
1.1 Defense Counterintelligence Command (dcc.mil.kr)

Location: /vps/var/www/html

The Defense Counterintelligence Command (DCC) is an intelligence organization of the South Korean Armed Forces. The DCC is primarily responsible for intelligence missions such as clandestine and covert operations, and counterintelligence. The logs show phishing attacks against the dcc.mil.kr as recently as three days ago. The same logs contain the Supreme Prosecutor Office (spo.go.kr), korea.kr, daum.net, kakao.com and naver.com. It should be noted that the Admin-C for dcc.mil.kr is registered to hyuny19gz@naver.com.
The Defense Counterintelligence Command was hit by a phishing hacking attack.

1.2 Access to South Korea Ministry of Foreign Affairs repository

A copy of the South Korean Ministry of Foreign Affairs email platform was found inside a file named: mofa.go.kr.7z. The source code was likely taken very recently:

     1923  Apr  1 07:15  .gitignore
       96  Apr  1 07:15  .gitmodules
     4096  Apr  1 07:15  kebi-batch/
     4096  Apr  1 07:15  kebi-core/
     4096  Apr  1 07:15  kebi-resources/
     4096  Apr  1 07:15  kebi-web-admin/
     4096  Apr  1 07:15  kebi-web-archive/
     4096  Apr  1 07:15  kebi-web-mail/
     4096  Apr  1 07:15  kebi-web-mobile/
     4096  Apr  1 07:16  kebi-web-parent/
     7528  Apr  1 07:16  pom.xml
    14099  Apr  1 07:15  README.txt

Given the format of the files, this is probably a dump from a GitHub repository which appears to be parts of an email server. The source code contains multiple references to government domains:

    /kebi-web-parent/mail/document/info.txt
    /home/ksign/agent
    http://email.mofa.go.kr:8080/mail/sso?type=login
    http://mail.mofa.go.kr:8080/mail/sso?type=unseenMails
    http://email.mofa.go.kr:8190/mail/sso?type=login
    http://mail.mofa.go.kr:8080/mail/sso?type=unseenMails
I don't know the details here either, but the Ministry of Foreign Affairs was also hacked.

1.3 Access to the internal South Korean Gov network

It appears that KIM maintains access to internal South Korean Government Network systems. There is a project named Onnara_auto, which contains several interesting files. The project appears to be tools to query internal government servers. For instance, a file named /onnara_auto/log/log-20250511 has the following entries:

    [horedi179] get onnara9.saas.gcloud.go.kr at 11/05/2025 19:41:23
    [horedi179] main_job Session 6112b9bc-5a2a-4abd-a907-aaec4b19ezed does not exist
    [horedi179] https onnara9.saas.gcloud.go.kr at 11/05/2025 19:45:37
    [horedi179] main_job Session c446a8c-e913-467d-a9b9-3fo8abfb6f7a does not exist
    [horedi179] get https://onnara9.saas.gcloud.go.kr/SSO.do at 11/05/202_

The corresponding code:

    drives = instanceManger(config_hub)
    client = Client(config_hub)
    plugins = PluginManager()
    onnara = onnara_sso("horedi79", "1250000", "onnara9")
    klass = plugins.load(os.path.join(os.getcwd(), "scripts", target_project, "onLaunch.py"))
    opts = {"onnara": onnara, "drives": drives, "client": client}

The hostname onnara9.saas.gcloud.go.kr is not accessible from the public Internet; however, the domain name appears in some documents mentioned as an internal government portal. KIM seems to have access to this network.
Access to government network systems was stolen too.

There is a cert and private key for rckt.co.kr, South Korea Telecom Remote Control Service. It runs a remote support backend from https://www.rsupport.com. Kim may have access to any company that Korea Telecom was providing remote support for.

Lots of passwords in mnt/hgfs/Desktop/111/account/account.txt from "LG Uplus" (LGU), South Korean mobile operator. The favicon-search indicates that KIM first hacked into SECUREKI, a company supplying MFA and password services to LGU, and from there pivoted into the LGU internal network. His google search history deserves a closer look, especially around chacha20 and arc4. The chrome temp files should get some attention. APPM TRANS.txt and 111/config.txt contain credentials to internal servers at LGU.

gpki.7z (government-PKI) contains internal data about the South Korean Government Public Key Infrastructure. See also GPKISecureWebX and 111/2.rar (more below).

ROOT.zip contains the source code for the APPM security solution that was initially hacked by KIM. The file app_one_cmd.py is the decompiled python program for the APPM security solution.

He seems to download his Dev Tools from [#16] and stole his IDA Pro license from a now disused TOR address [#17]. The Google Chrome configuration files contain these links. Does KIM use (his?) google creds to access these sites? Is Wwh1oo4 his GitHub account? Did he use google-pay to pay for the three VPN services?
KT's remote control service was compromised, and LG had internal information and credentials stolen.

2.7 Spawn Chimera and The Hankyoreh

Drop Location: mnt/hgfs/Desktop/New folder/203.234.192.200_client.zip

The client accesses the SpawnChimera backdoor via port knocking. The IP 203.234.192.200 belongs to https://hani.co.kr (The Hankyoreh), a liberal newspaper from South Korea. The client.py at line 152 shows the port knocking method: it hides inside the TLS ClientHello, in the 32 byte ClientRandom field, but with a new twist: the first bytes must be the correct crc32 of the remaining 28 bytes.

    import os
    import struct
    import zlib

    # client_hello is the bytearray holding the ClientHello record being built
    random = os.urandom(28)
    client_hello[15:43] = random
    # 0xFFFFFFFF - crc32 is the bitwise inverse of CRC-32 (JAMCRC)
    jamcrc = int("1" * 32, 2) - zlib.crc32(random)
    client_hello[11:15] = struct.pack("!I", jamcrc)

We invite the community to investigate further.
The Hankyoreh's server was breached through a backdoor called Spawn Chimera and got hacked.

3.2 GPKI Stolen Certificates

In early 2024, new malware written in Go and labelled Troll Stealer was discovered by S2W [#4]. This malware has the ability to steal GPKI (Government Public Key Infrastructure) certificates that are stored on infected devices. GPKI is a way for employees of the South Korean government to sign documents and to prove their authenticity. The threat actor had thousands of these files on his workstation:

    subject=C=KR, O=Government of Korea, OU=Ministry of Unification, OU=peop, CN=Lee Min-kyung
    issuer=C=KR, O=Government of Korea, OU=GPKI, CN=CA131100001

Drop location: work/home/user/Desktop/desktop/uni_certs && work/home/user/Downloads/cert/

The threat actor developed a Java program to crack the passwords protecting the keys and certificates:

    136박정-001_env.key    Password 5cys13640229
    041"아64001_env.key    Password jinhee165o
    041"아0국001_sig.key   Password ssa9514515
    [...]

Drop location: work/home/user/Downloads/cert/src/cert.java
The accredited certificates got hacked too. lololol
Yes24 and SKT were just the ones whose breaches happened to be made public;
Korea itself was a hacking buffet. Legendary.
https://phrack.org/issues/72/7_md
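A defender-side check for the knock quoted in section 2.7 above, added here as an example that is not part of the Phrack article or of the client.py it cites: it locates the 32-byte ClientRandom in a TLS ClientHello record and flags the record when the first four bytes equal the JAMCRC (bitwise inverse of CRC-32) of the remaining 28 bytes, which is exactly the condition the quoted lines construct. The minimal ClientHello builder and the sample randoms are constructed for this demonstration and are assumptions, not captured traffic.

```python
import os
import struct
import zlib

# Offsets inside a TLS record that carries a ClientHello (standard layout,
# matching the client_hello[11:15] / [15:43] slices in the quoted client.py):
#   0..5   record header: content type(1) version(2) length(2)
#   5..9   handshake header: msg type(1) length(3)
#   9..11  client_version(2)
#   11..43 32-byte ClientRandom
RANDOM_OFF = 11
RANDOM_LEN = 32


def jamcrc(data: bytes) -> int:
    """JAMCRC: bitwise inverse of CRC-32, i.e. 0xFFFFFFFF - crc32(data)."""
    return 0xFFFFFFFF - zlib.crc32(data)


def make_knock_random() -> bytes:
    """Constructed sample: a ClientRandom shaped like the knock in client.py."""
    tail = os.urandom(28)
    return struct.pack("!I", jamcrc(tail)) + tail


def build_client_hello(client_random: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (one cipher suite, no
    session id, no extensions) so the detector has a real byte layout to parse."""
    assert len(client_random) == RANDOM_LEN
    body = (b"\x03\x03" + client_random       # client_version + random
            + b"\x00"                          # session_id length 0
            + b"\x00\x02\x00\x2f"              # one cipher suite
            + b"\x01\x00")                     # one compression method (null)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def is_spawnchimera_knock(record: bytes) -> bool:
    """True if `record` is a ClientHello whose ClientRandom satisfies
    random[0:4] == JAMCRC(random[4:32]) in network byte order.
    A genuinely random ClientRandom matches by chance only once in 2**32,
    so a hit is a high-confidence signal worth alerting on."""
    if len(record) < RANDOM_OFF + RANDOM_LEN:
        return False
    if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello
        return False
    rnd = record[RANDOM_OFF:RANDOM_OFF + RANDOM_LEN]
    return rnd[:4] == struct.pack("!I", jamcrc(rnd[4:]))
```

Run the check over the first record of each inbound TLS session toward the host in question; the page gives no other knock variant, so only this one is matched.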







