ファイアウォールの新たなゼロデイ脆弱性が話題になっています。ファイアウォールやVPNについて不安をお持ちの場合は、Zscalerの特別オファーをご活用ください。

Zscalerのブログ

Zscalerの最新ブログ情報を受信

購読する
セキュリティリサーチ

The Unintentional Leak: A glimpse into the attack vectors of APT37

SUDEEP SINGH, NAVEEN SELVAN
3月 21, 2023 - 22 分で読了

Summary

At Zscaler ThreatLabz, we have been closely monitoring the tools, techniques and procedures (TTPs) of APT37 (also known as ScarCruft or Temp.Reaper) - a North Korea-based advanced persistent threat actor. This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations.

During our threat hunting research, we came across a GitHub repository which is owned by a member of the threat actor group. Due to an operational security (OpSec) failure of the threat actor, we were able to access a wealth of information about the malicious files used by this APT group along with the timeline of their activities dating as far back as October 2020.

Recently, Sekoia shared their findings of the toolset of APT37 here. In our blog, we disclose additional details which we found as a result of our in-depth investigation of the threat actor's GitHub repository.

The large number of samples we identified through the attacker's GitHub repository are not present on OSINT sources such as VirusTotal either. This allowed us to get more insights into this threat actor's previously undocumented attack vectors, motives, targets and the themes used.

In this blog, we will provide a high-level technical analysis of the infection chain, the new loaders we identified and a detailed analysis of the themes used by this APT group, discovered while reviewing the GitHub commit history. Even though the threat actor routinely deletes the files from the repository, we were able to retrieve all the deleted files and do an analysis of them.

Key Takeaways

  • APT37 is a North Korea-based advanced persistent threat actor which primarily targets individuals in South Korean organizations.
  • Its main objective is cyber espionage and it achieves this through data exfiltration of selected file formats of interest to the threat actor
  • It distributes the Chinotto PowerShell-based backdoor using various attack vectors.
  • We discovered the GitHub repository of APT37 and uncovered many previously undocumented attack vectors, artifacts and themes used by this group
  • File formats abused by APT37 include Windows help file (CHM), HTA, HWP (Hancom office), XLL (MS Excel Add-in) and macro-based MS Office files.
  • In addition to distributing malwares, this group is also focused on credential phishing attacks
  • The group has resumed its activity in the second half of Jan 2023 and since then is actively targeting users in South Korea through spear phishing emails
  • For C2 infrastructure, it often compromises South Korea-based bulletin board system (BBS) websites and uses them
  • The group is constantly evolving its tools, techniques and procedures while experimenting with new file formats and methods to bypass security vendors

Attack Chain

There are multiple attack vectors used by APT37 in this campaign. Figure 1 and Figure 2 show 2 examples of the attack-chain. The other attack vectors we have described in the "Recent TTPs" section.

Figure 1: attack-chain using CHM file format to kick start the infection chain
 

Figure 1: attack-chain using CHM file format to kick start the infection chain


Figure 2: attack-chain using the MS Office Excel add-in to kick start the infection chain

Figure 2: attack-chain using the MS Office Excel add-in to kick start the infection chain

Opsec failure by APT37

Threat actor's GitHub repository overview

Our initial discovery was the GitHub repository of APT37 which was used to stage several malicious payloads. Figure 3 shows a preview of the threat actor's GitHub repository

Figure 3: GitHub account of the threat actor
Figure 3: GitHub account of the threat actor

The contents of the Readme file are chosen to appear as an Android software related repository. At the end of the Readme file, we noticed a base64-encoded string, preceded by a tag

While reviewing the commit history, we noticed that the threat actor often updates this encoded string. While we were not able to identify the exact usage of this encoded string, we believe it will be fetched by a payload on the endpoint.

Figure 4 shows a GitHub commit where the threat actor is updating the encoded token.

Figure 4: GitHub commit which shows threat actor updating the encoded token in the README
Figure 4: GitHub commit which shows threat actor updating the encoded token in the README


Recovery of deleted files

When we reviewed the commit history of the GitHub repository, we noticed that the threat actor frequently deleted malicious files from it. Figure 5 shows commit logs related to the delete events.

Figure 5: GitHub commit history showing the files being deleted routinely by the threat actor

Figure 5: GitHub commit history showing the files being deleted routinely by the threat actor

We traced this commit history all the way to its origin, and observed that the first commit happened in October 2020. This was surprising to us since the threat actor was able to maintain a GitHub repository, frequently staging malicious payloads for more than 2 years without being detected or taken down.

Figure 6 shows the first commit in the commit history logs.

