The Korea Internet & Security Agency (KISA) carried out a detailed analysis of various security incidents believed to be attacks by the Lazarus Group. While analysing security incidents that targeted a Korean company, we identified the signature string "Bookcodes" in the communication between the command-and-control (C2) server and the malware. After monitoring the C2 communication that carried this signature string, we found that dozens of companies and individuals had been chain-infected and were communicating according to a common scheme. Based on this finding, the group of attacks that the Lazarus Group has carried out against South Korea since 2019 was named "Bookcodes".
Most of the C2 farms used in the Operation Bookcodes attacks used domains belonging to compromised South Korean companies. We monitored the attacker's C2 and confirmed that dozens of companies had been infected, so we informed those companies of the infection and provided support to help them develop defence strategies. In this presentation, we will share when Operation Bookcodes began, how the incident investigation was carried out, and what artifacts were found. Also, based on the analysis results, we will describe the attacker's tactics, techniques and procedures (TTPs), and thus share the initial penetration method of the Operation Bookcodes attacks, their information collection method, and their internal propagation method.
The attacker takes control of a hosting server that operates a large number of websites in advance, to use it as a stronghold from which to carry out the attack. In general, the attacker targets bulletin boards on vulnerable websites, uploads web shells, and then takes control of the server by exploiting a local privilege escalation vulnerability on the hosting server. From the hosting server under its control, it attempts an initial penetration of a target company in two ways:
1. Spear-phishing emails with a Korean-language document attached or containing a malicious link.
2. Watering-hole attacks, in which exploit code is inserted into the stronghold website it took control of in advance to lure victims into visiting it.
Once it has successfully penetrated the target, the attacker maps the internal network structure while collecting system information to decide whether to carry out further malicious activity. It also connects a remote drive controlled by the attackers to the infected system, making it faster and easier to install additional malware and to collect the results of each command.
The additionally installed malware registers itself as a service or start-up program to establish persistence, and uses legitimate programs to evade detection by anti-virus software where necessary. For internal propagation, the attacker accesses network shares; where a network separation policy is in effect, it identifies contact points between the separated networks, such as network-linking solutions and DRM solutions, and attacks vulnerabilities in them.
During the analysis, we further examined the commands (packets) and command structures used by the real attacker, and we learned how they operate together within the C2 farm, the infrastructure built by the attacker; how the Bookcodes attacks are carried out; and how to respond to and remediate them.
Got a question about this presentation? To get in touch with the speakers, contact Taewoo Lee by email on [email protected] or on Twitter at @heavyrain_89, or Dongwook Kim by email on [email protected] or on Twitter at @88_ryank.