Welcome to the VB2021 conference!

Operation Bookcodes – targeting South Korea

Tae-woo Lee (Korea Internet & Security Agency), Dongwook Kim (Korea Internet & Security Agency) & Byeongjae Kim (Korea Internet & Security Agency)

The Korea Internet & Security Agency (KISA) carried out a detailed analysis of various security incidents believed to be attacks by the Lazarus Group. While analysing incidents that targeted a Korean company, we identified the signature string "Bookcodes" in the communication between the command server and the malware. After monitoring the C2 communication process using this signature string, we found that dozens of companies and individuals had been infected in a chain and were communicating systematically. Based on this finding, the group of attacks that the Lazarus Group has carried out against South Korea since 2019 was named "Bookcodes".

Most of the C2 farms used in the Operation Bookcodes attacks used domains belonging to hacked South Korean companies. We monitored the attacker's C2 and confirmed that dozens of companies had been infected, so we informed those companies of the infection and provided support to help them develop defence strategies. In this presentation, we will share when Operation Bookcodes began, how the incident investigation was carried out, and what artifacts were found. Based on the analysis results, we will also describe the attacker's tactics, techniques and procedures (TTPs), covering the penetration method, information collection method, and internal propagation method of the Operation Bookcodes attacks.

In advance, the attacker takes control of a hosting server that operates a large number of websites, to use as a stronghold for carrying out the attack. In general, the attacker targets bulletin boards on vulnerable websites, uploads web shells, and takes control by exploiting a local privilege escalation on the host server. From the hosting server under its control, it attempts initial penetration of a target company in two ways.

1. Sending a spear-phishing email with a document in Korean attached or with a malicious link.
2. Using a watering hole: inserting vulnerability-exploiting code into the stronghold it took control of in advance and inducing targets to access it.

Once it has successfully penetrated, the attacker identifies the internal network structure while collecting system information to determine whether or not to carry out further malicious behaviour. It also connects the attacker's remote drive to the infected system, making it faster and easier to install additional malware and collect the results of each command.

The additionally installed malware performs activities such as service registration and startup program registration to maintain persistence and, if necessary, uses legitimate programs to avoid detection by anti-virus software. The attacker also accesses shared networks to spread internally, and if a network separation policy is in effect, it verifies the contact points between networks, such as network-linked solutions and DRM solutions, and identifies and attacks vulnerabilities in them.

During the analysis, we further examined the commands (packets) and command structures used by the real attacker, and we learned how they operate organically in the C2 farm, an infrastructure built by the attacker; how the Bookcodes attacks are carried out; and how to respond to and reprocess them.

Got a question about this presentation? To get in touch with the speakers, contact Taewoo Lee by email on [email protected] or on Twitter at @heavyrain_89, or Dongwook Kim by email on [email protected] or on Twitter at @88_ryank.

Tae-woo Lee
Korea Internet & Security Agency (KrCert/CC)

Tae-woo Lee is in charge of malicious code analysis and IR at the Korea Internet Security Center (KISC) of the Korea Internet & Security Agency (KISA). Before working at KISA, he was a malware analyst at an anti-virus company in Korea (ROK). Currently, he is researching groups that carry out attacks (such as ransomware, supply chain attacks and information leakage) that threaten cybersecurity in Korea. He is particularly interested in research related to preventing cyber attacks by groups composed of attackers who speak Korean.

Dongwook Kim
Korea Internet & Security Agency (KrCert/CC)

Dongwook Kim has been working for Korea Internet Security Agency since 2013 as a computer incident analyst. The team has a lot of experience in Internet security incident response (supply chain attacks, cryptocurrency exchange hacking and so on). Recently, Dongwook has been tracking and analysing specific hacking groups targeting Korea.

Byeongjae Kim
Korea Internet & Security Agency (KrCert/CC)

Byeongjae Kim has been doing intrusion analysis and malware analysis for 10 years at the Ministry of Defense and Korea Internet Security Agency. The agency team has recently analysed various cases of supply chain attacks and continues to think about how to respond. Byeongjae is currently analysing the TTPs of attack groups.