Figure 6: First commit in the GitHub account. Activity started in October 2020
Figure 6: First commit in the GitHub account. Activity started in October 2020

Our next step was to retrieve all the deleted files from the GitHub repository. We have included the list of hashes and the original filenames in the indicators of compromise (IOCs) section.

Themes and target analysis

This wealth of information retrieved from the GitHub repository gave us a lot of insight into the types of themes used by the threat actor as social engineering lures and we were able to make an educated guess about the potential targets of the campaign.

Per our analysis of the file names, and the decoy contents, we have summarized the themes below along with examples. This is not an exhaustive list

 

Theme

Filename

Comments

Geopolitical

[INSS] National Security and Strategy (Winter 2022).rar

 

South Korean companies

LG유플러스_이동통신_202207_이_선.rar

SamsungLife.rar

Themes related to popular South Korean companies - LG and Samsung

Academic institutes

final exam questions 2022 summer  KED.rar

2022 후기 신-편입생 모집요강.rar

Exam questions related to Korean Economic Development (KED)

Related to University of North Korean studies

Finance (income tax, general insurance)

WooriCard_20220401.rar

BoanMail.rar

WooriCard is a popular financial services organization in South Korea

Hanwha general insurance is a major insurer in South Korea


 

Examples of decoy themes

We have included below a few decoy themes used by the threat actor. These are samples not yet documented in the public domain. So, we hope to share more insights into the themes used in the campaign through this information.


Geopolitics

Figure 7 shows a decoy file related to INSS (Institute of National Security Strategy) in South Korea. This decoy PDF was sent along with a CHM file inside the archive file with the name: [INSS] National Security and Strategy (Winter 2022).rar

Figure 7: Decoy related to geopolitics theme
Figure 7: Decoy related to geopolitics theme


Education and academic institutes

Figure 8 shows a decoy file related to examination questions on the topic of Korean Economic Development

Figure 8: decoy related to education theme
Figure 8: decoy related to education theme


Finance

Figure 9 shows a decoy file related to the Hanwha General Insurance - a major insurer in South Korea. This decoy file was sent along with the CHM file in an archive file - BoanMail.rar

Figure 9: decoy related to finance theme

Figure 9: decoy related to finance theme

Recent TTPs

Attack vector - CHM

It is well-known that APT37 uses a Chinotto PowerShell-based backdoor which is deployed on the endpoint through a malicious Windows help file (CHM). These CHM files are distributed inside archive files. Most of these archive files contain two components - the malicious CHM file and the decoy file to be displayed to the victim.

In most cases, the decoy files are password-protected. The password to open the decoy file is displayed by the CHM file.

Figure 10 below shows an example of code inside the CHM file which is responsible for displaying the decoy file to the victim, downloading a malicious HTA file from the attacker's server and executing it.

Figure 10: code inside the CHM file used to launch MSHTA and download HTA
Figure 10: code inside the CHM file used to launch MSHTA and download HTA


New attack vector - MS Excel Add-in

So far in most of the campaigns of APT37 deploying Chinotto PowerShell backdoor, they have leveraged CHM files distributed inside archive files.

Interestingly, on March 15th 2023, around the time of our investigation, the threat actor uploaded a malicious Microsoft Excel Add-in to the GitHub repository. This Add-in is an XLL file. XLL files are DLLs which function as an add-in for the Microsoft Excel application.

We haven't seen this attack vector used by APT37 before and we believe this to be the first case being documented.


Technical analysis of the XLL file

For the purpose of technical analysis, we will use the XLL file with MD5 hash: 82d58de096f53e4df84d6f67975a8dda

XLL files get activated when they are loaded by the MS Excel application. There are various callback functions provided by Microsoft which allow the XLL file to communicate with the Excel application. One of the most common functions is xlAutoOpen() which is called as soon as the DLL is loaded and activated by the MS excel application.

Figure 11 below shows the code present in the XLL file in our case.

Figure 11: xlAutoOpen() subroutine of the malicious MS Office Excel add-in
Figure 11: xlAutoOpen() subroutine of the malicious MS Office Excel add-in

Below are the main steps performed by this XLL file.

  • Extracts an XLS file from the entry called "EXCEL" in its resource section and drops it on the filesystem in the path: C:\programdata\20230315_SejeongSupport.xls
     
  • Displays the above dropped XLS file that is a decoy and used as a social engineering lure
     
  • Launches MSHTA to download an HTA file from the URL: hxxp://yangak[.]com/data/cheditor4/pro/temp/5.html

This HTA file contains the PowerShell backdoor called Chinotto

Ultimately, we see that the goal of this XLL file is also to deploy the Chinotto PowerShell backdoor. However, instead of using the CHM file, it now uses the XLL file.


