Korea

May 31, 2018

THREAT RESEARCH

NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

1 min read

Talos discovered a malicious Hangul Word Processor (HWP) document targeting Korean users. If a malicious document is opened, a remote access trojan, "NavRAT," downloads with command execution and keylogging capabilities.

April 2, 2018

THREAT RESEARCH

Fake AV Investigation Unearths KevDroid, New Android Malware

1 min read

Talos identified two variants of the Android Remote Administration Tool (RAT) with the capability to steal information on the compromised device (contacts, SMS and phone history) and record phone calls.

January 15, 2018

THREAT RESEARCH

Korea In The Crosshairs

2 min read

This article exposes the malicious activities of Group 123 during 2017. We assess with high confidence that Group 123 was responsible for six campaigns targeting both Korean and Non-Korean institutions.

November 27, 2017

THREAT RESEARCH

ROKRAT Reloaded

1 min read

This post was authored by Warren Mercer, Paul Rascagneres and with contributions from Jungsoo An. Earlier this year, Talos published 2 articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads on several compromised websites. One of the website was a compromised government website. We […]

July 6, 2017

THREAT RESEARCH

New KONNI Campaign References North Korean Missile Capabilities

1 min read

This blog was authored by Paul Rascagneres Executive Summary We recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. The malware used in this campaign has similar […]

May 3, 2017

THREAT RESEARCH

KONNI: A Malware Under The Radar For Years

1 min read

Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. […]