North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US

2023-06-06 Recorded Future

https://go.recordedfuture.com/hubfs/reports/cta-2023-0606.pdf

Attachments

cta-2023-0606.pdf (4 MB)


Recorded Future’s Insikt Group identified a TAG-71 cluster from September 2022 to March 2023 that spoofed financial institutions and venture capital firms in Japan, Vietnam, and the United States. The activity closely overlaps public reporting on North Korean APT38, also known as Bluenoroff, Stardust Chollima, and BeagleBoyz, and included 74 domains resolving to five IP addresses plus six malicious files. Observed delivery methods included ZIP archives with password-protected PDFs, DOCX template injection to external infrastructure, and double-extension LNK files that launched pcalua.exe or mshta.exe. Newly observed infrastructure included 172.93.181[.]221, 104.168.143[.]222, and 104.168.149[.]145, with reused IPs 155.138.159[.]45 and 104.255.172[.]56 hosting document-sharing and financial-brand lookalike domains. The targeting aligns with North Korean financially motivated operations against financial and investment entities, where compromise could expose sensitive firm or customer information.
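As an added, defender-side example that is not part of the Recorded Future report: the DOCX template-injection delivery method described above leaves a trace inside the document package itself, a relationship of type attachedTemplate with TargetMode="External" in word/_rels/settings.xml.rels. The Python below builds a constructed minimal DOCX (not a real sample), scans it for such a relationship, and compares the target host against a refanged subset of the domains and IPs listed in the indicator table on this page. The relationship-type URI and namespace are the standard OOXML ones; the sample document content and the refang helper are assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML package-relationship namespace and the relationship type Word uses for
# an attached template. Word stores it in word/_rels/settings.xml.rels and,
# when TargetMode="External", fetches the template from that URL on open.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def refang(indicator):
    """Reverse the report's defanging ('172.93.181[.]221') into a usable value."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


# Subset of the domains and IPs from this page's IoC table (defanged as in the
# summary paragraph, refanged here so parsed hostnames can be compared).
REPORT_IOCS = {refang(x) for x in [
    "docs.azurehosting[.]co", "cloud.azurehosting[.]co", "deck.altairvc[.]com",
    "down.altairvc[.]info", "mufg.us[.]com", "verifydocument[.]com",
    "cloudprotect.us[.]org", "share.1drvmicrosoft[.]com",
    "104.168.143[.]222", "104.168.149[.]145", "104.255.172[.]56",
    "172.93.181[.]221", "155.138.159[.]45",
]}


def host_matches_iocs(host, iocs=REPORT_IOCS):
    """True if host equals an indicator or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == i or host.endswith("." + i) for i in iocs)


def external_template_targets(docx_bytes):
    """Return every external attachedTemplate target in the DOCX package."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return targets  # no settings relationships at all: nothing to flag
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            # Attribute names in .rels files carry no namespace prefix.
            if (rel.get("Type") == TEMPLATE_REL_TYPE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target"))
    return targets


def assess_docx(docx_bytes):
    """One (target, host, known_ioc) tuple per remote template found."""
    findings = []
    for target in external_template_targets(docx_bytes):
        host = urlparse(target).hostname or ""
        findings.append((target, host, host_matches_iocs(host)))
    return findings


# --- constructed sample input (not a real malicious document) ---------------
_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '</Types>'
)
_DOCUMENT = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
             '<w:body><w:p><w:r><w:t>Q1 investment deck</w:t></w:r></w:p></w:body></w:document>')
_SETTINGS = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')


def build_sample_docx(template_target=None):
    """Build a minimal DOCX; with template_target set, add a remote template link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("word/document.xml", _DOCUMENT)
        zf.writestr("word/settings.xml", _SETTINGS)
        rels = [f'<Relationships xmlns="{REL_NS}">']
        if template_target:
            rels.append(f'<Relationship Id="rId1" Type="{TEMPLATE_REL_TYPE}" '
                        f'Target="{template_target}" TargetMode="External"/>')
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for doc in (build_sample_docx(),
                build_sample_docx("https://docs.azurehosting.co/template.dotm")):
        print(assess_docx(doc))
```

The same relationship walk works on a DOCX pulled from a mail gateway or sandbox: a remote attachedTemplate is worth alerting on regardless of whether the host is already on an indicator list, since the page's own table shows truncated and rotating lookalike domains that a static blocklist will miss.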

Indicators of Compromise

Type    Value                             First Seen  Last Seen
DOMAIN  docs.azurehosting.co              2023-02-16  2023-10-04
HASH    be04d1b357ec88ffb87a7d22ae79c99…  2023-06-06  2023-06-06
HASH    06863bcb40655c737b5eb0162beee6b…  2023-06-06  2023-06-06
HASH    50320e2cff68bdcfa114879334804e3…  2023-06-06  2023-06-06
HASH    788c722f056f25b96a5876b683c1064…  2023-06-06  2023-06-06
HASH    6d4b5f3ef86997bf333b3db85286618…  2023-06-06  2023-06-06
HASH    7a78609dedb0dc8b9c22c6711687367…  2023-06-06  2023-06-06
HASH    3ee65304c66b151b329bd62cff6f376…  2023-06-06  2023-06-06
HASH    bdeb94b7aa7a0809bf019c37b3b436b…  2023-06-06  2023-06-06
HASH    607e7ac326994f0f85d85305c3b8107…  2023-06-06  2023-06-06
HASH    d1223db1e8dd0aa13b9bff498f47e10…  2023-06-06  2023-06-06
URL     https://docs.az                   2023-06-06  2023-06-06
URL     https://cloud.es                  2023-06-06  2023-06-06
DOMAIN  er.us.org                         2023-06-06  2023-06-06
DOMAIN  deck.altairvc.com                 2023-06-06  2023-06-06
DOMAIN  cloud.es                          2023-06-06  2023-06-06
DOMAIN  docs.az                           2023-06-06  2023-06-06
DOMAIN  down.altairvc.info                2023-06-06  2023-06-06
DOMAIN  mufg.us.com                       2023-06-06  2023-06-06
DOMAIN  urehosting.co                     2023-06-06  2023-06-06
DOMAIN  verifydocument.com                2023-06-06  2023-06-06
DOMAIN  cloudprotect.us.org               2023-06-06  2023-06-06
IPv4    104.168.143.222                   2023-06-06  2023-06-06
IPv4    104.168.149.145                   2023-06-06  2023-06-06
HASH    26e376fc80b090b2ee04e7d3104d308…  2023-05-01  2023-06-06
DOMAIN  web.j-ic.co                       2023-05-01  2023-06-06
DOMAIN  shippingspro.com                  2023-02-16  2023-06-06
DOMAIN  share.anobaka.info                2023-02-16  2023-06-06
DOMAIN  team.msteam.biz                   2023-02-16  2023-06-06
DOMAIN  cloud.j-ic.com                    2023-02-16  2023-06-06
DOMAIN  cloud.j-ic.co                     2023-02-16  2023-06-06
DOMAIN  internal.j-ic.co                  2023-02-16  2023-06-06
DOMAIN  cloud.azurehosting.co             2023-02-16  2023-06-06
DOMAIN  down.espcapital.co                2023-02-16  2023-06-06
DOMAIN  cloud.anobaka.info                2023-02-16  2023-06-06
DOMAIN  down.j-ic.co                      2023-02-16  2023-06-06
DOMAIN  autoprotect.gb.net                2023-02-16  2023-06-06
DOMAIN  trytiponlineresult.com            2023-02-16  2023-06-06
DOMAIN  autoprotect.com                   2023-02-16  2023-06-06
DOMAIN  cloud.mekongcapital.net           2023-02-16  2023-06-06
DOMAIN  cloud.gpmtreit.co                 2023-02-16  2023-06-06
DOMAIN  ns2.trytiponlineresult.com        2023-02-16  2023-06-06
DOMAIN  down.j-ic.com                     2023-02-16  2023-06-06
DOMAIN  ns1.trytiponlineresult.com        2023-02-16  2023-06-06
DOMAIN  site.siteshare.me                 2023-02-16  2023-06-06
DOMAIN  autoprotect.com.de                2023-02-16  2023-06-06
DOMAIN  down.gpmtreit.co                  2023-02-16  2023-06-06
DOMAIN  share.1drvmicrosoft.com           2023-02-16  2023-06-06
IPv4    104.255.172.56                    2023-02-16  2023-06-06
IPv4    172.93.181.221                    2023-02-16  2023-06-06
DOMAIN  ms.msteam.biz                     2022-12-27  2023-06-06
IPv4    155.138.159.45                    2022-12-27  2023-06-06
URL     http://schemas.openxmlformats.o…  2020-03-20  2023-06-06
