North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group

2017-12-19 Proofpoint

https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

Attachments

pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf (6 MB)


Proofpoint’s white paper describes financially motivated Lazarus Group activity around cryptocurrency, with analysis organized around PowerRatankba downloaders and related tooling. It covers multiple delivery formats including PowerSpritz, Windows shortcut files, CHM help files, Office macro documents, and backdoored PyInstaller applications, then details PowerRatankba C2 behavior, persistence, a PowerRatankba.B stage 2 Gh0st RAT, and RatankbaPOS. The report’s attribution section points defenders to technical traits such as encryption, obfuscation, functionality, code overlap, decoys, and C&C characteristics. It also includes IOC and Suricata/Snort signature sections useful for tracking Lazarus cryptocurrency and POS-related malware activity.

Indicators of Compromise

