sentinel labs (3)

North Korean threat actors have caught SentinelLabs' attention over the past year, providing us with fruitful insight into a variety of campaigns, such as new reconnaissance tools, (multiple) new supply chain intrusions, elusive multi-platform targeting, and new sly social engineering tactics. To add to that list, analysts looked at an intrusion into what might be considered a highly desirable strategic espionage mission, supporting North Korea's contentious missile program.[1]

The Target Orga

SentinelLabs reports that in a previous post in this series, we looked at powering up radare2 with aliases and macros to make our work more productive. Still, sometimes we need the ability to automate more complex tasks, extend our analyses by bringing in other tools, or process files in batches. Most reverse engineering platforms have some scripting engine to help achieve this kind of heavy lifting, and radare2 does, too. In this article, researchers learn how to drive radare2 with r2pipe an


  • A new threat cluster we track as WIP26 has been targeting telecommunication providers in the Middle East.
  • SentinelLabs assesses it is likely that WIP26 is espionage-related.
  • WIP26 relies heavily on public Cloud infrastructure to evade detection by making malicious traffic look legitimate.
  • WIP26 involves the use of backdoors, titled CMD365 and CMDEmber, which abuse Microsoft 365 Mail and Google Firebase services for C2 purposes.
  • WIP26 also involves the use of Microsoft Azure and Dropbox instances as