Defending in a hostile environment: Key findings from the BlackHat NOC
2022-08-24 • IronNet
https://www.ironnet.com/blog/a-view-from-the-black-hat-noc-key-findings
IronNet’s Black Hat NOC hunters observed numerous callouts from four unique hosts to three domains associated with SHARPEXT, malware that Volexity had linked to the North Korean APT Kimsuky, also tracked as SharpTongue. The finding occurred in a noisy conference network where defenders had to distinguish real malware from training and demo traffic, so matching observed traffic against known APT infrastructure was especially important for triage. The source frames the SHARPEXT activity as one of several genuine infections detected during the event, alongside unrelated Shlayer and NetSupport RAT cases. For DPRK-focused tracking, the key evidence is the presence of North Korean-attributed SHARPEXT network activity on multiple hosts in the Black Hat environment.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | gonamod.com | 2022-08-24 | 2023-05-16 |
| DOMAIN | siekis.com | 2022-08-24 | 2023-04-19 |
| DOMAIN | api.commondevice.com | 2022-08-24 | 2022-08-24 |
| DOMAIN | download.commondevice.com | 2022-08-24 | 2022-08-24 |
| DOMAIN | downloads.commondevice.com | 2022-08-24 | 2022-08-24 |
| DOMAIN | radoinvest.com | 2022-08-24 | 2022-08-24 |
| IPv4 | 23.63.71.26 | 2022-08-24 | 2022-08-24 |
| IPv4 | 135.84.124.41 | 2022-08-24 | 2022-08-24 |
| IPv4 | 199.188.200.186 | 2022-08-24 | 2022-08-24 |
| IPv4 | 198.54.126.155 | 2022-08-24 | 2022-08-24 |
| IPv4 | 156.154.113.16 | 2022-08-24 | 2022-08-24 |