FireEye and Cisco have analyzed the attacks involving a recently disclosed Flash Player zero-day vulnerability and linked them to a group known for targeting South Korean entities.
South Korea’s Internet & Security Agency (KISA) warned last week of a zero-day flaw in Flash Player. Some local security experts said the vulnerability had been exploited by North Korean hackers since mid-November 2017 in attacks aimed at individuals in South Korea.
Adobe has confirmed the existence of the flaw, which affects Flash Player 28.0.0.137 and earlier, and it plans on patching it sometime this week. The security hole, tracked as CVE-2018-4878, is a use-after-free issue that can allow a remote attacker to execute arbitrary code.
FireEye has launched an investigation following the alert from KISA and linked the attack to a group it tracks as TEMP.Reaper. This threat actor is believed to be operating out of North Korea based on the fact that it has been spotted interacting with command and control (C&C) servers from IP addresses associated with Star JV, the North Korean-Thai joint venture that connects the country to the Internet.
“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People’s Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors,” FireEye said.
FireEye said its researchers spotted a new wiper malware, dubbed “RUHAPPY,” being developed by the Reaper group in the past year. North Korean threat actors have been known to use wiper malware, but Reaper has not been seen using RUHAPPY in attacks.
The security firm’s analysis showed that the hackers have exploited the Flash Player zero-day vulnerability using malicious Office documents and spreadsheets containing a specially crafted SWF file. If the flaw is exploited successfully, a piece of malware named by FireEye “DOGCALL” is delivered.
Cisco Talos has published several reports in the past months on this remote access trojan (RAT), which it tracks as ROKRAT.
The company has attributed the Flash Player zero-day attacks to an actor it has named “Group 123.” Talos last month detailed several campaigns conducted by this group against South Korean targets, but researchers have refrained from explicitly attributing the operations to North Korea.
“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT,” Talos researchers said in a blog post on Friday. “They have used an Adobe Flash 0 day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”
Simon Choi of South Korea-based cybersecurity firm Hauri, one of the first people to publicly attribute the attack to North Korea, said they had traced one of the hackers using the Flash zero-day to a Facebook account apparently belonging to a resident of North Korea’s capital city of Pyongyang.
*Updated with information from Simon Choi
Related: U.S. Government Shares Details of FALLCHILL Malware Used by North Korea
Related: Australia, Canada, Others Blame North Korea for WannaCry Attack

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
Latest News
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
