lazarus-malware-and-ttps.md

File metadata and controls

1152 lines (838 loc) · 104 KB

Lazarus' Evolution

2006 - 2013

2006-07-26: INTERPOL’s Supernote Summit wherein they decide to change the bill.

2007-07-03: Operation Flame Malware

2009-07-04: MYDOOM Malware and Dozer Malware - DDoS Attacks

  • A large scale DDoS attack on US and South Korean websites uses the MYDOOM and Dozer malware, which is suspected to have arrived in email messages. The malware places the text “Memory of Independence Day” in the Master Boot Record (MBR).

2009-2012: Operation Troy DDoS Attacks

2011-03: Ten Days of Rain Attacks

  • “Ten Days of Rain” attack targets South Korean media, financial, and critical infrastructure targets. Compromised computers within South Korea are used to launch DDoS attacks.

2011-04: Nonghyup Bank DDoS Attacks

2013-03-20: DarkSeoul Wiper Attacks

  • DarkSeoul: a wiper attack that targeted three South Korean broadcast companies, financial institutions, and an ISP
  • At the time, two other groups going by the personas "NewRomanic Cyber Army Team" and "WhoIs Team" took credit for that attack

2014

2014-11-24: Sony Pictures Hack Wiper Attack Occurs

  • The target was Sony Pictures Entertainment (“SPE”) and its comedic film “The Interview,” which depicted a fictional Kim Jong-Un, the Chairman of the Workers’ Party of Korea and the “supreme leader” of North Korea
  • Lazarus targeted individuals and entities associated with the production of “The Interview” and employees of SPE, sending them malware that the subjects used to gain unauthorized access to Sony's network
  • Once inside Sony's network, the subjects stole movies and other confidential information, and then effectively rendered thousands of computers inoperable
  • The same group of subjects also targeted individuals associated with the release of “The Interview,” among other victims.
  • Perpetrators identified themselves as the Guardians of Peace.
  • Large amounts of data were stolen and slowly leaked in the days following the attack.
  • U.S. investigators say the culprits spent at least two months copying critical files
  • The attack was conducted using malware, including a Server Message Block (SMB) worm tool
  • Components of the attack included a listening implant, backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool
  • The components clearly suggest an intent to gain repeated entry, extract information, and be destructive, as well as remove evidence of the attack
  • November 24, 2014 - previously installed malware rendered many Sony employees' computers inoperable and displayed a warning from a group calling themselves the Guardians of Peace, along with a portion of the confidential data taken during the hack.
  • Several Sony-related Twitter accounts were also taken over
  • Park was a North Korean hacker who worked for the country's Reconnaissance General Bureau, the equivalent of the
  • The US DOJ also asserted that Park was partially responsible for arranging WannaCry, having developed part of the ransomware software
  • https://en.wikipedia.org/wiki/Sony_Pictures_hack
  • https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation

2014-2015: Operation Red Dot against South Korean Govt/Defence Co's

  • Variants of the malware used in the Sony Pictures hack were found in attacks which targeted the websites of North Korean research and governmental organizations, and the South Korean defence industry.
  • AhnLab refers to these attacks – which occurred from 2014 to 2015 – as Operation Red Dot. The variants in this operation share similar code and names, such as AdobeArm.exe and msnconf.exe.
  • The main infection methods are: executable files disguised as document files (HWP, PDF), disguised installers, and exploits of Hangul Word Processor (HWP) file vulnerabilities.
  • The document files, which are listed in Table 3, are decoys disguised as legitimate documents, such as address books, deposit slips and invitations to lure victims into opening them.
  • https://www.virusbulletin.com/virusbulletin/2018/11/vb2018-paper-hacking-sony-pictures/

2015

2015-01-12: Banco del Austro in Ecuador SWIFT Bank Heist - $12M

2015-03-17: KIMSUKY - South Korea blames North Korea for December hack on nuclear operator

2015-03-30: Bangladesh Bank employees spear-phished.

  • By March the hackers had a backdoor into the bank's electronic communication system, allowing them to send messages to one another in a way that mimicked the bank’s encrypted-communication protocols and did not alert security to their presence.

2015-2019: SWIFT Heists

  • Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent SWIFT messages.

2015: Sony Pictures Hack - Intrusion into Mammoth Screen, producer of a fictional series involving a British nuclear scientist taken prisoner in DPRK

2016

2016-02-01: Sony Pictures Hack Report Released: Operation Blockbuster

2016-02-04: Bangladesh Bank SWIFT Heist Initiated - $81M

2015-2018: Engaged in computer intrusions and cyber-heists at many financial services victims in the United States, and in other countries in Europe, Asia, Africa, North America, and South America in 2015, 2016, 2017, and 2018, with attempted losses well over $1 billion.

2016-05-13: BAE Systems Threat Research Blog: Cyber Heist Attribution

2016-05-14: FASTCash - $16M was withdrawn from roughly 1700 7-Eleven ATMs across Japan using data stolen from South Africa’s Standard Bank

2016-05-15: Tien Phong Bank in Vietnam SWIFT Heist - $1M

2016-05-26: SWIFT Heists: Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank

2016-05-27: SWIFT Heists: Evidence of Stronger Ties Between North Korea and SWIFT Banking Attacks

2016-06-17: Operation Daybreak

2016-2020: Multiple spear-phishing campaigns targeting employees of US defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense

2016: Stole more than 200GB of South Korean Army data

  • The stolen data included documents known as Operational Plan 5015—a detailed analysis of how a war with the country’s northern neighbor might proceed, and, notably, a plot to “decapitate” North Korea by assassinating Kim Jong Un. The breach was so egregious that Kim Tae-woo, a former president of the Korea Institute for National Unification, a think tank in Seoul, told the Financial Times, “Part of my mind hopes the South Korean military intentionally leaked the classified documents to the North with the intention of having a second strategy.”

