DPRK Malware Analysis targeting security researchers

2021-01-28 kkoha

https://kkoha.tistory.com/entry/DPRK-Malware-Analysis-targeting-security-researchers


This Korean analysis describes DPRK-linked malware activity that targeted security researchers through fake vulnerability-research collaboration and an actor-controlled blog at blog.br0vvnn[.]io. The attack chain used malicious exploit PoC projects whose build process launched DLL payloads through PowerShell and rundll32, established persistence under registry Run keys, and dropped files such as C:\ProgramData\VMware\vmnat-update.bin. The payloads decrypted embedded data, loaded additional DLLs, and contacted C2 URLs hosted on codevexillium.org, dronerc.it, transplugin.io, and fabioluciani.com. The source also ties similar logic to Operation North Star job-lure documents, which created localdb.db and downloaded final payloads from attacker infrastructure.
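The two host-side artefacts above (a build hook that runs PowerShell and rundll32, and Run-key persistence pointing at a dropped file) are the things a researcher who opened such a PoC project would want to check for. The following triage script is an added example, not code from the original analysis. It assumes the "build process" hook is an MSBuild build event (PreBuildEvent and similar) or an Exec task inside the project's .vcxproj; the sample project file, the loader.dll name and Start export, and the Run-key values are all constructed for illustration, and the only indicator values used are the drop path and the behaviour named in the summary.

```python
"""
Triage helpers for the two host-side artefacts the write-up names: a build-time
hook in an exploit PoC project, and Run-key persistence plus the dropped file.
Added example, not code from the original analysis.

Assumptions (not stated on the page):
- the "build process" hook is an MSBuild build event (PreBuildEvent etc.) or an
  Exec task inside the .vcxproj; the sample project below is constructed;
- loader.dll / Start and the Run-key values are hypothetical sample data.
"""
import re
import xml.etree.ElementTree as ET

# MSBuild elements whose <Command> text is executed by the shell during a build.
BUILD_EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Traits of a loader rather than a normal build step. The last entry is the
# drop path named in the write-up.
SUSPICIOUS_PATTERNS = [
    ("powershell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("rundll32", re.compile(r"\brundll32(\.exe)?\b", re.I)),
    ("encoded command", re.compile(r"-(enc|encodedcommand|e)\b\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    ("ProgramData drop path", re.compile(r"ProgramData\\VMware\\vmnat-update\.bin", re.I)),
]


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def extract_build_commands(vcxproj_xml):
    """Return (element name, command) for every build event or Exec task."""
    root = ET.fromstring(vcxproj_xml)
    commands = []
    for el in root.iter():
        name = _local(el.tag)
        if name in BUILD_EVENT_TAGS:
            for child in el:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    commands.append((name, child.text.strip()))
        elif name == "Exec" and el.get("Command"):
            commands.append(("Exec", el.get("Command")))
    return commands


def score_command(command):
    """Return the labels of every suspicious pattern present in a command line."""
    return [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(command)]


def triage_project(vcxproj_xml):
    """Flag build commands in a .vcxproj that look like a loader, not a build step."""
    return [
        {"where": where, "command": cmd, "hits": hits}
        for where, cmd in extract_build_commands(vcxproj_xml)
        if (hits := score_command(cmd))
    ]


def triage_run_values(run_values):
    """Apply the same scoring to HKCU/HKLM ...\\Run value data (name -> command)."""
    return {name: hits for name, data in run_values.items() if (hits := score_command(data))}


# Constructed sample project: one malicious pre-build hook, one benign post-build copy.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <PreBuildEvent>
      <Command>powershell -w hidden -exec bypass -c "rundll32 $(ProjectDir)x64\\loader.dll,Start"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

# Constructed Run-key values as they would be read from the registry.
SAMPLE_RUN_VALUES = {
    "OneDrive": '"C:\\Users\\dev\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "VMwareUpdate": "rundll32.exe C:\\ProgramData\\VMware\\vmnat-update.bin,Start",
}

if __name__ == "__main__":
    for f in triage_project(SAMPLE_VCXPROJ):
        print(f"[{f['where']}] {', '.join(f['hits'])}: {f['command']}")
    for name, hits in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(f"[Run\\{name}] {', '.join(hits)}")
```

The point of scoring the command line rather than grepping for a fixed string is that the same scorer covers both places the write-up says the loader appears: the project's build event and the Run-key value. The benign post-build copy and the OneDrive entry produce no hits, so the output is limited to the pre-build hook and the VMwareUpdate value. Run the scorer over real .vcxproj files before building any third-party PoC, and over Run-key data exported from a host suspected of having built one.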

Indicators of Compromise

Type Value First Seen Last Seen
HASH a75886b016d84c3eaacaf01a3c61e04… 2021-01-25 2025-11-07
DOMAIN codevexillium.org 2021-01-25 2024-04-17
URL https://codevexillium.org/image… 2021-01-25 2024-01-19
HASH 8ed89d14dee005ea59634aade15dba97 2021-01-28 2021-04-27
HASH 9c906c2f3bfb24883a8784a92515e63… 2021-01-28 2021-04-27
URL https://www.fabioluciani.com/ae… 2021-01-28 2021-02-25
URL https://www.dronerc.it/shop_tes… 2021-01-28 2021-02-25
HASH e0e59bfc22876c170af65dcbf19f744… 2021-01-28 2021-01-28
HASH 56018500f73e3f6cf179d3b853c27912 2021-01-28 2021-01-28
HASH f5475608c0126582081e29927424f338 2021-01-28 2021-01-28
HASH 35545d891ea9370dfef9a8a2ab1cf95d 2021-01-26 2021-01-28
HASH 4c3499f3cc4a4fdc7e67417e055891c… 2021-01-25 2021-01-28
URL https://www.dronerc.it/shop_tes… 2021-01-25 2021-01-28
URL https://transplugin.io/upload/u… 2021-01-25 2021-01-28
DOMAIN transplugin.io 2021-01-25 2021-01-28
DOMAIN blog.br0vvnn.io 2021-01-25 2021-01-28
