Thallium hacker group targets academics, researchers

The "Thallium" hacking organization sued by Microsoft Corporation is increasing its attacks on South Korea, through the impersonation of research documents related to North Korea's Kaesong Industrial Complex and Asia-Pacific research papers (In Korean),

Signs of new APT attacks by the "Thallium" hacking organization was discovered. The cyber attacks impersonates academic researchers through the creation and dissemination of academic research papers (with malicious code) focused on North Korea's Kaesong Industrial Complex and the Asia-Pacific region.

Thallium is a known hacking organization to the international community. In December of 2019 Microsoft filed a formal complaint with a US Federal Court in Virginia. In fact, Microsoft said on August 26 that it requested a "call trial" in which the Thallium defendants were not present and sent several summonses to the e-mail addresses they used.

Malicious files hidden inside HWP and DOCX documents. (Source=EST Security)

East Security Response Center (ESRC) analyzed that the email account used by Thallium includes some domestic (South Korean) service addresses, uses bitcoin keywords as IDs, and is closely related to malicious files reported from South Korea in the past.

In addition, the ESRC recently discovered several malicious files that were produced by Thallium. They found malicious files are being circulated under the guise of a document titled "Regulations on the Disclosure of Academic Research Paper in Asia/Pacific Region" (아시아/태평양 지역의 학술 연구논문 투고 규정) and documents related to "the characteristics of North Korean workers, experienced workers at the Kaesong Industrial Complex."

Until now, Thallium has only carried out domestic (South Korean) threat activities using so-called spear phishing attacks, which cleverly insert malicious codes into HWP and DOCX documents and send them as e-mail attachments. Newly discovered malicious files use (EXE) executable files as they are, and icons and file extensions are used to trick files into executing them like documents.

The ESRC believes that researchers and workers in research areas related to the bait documents used in the attack may have been exposed to a major advanced persistent threat (APT).

In addition, the analysis found that the files contained multiple malicious codes that did not work. The ESRC is analyzing whether the inoperative malware was carefully intended and inserted for the purpose of pre-detection testing of security products or was an unexpected mistake by the manufacturer. Some of the malicious files found carry out cyber espionage activities that secretly leak information from infected PCs.

Document impersonation screen capture from DOCX (Source: EstSecurity)

In addition, in one of the documents there is the "zhaozhongcheng" account, which is assumed to be a Chinese expression, was found to be related to other Thallium cyber attacks.

Communication systems between command control (C&C) servers and malicious files, such as "pingguo2.atwebpages[.]com", "portable.epizy[.]com", and "ramble.myartsonline[.]com", were found to be the exact same as this "impersonation striker" APT campaign.

Moon Jong-hyun, director of ESRC Center at East Security, said, "Thallium is linked to certain governments which are "Threat Actors" in the U.S. and South Korea. Many professionals in the political, diplomatic, security, unification, national defense, and North Korea field are exposed to these dangerous cyber attacks, which require enhanced security awareness and special attention."

Director Moon also explained, They are using socially engineered e-mails representing official surveys, documents reviews, and invitations to events in order to attack unsuspecting academics and researchers. If you receive e-mails suspected of being similar, you should ask professional security companies for advice or actively report them to related agencies to prevent further damage."

Currently, East Security has completed an emergency update to detect and block malicious files related to its vaccine program (ALYac), and at the same time, it is working closely with related ministries to prevent damage.


[Reporter Kwon Jun (