2017

2017-04-03: Lazarus Under The Hood

  • Lazarus is not just another APT actor. The scale of the Lazarus operations is shocking. It has been on a spike since 2011.
  • All those hundreds of samples that were collected give the impression that Lazarus is operating a factory of malware, which produces new samples via multiple independent conveyors.
  • We have seen them using various code obfuscation techniques, rewriting their own algorithms, applying commercial software protectors, and using their own and underground packers.
  • Lazarus knows the value of quality code, which is why we normally see rudimentary backdoors being pushed during the first stage of infection. Burning those doesn’t impact the group too much. However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk. The code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value. It usually comes with an installer that only attackers can use, because they password protect it. It guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never see the real payload.
  • Most of the tools are designed to be disposable material that will be replaced with a new generation as soon as they are burnt. And then there will be newer, and newer, and newer versions. Lazarus avoids reusing the same tools, same code, and the same algorithms. “Keep morphing!” seems to be their internal motto.
  • Those rare cases when they are caught with same tools are operational mistakes, because the group seems to be so large that one part doesn’t always know what the other is doing.
  • https://securelist.com/lazarus-under-the-hood/77908/
  • https://www.csoonline.com/article/560979/kaspersky-lab-reveals-direct-link-between-banking-heist-hackers-and-north-korea.html

2017-05-12: WannaCry

2017-05-30: Lazarus Arisen

  • https://www.group-ib.com/blog/lazarus/
  • 210.52.109.22 - China Netcom, 210.52.109.0/24 is assigned to North Korea
  • 175.45.178.222 - National Defence Commission
  • 175.45.178.19 - Ghost RAT
  • 175.45.178.97 - Ghost RAT

2017-04-22: Four wallets on Yapizon, a South Korean cryptocurrency exchange, are compromised. (It is worth noting that at least some of the tactics, techniques, and procedures reportedly employed during this compromise were different from those observed in subsequent intrusion attempts, and as yet there are no clear indications of North Korean involvement.)

2017-04-26: The United States announces a strategy of increased economic sanctions against North Korea. Sanctions from the international community could be driving North Korean interest in cryptocurrency, as discussed earlier.

2017-05-01: Spearphishing against South Korean Exchange #1 begins.

2017-05-30: South Korean Exchange #2 compromised via spearphish.

2017-06-01: More suspected North Korean activity targeting unknown victims, believed to be cryptocurrency service providers in South Korea.

2017-06-13: CISA's report on HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

  • This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure.

2017-06-13: US-CERT's HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

2017-07-01: South Korean Exchange #3 targeted via spear phishing to a personal account.

2017-09-17: Why Is North Korea So Interested in Bitcoin?

2017-08-14: Unit42 has discovered an ongoing attack targeting individuals involved with US defense contracts that links back to the perpetrators of the Sony Pictures Hack.

2017-08-23: CISA's analysis of DeltaCharlie Attack Malware

  • STIX file for MAR 10132963. This MAR examines the functionality of the DeltaCharlie malware variant used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity.

2017-10-15: The World Once Laughed at North Korean Cyberpower. No More.

2017-11-14: CISA's analysis of FALLCHILL and Volgmer

  • CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
  • CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
  • These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity.

2017-12-20: North Korea suspected in latest bitcoin heist, bankrupting Youbit exchange

2017-12-21: CISA's analysis of North Korean Trojan: BANKSHOT

  • STIX file for MAR 10135536
  • DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. This MAR analyzes three malicious executable files.
  • Two files are 32-bit Windows executables that function as proxy servers and implement a Fake TLS method.
  • The third file is an Executable and Linkable Format (ELF) file designed to run on Android platforms as a fully functioning Remote Access Trojan.

2018

2018-01-15: TrendMicro's KillDisk Variant Hits Latin American Financial Groups

2018-01-16: Korea In The Crosshairs

2018-02-05: North Korea stole huge amount of virtual currency: South Korea spy agency

2018-02-13: CISA's analysis of North Korean Trojan: HARDRAIN

  • AR 10135536-F: North Korean Trojan: HARDRAIN
  • STIX file for MAR 10135536-F
  • DHS and FBI identified a Trojan malware variant—referred to as HARDRAIN—used by the North Korean government.

2018-02-20: Reaper - The Overlooked North Korean Actor from FireEye

2018-03-28: CISA's analysis of North Korean Trojan: SHARPKNOT

  • MAR 10135536.11: North Korean Trojan: SHARPKNOT
  • STIX file for MAR 10135536.11
  • DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices.

2018-04-03: Lazarus KillDisks Central American casino

  • https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/
  • Our analysis shows that the cybercriminals behind the attack against an online casino in Central America, and several other targets in late-2017, were most likely the infamous Lazarus hacking group. In all of these incidents the attackers utilized similar toolsets, including KillDisk; the disk-wiping tool that was executed on compromised machines.
  • Some of the past attacks attributed to the Lazarus Group attracted the interest of security researchers who relied on Novetta et al’s white papers with hundreds of pages describing the tools used in the attacks – the Polish and Mexican banks; the WannaCryptor outbreak; phishing campaigns against US defense contractors, etc – which provide grounds for the attribution of these attacks to the Lazarus Group.
  • Our analysis of these two Win32/KillDisk.NBO variants revealed that they share many code similarities. Further, they are almost identical to the KillDisk variant used against financial organizations in Latin America, as described by Trend Micro.
  • One of the variants was protected using the commercial PE protector VMProtect in its 3rd generation, which made unpacking it trickier. The attackers most likely did not buy a VMProtect license but have rather used leaked or pirated copies available on the Internet. Using protectors is common for the Lazarus group: during the Polish and Mexican attacks in February 2017, they made use of Enigma Protector and some of the Operation Blockbuster samples, reported by Palo Alto Networks, used an older version of VMProtect.
  • This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else). The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.
  • Utilizing KillDisk in the attack scenario most likely served one of two purposes: the attackers covering their tracks after an espionage operation, or it was used directly for extortion or cyber-sabotage. In any case, the fact that ESET products detected the malware on over 100 endpoints and servers in the organization signifies a large-scale effort of the attackers.

2018-04-25: SWIFT is aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services.

2018-05-29: CISA's analysis of HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

  • CISA Alert TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
  • MAR 10135536-3: HIDDEN COBRA RAT/Worm
  • This Joint Technical Alert and MAR authored by DHS and FBI provides information, including IOCs associated with two families of malware used by the North Korean government: A remote access tool, commonly known as Joanap; and Server Message Block worm, commonly known as Brambul.

2018-05-31: NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

2018-06-13: Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist

2018-06-14: CISA's analysis of North Korean Trojan: TYPEFRAME

  • AR 10135536-12
  • DHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros.

2018-08-09: CISA's analysis of North Korean Trojan: KEYMARBLE

  • AR 10135536-17
  • DHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government. KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.

