The Shadow Force group is a threat group that has been active since 2013, targeting corporations and organizations in South Korea. Trend Micro published the first analysis report in September 2015, stating that a Korean media-related company had been attacked. In March 2020, AhnLab published an analysis report on Operation Shadow Force. It was introduced as a single campaign, and there was a possibility that it was the activity of an existing threat group. However, no relevant threat group information has been found for over three (3) years since the release of that analysis report, so it appears to be a group active in Korea. In July 2022, KrCERT published the details of its analysis of an additional breach by the Shadow Force group in its report "Analysis of Lateral Movement Strategies Using TTPs #7: SMB Admin Share". In October 2022, AhnLab announced that the PE-modifying iatinfect.exe file was still being detected continuously.
The report covers the changes made to the existing malware and the new malware discovered while tracking recent activities of the Shadow Force group. File modification using iatinfect.exe continues to be reported, while the usage rate of the backdoor used in the past has decreased. Instead, there have been cases where other backdoors such as Viticdoor were used, and since December 2021, cryptocurrency miners have been installed alongside them. The threat actor has been using the same file names and similar malware and tools since 2014, which makes the group easier to identify.
Link to the full AhnLab report on Shadow Force: ATIP_2023_Shadow-Force-Groups-Viticdoor-and-CoinMiner.pdf