Attack vector - LNK

We recovered some LNK files from the GitHub repository which were uploaded in August 2022 and apparently used in in-the-wild attacks around the same timeframe. These LNK files were present inside RAR archives. Along with the LNK file, an HTML file was present masquerading as a sign-in page of the South Korean company - LG.

The two LNK files we observed, both used dual extensions - "html.lnk" and "pdf.lnk".

These LNK files were used to execute MSHTA and download the malicious HTA file from the attacker's server. Rest of the attack-chain is similar to other cases which finally leads to the Chinotto PowerShell-based backdoor.

We analyzed the metadata of the LNK file with LECmd tool and noticed that both the LNK files were generated on a Virtual Machine running VMWare and with a Mac address of: 00:0c:29:41:1b:1c

Since the threat actor reused the same Virtual Machine to generate multiple payloads, this information could be useful for threat hunting and threat attribution purposes in future.

Figure 12 and 13 show the outputs of LECmd tool highlighting the target command executed by the LNK and other important metadata

Figure 12: LNK target command line and metadata extracted using LECmd
Figure 12: LNK target command line and metadata extracted using LECmd

Figure 13: LNK machine details extracted using LECmd

Figure 13: LNK machine details extracted using LECmd

Figure 14 shows the decoy HTML file which is packaged along with the LNK file inside the same archive.

Filename: LG유플러스_이동통신_202208_이_선.html
Translation: U+_Mobile_Communication_202208_Lee_Seon.html

Figure 14: decoy file related to LG
Figure 14: decoy file related to LG


Attack vector - Macro-based MS office file

In March 2022, a macro-based MS office Word file was uploaded to the GitHub repository. This macro would launch MSHTA to download the PowerShell-based Chinotto backdoor as well. The target URL from where the HTA file is fetched is also the same as the previous case. This shows that the threat actor uses multiple initial file formats and attack vectors to deploy the same backdoor.

Filename: NEW(주)엠에스북스 사업자등록증.doc
Filename translation: NEW MS Books Business Registration Certificate.doc

Figure 15 shows the relevant VBA macro code.

Figure 15: VBA macro used to launch MSHTA to download the malicious HTA file
Figure 15: VBA macro used to launch MSHTA to download the malicious HTA file


Attack vector - HWP file with embedded OLE object

Another attack vector used by APT37 to deploy Chinotto PowerShell-based backdoor on the endpoint is using HWP files with embedded OLE objects. These OLE objects contain a malicious PE32 binary which executes MSHTA to download a PowerShell-based backdoor from the C2 server.

When viewed with Hancom Office, the embedded OLE objects take the form of a clickable element in the document's body.

APT37 makes use of misleading bait images to entice the user to click on the OLE object elements, an action required to cause the execution of the malicious PE payloads inside these objects.

Figure 16 shows an example of such a document, as it appears in Hancom Office.

Figure 16

Figure 16: Malicious HWP document by APT37. The Korean-language dialog is fake - it’s in fact an OLE object represented by a static image of a dialog. When it’s clicked, a real dialog pops up - prompting the user to confirm the execution of the payload.

Rest of the attack-chain is similar to the previous cases.

For the purpose of technical analysis, we will consider the HWP file with MD5 hash: a4706737645582e1b5f71a462dd01140

Filename: 3. 개인정보보완서약서_북주협.hwp
Translated filename: 3. Personal Information Security Pledge_Bukjuhyeop.hwp

Figure 17 shows the OLE object stream present inside the HWP file.

Figure 17: malicious OLE object stream present inside the HWP file

Figure 17: malicious OLE object stream present inside the HWP file

Object streams in HWP files are zlib compressed. After decompressing, we extracted the PE32 binary from it.

MD5 hash of the extracted binary: d8c9a357da3297e7ccb2ed3a5761e59f
Filename: HancomReader.scr
PDB path: E:\Project\windows\TOOLS\RunCmd\Release\RunCmd.pdb

Figure 18 shows the relevant code in HancomReader.scr

Figure 18: Relevant code in HancomReader.scr used to download and execute the PowerShell backdoor

Figure 18: Relevant code in HancomReader.scr used to download and execute the PowerShell backdoor

Zscaler Sandbox Detection

Figure 19 shows the HTA file detection in the Zscaler sandbox.

Figure 19: Zscaler Cloud Sandbox report
Figure 19: Zscaler Cloud Sandbox report


Figure 20 shows the detection for the macro-based MS Office Word file in Zscaler sandbox.

Figure 20 shows the macro-based document file detection in Zscaler sandbox.
Figure 20 shows the macro-based document file detection in Zscaler sandbox.

