North Korea-linked APT attack advisory aimed at foreign affairs and security experts

East Security (CEO Jeong Sang-won), an integrated security company, said on the 3rd that a new type of intelligent persistent threat (APT) attack that utilizes malicious ‘PDF document files’ is continuously being discovered in Korea, and requested special attention.

According to the analysis of the East Security Security Response Center (ESRC), the newly discovered PDF file vulnerability attack has been used in hacking attacks targeting former and current workers in domestic diplomacy, security, national defense, and unification from May to the present. confirmed to have been

Based on the results of in-depth analysis of the techniques and strategies used in this PDF vulnerability attack, ESRC has identified ‘Thallium’, known as a North Korean-linked hacking organization, as the cause of the threat. Until recently, this organization mainly used an infection technique that exploits the macro function of MS Word document files (DOC, DOCX), but it is estimated that they have recently attempted to change the technique using PDF vulnerabilities.

The ‘Thallium’ organization has continued to attempt hacking attacks against high-ranking government officials at the former and current ministerial levels in Korea until recently, and in fact, during the South Korea-US summit in 2021, DOC documents were sent against experts in the fields of diplomacy, security, unification, and North Korea. It was confirmed that an exploitation hacking attack was attempted.

However, this is the first time that a PDF vulnerability has been used, and it is analyzed that this is an extension of ‘Fake Striker’, one of the representative APT attack campaigns of the thallium organization.

The PDF vulnerability used in this attack can be used secretly for another attack, so experts in the fields of diplomacy, security, defense, and unification should be careful with the recognition that PDF document files are no longer safe.

The malicious PDF file attached to the e-mail is impersonating a guide to the ‘Peace Economy CEO Course’ hosted by a specific domestic association.

If the mail recipient opens the document, the script code hidden inside the PDF file is run. This code executes a Base64-encoded shellcode command, and calls a malicious payload file that is secretly hidden as a separate code unit. Afterwards, it attempts to communicate with the command control (C2) server and executes the commands specified by the attacker in order. Depending on the conditions, additional malicious files may be installed to steal sensitive personal information or to attempt remote control.

If the English domain address of the C2 server used in the attack is replaced with a Korean keyboard, it is converted to a Japanese word called ‘sankei (tksRpdl)’, and it was confirmed that a domain with the expression sashimi (tktlal) was also used. In addition, the ‘WebKitFormBoundarywhpFxMBe19cSjFn’ communication string, which was found several times in a similar attack by the thallium organization, was also found in this attack.

In addition, in order to evade malicious behavior detection and analysis environment, the attacker inquired the domestic security program used by the infected PC and showed the precision of checking the virtual (VMware) environment through the registry key.

The three representative APT campaigns of the thallium organization are ▲Smoke Screen, ▲Blue Estimate, and ▲Fake Striker. All threats are being actively monitored.

Reflecting the recent domestic cyber threat situation, the National Intelligence Service upgraded the ‘public sector cyber crisis alert’ from ‘normal’ to ‘interested’ as of 9 o’clock on the 3rd.

East Security’s ESRC Center Director Jonghyun Moon said, “The thallium organization’s APT attack campaign, which is classified as a fake striker, is intensively targeting high-ranking officials in the field of North Korea research, along with influential figures at the domestic former and current ministerial levels.” In addition to the previously popular DOC malicious document format, attacks using PDF vulnerabilities are also on the rise, so careful attention and preparation are required when PDF files are delivered by e-mail.”

Reporter Hyang-seon Lee [email protected]

Source: 전체 – 넥스트데일리 by

*The article has been translated based on the content of 전체 – 넥스트데일리 by If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!

*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.

*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!