North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack
2023-07-24 • Mandiant
https://www.mandiant.com/resources/blog/north-korea-supply-chain
Mandiant attributed these intrusions to UNC4899, a Democratic People's Republic of Korea (DPRK)-nexus actor with a history of targeting companies in the cryptocurrency vertical. We believe the compromise ultimately began with a sophisticated spear-phishing campaign aimed at JumpCloud, a zero-trust directory platform used for identity and access management.

The first path (/Library/Fonts/ArialUnicode.ttf.md5) stores the backdoor's full configuration, including its C2 servers. STRATOFEAR is a modular backdoor that communicates with its C2 servers using a protocol specified in the C2 configuration, which is decrypted from that local file.
Indicators of Compromise