Welcome to the VB2021 conference!


Operation Bookcodes – targeting South Korea

Tae-woo Lee (Korea Internet & Security Agency), Dongwook Kim (Korea Internet & Security Agency) & Byeongjae Kim (Korea Internet & Security Agency)
The Korea Internet & Security Agency (KISA) carried out a detailed analysis of several security incidents believed to be the work of the Lazarus Group. While analysing an incident at a Korean company, we identified the signature string "Bookcodes" in the communication between the command-and-control (C2) server and the malware. By monitoring the C2 traffic that carries this signature string, we found that dozens of companies and individuals had been infected in a chain and were communicating with the C2 in a structured pattern. Based on this finding, the group of attacks that the Lazarus Group has carried out against South Korea since 2019 was named "Bookcodes".

Most of the C2 farms used in the Operation Bookcodes attacks were built on domains belonging to compromised South Korean companies. By monitoring the attacker's C2 we confirmed that dozens of companies had been infected, notified those companies, and supported them in developing defensive measures. In this presentation we will share when Operation Bookcodes began, how the incident investigation was carried out, and what artifacts were found. Based on the analysis results, we will also describe the attacker's tactics, techniques and procedures (TTPs): the initial penetration method of the Operation Bookcodes attacks, the information collection method, and the internal propagation method.

The attacker first takes control of a hosting server that operates a large number of websites, to use it as a stronghold for the subsequent attack. Typically it targets bulletin boards on vulnerable websites, uploads web shells, and then takes control of the host by exploiting a local privilege escalation vulnerability on the hosting server. From the hosting server under its control, it attempts initial penetration of the target company in two ways:

1. Spear-phishing emails carrying Korean-language document attachments or malicious links.
2. Watering-hole attacks, in which exploit code is inserted into the websites on the stronghold it took control of in advance, so that visitors from the target are infected.

Once it has successfully penetrated the target, it maps the internal network structure while collecting system information, and uses this to decide whether to carry out further malicious activity. It also connects the remote attacker's drive to the infected system, which makes it faster and easier to install additional malware and to collect the results of each command.

The additionally installed malware secures persistence through service registration and startup program registration, and where necessary it is executed through legitimate programs to avoid detection by anti-virus software. For internal spread the attacker also accesses network shares, and if a network separation policy is in effect, it identifies and attacks the contact points between the networks, such as network-bridging solutions and DRM solutions, by probing them for vulnerabilities.
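The persistence and drive-mapping behaviours described above are the kind of thing a defender wants to triage from endpoint telemetry. The following is an added example written for this page, not code from the KISA presentation: it runs simple rules over a handful of constructed Windows event records (field names modelled loosely on Sysmon and System log events; the paths, service names, SID and IP addresses are invented) and flags service registration from user-writable directories, Run-key persistence, execution through a legitimate proxy binary, and `net use` mappings to hosts outside the RFC 1918 ranges.

```python
# Added triage example (not from the KISA presentation). Event records are
# constructed for illustration and shaped loosely after Sysmon / System log
# fields; field names, paths, SIDs and IPs are assumptions.
import ipaddress
import re

# Directories a low-privileged user can write to: a new service or Run-key
# value pointing here is the classic "drop a file and persist" pattern.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
NET_USE = re.compile(r"\bnet(\.exe)?\s+use\b", re.IGNORECASE)
UNC_HOST = re.compile(r"\\\\([^\\\s]+)\\")
# Signed Windows binaries commonly used to run attacker DLLs/scripts so the
# process tree looks legitimate to anti-virus software.
PROXY_BINARIES = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(host):
    """True only for RFC 1918 addresses; hostnames are not resolved here."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def _with_proxy_tag(rule, command):
    """Suffix the rule when the persisted command runs through a proxy binary."""
    return rule + "+proxy_binary" if PROXY_BINARIES.search(command) else rule


def triage(events):
    """Return (rule, detail) tuples for events matching the TTPs described above."""
    findings = []
    for ev in events:
        eid, channel = ev.get("event_id"), ev.get("channel")
        # 1. Service registration (System log event 7045) with a binary in a
        #    user-writable directory.
        if channel == "System" and eid == 7045:
            path = ev.get("ImagePath", "")
            if USER_WRITABLE.search(path):
                findings.append((_with_proxy_tag("service_user_writable", path),
                                 f'{ev.get("ServiceName", "?")} -> {path}'))
        # 2. Startup program registration (Sysmon event 13: registry value set
        #    under a Run/RunOnce key).
        elif channel == "Sysmon" and eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            findings.append((_with_proxy_tag("run_key_persistence", details),
                             f'{ev["TargetObject"]} = {details}'))
        # 3. Drive mapping (Sysmon event 1: "net use" with a UNC path). A map
        #    to a non-RFC1918 host is the remote attacker-drive pattern; an
        #    internal map is recorded as possible lateral movement.
        elif channel == "Sysmon" and eid == 1 and NET_USE.search(ev.get("CommandLine", "")):
            match = UNC_HOST.search(ev["CommandLine"])
            if match:
                rule = "internal_share_mapped" if is_internal(match.group(1)) else "remote_drive_mapped"
                findings.append((rule, ev["CommandLine"]))
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"channel": "System", "event_id": 7045, "ServiceName": "WinUpdateSvc",
     "ImagePath": r"C:\ProgramData\update\svc.exe"},
    {"channel": "System", "event_id": 7045, "ServiceName": "wuauserv",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"channel": "Sysmon", "event_id": 13,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"rundll32.exe C:\Users\Public\lib.dll,Start"},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\203.0.113.10\share /user:guest Passw0rd"},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use H: \\10.20.30.40\finance"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

The benign `svchost.exe` service produces no finding, the Run-key entry is tagged both as persistence and as proxy-binary execution, and the two `net use` commands are separated by whether the share lives inside the organisation's address space. In a real deployment the rules would be fed from the event log rather than an inline list, and the internal-range check would be replaced by the organisation's actual address plan.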

During the analysis we further examined the commands (packets) and command structures used by the actual attacker, and learned how the components operate together in the C2 farm, the infrastructure built by the attacker; how the Bookcodes attacks are carried out; and how to respond to and remediate them.

Got a question about this presentation? To get in touch with the speakers, contact Taewoo Lee by email on [email protected] or on Twitter at @heavyrain_89, or Dongwook Kim by email on [email protected] or on Twitter at @88_ryank.
Tae-woo Lee
Korea Internet & Security Agency (KrCert/CC)

Tae-woo Lee is in charge of malware analysis and incident response at the Korea Internet Security Center (KISC) of the Korea Internet & Security Agency (KISA). Before joining KISA, he was a malware analyst at an anti-virus company in Korea (ROK). He is currently researching the groups carrying out attacks (such as ransomware, supply chain attacks and information leakage) that threaten cybersecurity in Korea, and is particularly interested in research on preventing cyber attacks by Korean-speaking attacker groups.

Dongwook Kim
Korea Internet & Security Agency (KrCert/CC)

Dongwook Kim has worked for the Korea Internet & Security Agency since 2013 as a computer incident analyst. His team has extensive experience of Internet security incident response (supply chain attacks, cryptocurrency exchange hacking and so on). Recently, Dongwook has been tracking and analysing specific hacking groups targeting Korea.

Byeongjae Kim
Korea Internet & Security Agency (KrCert/CC)

Byeongjae Kim has been doing intrusion analysis and malware analysis for 10 years at the Ministry of Defense and the Korea Internet & Security Agency. The agency team has recently analysed various cases of supply chain attacks and continues to work on how to respond to them. Byeongjae is currently analysing the TTPs of attack groups.