Keypoints
- TAG-74 is a prolonged Chinese state‑sponsored campaign focusing on South Korean academic, government, and political entities.
- Initial access is achieved via spearphishing using malicious .chm/HTML attachments that rely on user execution.
- Attack chain uses DLL search-order hijacking to load a customized VBScript backdoor (ReVBShell) as first-stage code execution.
- A custom secondary backdoor named Bisonal is deployed post‑access to expand capabilities and maintain access.
- Persistence mechanisms include registry Run keys/startup folder autostart entries and use of system binaries (compiled HTML/CHM) for proxy execution.
- Command-and-control leverages web protocols with standard encoding and symmetric encryption; exfiltration is performed over the C2 channel.
- The report provides extensive IOCs: dozens of dynamic DNS domains, multiple IP addresses, filenames, and numerous hashes for CHM, HTML, loaders, ReVBShell, and Bisonal.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial access via malicious attachments (CHM/HTML) that users open; (‘use of .chm files that trigger a DLL search order hijacking execution chain’).
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Execution of a VBScript backdoor (ReVBShell) to run attacker code; (‘VBScript backdoor ReVBShell’).
- [T1204.002] User Execution: Malicious File – Reliance on user action to open malicious CHM/HTML files to begin the infection chain; (‘use of .chm files … to load a customized version of the VBScript backdoor ReVBShell’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via registry Run keys or startup entries; (‘Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder’).
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – DLL search-order hijacking used to load attacker-controlled loader DLLs and launch ReVBShell; (‘DLL search order hijacking execution chain’).
- [T1218.001] System Binary Proxy Execution: Compiled HTML File – Use of compiled HTML/CHM files to proxy execution through trusted system components; (‘System Binary Proxy Execution: Compiled HTML File’).
- [T1480] Execution Guardrails – Execution includes guardrails to limit execution to intended targets/environments; (‘Execution Guardrails’).
- [T1518.001] Software Discovery: Security Software Discovery – Actors perform discovery of security software to evade detection; (‘Security Software Discovery’).
- [T1132.001] Data Encoding: Standard Encoding – C2 and payloads use standard encoding techniques for data handling; (‘Data Encoding: Standard Encoding’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications occur over web protocols (HTTP/HTTPS); (‘Application Layer Protocol: Web Protocols’).
- [T1573.001] Encrypted Channel: Symmetric Cryptography – C2 channels use symmetric cryptography to encrypt communications; (‘Encrypted Channel: Symmetric Cryptography’).
- [T1041] Exfiltration Over C2 Channel – Sensitive data is exfiltrated back to the actor over the established C2 channel; (‘Exfiltration Over C2 Channel’).
Indicators of Compromise
- [Domains] Dynamic DNS domains used for C2 and staging – alleyk.onthewifi[.]com, anrnet.servegame[.]com, and 69 other domains.
- [IP Addresses] C2 / infrastructure IPs – 45.133.194[.]135, 92.38.135[.]92, and 5 more IPs.
- [Bisonal hashes] Secondary backdoor samples – 01e5ebc2c096d46580066…38bd, 11cd4b64dcac3195c01ff…5fd, and 3 more hashes.
- [ReVBShell hashes] Decoded VBScript backdoor samples – aa4ad5341a9258…, 8f50f49e77ddcc…, and 5 more hashes.
- [Loader DLLs] DLL loader hashes observed in the DLL hijack chain – c643598b4ee0e9b3b70d…, 9425666e58b20030…, and 7 more hashes.
- [CHM file hashes] Malicious CHM payloads delivered as attachments – beb09817608daba0…, ba07ee6409908384…, and 5 more hashes.
- [HTML file hashes] Malicious HTML/compiled HTML payloads – b3a8ea3b501b9b72…, 9d10de1c3c435927…, and 5 more hashes.
- [Filenames] Decoy/document filenames used to entice targets – “KOREA MARITIME & OCEAN UNIVERSITY.chm”, “SPM_(협력사)_사용자매뉴얼_v2.1.chm”, and additional filenames.
Recorded Future’s technical analysis describes a consistent infection chain beginning with spearphishing attachments—commonly .chm or HTML files—that rely on user interaction to execute content. When opened, these compiled HTML/CHM payloads are used to abuse system execution flows (including DLL search-order hijacking) to load attacker-controlled loader DLLs which, in turn, launch a customized VBScript backdoor variant known as ReVBShell.
After initial execution, operators deploy a custom secondary backdoor called Bisonal to extend capabilities. The malware implements persistence via registry Run keys or startup entries and leverages system binaries/compiled HTML proxy execution to evade detection. Attackers perform discovery of security software and apply execution guardrails to restrict activity to target environments.
Command-and-control uses web protocols with standard encoding and symmetric encryption to protect communications, and sensitive data is exfiltrated over the established C2 channel. The report supplies extensive IOCs (numerous dynamic DNS domains, multiple infrastructure IPs, CHM/HTML/loader/backdoor hashes, and decoy filenames) that defenders can use to hunt for and block the described campaign.
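The infection chain summarised in the two paragraphs above (CHM opened by the user, a loader DLL picked up through search-order hijacking, a VBScript backdoor run by a script host, and an autostart entry for persistence) maps onto a handful of endpoint telemetry checks. The script below is an added example written for this summary; it is not code from Recorded Future's report and contains none of the report's indicators. It assumes a generic EDR-style event schema (`type`, `parent_image`, `image`, `cmdline`, `dll`, `key`, `data`), and every sample event, path and file name in it is constructed for illustration.

```python
"""Heuristic detections for the CHM -> DLL search-order hijack -> VBScript
backdoor -> Run-key persistence chain summarised above.

All events below are CONSTRUCTED samples in a generic EDR-style schema
(an assumption; not any vendor's format) and contain no indicators from
the report. Technique IDs are the ones listed on the page."""
from pathlib import PureWindowsPath

CHM_HANDLER = "hh.exe"  # Windows HTML Help executable (T1218.001)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
VBS_HOSTS = {"wscript.exe", "cscript.exe"}

# Locations from which trusted DLLs and autostart targets are normally loaded.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Markers of user-writable locations typical of dropped payloads.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\startup\\")


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def _user_writable(text):
    t = text.lower()
    return any(m in t for m in USER_WRITABLE)


def detect(events):
    """Return (technique_id, reason, event_id) tuples for suspicious events."""
    alerts = []
    for ev in events:
        eid = ev["id"]
        if ev["type"] == "process":
            parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
            cmd = ev.get("cmdline", "")
            # A CHM viewer should render help content, not spawn script or shell hosts.
            if parent == CHM_HANDLER and child in SCRIPT_HOSTS:
                alerts.append(("T1218.001", f"{parent} spawned {child}", eid))
            # VBScript executed from a user-writable location (dropped backdoor script).
            if child in VBS_HOSTS and ".vbs" in cmd.lower() and _user_writable(cmd):
                alerts.append(("T1059.005", f"{child} ran .vbs from user-writable path", eid))
        elif ev["type"] == "imageload":
            # A DLL pulled from a user-writable directory instead of a system
            # location is the classic search-order hijack signal.
            if not _trusted(ev["dll"]) and _user_writable(ev["dll"]):
                alerts.append(("T1574.001", f"{_basename(ev['image'])} loaded {ev['dll']}", eid))
        elif ev["type"] == "registry":
            key = ev["key"].lower()
            # Run-key / Startup autostart entry pointing into a user-writable path.
            if any(m in key for m in RUN_KEY_MARKERS) and _user_writable(ev["data"]):
                alerts.append(("T1547.001", f"autostart entry -> {ev['data']}", eid))
    return alerts


# Constructed telemetry: events 1-3 mirror the chain, 4-6 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent_image": "C:\\Windows\\hh.exe",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe //B C:\\Users\\victim\\AppData\\Local\\Temp\\update.vbs"},
    {"id": 2, "type": "imageload", "image": "C:\\Windows\\hh.exe",
     "dll": "C:\\Users\\victim\\AppData\\Local\\Temp\\constructed_loader.dll"},
    {"id": 3, "type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": "wscript.exe //B C:\\Users\\victim\\AppData\\Roaming\\update.vbs"},
    {"id": 4, "type": "process", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 5, "type": "imageload", "image": "C:\\Windows\\hh.exe",
     "dll": "C:\\Windows\\System32\\hhctrl.ocx"},
    {"id": 6, "type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "data": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
]

if __name__ == "__main__":
    for tid, reason, eid in detect(SAMPLE_EVENTS):
        print(f"event {eid}: {tid} {reason}")
```

Run stand-alone, the script flags the three chain events (the CHM handler spawning a script host and that host running a .vbs from a temp directory, the loader DLL pulled from a user-writable path, and the Run-key entry) and stays silent on the benign controls. The checks are deliberately behavioural rather than hash-based so they survive re-compiled samples; the report's domain, IP and hash lists belong in a separate blocklist feed alongside them.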