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels:

HTA.Downloader.Chinotto
VBA.Downloader.Chinotto
Win32.Backdoor.Chinotto

Conclusion

As we discussed in this blog, APT37 is a threat actor heavily focused on targeting entities in South Korea. It is constantly updating its tactics, techniques and procedures as is evident from the multiple file types used in the initial stages by it. The themes used by this threat actor range from geopolitics, current events, education to finance and insurance.

It is also particularly interested in current events and activities related to the Korean peninsula.

We will continue monitoring the activities of this threat actor and ensure our customers are protected against APT37.

Indicators Of Compromise (IOCs)

Archive file hashes
 

MD5 hash

Archive filename

3dd12d67844b047486740405ae96f1a4

(20220120)2022년 총동창회 신년인사001.rar

e9cd4c60582a587416c4807c890f8a5b

(양식) 제20대 대통령 취임식 재외동포 참석자 추천 명단(국민의힘당원 000).rar

6dc7795dde643aae9ced8e22db335ad1

1.rar

e3879ea3f695706dfc3fc1fb68c6241d

2017-APEC.rar

17bc6298bf72fa76ad6e3f29536e2f13

2022 후기 신-편입생 모집요강.rar

54a99efd1b9adec5dc0096c624f21660

2022-01-27-notification.rar

f3f4cf7876817b1e8a2d49fe9bd7b206

2022-03-22.rar

bb182e47e1ffc0e8335b3263112ffdb1

2022-04-14.rar

9d85c8378b5f1edefb1e9837b3abb74f

2022.04.27.rar

cb33ef9c824d16ff23af4e01f017e648

2022.rar

75fe480a0669e80369eaf640857c27cd

20220315-112_Notice.rar

6db5f68b74c8ba397104da419fcc831d

202203_5_06.rar

cfd73942f61fbb14dded15f3d0c92f4a

20220510_115155.rar

5c67c9266e4267d1bf0862bf2c7bd2a5

20220913.rar

1531bba6a8028d38d36c0a91b91159c3

20220916093205755684_TSA.rar

afdc59ec36ac950de08169162783accd

2022년 국방부 부임이사 안내(몽골리아).rar

06c112968cdde43c3424bdf0a2a00928

20230302_Guide.rar

6ab401c83095129a182b9be0359d602d

3사복지업무.rar

93e94b673c6d1ea6d615c0102dc77610

Ambassador Schedule Week 6 2023.rar

e32f59fd5acbe01d2171ba6c2f24e3ca

Announcement.rar

7b60dc663e1025e8892b96fa9fc34f00

BoanMail.rar

5e95023c6ac3f3fefe00cfc2b4b1d093

CR_20230126.rar

353370ade2a2491c29f20f07860cf492

CV.rar

120a677df1c4d1f0792b6547d3b60183

DBLife-2022_08_05.rar

02baa23f3baecdc29d96bffea165191b

Details.rar

c3325c43b6eea2510f9c9f1df7b7ce22

Documents.rar

04a7290e04fd1855140373aa3d453cef

DriverSet.rar

87c3e8e4308aac42fed82de86b0d4cb6

Estimate.rar

328dc6e7acce35abaaf3811bac2bc838

H2O 견적서.rar

e9230cf7615338ab037719646d67351b

HealthDoc.rar

cf012ca48b5e1f6743be7e0d10cdfd2e

Introduce.rar

34d3e5306cff0bfe831ccd89d095ef33

Invoice_1514_from_Evo3_Marketing_Inc.rar

717dab257423d5fd93d0d02f3ff242e7

KB_20220111.rar

0164d8a2d27cfd312fb709c60c351850

KB_20230126.rar

c23c17756e5ccf9543ea4fb9eb342fde

KN0408_045 정영호.rar

31793153b12f1187287007578017abd4

KakaoTalk_20220419_103447534.rar

030df9bca0a35bcd88d5897482ee226d

LG유플러스_이동통신_202207_이_선.rar

8eb56493d984b3c2fa4c2dedb6871dd7

LG유플러스_이동통신_202208_이_선.rar

0c2375825dcae816a1f9b53f8f82d705

MAIL_20230125151802.rar

93817f6dfe3a7596eeef049eda9c8b18

Message.rar

3fe6722cd256d6d5e1d5f5003d6a01a5

NTS_eTaxInvoice.rar

c1b6390f0ef992571fa9ed3c47eb0883

