APT37 targets Journalists & Security Researchers

2021-12-04 0xthreatintel

http://web.archive.org/web/20211203182513/https://0xthreatintel.medium.com/apt37-targets-journalists-security-researchers-4d18c559767c

APT37 is reported targeting journalists and security researchers with malicious Hangul Word Processor documents themed around COVID-19 vaccine disinformation and Upbit policy changes. The analyzed HWP lures contain embedded files, shellcode, PE files, and base64-encoded PowerShell that spawn command interpreters and use HTTP POST requests for command-and-control. The PowerShell downloads additional plugins into the APPDATA folder from C2 paths including ljs5950[.]cafe24[.]com/bbs/samsung/do[.]php and kjdnc[.]gp114[.]net/data/log/do[.]php. The activity maps to spearphishing attachments, PowerShell and Windows command execution, registry and system discovery, persistence via Run keys or startup folders, and web-protocol C2, making it relevant for tracking DPRK-linked targeting of researchers and media.

Indicators of Compromise

Type     Value                              First Seen   Last Seen
HASH     b0ca169c6a64336e48fe8d5c0e83762…   2021-12-04   2021-12-04
HASH     304d569374625857323cae7ce6a1a4b…   2021-12-04   2021-12-04
HASH     81ee247eb8d9116893e5742d12b2d8c…   2021-12-04   2021-12-04
HASH     9d6fa64e0c0f3ec7442cb72bfaa016c…   2021-12-04   2021-12-04
HASH     c69f4052c34efc8b0b51892c53488c0…   2021-12-04   2021-12-04
HASH     dbbecbafd905f0b4a2c8194cba3c879…   2021-12-04   2021-12-04
HASH     8879de48468dd650152cb3aa150349d…   2021-12-04   2021-12-04
HASH     40359e0e92a99b428778ac4e9d70fbc…   2021-12-04   2021-12-04
DOMAIN   ljs5950.cafe24.com                 2021-12-04   2021-12-04
IPv4     23.32.238.240                      2021-12-04   2021-12-04
IPv4     40.126.31.137                      2021-12-04   2021-12-04
IPv4     104.89.38.104                      2021-12-04   2021-12-04
IPv4     104.111.242.51                     2021-12-04   2021-12-04
IPv4     23.48.202.145                      2021-12-04   2021-12-04
IPv4     20.190.154.19                      2021-12-04   2021-12-04
IPv4     222.122.86.177                     2021-12-04   2021-12-04
IPv4     8.248.143.254                      2021-12-04   2021-12-04
HASH     f17502d3e12615b0fa8868472a4eabfb   2021-11-29   2021-12-04
HASH     72e5b8ea33aeb083631d1e8b302e76af   2021-11-29   2021-12-04
HASH     5a7ef48fe0e8ae65733db64ddb7f2478   2021-11-29   2021-12-04
HASH     c155f49f0a9042d6df68fb593968e110   2021-11-29   2021-12-04
DOMAIN   kjdnc.gp114.net                    2020-07-14   2021-12-04
IPv4     211.115.92.200                     2020-07-14   2021-12-04

Related Reports

2021-12-02 • 38% Match
#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1573.001 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004 #T0865
Shares tags: T1082, T1071.001, T1027 • Published within a week