« 2019 »
183 reports
Kaspersky describes ScarCruft as a Korean-speaking, allegedly state-sponsored actor targeting organizations linked to the Korean peninsula, with recent activity showing a multi-stage binary infection process. The chain used an initial dropper with UAC byp…
ESRC reports that the Kimsuky-linked Campaign Smoke Screen continued in May 2019 against South Korean and U.S. professionals working on North Korea-related issues. One observed DOC lure impersonated a U.S. think-tank researcher, used Korean-language docum…
KrCERT/CC warned that Hunesion's i-oneNet network-separation file-transfer solution contained two security vulnerabilities affecting versions 3.0.7 through 3.0.53 and 4.0.4 through 4.0.16. CVE-2019-12803 allowed unauthorized arbitrary file uploads to the …
Igloo analyzes Operation KimsuKEE as an evolved Kimsuky intrusion chain that still begins with an HWP document exploiting PostScript execution to load shellcode. The newer sample differs from earlier Kimsuky tradecraft by abusing the legitimate mshta.exe …
DHS and FBI attribute ELECTRICFISH to North Korean government malicious cyber activity tracked as HIDDEN COBRA and analyze it as a 32-bit Windows tunneling utility. The malware accepts command-line parameters for source and destination IP/port pairs plus …
ESRC attributes Operation Printing Paper to the government-backed Geumseong121 cluster after a new malicious HWP file from April 2019 reused academic-conference content as a spear-phishing lure. The HWP contained a BIN0001.eps PostScript stream that wrote…
ESRC observed a Geumseong121 spear-phishing operation against people active in North Korea-related organizations, using sparse email lures that encouraged recipients to open an attached HWP file. The HWP contained a BIN0001.eps PostScript stream and shell…
Unit 42 reports that BabyShark activity continued through March and April 2019 after earlier spear-phishing against U.S. national-security think tanks, with newer decoys also showing interest in cryptocurrency-related financial gain. The malware used a mu…
DragonEx reported that an attacker compromised the exchange and transferred cryptocurrency out of its wallets, including Ethereum tracked from wallet 0xa7f72bf63edeca25636f0b13ec5135296ca2ebb2. Uppsala Security used CATV to follow the stolen ETH through s…
VERTIC examined Marine Chain, a Hong Kong-registered blockchain maritime investment platform flagged by the UN Panel of Experts as having at least one DPRK individual behind it. Marine Chain claimed to tokenize fractional ownership of ships on an Ethereum…
ESRC identified an Operation Fake News spear-phishing campaign in April 2019 that impersonated South Korea’s Ministry of Unification and matched earlier 2018 ministry-themed activity attributed in the report to Geumseong121. The email used a spoofed minis…
ESRC links the activity to Kimsuky and its Operation Stealth Power / Campaign Smoke Screen cluster, describing spear-phishing against people working on North Korea-related issues and related South Korea-U.S. policy themes. The attacker used encrypted mali…
IntelX reported that North Korea’s AS131279 gained a third internet uplink on 3 April 2019 through AS133073, Teleglobal Communication Services Limited, adding to existing routes through China Unicom and Russia’s TransTeleCom. The added path increased Nort…
CISA’s AR19-100A MAR analyzes HOPLIGHT, Trojan malware variants used by the North Korean government and tracked by the U.S. Government as HIDDEN COBRA. The April 2019 report covers nine malicious executables, including seven proxy applications that ma…