News about Foreign affairs, The High North and Ukraine.rar

6dc7795dde643aae9ced8e22db335ad1

Oxygen_Generator.rar

3b52f149e220da28bf9cd719570979ce

Payment.rar

e5c509a33db926f3087c3a52546b71f2

Provincil's letter.rar

d5ad2c1790c715d88b5e05ca4329417d

References.rar

4d27d6b01f85a4b40650e6bc7cc18ed3

SamsungLife.rar

3a4f4b1fb30fbb70c14dea600a56ca68

SecureMail.rar

5a8bdfb0008767cdb05dfcc3223e9a70

TermsOfService.rar

881ccfd6c11b774b80b304ab78efef53

Transaction.rar

f2be2c1e80769a45761d0b69a46a627f

TransactionGuide.rar

f7a73eaf15ee8d8f3257a359af5987eb

WooriCard_14day_20220609.rar

b6c4137868e2c305241093e967b2d60b

WooriCard_20211222.rar

715d408b45e5334a985e7e6279fa80ac

WooriCard_20220401.rar

b2ce0ba21ae1e982a3a33a676c958bec

XQQ-2022-D27.rar

b9f423b42df0df0cb5209973345d267c

[INSS] National Security and Strategy (Winter 2022).rar

ab0dc3964a203eea96a233c8d068de95

[붙임] 제20대 대통령선거 제1차 정책토론회 시청 안내문.rar

fbc339cd3f4d39af108b4fdb70202b22

boanmail-202101-j08.rar

fbc339cd3f4d39af108b4fdb70202b22

boanmail_202201_2_505824.rar

0db43beb06845026cf33c59baa66b393

boanmail_202201_5_02-10424.rar

237bcbe07219eb24104815205cc01d24

boanmail_202201_5_80222982.rar

2bf05e2526911b3bdb7f77cbbe4155f3

db-fi.rar

0923c69808352feb9a57a766c611b7d4

dbins_secure.rar

8c3bb54dcd4704a0f0b307863345c5d1

email_1649225531086.rar

0947efee85596a17bdd1e798826d48aa

enkis.rar

93675086f33fb0708982eafea5568f05

final exam questions 2022 summer  KED.rar

8faabae5e6766a6a93a56014cca5c295

hi_security_mail.rar

9e7099b32f6bd36724a71f6c3cb21d17

issue.rar

9c6d553682813724424a7fcc7af8729d

mmexport1638437859483.rar

6da10cc37edee7e16c520f2f95cd9304

pay_202111_5_00-10290.rar

f07a3d146f32bfa8f53e5cae7178559e

pay_202111_5_01-10104.rar

0beeb858734cd7da03b1284e7fe00b22

pay_202111_5_02-12972.rar

8c4cbe900cf69c739882cef844b1ac11

pay_202111_5_04-10220.rar

31da11dbf80715138261904b2249a7f8

pay_202111_5_04-14213.rar

1803d81e1d0ccb91c752ecb4bc3b6f0c

pay_202111_5_12-11985.rar

06b7207879bd9ed42b323e16bb757a3c

pay_202202_5_06-10325.rar

28b807be70e49ebc0c65455f430d6408

pay_202205_5_01-10104.rar

c97a32c7555fc81f296fee0a65fec079

pay_202209_5_01-502479.rar

1e05dbe1846c1704b9a7a1db13fdd976

samsungfire.rar

38d9ff50b68144a9a40d1e7e3d06adb0

security-guide.rar

f0b7abea21984790d2906adf9653c542

securityMail.rar

04802790b64d66b9257ae119ee7d39a5

security_20220813.rar

a8bcbb34e11d7b23721ec07eadb5ddc5

shinhancard_20220218.rar

eecf78848dde0d41075e35d3aa404697

제39기 모집요강 및 입학지원서-재송.rar

ef5aa1dfbfc4c9128a971e006da0cb8b

새로 바뀐 COVID-19 시기 자가격리 정책.rar

e5865d8cee159ac02ee53ef52f4058ac

오피스 365 + 설치설명서 입니다.rar

882d4d6528404c3ceacee099f59bfab4

텅스텐 W 99.rar

b7275a3931fb85f723a4ceec9478c89e

다문화 문제 답.rar

f96fa367261df9cc2b021318ce361ec6

취임식 관련 자료.rar

8d7141882a95be5dcfa8ce90d7079541

공고문(기술관리).rar

ff2ccc12007bbf3f5934a5dfdc8430ee

황선국-차예실의 요르단 이야기-34.rar

3c3fc3f47abf0ec7a3ab797b21b123e2

공고문.rar

acf9bad00bc1d2649ad918b0524c7761

계약사항 안내문.rar

cb33ef9c824d16ff23af4e01f017e648

문의사항.rar

802bf381dd7f7f6cea077ab2a1814027

보안메일.rar

89d1888d36ff615adf46c317c606905e

