‘Request for payment of case expenses’… North Korea sends malicious MS Word documents to targets

Documents used in the attack by the North Korean hacking organization Thallium. When the user presses the ‘Enable Content’ button (red box), the malicious code is executed. / Photo = Provided by East Security Security Response Center

While North Korea continues cyberattacks that deceive domestic government and institutional officials, an attack impersonating a specific university newspaper has now been caught. Particular vigilance is needed against phishing attacks disguised as messages from acquaintances or related organizations.

On the 27th, Director Moon Jong-hyeon, head of East Security’s Security Response Center, told Daily NK, “A malicious MS Word document disguised as a request for payment of compensation from Dongguk University was found. It appears to be the work of the North Korean hacking organization Thallium.”

Thallium is known to be the same organization as Kimsuky, which is believed to be behind the 2014 Korea Hydro & Nuclear Power hack.

“The attacker induced some professors in the field of North Korea research to open the malicious file by using the lure of a small manuscript-writing fee,” said the head of the center.

Spear phishing is an attack aimed at a specific target rather than a random person. Because spear phishing applies social engineering techniques built on detailed information about the target, anyone who lets their guard down even slightly can fall into the hacker’s trap.

The method the hacker used was to have the Word document’s macro function execute the malicious code. Normally, when such a document is opened, a security warning appears at the top of the window and blocks the macros. The hacker therefore uses a decoy page prepared in advance to induce the user to enable macros; when the user presses the ‘Enable Content’ button, the malicious command runs.

Once the malicious command runs, additional encrypted malicious code is downloaded from a remote server set up by the hacker and installed, and various personal information, including keystrokes typed on the keyboard, is stolen.

Thallium continuously attempts hacking attacks against officials in the fields of foreign affairs, security, defense, and unification. Recently, alongside PDF vulnerabilities, malicious DOC documents have been its main weapon.

Center Director Moon said, “(Hackers) are cleverly deceiving recipients with actual events, seminar attendance fees, and contribution fees. It is an important time to open it.”

Domestic web browser usage from July 2020 to July 2021. Although the number of people using IE, which has been discontinued, is steadily decreasing, a small number still use it. / Photo = StatCounter capture

Meanwhile, hackers are also attempting attacks that exploit browser vulnerabilities, in addition to vulnerabilities in Word (DOC), PDF, and Hangul (HWP) documents.

Microsoft has ended support for its browsers ‘Internet Explorer (IE)’ and ‘Edge Legacy’, meaning it will no longer provide technical support for vulnerabilities in those browsers. Browsers whose developer has ended security support are abused by hackers, and their users are at high risk of being hacked. Microsoft restricts the use of IE in its new operating system, Windows 11, and recommends the new Chromium-based Edge browser instead.

However, according to StatCounter, an Irish company that analyzes internet usage trends such as web browser and operating system share, 2.61% of all users in Korea used IE in July. Users who have long relied on IE because of ActiveX continue to use the old browser. They are all defenseless and exposed to the invisible threat of hackers.

The malicious code recently inserted by North Korean hackers into our site also works only in IE and Edge Legacy. You should stop using IE and Edge Legacy right now.

Experts argue that it is virtually impossible to fully defend against attacks, as hackers’ methods grow more sophisticated and intelligent by the day. Even global cybersecurity companies have been hacked.

However, many countries, institutions and companies are making various efforts to minimize damage from cyber attacks. U.S. President Joe Biden held a “National Cybersecurity Conference” with key officials and business representatives at the White House on the 25th. At the event, major U.S. IT companies pledged public-private cooperation for cyber safety and promised to strengthen security through large investments.

In Korea, as major security agencies, government bodies, corporations, and private organizations continue to be exposed to hacking attacks, discussions are underway to establish a public-private integrated control tower called the ‘Cyber Security Agency’.

Adding a minimum of individual effort to this will further help prevent hacker attacks. There are many things individuals can do in their computing environment, such as keeping antivirus (‘vaccine’) software updated, using genuine software, not opening suspicious e-mails, and using a secure web browser. Careful effort is needed to protect information from global cyber-attack threats, especially from North Korea’s world-class hackers.


Source: DailyNK by www.dailynk.com.