2018-09-06: DOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer Jin Hyok Park

2018-10-01: The most destructive cyber threat right now

2018-10-01: FireEye Report on APT38

2018-10-01: NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT

2018-10-02: CISA's analysis of HIDDEN COBRA FASTCash Campaign

  • MAR 10201537: HIDDEN COBRA FASTCash-Related Malware
  • CISA, Treasury, FBI, and U.S. Cyber Command identified malware and other IOCs used by the North Korean government in an ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.” The Joint Technical Alert provides information on FASTCash and the MAR provides information on 10 malware samples related to this activity.
  • https://www.cisa.gov/news-events/alerts/2018/10/02/hidden-cobra-fastcash-campaign

2018-10-25: Lazarus Group Shifting Patterns in Internet Use Reveal Adaptable and Innovative North Korean Ruling Elite

2018-11-01: Cryptocurrency businesses targeted by Lazarus via custom PowerShell Scripts

2018-12-05: KIMSUKY - Stolen Pencil Campaign

2018-12-14: Top secret report: North Korea keeps busting sanctions, evading U.S.-led sea patrols

2018-12-31: Group-IB's 2018 Crime Report

2017-2018: According to the Treasury, NK affiliated hackers “likely” stole ~$571 million in cryptocurrency from five Asian exchanges in 2017 and 2018.

  • 2018-09: Indonesian Crypto Company Theft - $24.9M
  • 2018-06: Bithumb2 CEX Hack - Lazarus - $30M
  • 2017-12: YouBit CEX Hack (previously known as Yapizon)
  • 2017-04: Yapizon CEX Hack - 3831 BTC

2018-2020: Multiple malicious cryptocurrency applications which would provide the North Korean hackers a backdoor into the victims’ computers.

  • Distributed from March 2018 through at least September 2020.
  • Applications: Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale.

2018: FASTCash grabs $6.1 million from BankIslami Pakistan Limited

2018: Operation AppleJeus research highlighted Lazarus’s focus on cryptocurrency exchanges utilizing a fake company with a backdoored product aimed at cryptocurrency businesses

  • New ability to target macOS.
  • Victims were infected with malware after installing a legitimate-looking trading application called Celas Trade Pro from Celas Limited, which showed no signs of malicious behaviour and looked genuine. The malware was delivered via the application's update files. Users installed the program via a download link delivered over email.
  • For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot.
  • https://securelist.com/operation-applejeus/87553/

2019

2019-01-30: 200 North Korean hacker organizations dispatched overseas, each team sending up to $1 million to North Korea

2019-02-08: KIMSUKY - Operation Kabar Cobra

2019-04-17: KIMSUKY - Operation Smoke Screen

2019-04-30: North Korea's Next Weapon of Choice: Cyber

2019-05-13: ScarCruft continues to evolve, introduces Bluetooth harvester

2019-09-09: CISA's analysis of North Korean Malware ELECTRICFISH and BADCALL

  • MAR 10135536-21: North Korean Proxy Malware: ELECTRICFISH (note: this version of the ELECTRICFISH MAR updates the May 9, 2019 version).
  • MAR 10135536-10: North Korean Trojan: BADCALL (note: this version of the BADCALL MAR updates the February 6, 2018 version), and a STIX file.
  • CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.
  • ELECTRICFISH implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address.
  • BADCALL malware is an executable that functions as a proxy server and implements a Fake TLS method.

2019-09-13: Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups

2019-10-29: Indian Nuclear Power Plant Attack

  • https://greatgameindia.com/kudankulam-nuclear-power-plant-hit-by-cyberattack/
  • Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centers. Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).
  • In 2018, Kaspersky researchers discovered ATMDtrack – malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that had code sequence similarities with ATMDtrack but were not aimed at ATMs. Instead, their list of functions defined them as spy tools, now known as Dtrack.
  • Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus – an infamous advanced persistent threat actor responsible for multiple cyberespionage and cyber sabotage operations.

2019-11-04: Indian Nuclear Power Plant Attack: “We have long known and continuously monitored North Korea is attacking India”

2019-12-04: New Lazarus Malware: macOS Threat Served from Cryptocurrency Trading Platform

2020

2020-02-14: CISA's analysis of North Korean Trojans BISTROMATH, SLICKSHOES, CROWDEDFLOUNDER, HOTCROISSANT, ARTFULPIE, BUFFETLINE, HOPLIGHT

  • Note: this version of the HOPLIGHT MAR updates the October 31, 2019 version, which updated the April 10, 2019 version.
  • The BISTROMATH MAR covers multiple versions of a full-featured Remote Access Trojan implant executable and multiple versions of the CAgent11 GUI implant controller/builder.
  • SLICKSHOES is a Themida-packed dropper that decodes and drops a Themida-packed beaconing implant.
  • The CROWDEDFLOUNDER MAR covers a Themida-packed Windows executable.
  • HOTCROISSANT is a full-featured beaconing implant.
  • ARTFULPIE is an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.
  • BUFFETLINE is a full-featured beaconing implant.
  • The HOPLIGHT MAR covers multiple malicious executable files, some of which are proxy applications that mask traffic between the malware and the remote operators.

2020-03-02: Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group

2020-03-05: How an elaborate North Korean crypto hacking heist fell apart

2020-03-16: UNC2891 Have Your Cake and Eat it Too? An Overview of UNC2891

  • https://www.mandiant.com/resources/unc2891-overview
  • UNC2891 intrusions appear to be financially motivated and in some cases spanned several years through which the actor had remained largely undetected.
  • Mandiant discovered a previously unknown rootkit for Oracle Solaris systems that UNC2891 used to remain hidden in victim networks, which Mandiant named CAKETAP.
  • Mandiant expects that UNC2891 will continue to capitalize on this and perform similar operations for financial gain that target mission critical systems running these operating systems.

2020-04-15: U.S. Government Advisory: Guidance on the North Korean Cyber Threat

  • The U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat.

2020-04-15: CISA's Guidance on the North Korean Cyber Threat

2020-04-18: CISA Alert on TraitorTrader

2020-04-29: OXT's The North Korean Connection

2020-05-12: CISA's analysis of North Korean Trojans: COPPERHEDGE, TAINTEDSCRIBE, PEBBLEDASH

  • MAR 1028834-1.v1: North Korean Remote Access Tool: COPPERHEDGE
  • MAR 1028834-2.v1: North Korean Trojan: TAINTEDSCRIBE
  • MAR 1028834-3.v1: North Korean Trojan: PEBBLEDASH
  • CISA, FBI, and DoD identified three malware variants used by the North Korean government.
  • COPPERHEDGE belongs to the Manuscrypt family of malware, which is used by APT cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a
  • TAINTEDSCRIBE and PEBBLEDASH are full-featured beaconing implants.

