070debc9d117ed0a5ca8edd499fe1f8)
[Code to steal cookies from Chrome Browser]
In some cases, by identifying the user name of the victim PC during the initial infection, the additional malware sent is compiled on a per victim basis. For example, the malware might make use of a fixed username and only steal information related to that specific user.
[Code to steal the login data of CEO user’s Chrome Browser]
Stealing Coins – a personal purpose or a nation state goal?
As we watched SectorA05’s theft activity, we realized that they divided their targets into two classes. The purpose of targeting the first target class was to steal information from South Korean government officials and the purpose of targeting the second target class was to steal cryptocurrency. SectorA05 is an organization that traditionally seeks to seize confidential information from South Korea and neighboring countries. In recent years, however, we found that they are spending a lot of time trying to steal cryptocurrency as well.
We wonder whether SectorA05 is expanding its official role from spying to also including stealing cryptocurrencies, or whether some of SectorA05 staff are deviating from their official interests.
In any case, they continued to actively steal cryptocurrency-related coins from both classes. Their goals are employees of cryptocurrency exchanges, normal users of cryptocurrency, and cryptocurrency-related developers.
They searched the victim’s directory for the cryptocurrency wallet and private key as follows:
[Navigate the file path where the cryptocurrency wallet and private key are stored]
Then, in order to take the control of the cryptocurrency wallet and corresponding private keys stored in the file path, additional malware (“59203b2253e5a53a146c583ac1ab8dcf78f8b9410dee30d8275f1d228975940e”) which compresses the files in the file path is distributed to the target users.
We see that they are responsible for monitoring and managing additional post-infection actions such as manually compiling and distributing additional malware to collect files.
[Malware that compresses files in a path with a wallet and a private key]
They also stole the Ethereum Keystore file issued by MyEtherWallet.
Thus, they are not only interested in confidential information of the government but also in stealing cryptocurrencies.
Kitty? Why? Who?
During the course of constantly tracking SectorA05, we found a management script that they use to manage victims. In the script file itself, they referred to their victims as “Kitty”. We decided to call their operation name “Operation Kitty Phishing”.
[Administrative scripts that an attacker manages victims]
They never stop working
We were surprised at their endless hacking activities as we track them down. They spread phishing e-mails to target users without rest, and their malware continued to spread. Even after distributing malware to reporters covering the Unification Ministry in early January 2019, they then distributed malware to potential users of cryptocurrency.
In addition, if the infected victim’s PCs were scanned and files related to cryptocurrency were found, malware would be compiled and distributed to individual users. The malware hash “f483d5051f39d1b08613479ccbc81423a15bfe5c5fb5a7792d4307a8af4e4586” is an example of a malware compiled and created solely for a single user. As the user name of the victim PC is exposed, the malware for stealing cryptocurrency is tailored for the individual user and distributed in real time.
[Steal a specific file from the victim’s PC username folder]
After they sent malware to the reporters, they continued to use the following URLs containing malware.
We have been constantly tracking “Operation Kitty Phishing” activity of SectorA05, which is targeting key government officials, cryptocurrency exchanges, and users in South Korea. We were amazed that their activities are older and last longer than we thought.
It was very difficult initially to judge whether the organization conducting email account phishing and the organization distributing malware were part of the same organization, but after tracking them over a long period, we can say with high confidence that they are both part of SectorA05 and are running both operations simultaneously.
While we write this article, they are continuing their malicious activities. We will still keep track of them. Therefore, if new activity is confirmed, our ThreatRecon Team will continue reporting on our findings.
Indicators of Compromise (IoCs)
MITRE ATT&CK Techniques
The following is a MITRE ATT&CK matrix that applied the “Operation Kitty Phishing” of the SectorA05 group.
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
Registry Run Keys / Startup Folder
Deobfuscate/Decode Files or Information
Obfuscated Files or Information
Credentials in Files
Application Window Discovery
File and Directory Discovery
System Information Discovery
System Owner/User Discovery
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Exfiltration Over Command and Control Channel
Command And Control
Commonly Used Port
Remote Access Tools
Standard Application Layer Protocol