Shares tag: Moneyholic • Same author: Ahnlab • Published within a month
Operaion Moneyholic
2019-08-29 • Ahnlab •
http://download.ahnlab.com/kr/site/library/Analysis_Report_Operation_Moneyholic.pdf
Attachments
AhnLab tracks Operation Moneyholic as activity observed from early 2018 through August 2019 against cryptocurrency exchanges and users for financial theft. The attacks used email attachments with double extensions or hidden spacing to masquerade as documents, then showed decoy cryptocurrency-related files while downloading batch scripts and additional malware. The excerpt details TiWorker.exe, a backdoor based on publicly available Chinese source code that sends the fxftest signature to its C2 and supports drive listing, file operations, process control, command execution, and connectivity tests. Another chain used base64-encoded HWP decoys and ipnet.dll, whose variants communicated with C2 over web or FTP and were compared with malware seen in a 2014 lure about North Korean satellite-launch-site construction. The report matters because it ties multiple document-lure techniques, backdoor families, hosting paths, C2 behavior, and operator artifacts into a cryptocurrency-focused intrusion cluster while presenting technical evidence for possible links to a state-run hacking group.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | helpnaver.com | 2019-08-29 | 2023-05-25 |
| [email protected] | 2019-08-29 | 2020-11-22 | |
| HASH | c1063cfa402e64882d41f88ada87c8d1 | 2019-08-24 | 2020-11-22 |
| [email protected] | 2019-08-24 | 2020-11-22 | |
| [email protected] | 2019-08-24 | 2020-11-22 | |
| [email protected] | 2019-08-24 | 2020-11-22 | |
| DOMAIN | rnaii.com | 2019-08-24 | 2020-11-22 |
| DOMAIN | app-wallet.com | 2019-08-24 | 2020-11-22 |
| DOMAIN | manage.app-wallet.com | 2019-08-24 | 2020-11-22 |
| DOMAIN | rneail.com | 2019-08-24 | 2020-11-22 |
| IPv4 | 193.148.16.45 | 2019-08-24 | 2020-11-22 |
| HASH | b2fcef57d62ca5075e62975aee272137 | 2019-08-29 | 2019-08-29 |
| HASH | 9cb536f3af8a9d52937dddac43d3de99 | 2019-08-29 | 2019-08-29 |
| HASH | 5259e9a18754703fdd47d2c9ade0e35f | 2019-08-29 | 2019-08-29 |
| HASH | 109a42f52b68b1af7ec1ac3d5cb22cfd | 2019-08-29 | 2019-08-29 |
| HASH | 51e161503b6cd3d9f854cffcbfcd4e77 | 2019-08-29 | 2019-08-29 |
| HASH | d32f6ed7958c07698d3f51e7268f1fa4 | 2019-08-29 | 2019-08-29 |
| HASH | 1793f7bddf6be0129fe8af7488dd384f | 2019-08-29 | 2019-08-29 |
| HASH | 6f5f22753af837433267dcd76bf316ea | 2019-08-29 | 2019-08-29 |
| HASH | b12fa22d02fda312eaf31babe2d719e9 | 2019-08-29 | 2019-08-29 |
| HASH | 0c08c15f4becc21fab5ee3a0871f2c39 | 2019-08-29 | 2019-08-29 |
| HASH | 715051f5028dc793e06b20b4048f33a6 | 2019-08-29 | 2019-08-29 |
| HASH | 8fc875be2f4b6be1fd31ef6a99d0be25 | 2019-08-29 | 2019-08-29 |
| HASH | 2827cc82c23cc054944930d331c7475f | 2019-08-29 | 2019-08-29 |
| HASH | 1d9668a4d59b19d50f93481f65ca4e46 | 2019-08-29 | 2019-08-29 |
| HASH | f6ebbd988d6f68749343c6ede200ce36 | 2019-08-29 | 2019-08-29 |
| HASH | 37c6326f3cf3542e52439a66150ba278 | 2019-08-29 | 2019-08-29 |
| HASH | a3f297208d69bd597e7235cad7faefaf | 2019-08-29 | 2019-08-29 |
| HASH | 068a6acb7d4ec0d146497e37fccca210 | 2019-08-29 | 2019-08-29 |
| HASH | 96cc6500169b047e5ab2565f91e1eaaa | 2019-08-29 | 2019-08-29 |
| HASH | 4a86f5909441914ff04f2a16bb379353 | 2019-08-29 | 2019-08-29 |
| HASH | f05af1304c8fb427b5f073f2e0154c0e | 2019-08-29 | 2019-08-29 |
| HASH | a77566ec1317117d5fe0eb4d647c6ac0 | 2019-08-29 | 2019-08-29 |
| HASH | 865138cf59970c8c871f085ce18fcb1b | 2019-08-29 | 2019-08-29 |
| HASH | ecfc59216dd787dff53cf2e4b7d0f832 | 2019-08-29 | 2019-08-29 |