2020-05-12: U.S. Government Advisory: Top 10 Routinely Exploited Vulnerabilities

  • CISA, FBI, and the broader U.S. Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors.

2020-05-28: U.S. charges 28 North Koreans and 5 Chinese citizens with laundering more than $2.5 billion in assets to help fund North Korea’s nuclear weapons

2020-07-01: VHD ransomware, Hakuna MATA

  • Initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway. After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system, and were able to take over the Active Directory server.
  • https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

2020-07-06: North Korean hackers are skimming US and European shoppers

2020-07-23: U.S. seeks forfeiture of $2,372,793 for violations of sanctions against the DPRK

  • According to the complaint, the four companies laundered U.S. dollars on behalf of sanctioned North Korean banks and helped those banks to illegally access the U.S. financial market.
  • The complaint lists one source of the laundered funds as a DPRK entity involved in the banned sales of North Korean coal. The laundered funds were used to purchase Russian petroleum products and nuclear and missile components for the DPRK and to aid multiple covert branches of the DPRK’s Foreign Trade Bank, which the U.S. Treasury Department had sanctioned for “facilitating transactions on behalf of actors linked to the DPRK’s proliferation network”.
  • https://www.justice.gov/opa/pr/united-states-files-complaint-forfeit-more-237-million-companies-accused-laundering-funds

2020-08-31: Yang Ban Corporation Pleads Guilty to Money Laundering

  • From at least February 2017 to May 2018 and beyond, Yang Ban deceived banks in the U.S. into processing transactions for North Korean customers of Yang Ban.
  • It used front companies and created false sets of invoices and shipping records to conceal that the ultimate destination of shipments was customers in the DPRK. These practices helped Yang Ban circumvent “banks’ sanction and anti-money laundering filters”, thus “duping U.S. correspondent banks into processing U.S. dollar transactions that they would not otherwise have authorized.”
  • Yang Ban specifically admitted to conspiring with SINSMS (a company subsequently designated by U.S. sanctions) and others, “to conceal the North Korean nexus” by falsifying shipping records and by other means.
  • The company will pay a financial penalty totaling $673,714 (USD) and has “agreed to implement rigorous internal controls and to cooperate fully with the Justice Department, including by reporting any criminal conduct by an employee”.
  • https://www.justice.gov/opa/pr/company-pleads-guilty-money-laundering-violation-part-scheme-circumvent-north-korean
  • https://www.nknews.org/2020/09/company-pleads-guilty-to-helping-north-korea-illegally-use-us-banking-system

2020-08-13: Operation Dream Job - Espionage Campaign Targeting Govt and Defense Co's

  • Widespread North Korean Espionage Campaign
  • It succeeded in infecting several dozen companies and organizations in Israel and globally
  • Main targets: defense, governmental companies, and specific employees of those companies
  • We assess this to be this year’s main offensive campaign by the Lazarus group
  • The infection and infiltration of target systems had been carried out through a widespread and sophisticated social engineering campaign, which included: reconnaissance, creation of fictitious LinkedIn profiles, sending emails to the targets’ personal addresses, and conducting a continuous dialogue with the target – directly on the phone, and over WhatsApp
  • Upon infection, the attackers collected intelligence regarding the company’s activity, and also its financial affairs, probably in order to try and steal some money from it
  • The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country.
  • https://www.clearskysec.com/operation-dream-job/
  • https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

2020-08-19: CISA's analysis of North Korean Remote Access Trojan: BLINDINGCAN

  • CISA and FBI have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies.

2020-08-25: DPRK-aligned threat actor targeting cryptocurrency vertical with global hacking campaign

2020-08-25: Lazarus Group Campaign Targeting the Cryptocurrency Vertical

2020-08-26: CISA's Report FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks

  • MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON
  • MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT
  • MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows
  • CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.”
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a

2020-08-28: US DOJ: Forfeiture Complaint for 280 Crypto addresses tied to North Korea

2020-09-02: Chainalysis: report regarding Lazarus Group on-chain activity and the recent US DOJ civil forfeiture of 280 cryptocurrency addresses

2020-09-02: F-Secure: Report on Lazarus Group's targeting of crypto companies

2020-09-20: US DOJ: Lazarus Group developed multiple malicious crypto applications from March 2018 through at least September 2020. Such apps include Celas Trade Pro, Worldbit-bot, icryptofx, Union Crypto Trader, Kupay Wallet, Coingo Trade, Dorusio, Cryptoneuro Trader, and Ants2whale.

2020-09-20: Secret documents show how North Korea launders money through U.S. banks

2020-09: Pharma Company Espionage Attacks

  • An employee of the pharmaceutical company received a document named GD2020090939393903.doc with a job offer (creation date: 2020:09:22 03:08:00).
  • After a short period of time, another employee received a document named GD20200909GAB31.doc with a job offer from the same company (creation date: 2020:09:14 07:50:00). By opening the documents from a potential employer, both victims activated malicious macros on their home computers
  • In one of the cases, a malicious document was received via Telegram. Note that both documents were received by the victims over the weekend.
  • At the same time, by performing reconnaissance on the computers they had access to, the attackers obtained new vectors for penetration into the company's corporate network. Two days later, after the company's network infrastructure had been compromised, another employee from another branch received a job offer. On the social network LinkedIn, the victim was contacted by a user named Rob Wilson, shortly after which she received an email with a job offer from General Dynamics UK.
  • The compromised user also forwarded the malicious email to her colleague. However, the recipient did not open the malicious document and did not allow the attackers to expand the attack surface.
  • In this campaign, attackers, under the guise of the HR service of General Dynamics Mission Systems, sent documents with malicious macros containing a stub text with a job offer through LinkedIn Messages, Telegram, WhatsApp, and corporate email.

2020-10-27: CISA's Report on North Korean Advanced Persistent Threat Focus: Kimsuky

  • CISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky.

