Attribution | North Korean Campaign (APT38 / Lazarus Group)
Target | Security (Vulnerability) Researchers
Vector |
Sample Summary |
Summary
An ongoing North Korean social engineering campaign targets vulnerability researchers through fake social media handles, primarily on Twitter. The threat actor(s) build rapport with a targeted researcher by inviting them to collaborate on exploit development for a vulnerability of the attacker's choosing. Once the victim shows interest in the work, the attacker shares a weaponized Visual Studio project file. The malicious project file executes custom.dll, which contains the malware that connects back to the attacker's C2 infrastructure. This method of attack is referred to as Vector #1. In Vector #2, a drive-by attack, the victim is lured into visiting the blog br0vvnn(.)io; a malicious service is then installed on the victim's host and executes an in-memory backdoor.
Technical Overview
- Attackers abuse the "Build Event" feature in Visual Studio to deliver custom-made malware to the victim.
- A PowerShell command is specified in the "Build Event" of the VS project file. When the project is built, the PowerShell script invokes the rundll32 binary to load the malware DLL and its associated files into the memory of the host machine.
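Because the execution primitive here is a build event rather than a compiled binary, the project file itself is the artifact worth inspecting before it is opened in Visual Studio. The following is an added detection example, not code from the original report or the campaign: it parses an MSBuild project (.vcxproj with a `<Command>` child, or the .csproj shape where the event element holds the command text directly, plus `<Exec>` tasks) and flags build events that invoke PowerShell, rundll32 or similar loaders. The sample project, its `custom.dll` path and the `Start` export name are constructed for the test and are not indicators from the page.

```python
import re
import xml.etree.ElementTree as ET

# Elements whose content MSBuild hands to cmd.exe when the project is built.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "Exec"}

# Hallmarks of a build event that stages and runs something other than the build itself.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|rundll32|regsvr32|mshta|certutil|"
    r"-e(nc|ncodedcommand)?\b|invoke-expression|\biex\b|downloadstring|frombase64string",
    re.IGNORECASE,
)

def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def build_event_commands(project_xml: str) -> list:
    """Return (element name, normalized command) for every build event / Exec task."""
    root = ET.fromstring(project_xml)
    out = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag not in BUILD_EVENT_TAGS:
            continue
        if tag == "Exec":  # <Exec Command="..."/> inside a <Target>
            cmd = elem.get("Command", "")
        else:  # .vcxproj keeps the command in a <Command> child; .csproj uses the element text
            child = next((c for c in elem if _local(c.tag) == "Command"), None)
            cmd = (child.text if child is not None else elem.text) or ""
        out.append((tag, " ".join(cmd.split())))
    return out

def find_suspicious_build_events(project_xml: str) -> list:
    """Return only the build events whose command matches SUSPICIOUS."""
    return [(tag, cmd) for tag, cmd in build_event_commands(project_xml) if SUSPICIOUS.search(cmd)]

# Constructed sample project (not the real campaign file): one benign post-build copy and one
# pre-build event of the shape described above (PowerShell -> rundll32 -> DLL in the project dir).
SAMPLE_VCXPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <PreBuildEvent>
      <Command>powershell -c "rundll32 $(ProjectDir)custom.dll,Start"</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)out\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""
```

Run `find_suspicious_build_events(open(path).read())` over every .vcxproj/.csproj in a shared solution before building it; an empty result means no build event matched, not that the project is safe, so still review `build_event_commands` output by hand.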
Indicators of Compromise