Continue to distribute malware related to cryptocurrency exchange

2018-06-22 Issuemakers Lab

http://taylor-blog.issuemakerslab.com/2018/06/continue-to-distribute-malicious-code.html


A group suspected of being North Korean repeatedly sent malicious HWP documents to cryptocurrency exchange personnel after June 1, 2018, using decoys themed around cryptocurrency regulation, wallet development, and job applications. The documents exploited the EPS handling in HWP to deliver malware that could contact C2 servers, send victim information, and download and execute additional payloads. The source links the malware to the latest Lazarus Group variant and compares it with Hidden Cobra activity against Turkish financial organizations that used Bankshot-themed cryptocurrency lures. The shared tradecraft includes injection into explorer.exe, similar logic for fetching additional payloads, matching decryption keys, comparable C2 communication protocols, and RAT capabilities covering system discovery, file listing, process execution, drive enumeration, and process collection.

Indicators of Compromise