2020-11-27: North Korean hackers targeted COVID vaccine maker AstraZeneca

2020-12-08: OFAC Cyber-related Designations

2020 (throughout the year): Pharma Company Espionage Attacks

  • Stayed in their systems for months on end
  • Contacted in Feb 2020
  • Payload delivered in Q2/Q3
  • Data exfiltration in Q2, Q3 and Q4 2020
  • By using spear-phishing methods, members of Lazarus Group acted as health officials and reached out to a number of pharmaceutical companies. Once trust was gained, Lazarus Group sent a number of malicious links to the companies. It is unconfirmed what the goal of the attack was, but it is suspected that they were looking to sell data for profit, extort the companies and their employees, and give foreign entities access to proprietary COVID-19 Research.
  • https://www.hvs-consulting.de/public/ThreatReport-Lazarus.pdf

2021

2021-01-01: 2021 Chainalysis Report: North Korean Hackers Crypto Holdings Reach All-time High

  • https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf
  • North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400M worth of digital assets last year.
  • These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses.
  • Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out. These complex tactics and techniques have led many security researchers to characterize cyber actors of the Democratic People’s Republic of Korea (DPRK) as advanced persistent threats (APTs). This is especially true for APT 38, also known as “Lazarus Group,” which is led by DPRK’s primary intelligence agency, the US- and UN-sanctioned Reconnaissance General Bureau.
  • While we will refer to the attackers as North Korean-linked hackers more generally, many of these attacks were carried out by the Lazarus Group in particular. Lazarus Group first gained notoriety from its Sony Pictures and WannaCry cyberattacks, but it has since concentrated its efforts on cryptocurrency crime—a strategy that has proven immensely profitable.
  • From 2018 on, the group has stolen and laundered massive sums of virtual currencies every year, typically in excess of $200M. The most successful individual hacks, one on KuCoin and another on an unnamed cryptocurrency exchange, each netted more than $250M alone.
  • Interestingly, in terms of dollar value, Bitcoin now accounts for less than one fourth of the cryptocurrencies stolen by DPRK.
  • In 2021, only 20% of the stolen funds were Bitcoin, whereas 22% were either ERC-20 tokens or altcoins. And for the first time ever, Ether accounted for a majority of the funds stolen at 58%.
  • The growing variety of cryptocurrencies stolen has necessarily increased the complexity of DPRK’s cryptocurrency laundering operation. Today, DPRK’s typical laundering process is as follows:
  • More than 65% of DPRK’s stolen funds were laundered through mixers this year, up from 42% in 2020 and 21% in 2019, suggesting that these threat actors have taken a more cautious approach with each passing year.
  • Why mixers? DPRK is a systematic money launderer, and their use of multiple mixers is a calculated attempt to obscure the origins of their ill-gotten cryptocurrencies while offramping into fiat. Why DeFi? DeFi platforms like DEXs provide liquidity for a wide range of ERC-20 tokens and altcoins that may not otherwise be convertible into cash. When DPRK swaps these coins for ETH or BTC they become much more liquid, and a larger variety of mixers and exchanges become usable. What’s more, DeFi platforms don’t take custody of user funds and many do not collect know-your-customer (KYC) information, meaning that cybercriminals can use these platforms without having their assets frozen or their
  • DPRK’s stolen fund stockpile: $170M worth of old, unlaundered cryptocurrency holdings. Chainalysis has identified $170M in current balances—representing the stolen funds of 49 separate hacks spanning from 2017 to 2021—that are controlled by North Korea but have yet to be laundered through services. The ten largest balances by dollar value are listed below.
  • Of DPRK’s total holdings, roughly $35M came from attacks in 2020 and 2021. By contrast, more than $55M came from attacks carried out in 2016—meaning that DPRK has massive unlaundered balances as much as six years old.

2021-01-25: Google TAG report on a new campaign targeting security researchers

  • A government-backed entity based in North Korea, targeting researchers through social media.
  • the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.
  • Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.
  • After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional DLL that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled C2 domains. Google's post shows a screenshot of such a VS Build Event.
  • In addition to targeting users via social engineering, we have also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers have followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.
  • These actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email
  • https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
  • https://apnews.com/article/malware-media-north-korea-social-media-south-korea-7dc8a5a9a3576005a615524d1ba439aa

2021-02-17: FBI + CISA's report on Operation AppleJeus

  • Targeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the dissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of cryptocurrency
  • The malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate
  • In addition to infecting victims through legitimate-looking websites, HIDDEN COBRA actors also use phishing, social networking, and social engineering techniques to lure users into downloading the malware.
  • Trojanized applications: Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale

2021-02-17: CISA's Report on Operation AppleJeus: Analysis of North Korea's Cryptocurrency Malware

  • Joint FBI-CISA-Treasury
  • CISA, FBI, and the Department of the Treasury released a Joint Cybersecurity Advisory and seven MARs on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.”

2021-02-20: Ghaleb Alaumary + Ramon Abbas (Hushpuppi) named in ‘North Korean-perpetrated cyber-enabled’ heist

  • https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
  • Nigerian Instagram celebrity Ramon Abbas, also known as Hushpuppi, has been named in another case in the United States, this time with North Korean hackers involved.
  • The United States Justice Department said Hushpuppi conspired with a Canadian-American citizen, Ghaleb Alaumary, and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019.
  • Hushpuppi is currently facing separate trial for conspiring “to launder hundreds of millions of dollars from BEC frauds and other scams.”
  • “The affidavit also alleges that Abbas conspired to launder funds stolen in a $14.7 million cyber-heist from a foreign financial institution in February 2019, in which the stolen money was sent to bank accounts around the world.”
  • Federal prosecutors today also unsealed a charge against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, for his role as a money launderer for the North Korean conspiracy, among other criminal schemes. Alaumary agreed to plead guilty to the charge, which was filed in the U.S. District Court in Los Angeles on Nov. 17, 2020. Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes. Alaumary is also being prosecuted for his involvement in a separate BEC scheme by the U.S. Attorney’s Office for the Southern District of Georgia.
  • With respect to the North Korean co-conspirators’ activities, Alaumary organized teams of co-conspirators in the United States and Canada to launder millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018.
  • Alaumary also conspired with Ramon Olorunwa Abbas, aka “Ray Hushpuppi,” and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019. Last summer, the U.S. Attorney’s Office in Los Angeles charged Abbas in a separate case alleging that he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.

