Shares 1 IOC • Same author: Norfolk
OSINT Reporting Regarding DPRK and TA505 Overlap
2019-04-10 • Norfolk •
https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/
Norfolk Infosec reviewed open-source evidence supporting BAE Systems’ SAS2019 reporting on DPRK-attributed SWIFT heist activity, including a PowerShell backdoor dubbed PowerBrace and possible overlap with TA505 intrusions. The source ties DPRK-linked financial-sector IOCs, the PSLogger keylogger, and several similar PowerShell samples through infrastructure overlaps and VirusTotal submission patterns, including a Pakistan submitter associated with both PSLogger and a PowerBrace candidate. The report assesses that the listed PowerShell scripts likely belong to the same DPRK-attributable malware family described by BAE, while providing selected MD5 indicators and analysis notes rather than a full reverse-engineering write-up.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | b12325a1e6379b213d35def383da2986 | 2019-04-10 | 2020-08-05 |
| HASH | 7c651d115109fd8f35fddfc44fd24518 | 2019-04-10 | 2020-08-05 |
| HASH | 34404a3fb9804977c6ab86cb991fb130 | 2019-01-13 | 2020-08-05 |
| HASH | 09e4f724e73fccc1f659b8a46bfa7184 | 2019-04-10 | 2019-04-10 |
| HASH | b88d4d72fdabfc040ac7fb768bf72dcd | 2019-04-10 | 2019-04-10 |
| HASH | cc29adb5b78300b0f17e566ad461b2c7 | 2019-04-10 | 2019-04-10 |
| HASH | 5b7244c47104f169b0840440cdede788 | 2019-04-10 | 2019-04-10 |
| HASH | 26f09267d0ec0d339e70561a610fb1fd | 2019-04-10 | 2019-04-10 |
| HASH | 9c35e9aa9255aa2214d704668b039ef6 | 2019-04-10 | 2019-04-10 |
| HASH | 2e0d13266b45024153396f002e882f15 | 2019-04-10 | 2019-04-10 |
| HASH | 53f7be945d5755bb628deecb71cdcbf2 | 2019-04-10 | 2019-04-10 |
| HASH | 8a41520c89dce75a345ab20ee352fef0 | 2019-04-10 | 2019-04-10 |
| HASH | e00499e21f9dcf77fc990400b8b3c2b5 | 2019-04-10 | 2019-04-10 |
| HASH | 3be75036010f1f2102b6ce09a9299bca | 2019-04-10 | 2019-04-10 |
| IPv4 | 192.95.14.128 | 2019-04-10 | 2019-04-10 |