Connect with us

Hi, what are you looking for?


Malware & Threats

Trend Micro Details Ongoing Attack Campaign Targeting South Korea

Researchers at Trend Micro have detailed the inner workings of an ongoing attack campaign that for years has quietly been targeting organizations and institutions tied to the South Korean government.

Researchers at Trend Micro have detailed the inner workings of an ongoing attack campaign that for years has quietly been targeting organizations and institutions tied to the South Korean government.

Known as Heartbeat, the attack campaign is believed to have been active since at least November 2009. According to Trend Micro, the first HeartBeat remote access tool (RAT) component was discovered in June 2012 in the computer network of a Korean newspaper.

“The HeartBeat campaign is an isolated APT case that targets organizations within South Korea only,” blogged Trend Micro Threat Researcher Roland Dela Paz. “Based on our research, the campaign [had] started by at least November 2009. They target organizations that are directly or in some ways related to the South Korean government. Specifically, the HeartBeat campaign targets the following sectors: political parties; media outlets; a national policy research institute; a military branch of the South Korean armed forces; a small business sector organization [and] branches of the South Korean government.”

After the RAT component was discovered, further investigation revealed the campaign had been distributing the component to targets in 2011 and the first half of 2012. A second component was discovered to date back to November 2009. 

“Variants of their RAT contains an embedded campaign code that mostly contains strings that describes their respective decoy documents and a campaign date in MMDD format,” Dela Paz blogged.

Once on a victim’s computer, the malware opens up a backdoor and gives the attackers full access to the machine. While the report said it is unclear how the malware arrives on victims’ systems, Trend Micro suspects spear-phishing emails were used. In fact, the packaged malware used the icon of the decoy document to look legitimate, Trend Micro stated in the report. If the decoy is an XLS file for example, the package will appear to have an XLS document icon.

“Based on the samples we collected, the campaign’s decoy documents used the file formats .JPG, .PDF, XLS, and HWP, the Korean government standard word processor format,” according to the report. “One of the previous HeartBeat attacks even dropped a pornographic .JPG image as decoy. Below is a screenshot of a Hangul Word Processor (.HWP) document used as bait in November 2011. Its document title roughly translates to ‘Information to the President.hwp’.”

Advertisement. Scroll to continue reading.

“Once users open the packaged malicious file, the actual document is displayed to the user while a RAT installer in .EXE format runs in the background,” the report continues. “The RAT installer, on the other hand, drops a .DLL file that is then injected to the legitimate process svchost.exe. The injected code in svchost.exe then connects to the malware command and control (C&C) server to register infection and wait for remote commands.”

 The campaign’s command and control domains appear to use a site redirection service, with the sites redirecting to IP addresses from Internet Service Providers (ISPs) in Armenia, Japan, India, Korea and the United States. The attackers updated the IP address of some of their C&C domains, and all of their IP addresses belong to legitimate ISPs. Because of this, researchers suspect these IP addresses are compromised hosts that act as proxy servers that redirect traffic to the actual C&C servers.

“Clues relating to the attackers remain very limited,” according to the report. “Using compromised hosts as C&C proxy servers minimizes the possibility of tracking potential threat actors.”

That doesn’t mean there were no potential clues however. In order to track their campaigns and victims, the attackers used campaign codes that contained campaign dates and strings that described specific campaigns. These codes were embedded in the RAT binaries, and sent to their C&C servers along with information about the targets’ systems. Some of these codes included Chinese words such as guohui, xuehui and minzhu – though some of the C&C domain names contained English words.  

“While having an isolated target may have helped them stay under the security industry’s radar, the attackers illustrated that they were very careful but persistent,” according to the report. “Understanding targeted campaigns and their methodologies is fundamental in protecting both end users and organizations. Not only does it help in coming up with effective defensive strategies through multiple protection layers, it also helps with predicting possible targets in the future and ultimately, raise awareness.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...