2021-03-22: Mun Chol-myon

2021-04-11: A NEW NFT&DeFi TECH (PROTECTED).docx

2021-04-21: Lazarus BTC Changer

2021-04-15: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware

2021-04-26: The Incredible Rise of North Korea’s Hacking Army - Lazarus group’s criminal enterprises including cryptocurrency exchange heists and ransomware attacks

2021-06-03: ClearSky's report on the Crypto Core APT group attributing it to the North Korean Lazarus APT

2021-06-30: HushPuppi - THE FALL OF THE BILLIONAIRE GUCCI MASTER

2021-09-10: Rapid Change of Stablecoin (Protected).docx / secure.azureword[.]com / Z Venture Capital Presentation(Protected).docx

2021-09-16: Ghaleb Alaumary sentenced to 11 years in jail for laundering funds such as those coming from a banking heist by North Korean actors

2022

2022-01-04: CVE-2022-0609 - earliest sighting of this exploit kit

2022-01-13: Kaspersky Report: SnatchCrypto Campaign

2022-01-13: North Korean Hackers Have Prolific Year as Their Unlaundered Cryptocurrency Holdings Reach All-time High

2022-02-02: North Korea Hacked Him. So He Took Down Its Internet

2022-02-10: CVE-2022-0609 reported by Google TAG's Clément Lecigne - use-after-free in Animation

  • TAG discovered two distinct North Korean attacker groups exploiting a remote code execution vulnerability
  • Operation Dream Job + Operation AppleJeus

2022-02-14: CVE-2022-0609 Chrome Update Released - use-after-free in Animation

2022-03-23: CVE-2022-1096 reported anonymously - type confusion in V8

2022-03-23: Mandiant - Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations

2022-03-24: CVE-2022-0609 - Google posts update about the zero-day CVE-2022-0609 - Operation Dream Job and Operation AppleJeus

  • Campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries.
  • Targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.
  • Operation AppleJeus targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.
  • The campaign begins with phishing emails purporting to be from recruiters at Disney, Google, and Oracle, offering the targets false employment opportunities. The emails included links to bogus job-search websites imitating Indeed and ZipRecruiter. Targets who clicked on the malicious URLs were infected with drive-by browser malware downloads. The North Korean groups were utilizing an exploit kit (CVE-2022-0609) served through hidden iframes embedded in a variety of websites. The kit may fingerprint target devices by collecting details like user-agent and screen resolution. The exploit kit then executes a Chrome remote code execution exploit capable of bypassing the Chrome sandbox to move out onto the system.
  • https://blog.google/threat-analysis-group/countering-threats-north-korea/

2022-03-25: CVE-2022-1096 Chrome Update Released - type confusion in V8

2022-03-31: Lazarus Trojanized DeFi app for delivering malware

2022-04-12: APT Group Lazarus Distributing Korean Phishing Lures to Feel Out Cryptocurrency Users

  • In this attack, Lazarus built a type of decoy document containing an “AhnLab” icon and prompt text. The prompts for these documents vary, but the common goal is to trick victims into enabling Office’s document editing capabilities. AhnLab is a cyber security vendor with its headquarters in South Korea. Lazarus uses the name to increase the persuasiveness of the decoy document.
  • Another type of decoy document contains Binance icons and related tips. Binance is a cryptocurrency trading platform.

2022-04-13: CVE-2022-1364 Reported by Google TAG's Clément Lecigne

  • Type Confusion, V8 Engine

2022-04-14: CVE-2022-1364 Chrome Update Released, everyone told to update urgently

2022-04-14: Ronin Bridge Hack Attributed to Lazarus Group, addresses added to OFAC list

2022-04-15: Tornado Cash uses Chainalysis Oracle to block OFAC addresses (from frontend)

2022-04-20: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

2022-04-27: How the DPRK became a hacking powerhouse and why it loves crypto

2022-05-16: Guidance on the DPRK IT Workers

2022-06-29: Insight: Crypto crash threatens North Korea's stolen funds as it ramps up weapons tests

2022-07-10: Here’s how North Korean operatives are trying to infiltrate US crypto firms

2022-07-11: AppleSeed Disguised as Purchase Order and Request Form Being Distributed

  • https://asec.ahnlab.com/en/36368/

2022-07-19: US disrupts North Korean hackers that targeted hospitals

2022-07-28: AppleSeed Being Distributed to Maintenance Company of Military Bases

  • https://asec.ahnlab.com/en/37078/

2022-08-02: Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)

  • https://asec.ahnlab.com/en/37396/

2022-08-08: U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash

2022-08-11: Suspected Tornado Cash developer arrested in Netherlands

2022-09-26: Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto

2022-10-05: Analysis Report on Lazarus Group's Rootkit Malware That Uses BYOVD

2022-10-07: U.S. targets North Korean fuel procurement network for breaching UN sanctions

2022-10-12: Lazarus Group Uses the DLL Side-Loading Technique (mi.dll)

  • https://asec.ahnlab.com/en/39828/

2022-10-13: With more than $3B already stolen, 2022 is on pace to become crypto’s ‘biggest year for hacking on record’

2022-10-25: Malicious app aimed at stealing cryptocurrency, suspected to have been created by a North Korean hacker organization, discovered

2022-10-27: AppleSeed Distributed to Companies Related to Nuclear Power Plants

  • https://asec.ahnlab.com/ko/40552/

2022-11-01: Lazarus Group had been observed targeting public and private sector research organizations, medical research and energy sectors, as well as their supply chains. This campaign, dubbed “No Pineapple”, focused on intelligence-gathering, starting with an attack on a company that was exploited through CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass) – two vulnerabilities affecting the digital collaboration

2022-12-22: Seoul: North Korean hackers stole $1.2B in virtual assets

2022-12-24: SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users

2023

2023-01-11: Lazarus - Analysis of attack activity by the suspected APT-C-26 (Lazarus) group using cryptocurrency wallet promotional material as a lure

2023-01-12: Kimsuky - North Korea’s Cryptocurrency Craze and its Impact on U.S. Policy

2023-01-17: Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)

2023-01-23: FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft

2023-02-03: TA444: The APT Startup Aimed at Acquisition (of Your Funds)

2023-02-09: CISA - Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a

2023-02-15: Kimsuky: Malware Disguised as Normal Documents

  • Same tactics used as in Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers); in this case, the threat actor used an image that prompts users to execute the macro.
  • https://asec.ahnlab.com/en/47585/

2023-02-23: Lazarus Anti-Forensic Techniques

  • The Lazarus Group carried out anti-forensics to conceal their malicious activities. They transmitted a configuration file with C2 information and a PE file that communicates with the C2 server in encrypted form to evade detection by security products. The encrypted files operate only after being decrypted into memory by the loader file. They then receive additional files from the C2 and perform malicious actions.
  • https://asec.ahnlab.com/en/48223/

