Talk

Group123: Korea In The Crosshairs

conf 2018-11-09 10:10 – 11:00 FR

This talk will present the activities of Group123 during 2017 and 2018. I will present campaigns against South Korean targets (individual users and organizations) and campaigns against non-Korean financial institutions. The purpose of our presentation is to describe the different campaigns, starting with the infection vector (Hangul Word Processor or Office document), then the malware installation and the final payload (such as ROKRAT). During the investigation period we discovered that this actor has different capabilities, such as espionage and destruction. Finally, we will describe this group's rise in power and its use of a Flash 0-day (CVE-2018-4878) for months. Additionally, I will mention an Android app, Korean malware that is linked to this group.