협조요청.rar

0d15b99583b3b9638b2c7976b4a1d2ef

통일교육11.rar

8113798acc4d5690712d28b39a7bb13a

백산연구소 (830 LNG) 22.01.17.rar

4987ed60bb047d4ca660142b05556125

백산연구원 소방서.rar

b840485840480d42b3b8e576eecdf2ee

제로깅크루_명단.rar

e8ab4f80ebad24260869e89bca69957d

폴리프라자Ⅲ, 4월 근무 현황.rar

87aaf50fc5024b5e18f47c50147528b4

조성호기자님_마키노기자책소개.rar

11b0c0577e12400cddc7b62b763a1dd1

사업유치제의서-PC모듈러pdf.rar

fa797b29229613f054378c8a32fcefbc

통일미래최고위과정_입학지원서.rar


CHM file hashes
 

MD5 hash

Filename

914521cb6b4846b2c0e85588d5224ba2

(20220120)2022 - 001.chm

2ffcb634118aaa6154395374f0c66010

(양식) 제20대 대통령 취임식 재외동포 참석자 추천 명단(국민의힘당원 000).chm

24daf49d81008da00c961091cbfc8438

0-Introduction.chm

624567dae70fc684b2a80b5f0f1de46d

1.Brefing.chm

2ab575f9785239d59395ec501ceaec2e

2017 - APEC.chm

684a61eedb2ec26d663c3d42a107f281

2022 - Guide.chm

a48ac5efd350341beab9a4fdfb7f68d7

2022-01-27-notification.chm

030c3873f1a45eab56dca00fa8fa9a14

2022-04-14.chm

a6b30fc17d6ff9aa84fb93c3f05a4171

2022-06-24-Document.chm

b4adb4fede9025f6dd85faac072a02e7

2022-Important.chm

b2d7c047dc1c7fb7074111128594c36e

2022.04.27.chm

edb87c2cabcc402173fa0153f4e8ae26

2022.chm

d020d573d28e3febb899446e3a65e025

20220315-112_Notice.chm

7058661c3f944f868e5a47c4440daa9b

20220510_115155.chm

d431c37057303e5609f0bffa83874402

20220623103203983_6_조사표_기업용.chm

820d302655d5cd5dd67859f7a5cb74fe

20220913_Main.chm

8db5578f5245c805c785ae38ea8a1363

20220916_Password.chm

c29d11961b9662a8cb1c7edd47d94ae5

20230302_Guide.chm

cae4d578b1bdaa4e193095f035cecbc6

Account Information.chm

9bf4576a1381c15c08060ca6cfd59949

BoanMail.chm

c0bfb9f408263c1bc574a08fa164a61f

BookBriefing.chm

e9562655c36d46f4b6534f189ae453a0

Content-Introducing.chm

6bd63cf73cab3305686f2ee41d69bd42

Covid-19-Notice20211028.chm

012f0dd04c9c810c14cdde08cfbca3c5

DBLife-2022_08_05.chm

00a7c9ad2e975e19034838a14f73a46a

Details.chm

77a6f57ccefeda14d5faf44cc37b69da

Estimate.chm

211b412fe5c4b207eb39384499b93342

H2O Note.chm

3a23ee36f792e241772e81aeeccf8aa8

Introduce.chm

532ec6d88c728afecfcf8fbb38fb8add

Invoice_1514_from_Evo3_Marketing_Inc.chm

2a982b843cf92081fc4202e11a1f7234

KB_20220111.chm

aa68044e16a115af4ea1de3d062c4e41

KB_20230126.chm

0bf53a165b2bd64be31093fefbb9fb51

KakaoTalk_20220419_103447534.chm

f11b9fb8208b9949859785810f251334

KakoBank-N202111.chm

097edc04368d411593fff1f49c2e1d9c

LG유플러스_이동통신_202207_이_선.chm

45bd3001517f5e913ddde83827f4cc29

MAIL_20230125151802.chm

0bf993c36aac528135749ec494f96e96

Message.chm

549162b9ec4c80f9a0ca410ff29c8e98

NTS_eTaxInvoice.chm

c09939e972432968976efc22f556bd0f

News about Foreign affairs, The High North and Ukraine.chm

79d5af9d4826f66090e4daf6029ed643

Password.chm

9e1a2b331fd1e4ee77880d8f62025cd1

Password12.chm

5f2dcb1e51c8d574f43c8f7c7f84d9fa

Related to the inauguration ceremony.chm

a5ce8fe31da94fdea9c25f3abcdd5982

SamsungLife.chm

8a74a931e6ed4ae477547707da2fd76c

SecureMail.chm

0012f5bfe97421d39751eb20d857ae09

TermsOfService.chm

22652b383d9ea880a4644a35cd5fadaf

Transaction.chm

73715c82e31702f56858226557f98444

WooriCard_14day_20220609.chm

