Thursday, November 30, 2023

DPRK Crypto Theft | macOS RustBucket Droppers Pivot to Deliver KandyKorn Payloads

DPRK (Democratic People's Republic of Korea) state-linked cyber actors have been involved in sophisticated operations, including software supply chain attacks and cryptocurrency theft, and their malware and evasion techniques have improved noticeably over time.

RustBucket Malware: Researchers have identified an updated version of a macOS malware called RustBucket, which has enhanced capabilities to establish persistence and avoid detection by security software. RustBucket is one of the tools in the arsenal of DPRK cyber actors, illustrating their focus on developing and utilizing sophisticated malware.

KandyKorn Malware Campaign: A new macOS malware named 'KandyKorn' has been attributed to the North Korean Lazarus hacking group. This group targets blockchain engineers of cryptocurrency exchange platforms. The attackers are known to impersonate members of the cryptocurrency community on Discord channels, spreading Python-based modules that trigger multi-stage attacks. This approach indicates a strategic targeting of individuals and entities in the cryptocurrency sector.

Tactics, Techniques, and Procedures (TTPs): The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations and span every phase, from building out infrastructure to concealing DPRK affiliation: acquiring infrastructure, obfuscating identity, and purchasing VPNs and VPSs to gain access to target networks. This demonstrates a comprehensive, multi-faceted approach to cyber operations.

Operation In(ter)ception: There have been instances, such as Operation In(ter)ception, where job vacancies at cryptocurrency exchanges like Coinbase and Crypto.com were used as lures to infect macOS users with malware. This variant of the campaign indicates a continuing and evolving threat targeting the cryptocurrency sector, leveraging social engineering tactics to infiltrate networks.

The ongoing cyber activities of DPRK state-linked actors, including sophisticated malware campaigns and targeted ransomware attacks, underscore the evolving landscape of state-sponsored cyber threats. The focus on cryptocurrency platforms and the use of advanced malware suggest a strategic approach aimed at financial gain and intelligence gathering.

IoC

DOMAIN

  • tp-globa.xyz
  • swissborg.blog
  • on-global.xyz

IPv4

  • 23.254.226.90
  • 192.119.64.43
  • 104.168.214.151

SHA256

  • 927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6
  • 8bfa4fe0534c0062393b6a2597c3491f7df3bf2eabfe06544c53bdf1f38db6d4
  • 8a8de435d71cb0b0ae6d4b15d58b7c85ce3ef8f06b24266c52b2bc49217be257
  • 3ea2ead8f3cec030906dcbffe3efd5c5d77d5d375d4a54cca03bfe8a6cb59940
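The indicators above are only useful once swept against telemetry. The following Python is an added example, not code from this post or from the OTX pulses it cites: it takes the domains, IPv4 addresses and SHA256 hashes exactly as listed here, matches whole hostname and dotted-quad tokens in log lines (including subdomains of a listed domain, but not look-alike hosts that merely contain one), and checks file bytes against the hash list. The log lines are constructed, and the two regexes are my own tokenizers, not part of any report.

```python
import hashlib
import re

# Indicators exactly as listed on this page (DPRK RustBucket / KandyKorn reporting).
IOC_DOMAINS = {"tp-globa.xyz", "swissborg.blog", "on-global.xyz"}
IOC_IPV4 = {"23.254.226.90", "192.119.64.43", "104.168.214.151"}
IOC_SHA256 = {
    "927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6",
    "8bfa4fe0534c0062393b6a2597c3491f7df3bf2eabfe06544c53bdf1f38db6d4",
    "8a8de435d71cb0b0ae6d4b15d58b7c85ce3ef8f06b24266c52b2bc49217be257",
    "3ea2ead8f3cec030906dcbffe3efd5c5d77d5d375d4a54cca03bfe8a6cb59940",
}

# Whole hostname / dotted-quad tokens only, so substrings of longer tokens never match.
HOST_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w.-])", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def domain_hit(host):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_line(line):
    """Return the set of listed domains and IPv4 addresses seen in one log line."""
    hits = {ioc for ioc in map(domain_hit, HOST_RE.findall(line)) if ioc}
    hits.update(ip for ip in IPV4_RE.findall(line) if ip in IOC_IPV4)
    return hits

def sweep(lines):
    """Map 1-based line numbers to the sorted indicators found on that line."""
    return {n: sorted(h) for n, h in ((n, scan_line(l)) for n, l in enumerate(lines, 1)) if h}

def sha256_hit(data):
    """True if the SHA256 of raw file bytes (e.g. a quarantined download) is listed."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256

# Constructed sample lines (not from the report): a lookup of a subdomain of a listed
# domain, a connection to a listed IP, and two benign lines, one a look-alike host.
SAMPLE_LOGS = [
    "2023-11-30T10:01:02Z dns client=10.0.0.5 qname=cdn.tp-globa.xyz type=A",
    "2023-11-30T10:01:05Z fw allow src=10.0.0.5 dst=104.168.214.151:443 proto=tcp",
    "2023-11-30T10:02:00Z dns client=10.0.0.7 qname=www.example.com type=A",
    "2023-11-30T10:02:09Z dns client=10.0.0.7 qname=swissborg.blog.example.com type=A",
]
if __name__ == "__main__":
    for n, hits in sweep(SAMPLE_LOGS).items():
        print(f"line {n}: {', '.join(hits)}")
```

Feed it real DNS, proxy or firewall exports line by line; a hit on line 4's look-alike pattern is deliberately suppressed because `swissborg.blog.example.com` is not under `swissborg.blog`.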

REFERENCES

  • https://otx.alienvault.com/pulse/64a2b6a638a683d6da50262c
  • https://otx.alienvault.com/browse/global/pulses?q=lazarus&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=lazarus
  • https://otx.alienvault.com/pulse/6564cd4faeaeaa1291c57bde

TAGS

KandyKorn, RustBucket, Sugarloader, Hloader, macOS
