Now that it’s been leaked, let’s take a look at the North Korean email client that was part of the leak. It’s made up of a main executable, a couple of dll files, and a config file. Before even diving into it, there are a couple of interesting things we can find by looking at the strings and some of the associated file names.
.rdata:006E1E80 0000001C C Not a valid Chilkat object.
.rdata:006E2004 00000025 C VHJpYWwgcGVyaW9kIGhhcyBleHBpcmVkLg==
.rdata:006E2030 00000059 C UHJvZHVjdCBpcyBub3QgdW5sb2NrZWQuICBNYWtlIHN1cmUgdG8gY2FsbCBVbmxvY2tDb21wb25lbnQgZmlyc3Qu
.rdata:006E5A88 00000047 C AutoFix: SMTP port 587 requires explicit SSL/TLS for this mail server.
.rdata:007366D8 0000001F C No SSH connection established!
.rdata:007366F8 00000024 C SSH password authentication failed
So it’s using the Chilkat library, and there are references to SSH, FTP, and other protocols in there as well. The base64 encoded strings decode to messages about an invalid license. If you’re not familiar with Chilkat, it is a cross-language, cross-platform API providing 90+ classes for many Internet protocols, formats, and algorithms.
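To reproduce the observation about the base64 strings, here is an added triage helper (my own example code, not part of the post or of the leaked client) that scans a string dump for base64 runs and keeps only those that decode to printable text; it runs on a constructed sample built from the strings listed above, but works on any raw string dump.

```python
import base64
import re
import string

# Constructed sample modelled on the .rdata listing above: plain strings plus the two
# base64 blobs, NUL-separated as they would be inside the binary's string table.
SAMPLE_RDATA = (
    b"Not a valid Chilkat object.\x00"
    b"VHJpYWwgcGVyaW9kIGhhcyBleHBpcmVkLg==\x00"
    b"UHJvZHVjdCBpcyBub3QgdW5sb2NrZWQuICBNYWtlIHN1cmUgdG8gY2FsbCBVbmxvY2tDb21wb25lbnQgZmlyc3Qu\x00"
    b"AutoFix: SMTP port 587 requires explicit SSL/TLS for this mail server.\x00"
)

# A candidate is a run of base64-alphabet characters with optional '=' padding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
_PRINTABLE = set(string.printable.encode())


def decode_base64_strings(blob: bytes, min_len: int = 16) -> list[tuple[str, str]]:
    """Return (encoded, decoded) pairs for base64 runs in blob that decode to printable text.

    A run is kept only if its length is a multiple of 4 (well-formed padding) and the
    decoded bytes are all printable ASCII. That filters out ordinary identifiers such
    as 'UnlockComponent' that merely happen to use the base64 alphabet.
    """
    found = []
    for match in _B64_RUN.finditer(blob):
        token = match.group(0)
        if len(token) < min_len or len(token) % 4 != 0:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(b in _PRINTABLE for b in raw):
            found.append((token.decode("ascii"), raw.decode("ascii")))
    return found


if __name__ == "__main__":
    for encoded, decoded in decode_base64_strings(SAMPLE_RDATA):
        print(f"{encoded[:24]}... -> {decoded!r}")
```

The same function can be pointed at the output of `strings` on the real executable to confirm no other encoded messages are hiding in the string table.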
And while Google Translate is great, the file names for the icons alone give us an idea of how the software works when connected to a mail client.
There’s also an icon for a question that I haven’t seen in use yet.
Running the software we can see that it’s a pretty simple interface for an email client.
Checking the temp files as it’s running gives some more information about the UI. While it looks like someone has since taken over the domain, using the Wayback Machine we can see that uieasy.com is described as “a powerful library to help you develop the user interface program. It uses xml files to describe the look and feel of the control and you can make fancy user interface easily.” However, the last active snapshot on the Wayback Machine is from 2014. If this email client is still in use, it could potentially have been in use for a long time now.
I set up my own email server to see how this works since there are references to SSH and FTP. Two things that were a pain right away: it only supports usernames @star-co.net.kp, and there really aren’t good error messages when trying to set up the client, even though there appear to be plenty of strings to support error messages. I suppose they’re all in English and not Korean.
I worked out the errors. If you want to test this out on your own, I’ve uploaded a dockerfile that builds with all the correct settings. You can log in with the username ‘test@star-co.net.kp’ and the password ‘yourpassword’.
https://nkinternet.wordpress.com/wp-content/uploads/2024/09/docker_netstar_email_server.zip
You also have to use a star-co.net.kp domain when entering the username in the email program or else it rejects it. There’s a config file as well for setting the mail server to connect to. The default config that it shipped with is interesting. There’s an entry for a North Korean domain, but the second entry is titled 626MailServer and has the server set to the IP address 214.6.26.30, which is owned by the Department of Defense. Could be interesting, or it could just be a network that uses DoD IPs for its internal addressing.
Once the email client authenticates, the rest of the buttons become available. There are options to write an email as well as download an email. It looks like this is designed to be used offline. The bottom left box is for storing emails that come in to a user’s inbox, and the bottom right looks to be an outbox for emails that get sent once you are connected to the internet.
Overall it appears to be a pretty standard email client. It’s interesting that there is some functionality for apparently working in locations without internet access. There will probably be a second part to this after looking into the dll and db files a little more.
Files:
e3144b16b70ca666abcafdcef98b0ea9 MailClient.exe
16e8287667a1db5b5645531029d3dfc3 dskinliteud.dll
00fb7dc1c20bc169f