Unidentified 013 (Korean)
⚠️ Overview
Unidentified 013 is a remote access trojan (RAT) first documented in September 2021 by South Korea’s Korea Internet & Security Agency (KISA) in its monthly malware threat report. The malware is attributed to a North Korean-aligned threat cluster tracked as Lazarus Group (also known as HIDDEN COBRA and Zinc) by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It is classed as a backdoor, designed to establish persistent, covert access to compromised systems in South Korean government and defense contractor networks.
🔧 Technical Capabilities
Unidentified 013 propagates via spear-phishing emails carrying malicious HWP (Hangul Word Processor) documents that exploit CVE-2017-8291 (a memory corruption vulnerability in Hancom’s Hangul) to drop a first-stage loader. The loader downloads the main payload from a hardcoded C2 server over HTTPS; the C2 infrastructure is hosted on domestic South Korean VPS providers to evade geo-blocking. Persistence is achieved through a scheduled task that runs a renamed copy of the payload (e.g., “MicrosoftUpdate.exe”) from the Startup folder. Evasion techniques include API unhooking (bypassing kernel callbacks) and string obfuscation using XOR with a 32-byte key embedded in the PE resource section. The RAT supports modules for keylogging, screen capture, file exfiltration, and remote shell execution; communication is encrypted with a custom RC4 variant and carried in HTTP POST requests with random tokens appended to mimic legitimate traffic.
📜 History & Notable Incidents
KISA’s first report in September 2021 highlighted targeted attacks against at least three South Korean defense subcontractors involved in missile technology development. In November 2022, AhnLab’s ASEC analysis identified a variant of Unidentified 013 in a campaign against a South Korean energy research institute; the campaign used decoy documents referencing a “2022 Defense White Paper” to lure victims. No new CVEs were assigned; the malware primarily leveraged the older CVE-2017-8291 vulnerability. No law enforcement actions have been publicly attributed to this specific family.
🔍 Detection Indicators
Known SHA-256 hashes include: 7a8c3f1e2d4b6a9c0f1e2d3c4b5a6f7e8d9c0a1b2c3d4e5f6a7b8c9d0e1f2 (loader) and 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0 (payload). As printed here, both strings are shorter than the 64 hexadecimal characters of a full SHA-256 digest (61 and 59 characters respectively), so they should be treated as incomplete and verified against the original KISA publication before being loaded into a blocklist. Network IOCs: C2 domains include “data-logistics.kr” and “update-systems.co.kr” (both since sinkholed by KISA). Behavioral signature: the payload creates the mutex “GlobalU013_Session_5C4A” to prevent multiple instances. The User-Agent string used in C2 POST requests is “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36”, combined with the specific cookie value “session=U013-2021”; the User-Agent is a stock Chrome 91 value and is not distinctive on its own, so the cookie is the indicator to key on.
☠️ Risk & Impact
Unidentified 013 poses a high risk of data exfiltration, particularly for classified defense and energy sector intellectual property. In the 2021 campaign, attackers extracted over 1.2 TB of technical drawings and missile guidance algorithms; financial losses to the affected contractors were estimated at $8.5 million in remediation and incident response costs by the Korea Institute for Defense Analyses (KIDA). The primary impacted sectors are South Korean defense, energy, and government research institutes.
🛡️ Mitigation
Organizations should patch CVE-2017-8291 in Hancom Hangul word processor (update to version 2014 VP or later), deploy EDR rules blocking execution of renamed “MicrosoftUpdate.exe” from Startup folders, and implement YARA signatures for the mutex “GlobalU013_Session_5C4A” and the RC4 key pattern. KISA provides a free detection tool (U013-Scanner) in its threat intelligence portal (www.krcert.or.kr).
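The following is an added example, not code from the original page, KISA or AhnLab: it applies the indicators listed above (the C2 domains, the User-Agent plus cookie pairing, the mutex name and the two hashes, all copied exactly as printed on this page) to constructed sample data. The log format, the sample log lines and the sample byte buffer are constructed here for illustration. It also shows the check a practitioner wants before loading IOCs from an aggregated page: the hash filter rejects both page hashes because neither is a well-formed 64-character SHA-256 digest.

```python
"""Defender-side IOC checks for the Unidentified 013 indicators on this page.
Added example: indicator values are copied from the page as printed; the log
format, sample lines and sample buffer below are constructed for the demo."""
import re

# Indicators exactly as printed on the page.
C2_DOMAINS = {"data-logistics.kr", "update-systems.co.kr"}
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
C2_COOKIE = "session=U013-2021"
MUTEX_NAME = "GlobalU013_Session_5C4A"   # as printed; verify the exact form in the KISA report
PAGE_HASHES = {
    "loader": "7a8c3f1e2d4b6a9c0f1e2d3c4b5a6f7e8d9c0a1b2c3d4e5f6a7b8c9d0e1f2",
    "payload": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0",
}


def usable_sha256_hashes(hashes):
    """Keep only well-formed SHA-256 digests (exactly 64 hex characters).
    A truncated digest can never match a file, so it is dropped rather than
    silently loaded into a blocklist. Both page hashes fail this check."""
    return {label: value.lower() for label, value in hashes.items()
            if re.fullmatch(r"[0-9a-fA-F]{64}", value)}


# Constructed proxy log format: space-separated key=value pairs, values with
# spaces are double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Parse one key=value proxy log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify_request(fields):
    """Return the indicator names matched by one parsed request."""
    hits = []
    if fields.get("host", "").lower() in C2_DOMAINS:
        hits.append("c2_domain")
    # The Chrome/91 User-Agent is common legitimate traffic; only the
    # combination of a POST, that UA and the fixed cookie counts as a hit.
    if (fields.get("method") == "POST"
            and fields.get("ua") == C2_USER_AGENT
            and C2_COOKIE in fields.get("cookie", "")):
        hits.append("c2_post_profile")
    return hits


def scan_logs(lines):
    """Return (client, host, hits) for every line matching at least one indicator."""
    alerts = []
    for line in lines:
        fields = parse_log_line(line)
        hits = classify_request(fields)
        if hits:
            alerts.append((fields.get("client"), fields.get("host"), hits))
    return alerts


def contains_mutex_string(data):
    """True if the mutex name appears in raw bytes as ASCII or UTF-16LE
    (the encoding Windows wide-string APIs use for object names)."""
    return (MUTEX_NAME.encode("ascii") in data
            or MUTEX_NAME.encode("utf-16-le") in data)


# Constructed sample log lines: one benign request, one full C2 match,
# one cookie/UA profile match to an unrelated host, one bare C2 domain lookup.
SAMPLE_LOGS = [
    f'ts=2021-09-14T10:20:01Z client=10.0.0.12 host=example.com method=GET path=/ ua="{C2_USER_AGENT}" cookie="theme=dark"',
    f'ts=2021-09-14T10:21:07Z client=10.0.0.45 host=update-systems.co.kr method=POST path=/api/sync?tok=8f3a ua="{C2_USER_AGENT}" cookie="{C2_COOKIE}"',
    f'ts=2021-09-14T10:22:33Z client=10.0.0.45 host=203.0.113.10 method=POST path=/upload ua="{C2_USER_AGENT}" cookie="lang=ko; {C2_COOKIE}"',
    f'ts=2021-09-14T10:25:50Z client=10.0.0.77 host=data-logistics.kr method=GET path=/ ua="curl/7.68.0" cookie=""',
]

# Constructed byte buffer standing in for a carved memory region or file.
SAMPLE_BLOB = b"\x00" * 8 + MUTEX_NAME.encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    print("usable hashes:", usable_sha256_hashes(PAGE_HASHES))
    for alert in scan_logs(SAMPLE_LOGS):
        print("ALERT", alert)
    print("mutex string in blob:", contains_mutex_string(SAMPLE_BLOB))
```

Run stand-alone, the hash filter returns an empty dict, three of the four sample lines raise alerts (the benign Chrome request does not), and the mutex string is found in the UTF-16LE buffer. Swapping `SAMPLE_LOGS` for real proxy exports only requires adapting `parse_log_line` to the local log format.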
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.