SharpTongue pwning your foreign policy, one interview request at a time - Tom Lancaster (Volexity)
Summary
TLDR: This talk, given by Tom Lancaster, threat intelligence lead at Volexity, looks in depth at how the North Korean threat actor SharpTongue uses clever phishing techniques to target experts, particularly in the field of foreign policy. The talk focuses on social engineering and phishing methods rather than on how the malware itself works. By analysing the attackers' targets, methods and infrastructure, and by sharing real cases, it shows how SharpTongue obtains and exploits email data, and what that means for the people being targeted.
Takeaways
- 🔍 Threat intelligence lead Tom Lancaster introduces a North Korean threat actor called SharpTongue, which specialises in breaking into the systems of foreign policy experts through clever phishing techniques.
- 🎯 SharpTongue has been active since 2012 and uses many malware families; its main goal is to obtain users' email, because email holds large amounts of sensitive information.
- 💡 The group uses social engineering and phishing that mimic the targets' everyday patterns of communication to gain trust before finally launching the attack.
- 📧 SharpTongue is adept at attacking victims through their personal email, because many professionals handle work-related email in their personal mailboxes too.
- 🔗 The attackers use a range of pretexts, such as posing as journalists, researchers or government officials, building a conversation and trust before sending an email containing a malicious link or file.
- 🛠️ The attackers often use websites they registered themselves, or services such as OneDrive or Google Drive, to host malicious files, and use password protection to avoid detection.
- 🚀 By keeping up a long exchange with the victim, the attackers learn more about the target and tailor the phishing, sometimes sending the malicious link only a month later.
- 🔒 Once a device is infected, the attackers install multiple malware families that are hard to remove completely with automated solutions; manual intervention is usually needed.
- 🤝 Building a good relationship with targeted users and teaching them how to recognise phishing is one of the key strategies for mitigating this threat.
- 🌐 The attackers' targets are not limited to the United States; they also include European Union countries and South Korea, and they are particularly interested in those regions' policies and positions on North Korea.
- 📚 By monitoring and analysing the attackers' C2 server, researchers were able to learn how the attackers operate, including how they handle logs and a help text file.
Q & A
Which company is Tom Lancaster the threat intelligence lead at?
-Tom Lancaster is the threat intelligence lead at Volexity.
Which country's threat actor is SharpTongue?
-SharpTongue is a North Korean threat actor.
How does SharpTongue mainly obtain access to targets' mailboxes?
-SharpTongue obtains access to targets' mailboxes mainly in two ways: first, credential theft, for example luring users into entering their login credentials via a phishing link; second, malware, such as a keylogger or the SHARPEXT malware that targets the Chrome browser.
Who are SharpTongue's main targets?
-SharpTongue's main targets are experts in the field of foreign policy, especially those with expertise on North Korea, such as think tank members, university professors, journalists and staff of government agencies.
Why is SharpTongue particularly interested in targets' personal email?
-SharpTongue is particularly interested in targets' personal email because personal email is where people share the most interesting information, especially in the political and NGO sectors.
How does SharpTongue use already-stolen email data for further phishing attacks?
-SharpTongue analyses the stolen email data to understand the user's conversations and contacts, then uses that information to craft more convincing phishing emails to attack other users.
What is distinctive about the 'baby shark' malware Tom Lancaster mentions?
-The 'baby shark' malware is characterised by a specific VBScript function that performs an alphabet-transposition encoding; it has varying functionality, such as performing reconnaissance and downloading and executing remote files.
How does SharpTongue avoid having its anomalous activity detected by the large webmail providers?
-SharpTongue uses the SHARPEXT malware, a browser extension, to access and steal email data from inside the browser, so the webmail provider does not detect anomalous activity: from the provider's point of view, it looks like the user normally accessing their own webmail.
What does Tom Lancaster think should be done once a user's device has been infected by SharpTongue?
-Tom Lancaster believes that once a user's device has been infected by SharpTongue, it is very hard to remove the malware completely with automated solutions, and manual intervention is needed. He recommends working closely with users, building a relationship with them and teaching them how to recognise and report such attacks.
Why is SharpTongue's activity hard to track, and why is it hard to notify users?
-SharpTongue's activity is hard to track and users are hard to notify because the attackers often go after users' personal email; this activity usually happens off the network and may only be detected when the user uses the guest Wi-Fi at their workplace. In addition, the attackers run several malware families on an infected device at the same time, which makes clean-up more complicated.
What is the 'help.txt' file Tom Lancaster mentions for?
-The 'help.txt' file found in SharpTongue's attack campaigns instructed a user in how to use the different attack files and how those files link together. This suggests that the malware author is a different person from the operator.
Outlines
🔍 Introduction and background
The first part of the video transcript introduces the speaker, Tom Lancaster, a threat intelligence lead, who discusses how the North Korean threat actor called SharpTongue uses clever phishing techniques to target experts, particularly in the field of foreign policy. He stresses that although the conference covers a lot of technical content, his talk will focus on how the hackers use social engineering and phishing to install malware. He also briefly introduces his company, Volexity, and how it gathers information by monitoring customer networks.
🎯 The SharpTongue threat actor's targets and tactics
The second part looks in depth at the targets, tactics and infrastructure of the SharpTongue threat actor. SharpTongue has been active since 2012 and uses many malware families; its main goal is to obtain users' email, because that is where the most interesting information is shared. They gain access to users' mailboxes through credential theft and malware. They are also adept at using already-stolen email data to phish other users.
📧 Real-world phishing cases
The third part uses a series of real-world phishing cases to show how SharpTongue carries out social engineering and phishing. By mimicking the target's everyday way of communicating, they build trust and eventually send an email with malicious content. These attacks may involve asking the target to submit a paper, organise a meeting or resolve an account security problem, and ultimately lead the target to download or open a malicious file.
🛠️ Malware analysis and C2 management
The fourth part discusses the types of malware SharpTongue uses, in particular variants of the BabyShark malware, and how they manage attacks through C2 (command and control) servers. The speaker describes how they worked with the owner of a C2 server the attackers were using to learn about the attackers' operating methods, including their logging habits and their use of a help text file to guide users through the different attack files.
🚨 Defence and outlook
The final part sums up how to defend against SharpTongue's attacks and looks ahead to future threats. The speaker stresses that once a user is infected it is very hard to remove the malware completely, and manual intervention is needed. He also notes that users are unlikely to change the habit of handling work email on personal devices, so it is the defensive strategy that must change, including building relationships with targeted users and teaching them how to recognise phishing.
Keywords
💡Threat intelligence
💡Social engineering
💡Phishing
💡Malware
💡SHARPEXT
💡APT attacks
💡C2 server
💡BabyShark
💡Threat actor
💡Information security
Highlights
The North Korean threat actor SharpTongue uses clever phishing techniques to target experts in the field of foreign policy.
SharpTongue has been active since 2012, uses many malware families, and has countless aliases.
The attackers' main goal is access to users' mailboxes, because email is where the most interesting information is shared.
SharpTongue achieves its goals by installing malware through social engineering and phishing.
By building a conversation over a long period, the attackers get victims to click malicious links or open malware-laden files without realising it.
SharpTongue is good at mimicking communication patterns familiar to the victim, building trust by sending normal-looking emails.
The attackers use a victim's email data to phish other users.
SharpTongue's targets include think tanks, educational institutions, journalists and government entities.
The attackers prefer to target victims' personal email, because that is where the most valuable data is.
SharpTongue uses a distinctive piece of malware, SHARPEXT, that can steal email data from within the Chrome browser.
Once a device is infected, it is very hard to remove all the malware without manual intervention.
SharpTongue registers websites under its own control for phishing, so that the phishing links look more legitimate.
The attackers implemented logging and an IP ban list on their C2 server to avoid monitoring and interference.
SharpTongue's malware payload is usually a variant of the BabyShark malware, which is encoded by an alphabet transposition.
By building long-running conversations, the attackers make the eventual one-off phish much harder to defend against.
SharpTongue's aim is to obtain inside information on US, EU and South Korean policy towards North Korea, especially key information during negotiations and when red lines are drawn.
The attackers are willing to spend time building a conversation, a patience that is uncommon among cyber threat actors.
Through social engineering, SharpTongue subverts the typical user workflow, making its attacks harder to recognise.
The attackers start with seemingly harmless emails, gradually introduce phishing content, and ultimately infect the user with malware.
Transcripts
Hi everyone, my name is Tom Lancaster, I'm the threat intelligence lead at Volexity, and today I'm here to talk to you about a North Korean threat actor that we call SharpPine, and it's about how they basically compromise experts, particularly in the field of foreign policy, through clever phishing techniques. So a lot of the talks at this conference are highly technical and they're about the ins and outs of how malware works or particular exploits. This talk does not touch on those things. Ironic for a talk at a conference called Virus Bulletin, there is very little discussion of viruses. Instead we're going to focus on the social engineering and the phishing that these hackers do to install the malware, which ultimately is what they want to do.

So a little bit of quick background about the company I work for, Volexity. You might be like, hey, how does Tom have access to so much cool stuff? And to know that you've got to understand a little bit about Volexity. The main reason you may know about the company is from a memory forensics perspective, so the people who wrote the Volatility framework primarily work for Volexity now. We sell commercial solutions around that, Surge and Volcano. We also do network security monitoring and threat intelligence, and the network security monitoring part of the business in particular has a reasonably good customer base in the United States, particularly in the NGO sector, so think tanks, places like that. And the stories I'm going to share with you, the examples I'm going to share with you today, come from our kind of monitoring of customer networks and engaging with customers in that space.

But before we can get to the kind of interesting phishing techniques the attacker is using, we've got to do some legwork together. So we're going to talk a little bit about who the attackers are, what they want and why they want it. Then we're going to talk about the social engineering and phishing techniques that the attackers use, and then there's a little bit about the infrastructure, some unique insights we have had in the past, in particular into how the attackers managed that infrastructure, some quick overview of the malware, and some outlook and thoughts about what this kind of means for people who are targeted by this threat group.

So who is SharpPine? So SharpPine, SharpTongue: you may have realized that the agenda is not the same as what I'm going to use in the slides today, and that's because in the summer of 2023 my organization decided to change all of these threat actor names. So you can basically ignore the difference between the two, they are the same, do not worry, and we can now move on satisfied that that issue is resolved. So they're a North Korean threat actor active since around 2012. They use a swath of different malware; if you read the APT43 report there's like 100 malware families listed. The most common ones that we see are listed there, and they've got a numerous, an innumerable number of aliases, just like every other threat actor that people talk about. Yeah, if you've read about any of these malware families or these threat actor names before, you'll have a rough idea of what I'm talking about.

And for the particular stuff we're looking at today, I think it's interesting for any threat actor to think about what success looks like for them, and for this threat actor success ultimately looks like access to a user's mailbox. Sometimes they'll go after other data on the user's machine, but predominantly what they want is the email, because the email is where people are sharing the most interesting information with their peers, particularly in kind of politics and the NGO space. And the way that they get access to a user's mailbox is through two kind of key things. One is credential theft: so that's I send you an email, and eventually maybe there's a phishing link, and that phishing link takes you to a login page for some service, whether it's like your actual work email, Gmail, whatever it might be, and then you enter your credentials and hey presto, the attacker has access. And that's becoming less common for this attacker as a way of doing things, maybe because of adoption of 2FA, maybe for other reasons. And the second kind of key way they could do this is through use of malware. So they can deploy any number of malware families, and they could use like a keylogger to steal all of the user's passwords, and they also have a very clever piece of malware that works within Google Chrome or any Chrome-based browser called SHARPEXT, which steals the mail from the context of the user's browser.

And the key outcomes for the attacker are basically they want insights into what the United States, some European Union countries and South Korea are going to do regarding North Korea. So the types of people they're targeting and the information that those individuals hold is likely to be key in times of like negotiations and red lines. So the United States might say one thing in public about their particular stance on what North Korea might do in one scenario, but behind the scenes the United States might actually have like a different red line. Like they say, if you cross this line we'll punish you, but actually the red line might be much, much deeper, and the attackers are interested in knowing what the actual red line is, not the one you say. And the second unique outcome, or kind of thing that I don't think I really hear a lot of other people talk about, is that having stolen one user's mail data, they are very good at repurposing that mail data to phish other users. So by phishing one user they gain great insight into what would make good phishing material or compensation material to attack a different user.

And to really kind of hammer home the like publications you might have read about the same type of thing, there are a number of those in the public domain. So from Google Mandiant, I think the huness article on the left-hand side there is a really good example of what you'll find if you find a user who's been compromised by this group. So yeah, I think there's a lot of previous reporting you can get your hands on.

Sometimes we're able to gain insights into the types of target the group have, not just within our own customer base but outside of our customer base, and the data in this slide and the next one comes from just one wave of emails, but we think it's relatively representative of the types of targets that this group is attacking. So you can see predominantly it's kind of think tanks, NGOs on the left-hand side; the next bar is education, so there are professors at universities who are essentially experts in North Korea; and there are various kind of journalists and government entities as well. And in terms of where those people live, a lot of them are in the United States, they're probably considered one of the key kind of influences in global politics regarding North Korea, and then there's obviously South Korea, which is probably also a very key issue for the North Koreans, and then a smattering of kind of countries around the world as well.

One thing that's going to come up a couple of times in this talk is the differential between targeting a user's personal webmail and their corporate accounts. So many of you in the room might think it's ludicrous that you would use your personal email to talk about work stuff; however, for a lot of the targets of these attacks that is not the case, that is actually the status quo. So particularly if you're a person who is a professor at one university, you also hold a board position at another place, you end up having like five or six emails related to your work, and what you don't want is to log into five or six places. So what these professors and these other kind of professionals and experts do is they try to manage all of their email in one place, which is their personal email, and log into their work email as little as possible. And SharpPine are very good at taking advantage of this. So once they figure out, like, someone's... my work email might be T Lancaster at volexity.com, but if they figure out that my personal email is like, I don't know, T Lancaster at h.com, they'll target that preferentially, because ultimately that's where the best data is.

So I said at the start of this talk that this talk is primarily about social engineering and phishing, and so that's what we're going to come on to now. And I think this is a topic worthy of discussion, because Volexity tracks a number of different threat actors distributing like different malware, and some of those threat actors are very high sophistication, some of them very low, and when it comes to social engineering SharpPine are relatively good, they're at the top end of the spectrum I would say, whereas other threat actors might have the best malware in the world, but if they can't convince the user to install it, or if they don't have an exploit, they're out of luck. And basically what it boils down to is that SharpPine subvert a typical user workflow. So they have a real understanding of how the people they're targeting work on a day-to-day basis. So a typical scenario for somebody who might be targeted is they might receive an email out of the blue; this is something that would happen to them every day. They'll receive an email out of the blue from a webmail account and they'll say, hey, I'm a journalist working at this newspaper, I'd like to interview you on the subject of North Korea-China relations, and that is a normal thing to happen to them. And so the target might reply and say, oh yeah, sure, I would love to do the interview, and then they might say, oh, I'm going to ask you these questions, and they send them the questions document, which is going to contain the questions that I'll ask you during the interview. And all of this is normal, and so the target is quite happy to open the email, and the attackers understand this.

And the reason they understand this is because they have been doing this for a long time. They've read a lot of email between these people, and so they understand what the conversations look like, and they're able to take those conversations and basically replay them back to a different user and get success. And unlike a lot of attackers, the final point is that they're willing to spend time building a conversation. So if you ever talk to a user about what phishing looks like, you might often say, oh, you'll receive an email and it'll contain a suspicious link, but what you won't say is you'll talk to this person for a month and then at the end of that month they will send you a suspicious link. Nobody is taught to identify phishing that way.

So in the top left of my diagram here I've got the attacker, and in the top right I've got the target, and this is just one example of how it might look. This isn't how it looks every time, and in some of the examples later we'll have cases where the attackers didn't wait for so long, but this is something that can genuinely happen. So the attacker can send an email on day one and it contains no malicious content whatsoever; it just says hello, I'm looking to make a contact, and so on and so forth. The target replies, the attacker replies, this can go back and forth for a while, we can talk about different things, and then eventually the hook is that they're going to send some phishing content, and the result is that the user either has to log into a service, which is a phishing page, or they have to open a file which contains malware. Those are the two kind of end games, but that might take a long time to get to.

And what they've done very well is they've got these two kind of phishing principles that I think are kind of key to their operations, and I think a lot of attackers are very good at the second one. So I think in the previous slides there was an example of like, you've got to respond to this RFQ, it's like you have to do this now, and so a lot of like commodity spam is very good at making people feel time-pressured into responding to a phishing message. But what commodity phishers are less good at doing is making people feel comfortable about responding to that, and by engaging in that conversation first, the attackers are able to make people feel not only comfortable but feel like they have to do it now.

And so now I've got a series of real-world phishing examples from this group that hopefully illustrate the points I've been trying to make.

So we'll start with the simplest possible case, which is sharing a document. So the font's a little small, so I'll just kind of explain what's happening in the emails. On the left-hand side the attacker sends an email to the target and it says, hello, did you receive my email from three days ago? And the gotcha is that there was no email three days ago; this is just to see if the person is willing to reply. And then in the second screenshot the target has replied and said, no, I didn't receive your email, what was it about? And then they say, oh, sorry, here it is again, and they create an email that looks like it's being forwarded again, and it contains a link to OneDrive which is hosting the malware file. And this is the kind of simplest ruse that the attackers will use.

Stepping things up to be a little bit more... maybe you think it's kind of lame, that's not what he described. I think this is more along the lines of the type of thing you might have been expecting. So in this case the attacker poses as a researcher at KINU, which is the Korea Institute for National Unification, a Korean think tank that's focused on making sure, or trying to make, unification happen in Korea, and they say, hello, I would like you to submit to an upcoming conference. This is a real event that's happening. Please could you give me an idea of the paper you'd like to submit and your abstract? And the target replies and says, hey, yeah, I'd like to submit, and so on, and they have a little bit of a conversation, and eventually the target says, oh, what would you like me to submit about, what topics do you need covered? And the attacker says, thank you so much for accepting our invitation, we'd like you to choose your paper's topic, but please review our guidelines and code of ethics, and they are once again hosted on OneDrive, with a password this time. And generally, password-protecting the content on OneDrive or whatever it is has become much more prevalent for the threat actor, and I figure that's because they were being kind of thwarted by attempts by Microsoft to detect their malware on OneDrive and other platforms. So now they simply password-protect it, meaning the cloud providers are unable to easily detect their malware being hosted there.

Possibly the best example I have is an example where the attacker proposes an in-real-life meetup between the attacker, the target and a third party. So in this example the attacker says, hello, I am a government official at the embassy of South Korea in Washington DC, and our target also lives in Washington DC but does not know this person, and they say, I'd like you to organize a meeting. They're asking for an introduction, because they know that our target knows another person who is visiting Washington DC from South Korea. This is a relatively informed attacker here who wants to organize a fake in-real-life meeting between these three people, and asks for a proposal of a date. They exchange a number of emails over the course of a week, maybe more, and they agree a time and a place for this in-real-life meeting to take place. And you might be wondering how they can convert this into a malware infection, and just one day before the meeting the attackers say, oh, by the way, here's the list of the other people that will be attending the meeting, please click on this Google Drive link, which actually, I think the font's a little small, but it's not hosted on Google Drive at all, it's hosted on attacker infrastructure in this case. But in this case the attacker has done something fairly outlandish. I could never have guessed that an attacker would ever try to organize an in-real-life meetup to facilitate a phish the day before, and by doing it the day before they really make sure the attacker has to click it, I mean the target has to click it that day, because they need to know the information before the next day. And because there's no malicious content in any of the emails leading up to this, we are only able to kind of piece this back together on the final phish. So on the final day we're able to find the phish, but then all the stuff coming before, we're completely blind to.

Another example of a kind of technique that we've seen used more than once is asking people to write a paper. So in this case the attacker says, hello, I'm a researcher at the Sang Institute, which is a Korean think tank, and says, could you please write a 1,200-word piece for our website on China and North Korea relations, and they set them a deadline by which to do so. And because this is not an out-of-the-ordinary request, these experts are frequently asked to give opinion articles for various news outlets, and so that is exactly what the target does. The target spends a few hours writing a long-winded opinion piece about the current state of China-North Korea relations and sends it to the attacker, and the attacker says, thank you, before publishing this on our website I'd like you to review the comments I've made on your document, could you please review them? And then once more, you guessed it, it's a OneDrive link, and the OneDrive link has a password, and within that is the malware.

So to recap the kind of workflow that the attackers have here: they ask the user to do something they would usually do for work, they maybe engage them in a little bit of conversation beforehand, the user does that thing, and then the user gets something back from the attacker, and that thing is the malware. And essentially often it's a document, but there are other formats used as well, but essentially all that stands between the user being compromised and not is the "enable content" bar in Microsoft Word.

So all the examples so far took place with real users, but in some cases Volexity has been able to insert itself into the phishing conversation and try to get phished ourselves. So because of the kind of workflow that this attacker and some others use, if you identify the phish early on it's kind of disappointing, because you don't get any malware, which is maybe what you're interested in. And so in those cases we will often ask the users who are targeted to actually follow along in the conversation and engage with the attacker until they actually give them the malware. But sometimes the users are not confident with that and they don't want to talk to a hacker, is kind of the way they're thinking of it, and in those cases sometimes we say, okay, well, if you don't want to talk to the hacker, perhaps you'd be willing to introduce them to us, and we'll create like some kind of fictional identity, either at the organization or on webmail. And that's what we've done here, and here we're talking to Melanie, who is the attacker, and Melanie says she works for NK News, which is a North Korea-specific news website, and we've been talking to Melanie for a while now, and eventually she says there's kind of a security problem with the NK News accounts, which we've told her we have, and she says you need to register your IP to keep your account secure by visiting this link. And the curious thing here is that the link that she sent is to the real NK News website, but it's just a 404 because this page doesn't exist. So we kind of play along, we say, oh Melanie, this link doesn't exist, and she says, oh sorry, I didn't mean to make a mistake, here's the real link, and then link number two is the one that phishes for your NK Pro credentials. Now unfortunately in this case we don't actually have a subscription to NK News, so we cannot continue playing along, so we simply tell her that when we open up the page it says that the page is malicious, like, you know, that Chrome "this is an unsafe website" page, and we say, oh, maybe you should scan your website. And Melanie says, don't worry about that, that's okay, just send me your username and password and I'll sort it out for you. So if all else fails, the attackers are perfectly happy just to ask for your username and password, and presumably they do this on the basis that they've been successful with it at least once.

In terms of infrastructure, there is kind of a broad summary that I can give you, which is that in the past they often used compromised websites, particularly for the phishing campaigns I've described, whereas today often they're using websites they've registered themselves, and I figure this is mainly around making their phishes look better, so that the URLs that the users see, if they were to look at them, look close to real organizations. So those are some of the organizations that they kind of impersonated recently in the bottom right, so they're a mixture of US, Korean, and educational and news kind of organizations. But looking at that older cluster, we have kind of one interesting story to share, which is around C2 management.

So I don't know how many of you have ever tried to tell somebody you do not know that their website is compromised, but generally it is a fruitless task, because you will tell them that their website is compromised and they will assume that you were the one who did it somehow, and therefore they will not engage with you. But in 2019 we tried our luck and we contacted a large range of compromised websites explaining that their websites were compromised and in use by attackers, could we help you clean it up, and we struck gold. In one case the website owner looked us up, figured out we were probably legitimate, and gave us root SSH access onto their web server, and we were able to basically do whatever we wanted for a period of around a month, and then we cleaned it up after that, and we notified everybody we could see was compromised through that particular compromised website. And there were a few interesting things we learned about the way the attackers did stuff on the C2 that may be worth sharing.

So the first is around logging. So if you're a threat researcher and maybe you interact with C2s every so often, I think this is like an interesting thing about what even a relatively low-technical-skill threat actor is doing regarding logging of requests to their C2. So let's say it's a WordPress site and they've compromised suite.com's WordPress content, and they'll have all of their files buried like five directories deep, and if you make a request in that root directory they will just log your request, your IP and your user agent, and put it in a file. And what we would see them do is periodically they would review that file, copy lists of IPs from it, and add them to the ban list, and if your IP or user agent got added to the ban list, no matter what your request, you were given a 404. And so it was a way for the attackers to try and stop people monitoring their activity.

And the second thing that I'm going to use in the slides, there's more detail in the paper, is around help.txt. So what the attackers would do is, because it's a compromised website, they would upload a zip file for every attack. So if they were going to phish Virus Bulletin, for example, they would create a folder called VB, and in VB they would dump VB.zip, they would unzip it, and then there would be all of the files that they were planning to use in that particular campaign. But the interesting aspect, at least in 2019, is that each zip file contained a file named help.txt, and help.txt explained to a user how they would use the different files and how they're all meant to link up. And to me this strongly suggests that the malware author is not the operator, which is like an interesting thing to know in terms of this type of thing.

There isn't a lot of time for malware talk, we're 25 minutes in, but we'll do a little bit. And so you might be wondering what is the payload delivered, and more often than not it is a variant of what is called the BabyShark malware, which is documented by Palo Alto in 2019. And although it is given kind of a name and description in that paper, in practice the industry uses it to describe any malware that uses this function. So it's a VBScript function that does an alphabet swap, and those scripts have varying functionality: sometimes they perform some reconnaissance on the host, sometimes they simply download and execute a file, they do it using different mechanisms, but generally speaking it seems to me that the industry has settled on "this decoding mechanism means BabyShark", which is fine by me.

And I think it's actually quite a clever piece of encoding in terms of how it does the work. So it's got that encoding function, it's got a big blob of text, and it executes the blob of text, which could contain anything. But I'm not really sure if there's any other attacker who is doing this particular type of encoding. So if you take the string "hello world", I think it's worth explaining how it would work: it transposes it into a matrix, which can be of any size, but in this case they chose a length of three, and if you go down the columns you can see it's spelling "hello world", and then it simply joins the columns back up horizontally, and that's how you get the string on the right, which is the encoded text, and it performs the reverse operation the other way.

And beyond that, what you get is quite a lot of different malware that is too much to describe in one talk. Suffice to say that when we investigated one compromised device in 2022 we found five different one-line scripts, all of which were completely different, which aimed to download and execute some remote content, Miss Daisy, and then SHARPEXT, which is the most important one from my point of view. So SHARPEXT really helps them actually achieve their goal, so they want to steal mail data, and SHARPEXT uses the unique position of being an installed browser extension to do that. And essentially what it means is when the user opens their browser and they have this malware installed, the extension will log into their Gmail as though it were in the browser, it will read all the email as though it was inside the browser, and send it to the attacker. And so the key thing here is that one of the main things that stops these attacks from being successful is that the big webmail providers, whether it's Google, AOL, Microsoft, are looking for kind of erroneous patterns in terms of activity to use these mailboxes, and then they can alert those users about suspicious activity. But by doing it from within the context of the browser extension, the attackers are able to kind of just completely remove all that, because from the big webmail providers' point of view it just looks like the user is accessing their webmail from the correct IP using the correct user agent, and so it's relatively good at avoiding that kind of detection.

In terms of the outlook and what people can do to identify this, I have a couple of thoughts. So I think people talk about APTs, advanced persistent threats, but SharpPine might not be so hot on the A, but they are very hot on the P. So they are very good at taking a target, figuring out who they talk to, who they already know, who they don't know, so they can figure out who to impersonate when they talk to that person, and they target those people again and again, relentlessly. And maybe you think none of the examples I showed you in terms of phishing emails are going to fool you, but if you receive three of those three times a week, or like you receive three emails a week like that for a whole year, eventually one of them is going to slip through the cracks, especially when you consider that this is quite close to a normal interaction for these people. And there are very few threat actors that we know about that take time to invest in a conversation before delivering any malware. Most threat actors are just happy to send the malware straight away, or after one or two messages. There's only maybe, I can count on one hand the number of threat actors that we track that would do 10, 12 messages before sending an email.

Targeting users' personal devices and email makes detection difficult. So a lot of the times we'll find an infection from this group amongst our customer base, and when we trace down the root cause we'll figure out that the user used their personal webmail on their work laptop, and so we had no visibility of any of the emails, we just see the malware that ends up, and we have to retrace all of the phishing that took place before. And it's even more difficult on personal devices, so sometimes the entire activity takes place off network, but then the user comes in, uses the guest Wi-Fi in the work setting, and then gets picked up that way. And this makes it difficult not just for us but for governments who are actually wishing to identify and notify users as well. So if you think about like NCSC in the UK trying to notify various North Korea experts, that type of problem is also more difficult, and this is a real risk in sectors where personal device use for work is common. You might think the users should change, but if you're working in security and you still think the users should change, I've got bad news: the users are not going to change. You just have to change your workflows to try and deal with it.

And essentially once a user is compromised, we relatively firmly believe that no automated solution will fix things. So most of the time the users that get compromised have some AV installed, and maybe the AV just nixes four of the seven malware families, which would be a not bad result. The problem is that there are still three malware families remaining; the next day the attacker will just go and install three more, and keep a very high number of malware families running concurrently, or running on like a schedule each day to download a new payload. And we think it's very unlikely that once infected a machine will ever be truly made clean without human intervention, which is excellent from the attacker's point of view. And essentially the only way that we've really been able to mitigate this is by working closely with users. So often the specific users that get targeted are targeted again and again, and we're able to build a relationship with them, explain what this looks like, make them feel comfortable reporting it, things like that.

All right, that's all I have for today. Thank you for your time.

[Applause]
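The column-transposition encoding described in the malware section, written out as an added example for analysts (this is not code from the talk, from Volexity, or from the BabyShark sample itself). The transcript does not say whether "length of three" is the number of rows or of columns, so this assumes a matrix with three rows, the plaintext written down the columns and the encoded string read across the rows; the decoder inverts that, and `candidate_decodes` tries several row counts for the case where an analyst does not know which one a sample used.

```python
from math import ceil


def transpose_encode(text: str, rows: int = 3) -> str:
    """Write `text` down the columns of a matrix with `rows` rows, then
    read the matrix across its rows (assumed reading of the talk's diagram)."""
    # Column i holds rows consecutive characters; the last column may be short.
    columns = [text[i:i + rows] for i in range(0, len(text), rows)]
    # Row r is the r-th character of every column tall enough to have one.
    return "".join(col[r] for r in range(rows) for col in columns if r < len(col))


def transpose_decode(encoded: str, rows: int = 3) -> str:
    """Inverse of transpose_encode: recover the row strings by length,
    then read the matrix down its columns again."""
    n = len(encoded)
    if n == 0:
        return ""
    ncols = ceil(n / rows)
    # Height of the last column; every other column is `rows` tall, so rows
    # with index below `rem` have ncols characters and the rest have ncols - 1.
    rem = n - (ncols - 1) * rows
    row_strs, pos = [], 0
    for r in range(rows):
        length = ncols if r < rem else ncols - 1
        row_strs.append(encoded[pos:pos + length])
        pos += length
    return "".join(row_strs[r][c]
                   for c in range(ncols)
                   for r in range(rows)
                   if c < len(row_strs[r]))


def candidate_decodes(encoded: str, max_rows: int = 8) -> dict:
    """Try every row count from 2 to max_rows and return each decoding,
    so an analyst can eyeball which one yields readable script text."""
    return {rows: transpose_decode(encoded, rows) for rows in range(2, max_rows + 1)}


if __name__ == "__main__":
    # Constructed sample, not taken from a real payload.
    sample = "hello world"
    blob = transpose_encode(sample)
    print(repr(blob))                    # encoded text as it would sit in the script
    for rows, guess in candidate_decodes(blob).items():
        print(rows, repr(guess))
```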