More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea

June 11, 2018  |  Chris Doman

Written By Chris Doman and Jaime Blasco


Recently, an ActiveX zero-day was discovered on the website of a South Korean think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to South Korean government mandates. These attacks have been attributed to Lazarus, a group thought to be linked to North Korea.

Below we’ve shared our brief analysis of the attack.

Profiling Script

The first step appears to have been a profiling script that gathers information on possible targets for the attack. We’ve seen Lazarus do this before on other sites they have compromised, and it’s a technique that other advanced attackers have also been seen to employ.

This was followed by scripts that performed additional profiling and actually delivered the ActiveX exploit.

Some details of these scripts were kindly shared by issuemakerslab, who tracked a number of infections and how they changed over time.

Whilst these malicious files have been taken down, a record of the same infection is preserved on urlscan. The malicious script is hidden at http://www.sejong[.]org/js/jquery-1.5.3.min.js.

This script is similar to a typical exploit kit landing page: it identifies which browser and operating system the user is running. Much of the code is taken from PinLady’s PluginDetect. If the target is running Internet Explorer, it checks whether ActiveX is enabled and which components from a specific list of ActiveX controls are present:

  • EasyPayPlugin.EPplugin.1
  • ACUBEFILECTRL.AcubeFileCtrlCtrl.1

Results are sent to http://alphap1[.]com/hdd/images/image.php?id=ksjdnks. An example execution URL stored in OTX is:  

Other Profiling Scripts

It’s easy to find other similar looking scripts with the same obfuscation techniques.

One sends results to[.]kr/mall/skin/skin.php?id=ksjdnks

It’s possible this site was compromised some time ago, as it is recorded as a command and control server for related Lazarus malware, named Waketagat, back in 2015.

ActiveX Exploit and Delivery

The ActiveX exploit was also shared by issuemakerslab on Twitter:

JavaScript to execute the ActiveX exploit

VBScript written to temp.vbs to download and install the malware (splwow32.exe)

If successful, it downloads malware from http://www.peaceind[.] to a file named splwow32.exe.

splwow32.exe is a fairly uncommon filename for malware; it was previously seen in the Taiwan bank heist, which has been attributed to another sub-set of the Lazarus attackers. We also note that the peaceind[.] site has previously been identified as vulnerable.

The Malware

Whilst we can’t be certain, the rare filename, date and context suggest the delivered malware is likely this file. The malware, detected as Akdoor.R228914 by AhnLab, is a simple backdoor that executes commands through the Windows command prompt. It has a distinctive command and control protocol.

When the malware communication is decoded, the victim machine sends a status such as:

And the server responds with:

We were able to find two other samples of Akdoor.R228914 and a different C&C that we share in the appendix.


YARA rules

rule ActiveXSejongInstitute {
    strings:
        $a1 = "EasyPayPlugin.EPplugin.1"
        $a2 = "ACUBEFILECTRL.AcubeFileCtrlCtrl.1"
        $a3 = "DUZONERPSSO.DUZONERPSSOCtrl.1"
        // $a4-$a6 are the hex-escaped forms of $a1-$a3 as they appear in the
        // obfuscated scripts. YARA itself decodes \xNN inside a text string to
        // the raw byte, so each backslash is doubled here; otherwise these
        // strings would match exactly the same bytes as $a1-$a3 and never the
        // escaped text.
        $a4 = "\\x45\\x61\\x73\\x79\\x50\\x61\\x79\\x50\\x6c\\x75\\x67\\x69\\x6e\\x2e\\x45\\x50\\x70\\x6c\\x75\\x67\\x69\\x6e\\x2e\\x31"
        $a5 = "\\x41\\x43\\x55\\x42\\x45\\x46\\x49\\x4c\\x45\\x43\\x54\\x52\\x4c\\x2e\\x41\\x63\\x75\\x62\\x65\\x46\\x69\\x6c\\x65\\x43\\x74\\x72\\x6c\\x43\\x74\\x72\\x6c\\x2e\\x31"
        $a6 = "\\x44\\x55\\x5a\\x4f\\x4e\\x45\\x52\\x50\\x53\\x53\\x4f\\x2e\\x44\\x55\\x5a\\x4f\\x4e\\x45\\x52\\x50\\x53\\x53\\x4f\\x43\\x74\\x72\\x6c\\x2e\\x31"
        $a7 = "SIClientAccess.SIClientAccess.1"
        $a8 = "INIWALLET61.INIwallet61Ctrl.1"
    condition:
        any of them
}

rule splwow32LazarusPayload {
    strings:
        // Base64 of the C&C "login success" banner embedded in the backdoor
        $resp = "TG9naW4gU3VjY2VzcyFcclxuV2VsY29tZSE="
    condition:
        // PE file (MZ header) containing the banner
        uint16(0) == 0x5a4d and all of them
}
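The profiling script described earlier probes for a list of ActiveX ProgIDs, and the rule above carries hex-escaped copies of them because the obfuscated scripts sometimes write the ProgIDs as \xNN escapes. The following Python is an added example, not code from the original post or its authors: it resolves JavaScript \xNN and \uNNNN escapes, scans a script for the listed ProgIDs in either form, and produces the escaped form together with the doubled-backslash YARA literal that matches it. The sample scripts are constructed for the example, and the try/catch ActiveXObject pattern in them is a generic probe, not the sejong[.]org script.

```python
import re

# ActiveX ProgIDs probed by the profiling script, as listed in the
# ActiveXSejongInstitute YARA rule.
PROBED_PROGIDS = (
    "EasyPayPlugin.EPplugin.1",
    "ACUBEFILECTRL.AcubeFileCtrlCtrl.1",
    "DUZONERPSSO.DUZONERPSSOCtrl.1",
    "SIClientAccess.SIClientAccess.1",
    "INIWALLET61.INIwallet61Ctrl.1",
)

# JavaScript string escapes that obfuscated scripts use to hide ProgIDs.
_JS_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")


def unescape_js(text: str) -> str:
    """Resolve \\xNN and \\uNNNN escapes so an obfuscated ProgID compares
    equal to its plain form. Other escapes are left untouched."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def hex_escape(text: str) -> str:
    """Write a string as the \\xNN sequence an obfuscator would emit
    (the form the YARA rule's $a4-$a6 are meant to catch)."""
    return "".join(f"\\x{b:02x}" for b in text.encode("ascii"))


def yara_literal(text: str) -> str:
    """Render hex_escape(text) as a YARA text string that matches the escape
    text itself: YARA decodes \\xNN in its own strings to the raw byte, so
    each backslash has to be doubled."""
    return '"' + hex_escape(text).replace("\\", "\\\\") + '"'


def find_progid_probes(script: str) -> list:
    """Return the probed ProgIDs a script references, whether written in the
    clear or hidden behind \\xNN / \\uNNNN escapes."""
    decoded = unescape_js(script)
    return [p for p in PROBED_PROGIDS if p in decoded]


# Constructed sample scripts (not captured from the real site). The first
# writes the ProgID in the clear; the second hides it with the same hex
# escapes as the YARA rule's $a5; the third references no ProgID at all.
PLAIN_JS = 'try{new ActiveXObject("EasyPayPlugin.EPplugin.1");r+="1"}catch(e){r+="0"}'
OBFUSCATED_JS = (
    r'try{new ActiveXObject("\x41\x43\x55\x42\x45\x46\x49\x4c\x45\x43\x54\x52\x4c'
    r'\x2e\x41\x63\x75\x62\x65\x46\x69\x6c\x65\x43\x74\x72\x6c\x43\x74\x72\x6c\x2e\x31");'
    r'r+="1"}catch(e){r+="0"}'
)
UNRELATED_JS = 'var ie = navigator.userAgent.indexOf("MSIE") >= 0;'

if __name__ == "__main__":
    for name, js in (("plain", PLAIN_JS), ("obfuscated", OBFUSCATED_JS), ("unrelated", UNRELATED_JS)):
        print(f"{name:10s} {find_progid_probes(js)}")
    print("YARA literal for $a4:", yara_literal("EasyPayPlugin.EPplugin.1"))
```

Run it directly to see which sample each ProgID turns up in. The YARA literal it prints is the form that belongs in a text string when the goal is to match the escaped source rather than the decoded ProgID.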


Profiling Script URLs

Akdoor.R228914 Download URL

Akdoor.R228914 File-Hashes

Akdoor.R228914 Command and Control Servers

Akdoor.R228914 Network Detection (Suricata)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"AV TROJAN Lazarus Akdoor.R228914 Response"; flow:established,from_server; dsize:38; content:"TG9naW4gU3VjY2VzcyFcclxuV2VsY29tZSE=|0d 0a|"; depth:38; reference:md5,8796fda0510420f6a1daff6ed89851ab; classtype:trojan-activity; sid:xxx; rev:1;)
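To check what the Suricata rule above actually matches, here is an added Python example, not code from the original post or its authors: it decodes the base64 banner carried in the rule's content field and applies the rule's dsize and depth checks to a few constructed server payloads (not captured traffic).

```python
import base64

# Base64 token the Akdoor C&C returns after a successful check-in; it is the
# content the YARA rule splwow32LazarusPayload and the Suricata rule match on
# (the Suricata rule additionally requires the trailing CRLF).
AKDOOR_LOGIN_RESPONSE = "TG9naW4gU3VjY2VzcyFcclxuV2VsY29tZSE="
RESPONSE_NEEDLE = AKDOOR_LOGIN_RESPONSE.encode("ascii") + b"\r\n"
RULE_DSIZE = 38  # dsize:38 in the rule


def decode_response(token: str) -> str:
    """Decode the banner the way an analyst would when reading the protocol.
    The result contains the characters backslash-r backslash-n literally;
    the server does not send a real CR/LF inside the banner."""
    return base64.b64decode(token).decode("ascii")


def matches_akdoor_response(payload: bytes) -> bool:
    """Apply the rule's payload checks: dsize:38 means the TCP payload must be
    exactly 38 bytes, and content ... depth:38 means the 38-byte needle must
    lie within the first 38 bytes, i.e. at offset 0."""
    if len(payload) != RULE_DSIZE:
        return False
    return RESPONSE_NEEDLE in payload[:RULE_DSIZE]


# Constructed server payloads (not captured traffic).
SAMPLES = {
    "banner_crlf": RESPONSE_NEEDLE,                                 # 38 bytes
    "banner_no_crlf": AKDOOR_LOGIN_RESPONSE.encode("ascii"),        # 36 bytes
    "banner_plus_prompt": RESPONSE_NEEDLE + b"> ",                   # 40 bytes
    "other_text": b"HTTP/1.1 200 OK\r\nContent-Length: 100\r\n",     # 38 bytes
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would alert on it."""
    return {name: matches_akdoor_response(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    print("decoded banner:", decode_response(AKDOOR_LOGIN_RESPONSE))
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} {'ALERT' if hit else '-'}")
```

Only the exact 38-byte banner with CRLF alerts. The dsize:38 check keeps the rule tight, but it also means a server that appends anything after the CRLF, such as a prompt, will not trigger it; if that behaviour is observed, dropping dsize and keeping content with depth:38 is the looser variant.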

OTX Pulse

You can find additional indicators in OTX.
