KISA/KRCERT's 2014 Malware Analysis report examines more than 500 malware samples to support similarity analysis, rapid variant detection, and incident response for Korean cyber incidents. The DPRK-relevant sections cover 7.7 DDoS, 3.4 DDoS, 3.20 cyber-te…
18 reports
The excerpt analyzes malware used in the Sony Pictures Entertainment attack, including a dropper that deployed main modules, proxy tooling, disk destruction components, and cleanup functionality. One component sent log data to C2 every five minutes, inclu…
Evidence cited in the Sony Pictures discussion ties the 2014 destructive intrusion to earlier North Korea-linked operations against South Korean banks, broadcasters, military-related networks, and U.S. government websites. The excerpt highlights Dark Seou…
The excerpt contains a fragmentary list of Windows service names and descriptions rather than a complete intrusion report. It references built-in Windows functions such as BitLocker Drive Decryption, Remote Registry, Task Scheduler, SMB client connections…
Trend Micro analyzed TROJ_WHAIM.A, a destructive MBR wiper used against a Korean power-plant target and believed to have reached systems partly through malicious Hangul Word Processor files delivered with social-engineering lures. The malware checked whet…
US-CERT reports destructive malware activity against a major entertainment company using an SMB worm tool with multiple components for propagation, access, proxying, and wiping. The worm brute-forces Windows SMB shares on port 445, copies itself to reacha…
Cisco Talos analyzed a wiper malware variant to improve network detection for beaconing behavior from the disk-wiping component. The team examined related samples, modified hard-coded command-and-control addresses to a local decoy environment, and shorten…
AhnLab analyzed nine malicious Hangul Word Processor documents that used a known HWP vulnerability and were reportedly distributed as email attachments to specific recipients. Each document carried the same malicious file, which installed a DLL under the …
Flashpoint analyzed the 2014 Sony Pictures breach by the group calling itself GOP or Guardians of Peace, while noting public allegations that North Korea may have been involved in retaliation for the film The Interview. The attackers released large volume…
Symantec linked Backdoor.Destover, the destructive malware highlighted in an FBI Flash Warning, to earlier South Korea-focused activity through shared infrastructure and tradecraft. Some Destover samples reported to a command-and-control server also used …
Destover malware used in the Sony Pictures Entertainment attack was described as a destructive Windows wiper capable of overwriting disk data and the MBR. The droppers installed EldoS RawDisk drivers as a USB 3.0 Host Controller service to bypass NTFS pro…
Trend Micro analyzed WIPALL destructive malware after an FBI warning to U.S. businesses following the Sony Pictures attack, detecting the main installer as `BKDR_WIPALL.A` / `diskpartmg16.exe`. The malware used XOR-encrypted credential lists to log into s…
HP Security Research profiles North Korea's cyber threat landscape, framing DPRK cyber capability as an asymmetric military and intelligence concern despite the country's limited public digital infrastructure. The excerpt identifies South Korea as North K…
ALYac analyzed a malicious HWP document judged to resemble previously reported Kimsuky-style activity targeting Korean organizations. The document abuses a Hancom Office vulnerability through hidden HWP sections with abnormally large paragraph text data, …
CrowdStrike's RSA Conference deck frames cyber defense as an adversary-attribution problem rather than only a malware problem. It lists multiple named actor clusters by country and sector focus, including North Korea's Silent Chollima targeting government…