ESRC analyzed Operation Ghost Puppet, an August 2018 campaign using a malicious HWP document titled as a notice about illegal fund-raising activity. The document embedded compressed PostScript under HWP BinData and abused GhostScript processing to decode …
The source analyzes a Korean HWP malware sample described as similar to earlier ROKRAT activity, with VirusTotal showing the Hangul document as undetected at the time. The infection chain converts shellcode into PE files under the Temp directory, creates …
Lazarus used a fake software company called Celas to distribute a cryptocurrency trading application that covertly compromised users, according to Kaspersky Lab researchers speaking at Cyber Week 2018. The operation relied on suspicious corporate registra…
Zaif reported that attackers gained unauthorized external access to servers managing hot wallets used for cryptocurrency deposits and withdrawals between about 17:00 and 19:00 on September 14, 2018. The exchange said BTC, MONA, and BCH were transferred ou…
Zaif, a Japan-based cryptocurrency exchange operated by Tech Bureau, reported that attackers stole about 6.7 billion yen, or roughly $60 million, in cryptocurrency from hot wallets. The excerpt says the exchange detected unusual withdrawal and deposit act…
A Korean malware operation targeted public PC-room environments where users played go-stop, poker, Baduki, Matgo, Vanilla Game, and related online gambling/card games for financial gain. The installer or updater dropped syswnt.exe, cleaned prior component…
A malicious HWP file was disguised as a Korea Real Estate Association daily trend report, a document type said to be available only to members. The infection flow uses EPS content to decrypt shellcode with a 16-byte key and then download Manuscrypt. The d…
The excerpt is a U.S. federal criminal complaint against Park Jin Hyok alleging conspiracy and wire-fraud-related computer intrusion activity from at least 2014 through 2017. Its table of contents links the case to North Korean computer networks, Brambul,…
A malicious file themed around the AltPlanet coin used a familiar EPS vulnerability to initiate the attack. The downloaded file was encrypted with 0xAA and identified in the excerpt as Manuscrypt. The listed command-and-control infrastructure includes dgj…
Securonix analyzes the August 2018 Cosmos Bank intrusion, in which attackers stole more than $13.5 million through coordinated ATM and SWIFT abuse. The excerpt says some sources attributed the activity to Lazarus Group or DPRK-linked Hidden Cobra, while a…
Kaspersky describes Operation AppleJeus, a Lazarus campaign that targeted a cryptocurrency exchange through a trojanized Celas Trade Pro cryptocurrency trading application. The victim installed the application from a legitimate-looking website after recei…
ESRC describes Operation Rocket Man, activity attributed in the excerpt to the Geumseong121 group, which has targeted South Korean North Korea-related organizations and defense-sector entities. The August 2018 case used spear phishing in which attackers i…
Operation Red Signature compromised a South Korean remote support provider's update server to deliver 9002 RAT to selected customer IP ranges. The attackers stole the vendor's code-signing certificate, signed malicious update files, and used the trusted u…
Check Point analyzed Ryuk as a targeted ransomware campaign that hit several enterprises worldwide and produced large ransom payments, with infections manually focused on critical systems after prior network mapping and credential collection. The research…