A North Korea-linked hacking campaign that infects devices with malware when a Hangul (HWP) document is opened has been identified in Korea. The operation combined targeted phishing that impersonated university professors and broadcast writers with a sophisticated technique for hiding malicious files inside documents and images.
Genians Security Center said on the 22nd that it identified signs that APT37, a hacking group linked to North Korea, carried out the so-called "Artemis operation," which inserts a malicious object into a Hangul document.
According to Genians, the attacker sent a Hangul document by email and then lured the user into executing a malicious OLE object embedded in the document, thereby gaining control of the user's system. For the initial intrusion, a spear-phishing approach was used in which the sender impersonated specific individuals or institutions.
After infection, concealment techniques were used to evade detection. A steganography method that hides malicious files inside JPEG image files and a DLL side-loading technique that disguises the malware as a legitimate program were applied together. Analysts found that the image concealed a RoKRAT module, a piece of malware used for information theft.
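The article does not say how the RoKRAT module was embedded in the JPEG, so the following is an added triage example, written here and not taken from the Genians report, for the most common form of "malware hidden in an image": an arbitrary blob appended after the JPEG's End-Of-Image (FFD9) marker, which image viewers silently ignore. The parser walks the real marker structure (rather than searching for the last FFD9, which a payload could itself contain), so it reports exactly where the image ends and what follows. The sample image bytes and the fake payload are constructed inline; the function and variable names are this example's own.

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker of the JPEG at the start of data.

    Walks the marker segments up to Start-Of-Scan, then scans the entropy-coded
    data for a genuine marker. Byte-stuffed FF00 and restart markers FFD0-FFD7
    are not segment boundaries and are skipped. Raises ValueError if the bytes
    do not form a complete JPEG.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    # Header region: every segment is FF xx [16-bit length] ... until SOS.
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError("corrupt or truncated marker table")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, allowed before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI with no scan data at all
            return pos + 2
        if marker == 0x01 or marker == 0xD8 or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:            # SOS: entropy-coded data begins here
            break
    # Scan region: only FF followed by something other than 00 / D0-D7 is a marker.
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            pos += 1
            continue
        nxt = data[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 or nxt == 0xFF:
            pos += 2 if nxt != 0xFF else 1
            continue
        if nxt == 0xD9:
            return pos + 2
        # Another table or scan header (progressive JPEG): skip its length field.
        if pos + 4 > len(data):
            raise ValueError("truncated segment header in scan region")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Everything after the image proper; empty for a clean JPEG."""
    return data[jpeg_end_offset(data):]


def triage(data: bytes) -> dict:
    """Summary a responder can log: where the image ends and what is appended.

    An encrypted or XOR-obfuscated module will not start with 'MZ', so the
    trailing size is the primary signal; the PE check is only a bonus.
    """
    end = jpeg_end_offset(data)
    tail = data[end:]
    return {
        "eoi_offset": end,
        "trailing_bytes": len(tail),
        "trailing_is_pe": tail.startswith(b"MZ"),
    }


def build_sample(payload: bytes) -> bytes:
    """Constructed minimal JPEG-shaped byte string with an appended payload.

    It is structurally valid for the parser above but is not a decodable
    picture; the scan data deliberately contains a stuffed FF00 and an RST0
    marker so the parser's handling of both is exercised.
    """
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0_seg = b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    sos_seg = b"\xff\xda" + struct.pack(">H", 2 + len(sos_hdr)) + sos_hdr
    scan = b"\x12\x34\xff\x00\xab\xff\xd0\x56\x78"
    return SOI + app0_seg + sos_seg + scan + EOI + payload


if __name__ == "__main__":
    fake_module = b"MZ\x90\x00" + b"A" * 20   # constructed stand-in for a hidden DLL
    print(triage(build_sample(fake_module)))
    print(triage(build_sample(b"")))
```

Run it over every JPEG dropped or downloaded by a suspect HWP process; a non-zero `trailing_bytes` on a file that a viewer opens normally is the pattern to escalate. LSB-style steganography, which changes pixel data rather than appending bytes, would not be caught by this check.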
Genians said APT37 has continuously refined its attack methods over the several months since last summer. In confirmed cases, the attackers assumed the identity of a specific university professor or of a writer at a major domestic broadcaster, kept up a conversation with the target over an extended period to build trust, and delivered the malicious Hangul document only at the final stage.
Genians said, "Attack scenarios using the name of a broadcast writer have been continuously observed before," and added, "Given the characteristics of a threat actor with strategic objectives, it is highly likely that a considerable number of infiltration attempts have yet to come to light."