b34761f5272c9109c47780f415d28631

WooriCard_20211222.chm

2c697d27cd2e455ae18b6744a47eef4f

WooriCard_20220401.chm

2cf2805529ebc68884979e582e12cf8d

XQQ-2022-D27.chm

67cc91e889b4a597a6486db0e92fa4d1

[INSS] Briefing and Guide.chm

1f4038a9c6266b60f784c37efbb832f5

[붙임] 제20대 대통령선거 제1차 정책토론회 시청 안내문.chm

ac7f8e5245f9736a1323509a537e54eb

baeksan (830 LNG) 22.01.17.chm

ee06a0d6e5645248db88c279ec0e8624

contents.chm

a13fb4e11b31d109a1b145f20ea4b929

db-fi.chm

0fb698efce9476c3f2b603b30f5e35d5

dbins_secure.chm

d942353d15077352dcae83dd04869e1a

email_1649225531086.chm

ac51f29d609c73cce8db67c86aa49ba0

enkis_choe.chm

7f030cbf7ce41b9eb15693ee92b637a5

hi_security_mail.chm

a85dc5403cb1fe7d0ae692a431e1eae3

issue.chm

5e2e5b71503adedf786bc69f3849750f

jungsan_202203_5_06-10325.chm

7cba0c911b74d889f05f8b954926aa67

jungsananne_202201_2_505824.chm

174ae3db1dd4c61037bc7a5bf71d1366

jungsananne_202201_5_02-10424.chm

498b20e20af190c6650f03e8adf9a5b7

jungsananne_202201_5_80222982.chm

92974d1677fa840fcc3d6599df86d38f

mmexport1638437859483.chm

19c0583e57385f574c9986de6a26adae

pay_202111_5_00-10290.chm

e73b6c906f1070d569a0e9b70304be01

pay_202111_5_01-10104.chm

b1d2c6233d56ef3aeaa08cff7a7d2971

pay_202111_5_02-12972.chm

c0d25429f924016765711cd860fd03f9

pay_202111_5_04-10220.chm

8a5e7f281b51c2b9e364c26e3f699019

pay_202111_5_04-14213.chm

faf6139671f07db49056f4e0470ab188

pay_202111_5_12-11985.chm

a372e8dfd1940ef4f9e74095a8bf3bd7

pay_202201_2_505824.chm

561b29a5650ff7fe6e63fa19c29ee240

pay_202201_5_02-10424.chm

093ad28a08314e8fe79c26828137ab0a

pay_202201_5_80222982.chm

d32ccdcf79932dd9d7eaf4fd75bfade2

pay_202202_5_06-10325.chm

deed5eb8b19dae07720e97b485a5f1e4

pay_202203_5_06-10325.chm

886702585a3951882801b9eecb76c604

pay_202205_5_01-10104.chm

6ac4b333e6d7f64aee5c32e20d624f2e

pay_202209_5_01-502479.chm

441adf67527915c09cfe29727b111a6a

samsungfire.chm

122208301a3727c5fc7794ff0f7947bf

security-guide.chm

79e158af8ded991ee95a0f10654576ce

securityMail.chm

e7104d3e388530a43623981138112e03

security_20220813.chm

af89179ef2c8365ca413fed8553159fa

shinhancard_20220218.chm

b7b1095620b8629c73191d5c05afc446

z email content.chm

681a21cb83e82da88f42f9fb0dd764b6

다문화 문제 답-추가.chm

5f2dcb1e51c8d574f43c8f7c7f84d9fa

취임식 관련 자료.chm

72a38aa3e128d2ffca141a41a4101dca

황선국-차예실의 요르단 이야기-34.chm

632104e97870c1177c211f5e2d963b75

요약문.chm

ffba3072600a1f06d260137f82371227

공지사항.chm

e557693cc879beeb1a455cac02724ea7

보안메일.chm

71389f565a5ebe573c94d688fa6f23ea

통일교육11.chm

920ccffa488d2b0e9aa19acc5f31fc3a

제로깅크루_명단.chm

7c53f15614d5f9cf2791cb31811893a7

폴리프라자Ⅲ, 4월 근무 현황.chm

fb60a976bbed174effa6081a35abee87

사업유치제의서-목차.chm

bca3f0b4a5a1cbcd3efa1ca0df7f0d4b

통일미래최고위과정_입학지원서.chm


LNK files

MD5 hash

Filename

eb7a6e3dc8bbc26f208c511ec7ee1d4c

LG유플러스_이동통신_202208_이_선.html.lnk

c5f954436e9623204ed961b9b33e769d

계약사항 안내문_1.pdf.lnk


 

Appendix

# Please note that most of the HWP files mentioned below are clean decoy files used by the threat actor. The original filenames are included to give the reader insights into the themes used.

