Cybersecurity company Genians said on the 5th that it had partially identified a connection between Kimsuky, a hacking group under North Korea's Reconnaissance General Bureau, and the document-based malware disguised as an "Army Intelligence Command emergency document" that circulated shortly after the state of emergency was declared in December last year.
According to the report, titled "Analysis of the APT attack themed on the state of emergency and its relevance to the Kimsuky group" and posted on the Genians blog, "traces of Korean were observed in the resource language of the malicious files used in the hacking attacks," which suggests that the malware author's development environment was set to Korean. The resource language is a language identifier that the build toolchain records in a Windows executable's resource section, so it usually reflects the locale of the machine on which the file was compiled.
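How such a resource-language trace is read from a file, as an added example that is not part of the article or of the Genians report: a Windows PE file stores its resources in a three-level tree (type, name, language), and the entry ID at the third level is a Windows LANGID (0x0412 is Korean, 0x0409 is US English). The script below walks a raw .rsrc section, collects those IDs and the code page of each resource, and tallies them. The section bytes are constructed inline for the example and are not from any real sample; on a real file you would take the section that the optional header's resource data directory points to (pefile exposes the same tree as DIRECTORY_ENTRY_RESOURCE). The KNOWN_LANGIDS table and the build_sample_rsrc helper are assumptions of this example.

```python
import struct
from collections import Counter

# Windows LANGID values commonly seen at the language level of a PE resource
# tree (assumed lookup table for this example; extend as needed).
KNOWN_LANGIDS = {
    0x0000: "LANG_NEUTRAL",
    0x0409: "en-US",
    0x0412: "ko-KR",
    0x0419: "ru-RU",
    0x0804: "zh-CN",
}

DIR_HDR = struct.Struct("<IIHHHH")   # IMAGE_RESOURCE_DIRECTORY (16 bytes)
DIR_ENTRY = struct.Struct("<II")     # IMAGE_RESOURCE_DIRECTORY_ENTRY (8 bytes)
DATA_ENTRY = struct.Struct("<IIII")  # IMAGE_RESOURCE_DATA_ENTRY (16 bytes)
SUBDIR_FLAG = 0x80000000             # high bit set: offset points to a subdirectory
LANG_LEVEL = 2                       # tree depth: 0 = type, 1 = name, 2 = language


def _walk(rsrc, offset, depth, path, out):
    """Recursively walk one IMAGE_RESOURCE_DIRECTORY at `offset` (section-relative)."""
    if depth > LANG_LEVEL:
        raise ValueError("resource tree deeper than type/name/language")
    if offset + DIR_HDR.size > len(rsrc):
        raise ValueError("directory at %#x runs past end of section" % offset)
    _, _, _, _, n_named, n_id = DIR_HDR.unpack_from(rsrc, offset)
    entry_off = offset + DIR_HDR.size
    for _ in range(n_named + n_id):
        if entry_off + DIR_ENTRY.size > len(rsrc):
            raise ValueError("directory entry at %#x runs past end of section" % entry_off)
        name, data = DIR_ENTRY.unpack_from(rsrc, entry_off)
        entry_off += DIR_ENTRY.size
        # Named entries carry a string offset with the high bit set; ID entries
        # carry the integer ID directly (at the language level, the LANGID).
        ident = "name@%#x" % (name & 0x7FFFFFFF) if name & SUBDIR_FLAG else name
        if data & SUBDIR_FLAG:
            _walk(rsrc, data & 0x7FFFFFFF, depth + 1, path + (ident,), out)
        else:
            if depth != LANG_LEVEL or isinstance(ident, str):
                raise ValueError("data entry outside the language level at %#x" % data)
            if data + DATA_ENTRY.size > len(rsrc):
                raise ValueError("data entry at %#x runs past end of section" % data)
            rva, size, codepage, _ = DATA_ENTRY.unpack_from(rsrc, data)
            out.append({"type": path[0], "name": path[1], "lang": ident,
                        "primary": ident & 0x3FF,   # PRIMARYLANGID (0x12 = Korean)
                        "codepage": codepage, "rva": rva, "size": size})


def resource_languages(rsrc):
    """Return one record per resource leaf found in a raw .rsrc section."""
    out = []
    _walk(rsrc, 0, 0, (), out)
    return out


def language_summary(rsrc):
    """Tally LANGIDs across all resources, naming the ones in KNOWN_LANGIDS."""
    counts = Counter(e["lang"] for e in resource_languages(rsrc))
    return {KNOWN_LANGIDS.get(lang, "langid %#06x" % lang): n
            for lang, n in counts.items()}


def build_sample_rsrc():
    """Constructed .rsrc section for this example (not bytes from any real sample).

    Section-relative layout:
      0   root dir  -> one ID entry: type RT_RCDATA (10) -> subdir @24
      24  type dir  -> one ID entry: resource name 101   -> subdir @48
      48  name dir  -> two ID entries: LANGID 0x0409 -> data @80, LANGID 0x0412 -> data @96
      80, 96  IMAGE_RESOURCE_DATA_ENTRY records
    """
    blob = bytearray()
    blob += DIR_HDR.pack(0, 0, 0, 0, 0, 1)
    blob += DIR_ENTRY.pack(10, SUBDIR_FLAG | 24)
    blob += DIR_HDR.pack(0, 0, 0, 0, 0, 1)
    blob += DIR_ENTRY.pack(101, SUBDIR_FLAG | 48)
    blob += DIR_HDR.pack(0, 0, 0, 0, 0, 2)
    blob += DIR_ENTRY.pack(0x0409, 80)
    blob += DIR_ENTRY.pack(0x0412, 96)
    blob += DATA_ENTRY.pack(0x3000, 512, 1200, 0)  # code page 1200 = UTF-16LE
    blob += DATA_ENTRY.pack(0x3200, 640, 949, 0)   # code page 949 = Korean (CP949)
    return bytes(blob)


if __name__ == "__main__":
    for rec in resource_languages(build_sample_rsrc()):
        print("type=%s name=%s lang=%#06x codepage=%d"
              % (rec["type"], rec["name"], rec["lang"], rec["codepage"]))
    print(language_summary(build_sample_rsrc()))
```

The LANGID is written by the resource compiler from a LANGUAGE statement or from the build machine's default locale, so a Korean ID is consistent with a Korean-language development environment but is trivially set to anything else by the author. Treat it as one corroborating indicator to be weighed with the C2 and sender-infrastructure overlaps the report also cites, not as proof of origin on its own.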
The report explained that the file "Emergency Military Command - Joint Operation Headquarters operating reference materials" showed similarities with files previously used by Kimsuky, including the way entries are written to the registry, the C2 (command-and-control) domains through which attackers issue commands to infected PCs and servers, and the email sender information.
The report added that although IP addresses close to that of the email sender used in the phishing attack have previously been classified as Kimsuky phishing infrastructure, this alone does not conclusively tie them to this attack.
The Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) had warned on December 12 last year that phishing emails posing as information about the state of emergency were circulating widely. They specifically advised against opening attachments in emails related to the state of emergency, as document-based malware disguised as documents written by the Army Intelligence Command had been discovered.