Hunting for Threat Information on Attack Campaigns Targeting Cryptocurrency Operators
2021-01-28 • JPCERT • Hunting for threat information regarding attack campaigns targeting virtual currency operators
https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_302_kodera_jp.pdf
Attachments
JSAC2021_302_kodera_jp.pdf (3 MB)
The JSAC presentation explains methods for hunting threat intelligence related to campaigns that target cryptocurrency businesses, including activity affecting Japanese cryptocurrency operators. It references campaigns publicly reported by JPCERT/CC, ClearSky, and F-Secure, including Dangerous Password, the CryptoCore Group, and Lazarus activity against the cryptocurrency vertical. The material describes delivery through shortened URLs, ZIP archives, decoy PDF or DOCX documents, and LNK shortcut files, and argues that threat information must be collected faster if compromises are to be detected and prevented.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | up.digifincx.com | 2021-01-28 | 2022-01-13 |
| HASH | 0eb71e4d2978547bd96221548548e9f0 | 2020-06-24 | 2022-01-13 |
| HASH | da599b0cde613b5512c13f299fec739e | 2020-06-24 | 2022-01-13 |
| HASH | 09bca3ddbc55f22577d2f3a7fda22d1c | 2020-06-24 | 2022-01-13 |
| DOMAIN | 1driv.org | 2020-06-24 | 2021-05-24 |
| IPv4 | 103.31.249.62 | 2021-01-28 | 2021-02-01 |
| IPv4 | 45.61.139.215 | 2021-01-28 | 2021-02-01 |
| IPv4 | 103.130.195.170 | 2021-01-28 | 2021-02-01 |
| IPv4 | 84.201.189.216 | 2020-11-24 | 2021-02-01 |
| HASH | 4a41775f08ac9dec54e67ee5ad6f8c21 | 2021-01-28 | 2021-01-28 |
| HASH | e33cc1ebaf16d10a4d651868aa66fc87 | 2021-01-28 | 2021-01-28 |
| HASH | 23fb6b8c4575375c7e98df04e82899c5 | 2021-01-28 | 2021-01-28 |
| HASH | c025d1abf79cf25d753cdf97d549ab2b | 2021-01-28 | 2021-01-28 |
| HASH | 76ec46ffc28bdd4337588fbe0e826b39 | 2021-01-28 | 2021-01-28 |
| HASH | f4d2b31353720527e1114aebfde0c6c9 | 2021-01-28 | 2021-01-28 |
| HASH | 483d9238da27b35b9983ae6c062b3cd0 | 2021-01-28 | 2021-01-28 |
| HASH | af89869ad1ed31935ee6a15ab7a7cca9 | 2021-01-28 | 2021-01-28 |
| HASH | dbbda35f115f382ad022cae0fd7d5157 | 2021-01-28 | 2021-01-28 |
| HASH | bb14edf24bc21310f5af99fe7f31769f | 2021-01-28 | 2021-01-28 |
| HASH | bfd2bbfbd00f6164ad08d088a407240f | 2021-01-28 | 2021-01-28 |
| HASH | 365d95c0d0659a1081488460eadf8159 | 2021-01-28 | 2021-01-28 |
| HASH | 115c42f4a16aa6f52a4a431dcdd92941 | 2021-01-28 | 2021-01-28 |
| HASH | 42e570787aeba38db7b4fc7ae075685b | 2021-01-28 | 2021-01-28 |
| HASH | 65686b08db5424db6be1520b9c1cb38c | 2021-01-28 | 2021-01-28 |
| HASH | 0e03f39a4b4008d76e4ca1d1c2c4559d | 2021-01-28 | 2021-01-28 |
| HASH | 610043cefa364c56091d28058ea0392d | 2021-01-28 | 2021-01-28 |
| HASH | 2a317378db1a743e2cea02fda71dab54 | 2021-01-28 | 2021-01-28 |
| HASH | 124f4406e1f65d734f1f7430142f6f15 | 2021-01-28 | 2021-01-28 |
| HASH | a36b1884980301e22f70b2ddd4e5550b | 2021-01-28 | 2021-01-28 |
| URL | https://jvcea.or.jp/news/main-i… | 2021-01-28 | 2021-01-28 |
| DOMAIN | shop.newsbtctech.com | 2021-01-28 | 2021-01-28 |
| DOMAIN | drop.trailads.net | 2021-01-28 | 2021-01-28 |
| IPv4 | 111.93.95.82 | 2021-01-28 | 2021-01-28 |
| IPv4 | 206.169.149.96 | 2021-01-28 | 2021-01-28 |
| IPv4 | 41.79.70.142 | 2021-01-28 | 2021-01-28 |
| IPv4 | 192.119.84.22 | 2021-01-28 | 2021-01-28 |
| IPv4 | 140.115.70.75 | 2021-01-28 | 2021-01-28 |
| IPv4 | 142.11.213.5 | 2021-01-28 | 2021-01-28 |
| IPv4 | 140.114.37.4 | 2021-01-28 | 2021-01-28 |
| HASH | a164164ef82fa17605c49c36c67a6244 | 2020-11-24 | 2021-01-28 |
| HASH | 14a00f517012279af53118a491253e5c | 2020-11-24 | 2021-01-28 |
| HASH | 12aa32ee18926c597f3c0387f0775577 | 2020-11-24 | 2021-01-28 |
| HASH | 224d2398437e665f3202d4118e4748e2 | 2020-11-24 | 2021-01-28 |
| IPv4 | 89.134.49.3 | 2020-11-24 | 2021-01-28 |
| DOMAIN | twosigmateam.info | 2020-08-18 | 2021-01-28 |
| DOMAIN | name.ownemail.me | 2020-08-18 | 2021-01-28 |
| DOMAIN | mse.theworkpc.com | 2020-08-18 | 2021-01-28 |
| HASH | 97fd02ae666988d853a68fdd7f7d2e7f | 2020-06-24 | 2021-01-28 |
| HASH | 8cc8bdc017b103f4dbd00e6336809594 | 2020-06-24 | 2021-01-28 |
| HASH | 92aa224af7d71c9fc162fdb6ce53bc5b | 2020-06-24 | 2021-01-28 |
| HASH | cf1bc39380f40a514aa82e4db6215b11 | 2020-06-24 | 2021-01-28 |
| HASH | d73499bc6b500b4fc5648943e12ce9e2 | 2020-06-24 | 2021-01-28 |
| HASH | ff9ee83f13bd8167d9ba780b2a147668 | 2020-06-24 | 2021-01-28 |
| HASH | 093eae51bd7566c40d646c1b37bce0ea | 2020-06-24 | 2021-01-28 |
| HASH | 53b800066811b7668e59774bd4c763ca | 2020-06-24 | 2021-01-28 |
| HASH | eab491a31d4f049695c0aa515a0d90b6 | 2020-06-24 | 2021-01-28 |
| IPv4 | 78.94.213.101 | 2020-06-24 | 2021-01-28 |
| IPv4 | 140.117.91.22 | 2020-06-24 | 2021-01-28 |
| IPv4 | 23.254.144.139 | 2020-06-24 | 2021-01-28 |
| IPv4 | 88.204.166.59 | 2020-04-02 | 2021-01-28 |
| IPv4 | 41.85.145.164 | 2020-01-08 | 2021-01-28 |
| DOMAIN | mdown.showprice.xyz | 2019-07-09 | 2021-01-28 |
| IPv4 | 75.133.9.84 | 2019-07-09 | 2021-01-28 |
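The table above is only useful once it is checked for shape (a mislabelled or defanged row silently becomes a dead indicator) and matched against telemetry with the First Seen / Last Seen window in view. The following Python is an added example, not JPCERT's tooling or part of the presentation: it parses a subset of the rows copied from the table, validates each value against its declared type, and sweeps constructed DNS, proxy and EDR log lines for hits, reporting how far after the indicator's Last Seen date each observation falls. The log lines, host names and the `hunt`/`parse_ioc_table` function names are all assumptions made for this example.

```python
import re
from datetime import date

# Subset of rows copied from the IoC table above; the example runs on these only.
IOC_TABLE = """
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | up.digifincx.com | 2021-01-28 | 2022-01-13 |
| HASH | 0eb71e4d2978547bd96221548548e9f0 | 2020-06-24 | 2022-01-13 |
| DOMAIN | 1driv.org | 2020-06-24 | 2021-05-24 |
| IPv4 | 103.31.249.62 | 2021-01-28 | 2021-02-01 |
| DOMAIN | drop.trailads.net | 2021-01-28 | 2021-01-28 |
| IPv4 | 75.133.9.84 | 2019-07-09 | 2021-01-28 |
"""

# Shape checks per declared type: a defanged value such as "1driv[.]org" or a
# truncated hash is rejected instead of being loaded as an indicator that never matches.
SHAPE = {
    "DOMAIN": re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I),
    "IPv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "HASH": re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$", re.I),
}


def parse_ioc_table(text):
    """Parse a markdown IoC table into dicts, rejecting rows whose value does not fit the declared type."""
    iocs = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] in ("Type", "---"):  # skip header and separator rows
            continue
        ioc_type, value, first, last = cells
        pattern = SHAPE.get(ioc_type)
        if pattern is None or not pattern.match(value):
            raise ValueError(f"row does not match declared type {ioc_type}: {value!r}")
        iocs.append({"type": ioc_type, "value": value.lower(),
                     "first_seen": date.fromisoformat(first),
                     "last_seen": date.fromisoformat(last)})
    return iocs


# Candidate extractor: IPv4 first, then 64/40/32-hex hashes, then dotted host names.
CANDIDATE = re.compile(
    r"(?P<ip>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
    r"|(?P<hash>\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b)"
    r"|(?P<domain>\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b)",
    re.I,
)
GROUP_TO_TYPE = {"ip": "IPv4", "hash": "HASH", "domain": "DOMAIN"}

# Constructed telemetry (not from the page): each line starts with an ISO-8601 timestamp.
LOGS = [
    "2021-01-29T09:12:04Z dns client=10.0.0.15 query=up.digifincx.com type=A",
    "2021-01-29T09:12:05Z proxy client=10.0.0.15 dst=103.31.249.62:443 method=CONNECT",
    "2021-01-29T09:13:40Z edr host=ws-015 event=file_create md5=0EB71E4D2978547BD96221548548E9F0 path=C:\\Users\\u\\Downloads\\a.zip",
    "2021-01-29T09:20:00Z dns client=10.0.0.22 query=example.org type=A",
    "2022-06-01T11:00:00Z dns client=10.0.0.31 query=1driv.org type=A",
]


def hunt(iocs, log_lines):
    """Return one hit per (line, indicator) match, with the event's distance from the indicator's Last Seen date."""
    index = {(i["type"], i["value"]): i for i in iocs}
    hits = []
    for line in log_lines:
        event_day = date.fromisoformat(line[:10])
        for m in CANDIDATE.finditer(line):
            ioc = index.get((GROUP_TO_TYPE[m.lastgroup], m.group().lower()))
            if ioc is not None:
                hits.append({"line": line, "type": ioc["type"], "ioc": ioc["value"],
                             # positive = observed after the feed's Last Seen; worth re-checking the infrastructure
                             "days_after_last_seen": (event_day - ioc["last_seen"]).days})
    return hits


if __name__ == "__main__":
    for hit in hunt(parse_ioc_table(IOC_TABLE), LOGS):
        print(f"{hit['type']:6} {hit['ioc']:40} {hit['days_after_last_seen']:+5d}d  {hit['line'][:60]}")
```

The `days_after_last_seen` field is the practical point: a hit on `1driv.org` more than a year after its Last Seen date is still worth a look, but the domain may have been re-registered, so the analyst should confirm the current hosting before treating the event as the same campaign; a hit inside the window carries far more weight.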