 

MD5 hash

Filename

808fda00b7aa114182ba0ad9668ad4fb

(227183-F)_사업진행상태보고서.hwp

6566697d2b2b7b562f3e4f74986ae341

1.일반설계기준.hwp

70b327e1a2cf7863004436080848eddc

2020_normal_ko.hwp

b8addd3c9e0c7f1ed8d4aafcb582e755

2021년 ICT융합 스마트공장 구축 및 고도화 사업 최종감리보고서(엠플러스에프엔씨, 인버스, 정찬혁)_초안.hwp

07ad22218f9dc7da63b880ae5a65a177

2022년 외국인 주민교류를 통한 기술인으로 진로 직업지도사업.hwp

de5319b8a5674994e66b8668b1d9884f

220915 수정.hwp

a4706737645582e1b5f71a462dd01140

3. 개인정보보완서약서_북주협.hwp

d49ef08710c9397d6f6326c8dcbf5f4e

3사복지업무홍보.hwp

96900e1e6090a015a893b7718d6295dd

K-MOOC 수기 공모 이벤트.hwp

b35c3658a5ec3bd0e0b7e5c6c5bc936f

RFQ_소각 및 발전설비 건설공사-보고-0614-Ver1.hwp

0ccb1c52b3de22b49756a2608cddd2e9

UN 대북제재위원회 전문가 패널 보고서.hwp

d891219a50b17724228f9ae8c7494bbf

UN 대북제재위원회 전문가 패널 보고서」요약.hwp

cac2d25c8e173c896eff0dd85f09c898

[붙임] 제20대 대통령선거 제1차 정책토론회 시청 안내문-복사.hwp

ad922c7f0977c4aefcbc2c089cce8b66

제39기 모집요강 및 입학지원서-재송.hwp

48153ac26eb10473b60e4011f5e004e9

제8회 전국동시지방선거 제1차 정책토론회 시청 안내.hwp

0de54a8109f54c99d375fc0595649175

논문 자료.hwp

0de54a8109f54c99d375fc0595649175

사업 제안.hwp

bf478b6b500c53e05741e3955630182f

오피스 365 + 설치설명서 입니다.hwp

7b29312a0f8d9a7d2354843f7c9c21ea

텅스텐 W 99.hwp

6b8acab4941dcfb1dbe04bc9477e7605

다문화 문제 답(12. 5 업데이트).hwp

8591125c0a95f8c1b1e179901f685fa3

인터뷰(22. 9. 14).hwp

f1bd01dc27fe813aeade46fe55bd9e2e

황선국-차예실의 요르단 이야기-34.hwp

ff072f99ea6d04c0a4ff0ab9d23440fc

접수증-삼주글로벌 법인세 신고서 접수증.hwp

35f9802b98105fa72ec34d2b02649655

공고문.hwp

5228e631cdd94ec8d8c9d68e044236f1

위임장.hwp

5bdd6ad0c17ee2a1057bf16acb86f371

확인서.hwp

c09bedb49199b09bcb362ba5dadcd22a

함께가는 평화의 봄_과업지시.hwp

a2aeb5298413c2be9338084060db3428

동남아와 국제정치(기말레포트).hwp

f8f994843851aba50ca35842b4cca8a3

행사안내.hwp

6deceb3e2adff0481b30efe27e06542e

백산연구원 소방서 제출용.hwp

0fd7e73e6672adaa1e5cf2dfca82e42e

서식1, 4 강사이력서 및 개인정보동의서_북주협.hwp

e5afbbfa62efd599a1ab2dade7461d62

폴리프라자Ⅲ, 4월 근무 현황.hwp

2e57c30259e5c33779940ce9a9f91378

산업가스용도.hwp

c775aef36bc4b1b9a2b14fae46521c0e

서영석고객님.hwp

aa84bdaf877d70c744ce1982395ad37c

자문결과보고서(양식).hwp

19dabc553ee3c3bcd166411365e2dd56

비대면_서비스_보안_취약점_점검_신청서.hwp

6bf6de967ca6324106a0700715a9e02b

중고맨거래명세서.hwp

0bcda05d3f4054dd5fb571a634afe10a

정기총회안내공문_2022.hwp

68603ba44b58f4586deeb571cf103e0c

통일미래최고위과정_입학지원서_양식.hwp

670f8697d7c46757745be0322dfdd2ab

노원도시농업네트워크.hwp

c47428fe38bec9424b75aa357113d9dc

사단법인 공문 (2022.12호)_2022년도 평화통일교육사업 함께가는 평화의 봄.hwp

form submtited
お読みいただきありがとうございました

このブログは役に立ちましたか?

dots pattern

Zscalerの最新ブログ情報を受信

このフォームを送信することで、Zscalerのプライバシー ポリシーに同意したものとみなされます。