2023-02-16: Økokrim has seized almost NOK 60 million in cryptocurrency. This is the largest amount of cryptocurrency ever seized by the Norwegian police

2023-02-24: WinorDLL64 - backdoor from the vast Lazarus arsenal

2023-03-13: Kimsuky - CHM Malware Disguised as North Korea-related Questionnaire

2023-03-24: Kimsuky - OneNote Malware Disguised as Compensation Form

2023-03-29: Kimsuky - Distributes Malware Disguised as Profile Template (GitHub)

2023-04-11: Inside the international sting operation to catch North Korean crypto hackers

2023-04-12: Lazarus DeathNote campaign

2023-04-20: 3CX Double Supply Chain Attack

2023-04-05: Google TAG - How we’re protecting users from government-backed attacks from North Korea

2023-04-21: Jamf - BlueNoroff APT group targets macOS with ‘RustBucket’ Malware

2023-04-24: North Korean Foreign Trade Bank Representative Charged in Crypto Laundering Conspiracies

2023-05-10: Half of North Korean missile program funded by cyberattacks and crypto theft, White House says

2023-05-19: APT-C-28 (ScarCruft) Organization Uses Malicious Documents to Deliver RokRAT Attack Activity Analysis

2023-05-22: Kimsuky - Phishing Attacks Targeting North Korea-Related Personnel

2023-05-23: US sanctions orgs behind North Korea’s ‘illicit’ IT worker army

2023-05-23: North Korea is now Mining Crypto to Launder Its Stolen Loot

  • Today, cybersecurity firm Mandiant published a report on a prolific North Korean state-sponsored hacking group it's now calling APT43, sometimes known by the names Kimsuky and Thallium. The group, whose activities suggest its members work in the service of North Korea's Reconnaissance General Bureau spy agency, has been primarily focused on espionage, hacking think tanks, academics, and private industry from the US to Europe, South Korea, and Japan since at least 2018, mostly with phishing campaigns designed to harvest credentials from victims and plant malware on their machines.
  • Like many North Korean hacker groups, APT43 also maintains a sideline in profit-focused cybercrime, according to Mandiant, stealing any cryptocurrency that can enrich the North Korean regime or even just fund the hackers' own operations. And as regulators worldwide have tightened their grip on exchanges and laundering services that thieves and hackers use to cash out criminally tainted coins, APT43 appears to be trying out a new method to cash out the funds it steals while preventing them from being seized or frozen: It pays that stolen cryptocurrency into “hashing services” that allow anyone to rent time on computers used to mine cryptocurrency, harvesting newly mined coins that have no apparent ties to criminal activity.
  • https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage
  • https://web.archive.org/web/20230328150400/https://www.wired.com/story/north-korea-apt43-crypto-mining-laundering/

2023-06-06: Kimsuky - Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

  • Kimsuky conducted a social engineering campaign targeting experts in DPRK issues to steal Google and subscription credentials of a reputable news and analysis service focusing on the DPRK, as well as deliver reconnaissance malware. Kimsuky also engaged in extensive email correspondence and used spoofed URLs, websites imitating legitimate web platforms and Office documents weaponized with the ReconShark malware. The activity indicates Kimsuky’s growing dedication to social engineering and highlights the group’s increasing interest in gathering strategic intelligence.
  • https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/

2023-06-12: Report: North Korean Hackers Have Stolen $3 Billion Worth of Crypto

2023-06-23: Andariel’s silly mistakes and a new malware family

2023-06-23: North Korea’s Cyber Strategy

2023-07-05: BlueNoroff - How DPRK’s macOS RustBucket Seeks to Evade Analysis and Detection

2023-07-13: The DPRK strikes using a new variant of RUSTBUCKET

2023-07-28: Scarcruft - Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures

2023-07-27: JumpCloud

2023-07-31: Kimsuky - Spreading malware disguised as coin and investment-related content

2023-08-22: FBI Identifies Cryptocurrency Funds Stolen by DPRK

2023-08-23: US arrests Tornado Cash co-founder, sanctions another who remains at large

2023-08-24: Lazarus Group's infrastructure reuse leads to discovery of new malware

2023-08-23: VMConnect supply chain attack continues, evidence points to North Korea

2023-09-07: Active North Korean campaign targeting security researchers

  • In January 2021, a DPRK cyber actor campaign was publicly disclosed, in which they used 0-day exploits to target security researchers working on vulnerability research and development. Over the past two and a half years, the campaign has continued. Recently, DPRK cyber actors were found to likely be responsible for a new, similar campaign, with at least one actively exploited 0-day being used to target security researchers in the past several weeks. DPRK threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package. Upon successful exploitation, the shellcode conducts a series of anti-virtual machine checks and then sends the collected information, along with a screenshot, back to an attacker-controlled command and control domain. The shellcode used in this exploit is constructed in a similar manner to shellcode observed in previous North Korean exploits.
  • https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/

2023-09-18: Scarcruft exploits WinRAR vulnerability (CVE-2023-38831) targeting the cryptocurrency industry

  • https://paper.seebug.org/3033/
  • This recent wave of attacks is noteworthy for revealing that, apart from the Lazarus Group, there are other North Korean-affiliated entities engaging in targeted operations against the cryptocurrency industry, which is relatively uncommon in the security community.
  • The targets of this Konni group's recent attacks are notably different from their previous activities. Judging by the lure name, the attacks are directed towards the cryptocurrency industry. It is speculated that Konni may be exploring new attack vectors. The captured sample is named "wallet_Screenshot_2023_09_06_Qbao_Network.zip", and it references Qbao Network, which the report goes on to describe.

