A new campaign using the sophisticated EndClientRAT targets North Korean human rights defenders (HRDs), utilizing compromised code-signing to bypass antivirus protections. This malicious operation was discovered during a collaboration between independent security researchers and PSCORE.
Technical Details of the Attack
The campaign involves a malicious Microsoft Installer, 'StressClear.msi', which leverages stolen certificates from Chengdu Huifenghe Science and Technology Co Ltd, issued by SSL.com EV Code Signing Intermediate CA RSA R3. This certificate is valid from 2024-10-25 to 2025-10-17.
The EndClientRAT's low detection rate—only 7 out of 64 antivirus engines flagged the dropper—illustrates its stealth. It exploits a scheduled task named 'IoKlTr' for persistence and uses a mutex 'Global\AB732E15-D8DD-87A1-7464-CE6698819E701' to avoid multiple instances.
Targets and Tactics
The attackers compromised a prominent activist in September, remotely wiping the Android device and hijacking the KakaoTalk account to disseminate the RAT further. The campaign reached 39 additional targets using social engineering techniques. The package, AutoIT-based, operates with strong anti-analysis tactics and communicates with a command-and-control server, 116.202.99.218:443, using custom JSON protocols marked by 'endClient9688' and 'endServer9688'.
Mitigation and Recommendations
Security experts recommend monitoring for specific protocol markers within network traffic and suspicious artifacts in user directories. Organizations should distrust signed MSI files until their provenance is verified. Collaborative threat intelligence sharing and specialized support for at-risk civil society organizations are crucial in mitigating these targeted threats.
