Undetected North Korean Malware: A Looming Threat to Financial Institutions
2023-02-16 • Bridewell
Bridewell Intelligence warns that TA444, a financially motivated North Korea state-sponsored actor, poses a continuing threat to banks, financial institutions, and cryptocurrency exchanges. Pivoting from Proofpoint and Kaspersky reporting, Bridewell identified additional TA444 command-and-control infrastructure whose malware was largely undetected by conventional antivirus services, including several IPs with zero or very low VirusTotal detections. The advisory says TA444 has targeted banks for years and expanded further into cryptocurrency in late 2022, and that it obscures its infrastructure behind services such as Porkbun DNS and Cloudflare. Financial-sector defenders are urged to retrospectively hunt for connections to the published indicators, add them to alerting or block lists, and pair threat intelligence with segmentation, advanced detection, audits, access controls, training, and incident-response planning.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | dnsowl.com | 2023-02-16 | 2024-10-29 |
| DOMAIN | docs.azurehosting.co | 2023-02-16 | 2023-10-04 |
| DOMAIN | shippingspro.com | 2023-02-16 | 2023-06-06 |
| DOMAIN | share.anobaka.info | 2023-02-16 | 2023-06-06 |
| DOMAIN | team.msteam.biz | 2023-02-16 | 2023-06-06 |
| DOMAIN | cloud.j-ic.com | 2023-02-16 | 2023-06-06 |
| DOMAIN | cloud.j-ic.co | 2023-02-16 | 2023-06-06 |
| DOMAIN | internal.j-ic.co | 2023-02-16 | 2023-06-06 |
| DOMAIN | cloud.azurehosting.co | 2023-02-16 | 2023-06-06 |
| DOMAIN | down.espcapital.co | 2023-02-16 | 2023-06-06 |
| DOMAIN | cloud.anobaka.info | 2023-02-16 | 2023-06-06 |
| DOMAIN | down.j-ic.co | 2023-02-16 | 2023-06-06 |
| DOMAIN | autoprotect.gb.net | 2023-02-16 | 2023-06-06 |
| DOMAIN | trytiponlineresult.com | 2023-02-16 | 2023-06-06 |
| DOMAIN | autoprotect.com | 2023-02-16 | 2023-06-06 |
| DOMAIN | cloud.mekongcapital.net | 2023-02-16 | 2023-06-06 |
| DOMAIN | cloud.gpmtreit.co | 2023-02-16 | 2023-06-06 |
| DOMAIN | ns2.trytiponlineresult.com | 2023-02-16 | 2023-06-06 |
| DOMAIN | down.j-ic.com | 2023-02-16 | 2023-06-06 |
| DOMAIN | ns1.trytiponlineresult.com | 2023-02-16 | 2023-06-06 |
| DOMAIN | site.siteshare.me | 2023-02-16 | 2023-06-06 |
| DOMAIN | autoprotect.com.de | 2023-02-16 | 2023-06-06 |
| DOMAIN | down.gpmtreit.co | 2023-02-16 | 2023-06-06 |
| DOMAIN | share.1drvmicrosoft.com | 2023-02-16 | 2023-06-06 |
| IPv4 | 104.255.172.56 | 2023-02-16 | 2023-06-06 |
| IPv4 | 172.93.181.221 | 2023-02-16 | 2023-06-06 |
| DOMAIN | ms.msteam.biz | 2022-12-27 | 2023-06-06 |
| IPv4 | 155.138.159.45 | 2022-12-27 | 2023-06-06 |
| IPv4 | 172.86.122.181 | 2023-02-16 | 2023-05-22 |
| DOMAIN | centralnic.net | 2023-02-16 | 2023-02-16 |
| DOMAIN | server-1.phcnetworks.net | 2023-02-16 | 2023-02-16 |
| DOMAIN | namecheaphosting.com | 2023-02-16 | 2023-02-16 |
| DOMAIN | phcnetworks.net | 2023-02-16 | 2023-02-16 |
| DOMAIN | naogoze.com | 2023-02-16 | 2023-02-16 |
| DOMAIN | corporateimageguru.com | 2023-02-16 | 2023-02-16 |
| DOMAIN | phcdevworks.com | 2023-02-16 | 2023-02-16 |
| IPv4 | 172.86.123.181 | 2023-02-16 | 2023-02-16 |
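The retrospective hunt the advisory recommends, as an added example that is not Bridewell's tooling: a Python sweep that loads a subset of the indicator table above and walks DNS-resolver and firewall log lines, flagging queried names that equal a listed domain or sit beneath one (so a host under `docs.azurehosting.co` still hits) and destination IPs that equal a listed address. The indicator values are copied from the table; the log lines, their `timestamp source k=v ...` layout and the field names (`client`, `query`, `src`, `dst`) are constructed assumptions, so map them to whatever your resolver and firewall actually emit.

```python
"""Retrospective indicator sweep over DNS and firewall logs (added example).

Indicator values come from the advisory table; everything else here,
including the log format and sample lines, is constructed for illustration.
"""
import ipaddress
import re
from collections import namedtuple

# Subset of the advisory's indicator table (type, value).
IOCS = [
    ("DOMAIN", "docs.azurehosting.co"),
    ("DOMAIN", "team.msteam.biz"),
    ("DOMAIN", "share.1drvmicrosoft.com"),
    ("DOMAIN", "down.j-ic.co"),
    ("IPv4", "104.255.172.56"),
    ("IPv4", "172.93.181.221"),
    ("IPv4", "155.138.159.45"),
]

# Constructed log lines: two DNS-resolver queries and one firewall session
# from the same client should hit; the last two lines are benign noise
# (203.0.113.10 is an RFC 5737 documentation address).
SAMPLE_LOGS = [
    "2023-03-01T10:12:03Z dns client=10.0.4.21 query=team.msteam.biz. type=A",
    "2023-03-01T10:12:04Z dns client=10.0.4.21 query=cdn.docs.azurehosting.co. type=A",
    "2023-03-01T10:12:05Z fw src=10.0.4.21 dst=172.93.181.221 dport=443 action=allow",
    "2023-03-01T10:15:00Z dns client=10.0.7.9 query=teams.microsoft.com. type=A",
    "2023-03-01T10:15:01Z fw src=10.0.7.9 dst=203.0.113.10 dport=443 action=allow",
]

Hit = namedtuple("Hit", "timestamp client field observed indicator")
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalise_domain(name: str) -> str:
    """Lower-case and drop the trailing dot resolvers append to FQDNs."""
    return name.lower().rstrip(".")


class IocMatcher:
    """Exact IP matching plus suffix (parent-domain) matching for names."""

    def __init__(self, iocs):
        self.domains = {normalise_domain(v) for t, v in iocs if t == "DOMAIN"}
        self.ips = {ipaddress.ip_address(v) for t, v in iocs if t == "IPv4"}

    def match_domain(self, name: str):
        """Return the listed domain that `name` equals or is a child of.

        Walks from the full name up through its parents, so
        'cdn.docs.azurehosting.co' hits 'docs.azurehosting.co'. A bare parent
        that is not itself listed (e.g. 'msteam.biz') does not match.
        """
        labels = normalise_domain(name).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, value: str):
        """Return the listed address equal to `value`, or None if absent/invalid."""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        return str(addr) if addr in self.ips else None


def parse_line(line: str):
    """Split '<timestamp> <source> k=v k=v ...' into (timestamp, fields dict)."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None, {}
    return parts[0], dict(KV_RE.findall(parts[2]))


def sweep(lines, matcher: IocMatcher):
    """Return one Hit per (line, field) whose value matches an indicator."""
    hits = []
    for line in lines:
        ts, f = parse_line(line)
        if not f:
            continue
        client = f.get("client") or f.get("src", "?")
        for field in ("query", "host", "sni"):       # name-bearing fields
            if field in f and (ind := matcher.match_domain(f[field])):
                hits.append(Hit(ts, client, field, f[field], ind))
        if "dst" in f and (ind := matcher.match_ip(f["dst"])):  # address field
            hits.append(Hit(ts, client, "dst", f["dst"], ind))
    return hits


def affected_hosts(hits):
    """Internal clients that touched an indicator, for incident scoping."""
    return {h.client for h in hits}


if __name__ == "__main__":
    matcher = IocMatcher(IOCS)
    for hit in sweep(SAMPLE_LOGS, matcher):
        print(f"{hit.timestamp} {hit.client} {hit.field}={hit.observed} -> {hit.indicator}")
    print("affected hosts:", sorted(affected_hosts(sweep(SAMPLE_LOGS, matcher))))
```

Run it over a retention window that reaches back before the table's First Seen dates, since the point of the sweep is to find contact that predates the indicators being published. Suffix matching catches subdomains the table does not enumerate, but it also means a listed name that is a widely shared provider or registrar domain will match a great deal of legitimate traffic; before promoting an entry from alert to block list, confirm it is attacker-controlled rather than shared infrastructure.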