| HASH | a553bd68ee74e920eb7c4f068ce35706 | 2019-08-29 | 2019-08-29 |
| HASH | ac7f2afa1934eb9178de53ec1c50d6aa | 2019-08-29 | 2019-08-29 |
| HASH | 45fa564f2ccea45ff26099cb3737d654 | 2019-08-29 | 2019-08-29 |
| URL | http://gmaildown.1apps.com/1.txt | 2019-08-29 | 2019-08-29 |
| URL | http://attach10131.1apps.com/1.… | 2019-08-29 | 2019-08-29 |
| URL | http://881.000webhostapp.com/se… | 2019-08-29 | 2019-08-29 |
| URL | http://881.000webhostapp.com/se… | 2019-08-29 | 2019-08-29 |
| URL | http://attach10131.1apps.com/11… | 2019-08-29 | 2019-08-29 |
| URL | http://result-viewer.com/cc/ind… | 2019-08-29 | 2019-08-29 |
| DOMAIN | result-viewer.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | gotomyhouse1013.1apps.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | attach10131.1apps.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | gmaildown.1apps.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | snop.mytut.net | 2019-08-29 | 2019-08-29 |
| DOMAIN | 8877.1apps.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | mytut.net | 2019-08-29 | 2019-08-29 |
| DOMAIN | snop.webrnail.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | indiana1014.1apps.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | downok1013.1apps.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | u811238542.hostingerapp.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | rainbow1013.1apps.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | rainbow.webrnail.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | cert-us.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | mklawyer.maru.net | 2019-08-29 | 2019-08-29 |
| DOMAIN | 71790.000webhostapp.com | 2019-08-29 | 2019-08-29 |
| DOMAIN | signetsys.com | 2019-08-29 | 2019-08-29 |
| IPv4 | 217.197.161.78 | 2019-08-29 | 2019-08-29 |
| IPv4 | 111.90.138.41 | 2019-08-29 | 2019-08-29 |
| IPv4 | 194.59.164.14 | 2019-08-29 | 2019-08-29 |
| IPv4 | 156.67.222.184 | 2019-08-29 | 2019-08-29 |
| IPv4 | 180.71.56.198 | 2019-08-29 | 2019-08-29 |
| IPv4 | 103.249.31.170 | 2019-08-29 | 2019-08-29 |
| IPv4 | 27.102.112.179 | 2019-08-29 | 2019-08-29 |
| IPv4 | 160.202.162.79 | 2019-08-29 | 2019-08-29 |
| IPv4 | 61.14.211.140 | 2019-08-29 | 2019-08-29 |
| IPv4 | 147.46.46.140 | 2019-08-29 | 2019-08-29 |
| [email protected] | 2019-08-24 | 2019-08-29 | |
| DOMAIN | nidhelpnaver.com | 2019-08-24 | 2019-08-29 |
| DOMAIN | naver.attach-download.com | 2019-08-24 | 2019-08-29 |
| DOMAIN | grnaeil.com | 2019-08-24 | 2019-08-29 |
| DOMAIN | daum.attach-download.com | 2019-08-24 | 2019-08-29 |
| IPv4 | 160.202.162.78 | 2019-08-24 | 2019-08-29 |
| IPv4 | 188.241.39.10 | 2019-08-24 | 2019-08-29 |
| IPv4 | 188.241.39.220 | 2019-08-24 | 2019-08-29 |
| IPv4 | 62.133.58.60 | 2019-08-24 | 2019-08-29 |
| IPv4 | 104.243.41.186 | 2019-08-24 | 2019-08-29 |
| IPv4 | 5.252.198.93 | 2019-05-24 | 2019-08-29 |
| DOMAIN | alabamaok0515.1apps.com | 2019-05-16 | 2019-08-29 |
| DOMAIN | fighiting1013.org | 2019-05-16 | 2019-08-29 |
| HASH | b02f3881321f0912b2ae3f27498c448f | 2019-03-04 | 2019-08-29 |
| HASH | 11fc4829c2fff9fb240acbd71c60fc67 | 2019-03-04 | 2019-08-29 |
| HASH | a25811b24b7f27a486c05c0a09ad992d | 2018-12-20 | 2019-08-29 |
| IPv4 | 103.249.31.159 | 2018-12-20 | 2019-08-29 |
| DOMAIN | 071790.000webhostapp.com | 2018-11-29 | 2019-08-29 |
| DOMAIN | vnik.000webhostapp.com | 2018-11-29 | 2019-08-29 |
| DOMAIN | 881.000webhostapp.com | 2018-11-29 | 2019-08-29 |
| DOMAIN | attach10132.1apps.com | 2018-11-29 | 2019-08-29 |
| IPv4 | 61.14.210.72 | 2018-11-29 | 2019-08-29 |
Related Reports
Shares 20 IOCs • Published within a week
Shares 2 IOCs • Same author: Ahnlab
Shares 2 IOCs
Shares 6 IOCs
Shares 2 IOCs