ESTsecurity: North Korea-linked attack emerges disguised as health check certificate issuance for hospitals and clinics

2022. 3. 4.

The attack uses a health check-up results lookup and issuance service as its disguise

Security company ESTsecurity (CEO Jung Sangwon) announced on the 4th that a hacking attack linked to North Korea, disguised as a domestic hospital certificate-issuance program, has emerged in the country and that it calls for special attention and preparedness.

The attack was disguised as an online service for looking up and issuing health check-up results, and distributed malicious files through it. Its defining trick is a trust-based one: the malware is bundled with the legitimate plugin program that domestic hospitals and medical institutions require for issuing certificates.

As a result, once the program is installed, hospital certificate issuance proceeds normally, while the user is at the same time exposed to an unexpected cyber security threat.

According to analysis by the ESTsecurity Security Response Center (hereinafter ESRC), the malicious file was created on February 25, but the actual attack took place in March; the file was built for 64-bit Windows.

The file contains two encrypted resources: one is the legitimate hospital certificate-issuance program, the other a malicious file that quietly performs backdoor functions. With this structure the malicious and the legitimate module are installed at the same time, but only the normal installation screen is visible on the user's display.
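The two-resource structure described above leaves a static footprint that a triage analyst can look for in any unknown installer. The following Python script is an added example, not ESRC's tooling, and it does not analyze the real sample: it scans a binary for embedded PE images (an 'MZ' header whose e_lfanew field points at a 'PE\0\0' signature, which is how a decoy installer stored in the clear, or a decrypted resource dumped to disk, shows up) and for long runs of near-8-bit entropy, which is how an encrypted resource shows up before decryption. The input it runs on is constructed in memory; the window size and threshold are this example's own choices.

```python
"""Triage helper for a 'decoy plus payload' dropper.

Added example; it is not ESRC's tooling and does not analyze the real sample.
The dropper described above carries two encrypted resources, a legitimate
installer and a backdoor. Two cheap static checks pull such a structure out of
an unknown binary: encrypted resources show up as long runs of near-8-bit
entropy, and any resource stored in the clear (or decrypted and re-dumped)
shows up as an embedded PE image, an 'MZ' header whose e_lfanew field points
at a 'PE\\0\\0' signature. The input below is constructed in memory.
"""
import math
import random
import struct
from collections import Counter
from typing import Dict, List, Tuple

WINDOW = 1024        # bytes per entropy window (example's own choice)
THRESHOLD = 7.2      # bits/byte; pseudo-random data scores ~7.8 at this window size


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte (0.0 for empty or constant data, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_embedded_pe(data: bytes) -> List[int]:
    """Offsets of every embedded PE image: 'MZ', then 'PE\\0\\0' at the e_lfanew offset."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):                       # need the whole DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Sanity bound on e_lfanew weeds out chance 'MZ' pairs inside random data.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def high_entropy_regions(data: bytes, window: int = WINDOW,
                         threshold: float = THRESHOLD) -> List[Tuple[int, int]]:
    """Merged (start, end) ranges of consecutive windows at or above the threshold."""
    regions: List[Tuple[int, int]] = []
    for start in range(0, len(data), window):
        end = min(start + window, len(data))
        if shannon_entropy(data[start:end]) >= threshold:
            if regions and regions[-1][1] == start:       # extend the previous region
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((start, end))
    return regions


def triage(data: bytes) -> Dict[str, list]:
    """Both checks over one file: where the embedded images and the encrypted blobs are."""
    return {
        "embedded_pe_offsets": find_embedded_pe(data),
        "high_entropy_regions": high_entropy_regions(data),
    }


def build_constructed_sample() -> bytes:
    """CONSTRUCTED input: one cleartext PE stub (stand-in for the decoy installer)
    and one seeded pseudo-random blob (stand-in for an encrypted resource),
    each surrounded by zero padding."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)                # 64-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x80)              # e_lfanew -> 0x80
    stub += b"\0" * (0x80 - len(stub)) + b"PE\0\0" + b"\0" * 20
    rng = random.Random(20220304)                         # seeded: same bytes every run
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    pad_to_2048 = b"\0" * (2048 - 1024 - len(stub))
    return b"\0" * 1024 + bytes(stub) + pad_to_2048 + blob + b"\0" * 1024


if __name__ == "__main__":
    result = triage(build_constructed_sample())
    print("embedded PE at:", [hex(o) for o in result["embedded_pe_offsets"]])
    print("high-entropy regions:", [(hex(a), hex(b)) for a, b in result["high_entropy_regions"]])
```

On the constructed input the stub is reported at offset 0x400 and the blob as one region from 0x800 to 0x1800. Against a real dropper, run it on the file as a whole and on each extracted resource: a resource that is high entropy end to end and contains no PE header is the one to decrypt next, and a resource that already parses as a PE is the candidate decoy. Compressed data also scores near 8 bits per byte, so the entropy hit is a lead to decrypt or decompress, not a verdict on its own.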

Through similarity and association analysis of the discovered malicious files, ESRC has officially confirmed that this is a continuation of an attack carried out in February against a journalist at a domestic broadcaster and North Korea-related media outlets. That attack used a file named 'In-house Financial Business Details.zip' and impersonated an annual report by the Japan Institute of International Affairs, a Japanese diplomatic and security think tank, on military tensions in Northeast Asia and Japan's response strategy.

Among the threat indicators found in the attack on the domestic broadcaster were traces characteristic of North Korea, such as the word 'hyunsi' and the 'Freehunter' account used by the attacker, as well as the command-and-control (C2) server 'ms-work[.]com-info[.]store'. In particular, the initials 'KGH' were found in a related breach incident.

The C2 server used in this attack is the domain 'ms-work[.]com-pass[.]online', which is similar to the address used against the broadcaster mentioned above, and the main function structure is also analyzed to be identical. In addition, a variant discovered around July 2021 was disguised as a Whale browser extension and used the 'KGH_Backdoor.dll' export function name and the address 'support-hosting[.]000webhostapp[.]com'.
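The three indicators above are the actionable part of this report for a defender. The Python script below is an added example, not ESTsecurity's tooling: it refangs the indicators exactly as quoted, matches them against a DNS query log, and additionally flags the shape the two ESRC-reported C2 hosts share, a registered domain whose label begins with 'com-' (com-info.store, com-pass.online) so that 'ms-work.com-info.store' reads as 'ms-work.com' at a glance. That lookalike heuristic, the log format and the log lines are this example's own constructions; the hostnames other than the quoted IOCs are either well-known legitimate names or reserved example names.

```python
"""Match the reported C2 hosts against DNS query logs.

Added example; it is not ESTsecurity's tooling. It uses the three defanged
indicators quoted above and a constructed, in-memory log. The two
ESRC-reported C2 domains share one lookalike trick: the registered domain
begins with 'com-' (com-info.store, com-pass.online), so a host such as
ms-work.com-info.store reads as 'ms-work.com' at a glance. Besides exact
matches, the scanner therefore flags any queried name of that '.com-' shape
as a hunting lead; that heuristic is this example's own, not ESRC's.
"""
import re
from typing import Dict, Iterable, List, Optional

# Defanged indicators exactly as reported in the article.
DEFANGED_IOCS = [
    "ms-work[.]com-info[.]store",
    "ms-work[.]com-pass[.]online",
    "support-hosting[.]000webhostapp[.]com",
]


def refang(name: str) -> str:
    """Turn a defanged or raw hostname into a canonical lowercase FQDN without trailing dot."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


IOCS = {refang(i) for i in DEFANGED_IOCS}

# A 'com-<something>' label in the registrable-domain position followed by a
# single TLD label: brand.com-info.store, portal.com-update.example, ...
LOOKALIKE = re.compile(r"(?:^|\.)com-[a-z0-9-]+\.[a-z]{2,}$")

# CONSTRUCTED log format: "<timestamp> <client-ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify(qname: str) -> Optional[str]:
    """'ioc' for an exact indicator match, 'lookalike' for the '.com-' shape, else None."""
    name = refang(qname)
    if name in IOCS:
        return "ioc"
    if LOOKALIKE.search(name):
        return "lookalike"
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per flagged query; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        verdict = classify(qname)
        if verdict:
            hits.append({"timestamp": ts, "client": client, "qtype": qtype,
                         "qname": refang(qname), "verdict": verdict})
    return hits


# CONSTRUCTED sample log: the article's IOCs (one upper-cased with a trailing
# dot, as resolvers log them), well-known legitimate names, and reserved
# example names standing in for an unknown lookalike and a near-miss.
CONSTRUCTED_LOG = """\
2022-03-04T09:12:31Z 10.0.5.23 A ms-work.com-pass.online
2022-03-04T09:12:32Z 10.0.5.23 A www.microsoft.com
2022-03-04T09:13:07Z 10.0.7.8 A MS-WORK.COM-INFO.STORE.
2022-03-04T09:14:40Z 10.0.9.1 A support-hosting.000webhostapp.com
2022-03-04T09:15:02Z 10.0.2.2 AAAA example.com
2022-03-04T09:15:55Z 10.0.2.2 A portal.com-update.example
2022-03-04T09:16:01Z 10.0.2.2 A dotcom-tools.example.net
"""

if __name__ == "__main__":
    for hit in scan_dns_log(CONSTRUCTED_LOG.splitlines()):
        print(f"{hit['timestamp']} {hit['client']:<10} {hit['verdict']:<9} {hit['qname']}")
```

Exact matches are canonicalized first (case, trailing dot, defanging), which is what makes the upper-cased 'MS-WORK.COM-INFO.STORE.' line hit. The '.com-' heuristic is deliberately narrow (one TLD label, so 'com-bar.co.uk' style names are not caught) and will also fire on legitimately registered 'com-*' domains; treat those hits as leads to pivot on, and keep the exact-match list as the alerting tier. The 000webhostapp host is a free-hosting subdomain, so match it as a full hostname rather than blocking the parent domain.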

ESRC is investigating several artifacts in which the keyword 'KGH' was used as an account or folder name, and is conducting a detailed investigation into the background of the threat with all possibilities in mind, including what the English initials stand for. Similar threats were reported to have accessed specific overseas services from North Korean IP addresses around 2012.

ESTsecurity Center Director Moon Jonghyun said, "While data-destroying malware known to be Russian-made has been reported in Ukraine, cyber threats linked to North Korea are consistently being discovered in Korea," adding that, especially with the upcoming presidential election in South Korea, special attention and preparedness against potential social-engineering hacking attacks are needed.

Meanwhile, ESTsecurity has added detection for the related malicious file to its ALYac antivirus program and is closely sharing cyber threat information with related authorities such as the Korea Internet & Security Agency (KISA), maintaining cooperation to prevent the spread of known threats.

WE WORK WITH AI

We believe that AI makes the world more convenient and safer

1.

Senior care with AI

An AI senior-care service that looks after seniors' enjoyment and cognitive enhancement using AI human technology

2.

Education with AI

Expansion of education businesses in various fields, such as producing celebrity-instructor video lectures, TOEIC speaking education content, and AI content for fitness training instruction

3.

Content with AI

Implementing 'moving pictures' with EST AI technology, and 'face transformation, makeup application, and clothing creation' through deep learning

Creating and using various AI human content, such as AI new-hire analysts and announcers

4.

API business with AI

We provide AI-based data and solutions as an API so that companies can focus on their core customer value.

5.

Software with AI

Background-removal technology in ALSee Capture and the polished design of ALTools products, both applying ESTsoft AI technology, provide the utility environment that users want.

LET'S Connect

We collaborate with ambitious brands and people around the world.

To learn more about creating digital experiences that effectively reach and engage customers and target audiences, please contact us.

CEO: Sangwon Jung

Business Registration Number: 229-81-03214 / Mail-Order Business Notification Number: 2011-Seoul Seocho-1962

EST Building, 3 Banpo-daero, Seocho-gu, Seoul (Postal Code 06711)
