Latest APT campaign, codename Ghost Puppet (Operation Ghost Puppet)
2018-09-24 • ESTSecurity • Latest APT campaign, Operation Ghost Puppet
ESRC analyzed Operation Ghost Puppet, an August 2018 campaign that delivered a malicious HWP document titled as a notice about illegal fund-raising activity. The document carried compressed PostScript in an HWP BinData stream and abused Ghostscript processing of that object to decode shellcode, which was injected into explorer.exe and downloaded gcoin2.swf from tpddata.com. The payload provided remote-control functionality and contacted C2 paths on pakteb.com, nuokejs.com, and qdbazaar.com. The report treats the lure format itself as targeting logic: HWP is the word-processor format standard in South Korean public-sector environments. It also compares file metadata, XOR decoding structures, and command strings with earlier Korean intrusion cases.
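Triage logic for the delivery vector described above, as an added example: this is not ESRC's code and not the campaign's payload. It assumes only the documented HWP 5.x layout (an OLE2 compound file whose BinData streams are stored as raw DEFLATE without a zlib header); the sample PostScript, the stream names, the operator list and the scoring thresholds are constructed here for illustration, and the whole-file scanner relies on the third-party `olefile` package.

```python
"""Triage HWP BinData streams for an embedded PostScript decoding stub.

Added example, not ESRC's code. Stream-level functions use only the
standard library; the sample bytes at the bottom are constructed.
"""
import re
import zlib
from typing import Dict, List, Tuple

# Definitive PostScript banner, plus operators a shellcode-decoding stub
# needs (runtime eval, XOR loop, byte-array handling). Heuristic, not a
# signature for this campaign.
PS_HEADER = re.compile(rb"^%!PS", re.M)
SUSPICIOUS_OPS = (b"exec", b"xor", b"putinterval", b"readhexstring", b"string", b"for")
HEX_LITERAL = re.compile(rb"<([0-9A-Fa-f\s]{32,})>")  # long <hex> literals carry the encoded payload


def inflate_bindata(blob: bytes) -> Tuple[bytes, bool]:
    """Decompress one BinData stream; returns (content, was_compressed).

    HWP 5.x stores BinData as raw DEFLATE (no zlib header), so that is tried
    first; a zlib-wrapped stream is accepted too; anything else is returned
    as-is so an uncompressed object is still inspected rather than skipped.
    """
    for wbits in (-zlib.MAX_WBITS, zlib.MAX_WBITS):
        try:
            return zlib.decompress(blob, wbits), True
        except zlib.error:
            continue
    return blob, False


def triage_stream(name: str, blob: bytes) -> Dict[str, object]:
    """Flag a BinData stream that looks like PostScript carrying a decoder."""
    data, compressed = inflate_bindata(blob)
    has_header = PS_HEADER.search(data) is not None
    ops: List[str] = sorted(
        op.decode() for op in SUSPICIOUS_OPS
        if re.search(rb"\b" + re.escape(op) + rb"\b", data)
    )
    literals = HEX_LITERAL.findall(data)
    # A %!PS banner is definitive. Without it (Ghostscript does not need one,
    # so an attacker can drop it) require a long hex literal plus at least
    # two decoder-style operators before flagging. Thresholds are assumptions.
    postscript = has_header or (bool(literals) and len(ops) >= 2)
    return {
        "stream": name,
        "compressed": compressed,
        "postscript": postscript,
        "operators": ops,
        "largest_hex_literal": max((len(re.sub(rb"\s", b"", h)) // 2 for h in literals), default=0),
    }


def triage_hwp(path: str) -> List[Dict[str, object]]:
    """Scan every stream under the BinData storage of an HWP file on disk.

    Needs the third-party `olefile` package; imported lazily so the
    stream-level functions above stay dependency-free.
    """
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return [
            triage_stream("/".join(entry), ole.openstream(entry).read())
            for entry in ole.listdir(streams=True, storages=False)
            if entry and entry[0] == "BinData"
        ]
    finally:
        ole.close()


# --- constructed samples (not the real campaign artefacts) -------------------
def _raw_deflate(data: bytes) -> bytes:
    """Pack bytes the way HWP stores BinData: raw DEFLATE, no zlib header."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


# Stand-in for a decoding stub: a hex literal that a loop XOR-decodes and execs.
CONSTRUCTED_PS = (
    b"%!PS-Adobe-3.0\n"
    b"/buf <" + b"41" * 64 + b"> def\n"
    b"/key 16#5A def\n"
    b"0 1 buf length 1 sub { /i exch def buf i buf i get key xor put } for\n"
    b"buf cvx exec\n"
)
CONSTRUCTED_PS_NO_BANNER = CONSTRUCTED_PS.split(b"\n", 1)[1]  # same stub, banner removed
CONSTRUCTED_PS_STREAM = _raw_deflate(CONSTRUCTED_PS)
CONSTRUCTED_IMAGE_STREAM = _raw_deflate(b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4)

if __name__ == "__main__":
    for name, blob in (("BIN0001.ps", CONSTRUCTED_PS_STREAM), ("BIN0002.png", CONSTRUCTED_IMAGE_STREAM)):
        print(triage_stream(name, blob))  # constructed stream names
```

The check is worth running at the mail gateway or in triage because a viewer that hands BinData objects to Ghostscript executes the stub when the document is opened; the banner-less path matters because the `%!PS` line is the first thing a lure author removes once a simple string match is known to catch it. Treat a hit as a reason to detonate the file, not as a verdict.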
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | e904bf93403c0fb08b9683a9e858c73e | 2014-12-04 | 2018-11-01 |
| HASH | 7706d38718707a73dce032f79eea43ef | 2018-09-24 | 2018-09-24 |
| HASH | 5c35360d28082e6e32d3e8ee347843fb | 2018-09-24 | 2018-09-24 |
| HASH | a7328fb36af985bcae0ed4ec7fa75659 | 2018-09-24 | 2018-09-24 |
| DOMAIN | bizforms.co.kr | 2018-09-24 | 2018-09-24 |
| IPv4 | 104.221.134.28 | 2018-09-24 | 2018-09-24 |
| IPv4 | 104.195.1.39 | 2018-09-24 | 2018-09-24 |
| IPv4 | 104.31.74.89 | 2018-09-24 | 2018-09-24 |
| HASH | a7c804b62ae93d708478949f498342f9 | 2018-06-22 | 2018-09-24 |
| URL | https://tpddata.com/flash/gcoin… | 2018-06-22 | 2018-09-24 |
| URL | https://tpddata.com/flash/gcoin… | 2018-06-22 | 2018-09-24 |
| DOMAIN | tpddata.com | 2018-06-22 | 2018-09-24 |
| HASH | fa6ee9e969df5ca4524daa77c172a1a7 | 2017-05-22 | 2018-09-24 |
| HASH | 78e8c150481107d7a5ed99e7e420fd24 | 2017-05-12 | 2018-09-24 |