0520-20Kwak.pdf (13 MB)

Kyoung-Ju Kwak’s HackCon material links the RIFLE campaign to Lazarus Group context from Operation Blockbuster and South Korean incidents including DarkSeoul, financial-sector attacks, and defense-sector spearphishing. The RIFLE malware family is described as including a downloader, sniffer, and server component, with infected hosts creating guifx.exe, using mutexes such as ASDASDASDSA, collecting user, host, OS, and network adapter data, and communicating with C2 servers including 192.99.223.115 and compromised Korean infrastructure. The campaign abused stolen Initech code-signing certificates and is correlated with an ADEX-themed macro lure targeting military and defense organizations such as LIG Nexone, Samsung Thales, Samsung Techwin, Agency for Defense Development, Doosan DST, and Hanwha Defense. The slides also describe exploitation of third-party Korean security and management products, including Nicstech DLP and TCO!Stream, to move through supplier and victim environments, reinforcing the operational risk of trusted software providers in South Korean financial, defense, and conglomerate networks.