2023-10-13: Lazarus Group’s Undercover Operations 2022–2023 - L. Taewoo, S. Lee & D. Kim

2023-10-19: How North Korean Workers Tricked U.S. Companies into Hiring Them and Secretly Funneled Their Earnings into Weapons Programs

2023-10-20: TeamCity CVE-2023-42793 / CyberLink Supply Chain Attack

2023-10-26: Lazarus’ New Campaign Exploiting Legitimate Software

2023-10-29: Deep Dive into the Lazarus Group's Foray into macOS

2023-10-30: FastViewer Variant Merged with FastSpy and disguised as a Legitimate Mobile Application

  • Kimsuky has created a FastViewer variant that induces a victim to install the app onto their mobile device by disguising the malware as a legitimate Android application (APK file), such as Google Authenticator, an anti-virus program, or a payment service application. The FastViewer malware receives commands directly from the server without downloading additional malware, and the main purpose of this FastViewer variant is to steal information from infected devices. It appears that Kimsuky has developed this malware since at least July 2023 to target Republic of Korea victims. The report further notes that the disguised applications are expected to be distributed via spearphishing emails or smishing to trick targets into running them.
  • https://medium.com/s2wblog/fastviewer-variant-merged-with-fastspy-and-disguised-as-a-legitimate-mobile-application-f3004588f95c

2023-10-31: Lazarus Targets Blockchain Engineers With New KandyKorn macOS Malware

2023-11-01: Kimsuky - Operation Covert Stalker

2023-11-04: Crypto-Themed npm Packages Found Delivering Stealthy Malware

2023-11-10: Microsoft: BlueNoroff hackers plan new crypto-theft attacks

2023-11-06: Jamf - BlueNoroff strikes again with new macOS malware

2023-11-21: Two South Koreans indicted for allegedly colluding with North Korean hackers

2023-11-21: Palo Alto - Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors

2023-11-22: Korean gov’t officials targeted by North’s ‘journalist’ crypto hackers

2023-11-22: Microsoft: Diamond Sleet supply chain compromise distributes a modified CyberLink installer

  • https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/
  • Microsoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023. The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. While Microsoft has not yet identified hands-on-keyboard activity carried out after compromise via this malware, the group has historically:
  • If these criteria are not met, the executable continues running the CyberLink software and abandons further execution of malicious code. Otherwise, the software attempts to contact one of three URLs to download the second-stage payload, which is embedded inside a file masquerading as a PNG file, using the static User-Agent ‘Microsoft Internet Explorer’.
  • When invoked, the in-memory executable attempts to contact the following callbacks for further instruction. Both domains are legitimate but have been compromised by Diamond Sleet.

2023-11-24: Operation Dream Magic, MagicLine4NX - Hackers use zero-day in supply-chain attack

2023-11-29: FIOD + US Seizes Sinbad Crypto Mixer

2023-11-30: US govt sanctions North Korea’s Kimsuky hacking group

2023-12-03: Alex Masmej Near Miss

2023-12-03: Analysis of North Korean Hackers’ Targeted Phishing Scams on Telegram

2023-12-07: Analysis of Suspected Lazarus (APT-Q-1) Attack Samples Involving the npm Package Supply Chain

2023-12-10: Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

2023-12-11: Koda's recent DPRK IoCs

2023-12-22: To stem North Korea’s missiles program, White House looks to its hackers

2023-12-23: Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks

2024

2024-01-05: Update to November’s Crypto-Themed npm Attack

2024-01-11: Comprehensive Report on North Korean Hackers, Phishing Groups, and Money Laundering in 2023

2024-01-24: North Korea Threat Landscape Update

2024-01-24: Funds Stolen from Crypto Platforms Fall More Than 50% in 2023, but Hacking Remains a Significant Threat as Number of Incidents Rises

2024-02-24: CVE-2024-21338 - North Korea’s Lazarus deploys rootkit via AppLocker zero-day flaw

2024-02-28: SquidSquad - Phishing by Appointment: Suspected North Korean Hackers Target Blockchain Community Via Telegram

2024-03-07: UN Security Council Report

  • According to a cybersecurity company, the IP address of the Kimsuky server hosting this malware is 144.76.109.61 and the IP address of another, related server hosting the Kimsuky-controlled domain civilarys[.]store is 27.255.81.77. Kimsuky-related email accounts associated with this campaign include luckgpu[@]gmail.com and abdulsamee7561[@]gmail.com. The malicious applications were likely distributed via spearphishing or smishing.

2024-04-29: SquidSquad - How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020–2023

2024-05-10: US court orders forfeiture of 279 crypto accounts tied to North Korea laundering

2024-05-14: Exclusive: North Korea laundered $147.5 mln in stolen crypto in March, say UN experts

2024-05-16: DPRK IT - Thousands of North Koreans stole Americans’ identities and took remote-work tech jobs at Fortune 500 companies, DOJ says

2024-06-12: UNC4899 - Insights on Cyber Threats Targeting Users and Enterprises in Brazil

  • https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil
  • North Korean Government-Backed Groups Targeting Brazil
  • Since 2020, North Korean cyber actors have accounted for approximately a third of government-backed phishing activity targeting Brazil. North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors. Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.
  • In early 2024, PUKCHONG (UNC4899) targeted cryptocurrency professionals in multiple regions, including Brazil, using a Python app that was trojanized with malware. To deliver the malicious app, PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well-known cryptocurrency firm. If the target replied with interest, PUKCHONG sent a second benign PDF with a skills questionnaire and instructions for completing a coding test. The instructions directed users to download and run a project hosted on GitHub. The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second-stage payload if specific conditions were met.
  • North Korean government-backed groups have also in the past targeted Brazil’s aerospace and defense industry. In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm. In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major US aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities. Google blocked the emails, which contained malicious links to a DOCX file containing a job posting lure that dropped AGAMEMNON, a downloader written in C++. The attacker also likely attempted to deliver the malware via messages on social media and chat applications like WhatsApp. The campaigns were consistent with Operation Dream Job and activity previously described by Google. In both campaigns, we also sent users government-backed attacker alerts notifying them of the activity and sharing information about how to keep their accounts safe.
  • One North Korean group, PRONTO, concentrates on targeting diplomats globally, and their targets in Brazil follow this pattern. In one case, Google blocked a campaign that used a denuclearization-themed phishing lure and the group’s typical phishing kit - a fake PDF viewer that presents users with a login prompt to enter their credentials in order to view the lure document. In another case, PRONTO used North Korea news-themed lures to direct diplomatic targets to credential harvesting pages.
  • One of the emerging trends we are witnessing globally from North Korean threat activity today is the insider threat posed by North Korean nationals gaining employment surreptitiously at corporations to conduct work in various IT roles. Though we have not yet observed direct connections between any of these North Korean IT workers and Brazilian enterprises, we note the potential for it to present a future risk given the growing startup ecosystem in Brazil, historical activity by North Korean threat actors in Brazil, and the expansiveness of this problem.

2024-07-25: APT45: North Korea’s Digital Military Machine

2024-08-29: Contagious Interview - Malicious npm Packages

2024-08-30: North Korean threat actor Citrine Sleet exploiting Chromium zero-day (CVE-2024-7971)