ESTsecurity warns of North Korea-linked hacking attacks targeting the foreign affairs, national security and defense fields

2022. 2. 23.

Victims are lured into opening malicious documents under the pretext of filling in profile forms needed for lectures and manuscript writing

Security specialist company ESTsecurity (CEO 정상원) reported on the 23rd that hacking attempts linked to North Korea, targeting professors and private-sector experts in the fields of diplomacy and national defense at home and abroad, are being detected daily as the presidential election approaches, and that special caution and preparedness are required.

The attack attempted on February 21st delivered a malicious MS Word DOC document named '[Attachment] Profile Format.doc' to practitioners in the field, disguised as if it came from a Korean military research and Northeast Asia peace association.

The attack used a typical spear-phishing method delivered by email. The malicious DOC document was protected with a separate password and sent so that only the recipient could open it, a design intended to evade the behavior analysis of security solutions and the detection of known patterns as far as possible.

ESTsecurity's Security Response Center (hereafter ESRC) is analyzing the North Korea-linked cyber threats detected consistently throughout February, which it tracks as part of the so-called 'Fake Striker' threat campaign, from multiple angles in order to pin down the attackers' intentions.

Across the attacks actually observed, a common pattern is that the attackers ask for a short profile (a brief career summary) to be returned by the following day, pressing victims to open the attached malicious document quickly.

When the malicious DOC file is opened and the password entered, a simple profile form appears with fields for name, affiliation, position, mobile phone number and photo. It does not display the fake MS Office guidance screen that typical malicious DOC files use to coax the reader into clicking [Content Use] (Word's Enable Content button) so that macros run.

If the reader clicks the [Content Use] button anyway, a macro command hidden inside the malicious file runs and covertly communicates with a foreign command-and-control (C2) server set up by the attacker. This can lead to theft of personal information such as the user's keystrokes, and to further, unexpected damage from additional malicious files being installed.

ESRC revealed that the attackers are still actively using the free overseas web hosting service Webfreehosting as a base for building their C2 servers.

Particular attention is needed because victims can suffer double harm: beyond the infection itself, they are lured into sending key personal information directly to the attacker under the pretext of supplying payment details for a fee or a profile form needed for external activities.

This attack disguised as a profile form has been detected consistently since 2021, and its macro code and infection method are analyzed to be 100% identical to those previously used by North Korea-linked hacking groups.

ESTsecurity ESRC Center Director 문종현 advised, “In February, cyber threats linked to the North targeting domestic professionals in diplomacy, security, national defense, and unification are continually being discovered,” and “Especially during the upcoming presidential election period, cyber security readiness is more important than ever. It’s safe to confirm with the sender over the phone whether an email was sent if it is from an address you haven’t seen before or was not pre-coordinated.”
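The lure traits described above (a password-protected Office attachment with the password in the message body, a next-day deadline, and a sender the recipient has not corresponded with before) can be turned into a mail-gateway triage rule that holds such messages until the recipient confirms with the sender out of band, as Director 문 advises. The following is an added example, not ESTsecurity's or ALYac's code; the sender addresses, the sample message and the minimal OLE header bytes standing in for the attachment are all constructed, and the scoring threshold is an assumption.

```python
import email
import re
from email import policy, utils
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")
PASSWORD_HINT = re.compile(r"\b(password|passcode)\b", re.I)
DEADLINE_HINT = re.compile(r"\b(by tomorrow|by the next day|urgent|asap)\b", re.I)

def build_sample() -> bytes:
    # Constructed inbound message modelled on the pretext described above.
    msg = EmailMessage()
    msg["From"] = "secretary@peace-association.example"   # constructed sender
    msg["To"] = "professor@university.example"
    msg["Subject"] = "Speaker profile form"
    msg.set_content("Please fill in the attached profile form and return it by tomorrow.\n"
                    "The document password is 1234.\n")
    # A few OLE header bytes stand in for the password-protected .doc (constructed).
    msg.add_attachment(OLE_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="msword", filename="[Attachment] Profile Format.doc")
    return msg.as_bytes()

def triage(raw: bytes, known_sender_domains: set) -> dict:
    # Score one message against the lure traits the advisory lists.
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = utils.parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    office_files = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(OFFICE_EXT) or data.startswith(OLE_MAGIC):
            office_files.append(name)
    findings = []
    if office_files:
        findings.append("office_attachment")
    if office_files and PASSWORD_HINT.search(text):
        # Password shipped with the file: the gateway sandbox cannot open it.
        findings.append("password_in_body")
    if DEADLINE_HINT.search(text):
        findings.append("deadline_pressure")
    if domain not in known_sender_domains:
        findings.append("unknown_sender")
    # Three or more traits together (assumed threshold): hold and verify out of band.
    verdict = "hold_for_verification" if len(findings) >= 3 else "deliver"
    return {"sender": sender, "attachments": office_files,
            "findings": findings, "verdict": verdict}
```

The known-sender set would normally come from the recipient's prior correspondence; a message from a known domain that still carries the password-plus-deadline combination is held as well.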

Meanwhile, ESTsecurity has added detection for the related malicious files to its ALYac antivirus program and is maintaining cooperation with related authorities such as the Korea Internet & Security Agency (KISA) to prevent the known threats from spreading.

LET'S Connect

We collaborate with ambitious brands and people around the world.

To learn more about creating digital experiences that effectively reach and engage customers and target audiences, please contact us.

Download Company Brochure

CEO: Sangwon Jung

Business Registration Number 229-81-03214 Mail-Order Business Notification Number 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code)06711

Family Site