APT-C-28 (ScarCruft): Analysis of Attack Activities Targeting South Korea
2023-04-11 • Qihoo360 • APT-C-28 (ScarCruft) analysis of attack activities in South Korea
360 Threat Intelligence Center reports that APT-C-28/ScarCruft, also known as Konni, conducted targeted attacks against South Korean entities using Korean-language lure documents themed around rewards, payments, cryptocurrency, and contact lists. The malicious macro documents downloaded or dropped CAB payloads, executed batch scripts, chose a UAC-bypass method according to the Windows version and CPU architecture, and installed a service disguised as "Remote Database Service Update" for persistence. The final remote-control DLL collected system and process information, encrypted the data before uploading it, and communicated with C2 infrastructure such as 4895750.c1.biz and 5645780.c1.biz. The report attributes the activity to Konni based on the targeting, the lure style, the CAB-based loading chain, the remote-control behavior, and overlap with payloads previously used by the group.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 7b27586c4b332c5e87784c8d3e45a523 | 2023-04-11 | 2024-09-05 |
| DOMAIN | 4895750.c1.biz | 2022-12-07 | 2024-09-05 |
| HASH | cf5f18032667bfb4c7373191e7fb1fbf | 2022-11-16 | 2024-09-05 |
| HASH | 00e6e9ed4666623860686c123ed334f0 | 2022-11-16 | 2024-09-05 |
| DOMAIN | c1.biz | 2020-01-23 | 2024-09-05 |
| HASH | 1ae5b24456d9751dbd15c5c4fccef261 | 2023-04-11 | 2023-04-11 |
| HASH | d3dbd7bb1299096441c5ebba6ce2675e | 2023-04-11 | 2023-04-11 |
| HASH | 8a37c1614aed81a2b9d1f44cf84e2515 | 2023-04-11 | 2023-04-11 |
| HASH | 8e50622992a4b4b33127c34ff3fdbd30 | 2023-04-11 | 2023-04-11 |
| HASH | 079be709ce7e57f4015b0ca8347e8a29 | 2023-04-11 | 2023-04-11 |
| HASH | 3f96cd95327a8c801972620c7906dcf… | 2023-04-11 | 2023-04-11 |
| URL | http://5645780.c1.biz//index.ph… | 2023-04-11 | 2023-04-11 |
| DOMAIN | 5645780.c1.biz | 2022-12-07 | 2023-04-11 |
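The following is an added example of how a defender can operationalize the table above; it is not code from 360 or from the report. It parses the IoC rows as they appear on this page, keeps the two truncated values (marked with "…") as prefix-only indicators, and runs the set over a few constructed telemetry records (DNS queries, file hashes, a URL, and a service-install name). Because the bare parent domain c1.biz also covers the two more specific subdomains and, by extension, any unrelated host under it, a suffix-only domain hit is reported at lower confidence than an exact one. The event format and the confidence labels are assumptions of this example, and the service-name rule uses the disguised service name quoted in the summary.

```python
from dataclasses import dataclass

# IoC table as listed on this page; the two "…" values are kept truncated.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 7b27586c4b332c5e87784c8d3e45a523 | 2023-04-11 | 2024-09-05 |
| DOMAIN | 4895750.c1.biz | 2022-12-07 | 2024-09-05 |
| HASH | cf5f18032667bfb4c7373191e7fb1fbf | 2022-11-16 | 2024-09-05 |
| HASH | 00e6e9ed4666623860686c123ed334f0 | 2022-11-16 | 2024-09-05 |
| DOMAIN | c1.biz | 2020-01-23 | 2024-09-05 |
| HASH | 1ae5b24456d9751dbd15c5c4fccef261 | 2023-04-11 | 2023-04-11 |
| HASH | d3dbd7bb1299096441c5ebba6ce2675e | 2023-04-11 | 2023-04-11 |
| HASH | 8a37c1614aed81a2b9d1f44cf84e2515 | 2023-04-11 | 2023-04-11 |
| HASH | 8e50622992a4b4b33127c34ff3fdbd30 | 2023-04-11 | 2023-04-11 |
| HASH | 079be709ce7e57f4015b0ca8347e8a29 | 2023-04-11 | 2023-04-11 |
| HASH | 3f96cd95327a8c801972620c7906dcf… | 2023-04-11 | 2023-04-11 |
| URL | http://5645780.c1.biz//index.ph… | 2023-04-11 | 2023-04-11 |
| DOMAIN | 5645780.c1.biz | 2022-12-07 | 2023-04-11 |
"""

# Name of the disguised persistence service described in the summary above.
SERVICE_NAME = "remote database service update"


@dataclass(frozen=True)
class Ioc:
    kind: str      # HASH, DOMAIN, URL (or SERVICE for the name-based rule)
    value: str     # lower-cased, with any trailing "…" removed
    partial: bool  # True when the page shows the value truncated


def parse_ioc_table(text):
    """Parse the markdown IoC table into Ioc records, skipping header rows."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Type" or set(cells[0]) == {"-"}:
            continue
        value = cells[1]
        partial = value.endswith("…")
        iocs.append(Ioc(cells[0].upper(), value.rstrip("…").lower(), partial))
    return iocs


def find_domain(iocs, qname):
    """Most specific DOMAIN IoC matching qname; suffix-only hits are 'parent-domain'."""
    q = qname.lower().rstrip(".")
    best = None
    for ioc in iocs:
        if ioc.kind != "DOMAIN":
            continue
        if q == ioc.value:
            conf = "exact"
        elif q.endswith("." + ioc.value):
            conf = "parent-domain"
        else:
            continue
        if best is None or len(ioc.value) > len(best[0].value):
            best = (ioc, conf)
    return best


def find_value(iocs, kind, value):
    """Exact match for complete HASH/URL IoCs; prefix match for truncated ones."""
    v = value.lower()
    for ioc in iocs:
        if ioc.kind != kind:
            continue
        if ioc.partial and v.startswith(ioc.value):
            return ioc, "partial"
        if not ioc.partial and v == ioc.value:
            return ioc, "exact"
    return None


def scan_events(iocs, events):
    """Apply the IoC set to simplified telemetry records and return the hits."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "dns":
            m = find_domain(iocs, ev["qname"])
        elif ev["type"] == "file":
            m = find_value(iocs, "HASH", ev["md5"])
        elif ev["type"] == "url":
            m = find_value(iocs, "URL", ev["url"])
        elif ev["type"] == "service" and ev["name"].strip().lower() == SERVICE_NAME:
            m = (Ioc("SERVICE", SERVICE_NAME, False), "exact")
        else:
            m = None
        if m:
            hits.append({"event": i, "kind": m[0].kind, "ioc": m[0].value, "confidence": m[1]})
    return hits


# Constructed sample telemetry (not from the report); the 3f96... hash is a made-up
# value that only shares the visible prefix of the truncated IoC.
SAMPLE_EVENTS = [
    {"type": "dns", "qname": "4895750.c1.biz"},
    {"type": "dns", "qname": "www.example.com"},
    {"type": "file", "md5": "CF5F18032667BFB4C7373191E7FB1FBF"},
    {"type": "file", "md5": "3f96cd95327a8c801972620c7906dcf0"},
    {"type": "url", "url": "http://5645780.c1.biz//index.php?id=1"},
    {"type": "dns", "qname": "other.c1.biz"},
    {"type": "service", "name": "Remote Database Service Update"},
]

if __name__ == "__main__":
    for hit in scan_events(parse_ioc_table(IOC_TABLE), SAMPLE_EVENTS):
        print(hit)
```

Running the block prints one hit per matching record, with "partial" for the two truncated indicators and "parent-domain" for the query under c1.biz that matches no specific subdomain. In practice, partial and parent-domain hits are triage leads rather than confirmed matches, and the full hash and URL should be obtained from the original report before they are used for blocking.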