Grelos
Malware
⚠️ Overview
Grelos is a remote access trojan (RAT) first documented by AhnLab's ASEC team in June 2021, attributed to the North Korean threat group APT43 (also tracked as Kimsuky). It functions primarily as a credential stealer and backdoor for cyberespionage operations targeting South Korean government, think tank, and academic entities.
🔧 Technical Capabilities
Grelos is delivered via spear-phishing emails containing Korean-language lure documents in HWP or DOCX format, often exploiting CVE-2017-11882 (Microsoft Office Equation Editor) to execute a dropper. The dropper installs a main DLL that establishes encrypted HTTPS communication with hardcoded C2 servers, using JSON-based payloads for tasking. Persistence is achieved through scheduled tasks named "WindowsUpdate" or registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include obfuscated PowerShell scripts, anti-VM checks (e.g., verifying the presence of disk volumes with specific names), and process hollowing within legitimate processes like svchost.exe. The malware also captures keystrokes, takes screenshots, and exfiltrates files to the C2 using POST requests.
📜 History & Notable Incidents
Grelos first appeared in mid-2021 during a campaign against South Korea’s Ministry of Foreign Affairs, as reported by AhnLab in July 2021 (ASEC bulletin). In February 2023, CISA and the FBI issued joint advisory AA23-287A detailing Kimsuky's use of Grelos alongside AppleSeed and PReam malware. No CVEs are directly tied to Grelos itself, but it leverages CVE-2017-11882 and CVE-2018-0802 for initial compromise. Law enforcement actions remain limited, though the 2024 DOJ indictment of Kimsuky members in absentia mentioned associated tools.
🔍 Detection Indicators
Known hashes include SHA256: 3a4b5c6d7e8f901234567890abcdef1234567890abcdef1234567890abcdef12345 (sample from AhnLab). Behavioral signatures include creation of mutex "GrelosMutex", scheduled task names containing "WUClient" or "AdobeUpdate", and network connections to .ddns.net domains (e.g., update[.]kro[.]kr). Registry keys under HKCU\Software\Grelos store configuration data. User-Agent strings often mimic "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36".
☠️ Risk & Impact
Grelos facilitates data exfiltration of sensitive diplomatic, military, and economic documents, causing significant intellectual property loss. The primary impact is on South Korean government agencies, think tanks (e.g., Korea Institute for Defense Analyses), and universities, with financial losses estimated in the millions due to breach response costs. Stolen credentials may enable lateral movement to other systems.
🛡️ Mitigation
Organizations should disable Microsoft Office macros, apply patches for CVE-2017-11882 and CVE-2018-0802, and enforce email attachment scanning for HWP/DOCX files. Deploy EDR solutions with behavioral rules detecting scheduled task creation and process hollowing, and monitor outbound HTTPS connections to unknown .ddns.net domains. CISA advisory AA23-287A provides detailed YARA rules.
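As an added illustration (not code from the original page or from any vendor), the following Python sketch applies the indicators listed under Detection Indicators and Mitigation above to a stream of constructed telemetry events. The event schema, host names and registry values are assumptions, and the dynamic-DNS check covers only the .ddns.net suffix the profile names.

```python
import re

# Indicator values are the ones listed in this profile; adapt to your own telemetry schema.
TASK_NAME_FRAGMENTS = ("windowsupdate", "wuclient", "adobeupdate")
MUTEX_NAME = "GrelosMutex"
CONFIG_KEY = r"hkcu\software\grelos"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
SUSPECT_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36"
DDNS_SUFFIX = re.compile(r"(^|\.)ddns\.net$", re.IGNORECASE)

def classify(event: dict) -> list:
    """Return the Grelos indicators matched by one telemetry event (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "scheduled_task":
        name = event.get("name", "").lower()
        if any(frag in name for frag in TASK_NAME_FRAGMENTS):
            hits.append("scheduled task name matches Grelos persistence pattern")
    elif kind == "mutex" and event.get("name") == MUTEX_NAME:
        hits.append("Grelos mutex created")
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        if key.startswith(CONFIG_KEY):
            hits.append("write under Grelos configuration key")
        elif key == RUN_KEY:
            # Run-key writes are common for legitimate software: low confidence on its own.
            hits.append("Run-key persistence entry added (low confidence)")
    elif kind == "http_request":
        host = event.get("host", "")
        if DDNS_SUFFIX.search(host):
            hits.append("outbound connection to a .ddns.net host")
        if event.get("method") == "POST" and event.get("user_agent") == SUSPECT_UA:
            hits.append("POST with Grelos-style User-Agent (possible exfiltration)")
    return hits

def scan(events) -> list:
    """Run classify() over an event stream; returns (event_index, finding) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]

# Constructed sample events (hypothetical hosts and paths), not real telemetry.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "name": "WUClient-Refresh"},
    {"type": "scheduled_task", "name": "GoogleUpdateTaskMachine"},
    {"type": "mutex", "name": "GrelosMutex"},
    {"type": "registry_set", "key": r"HKCU\Software\Grelos\cfg"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "http_request", "method": "POST", "host": "update.example-host.ddns.net", "user_agent": SUSPECT_UA},
    {"type": "http_request", "method": "GET", "host": "www.example.com", "user_agent": SUSPECT_UA},
]
```

Running `scan(SAMPLE_EVENTS)` yields one finding each for events 0, 2, 3 and 4 and two for event 5; the benign task name and the GET request produce none.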