Latest North Korean Social Engineering Campaign Threat Intel Advisory

CloudSEK threat intelligence advisory on an ongoing North Korean campaign targeting security researchers to spread weaponized files.
Updated on April 19, 2023
Published on February 8, 2021
5 minute read
Attribution
North Korean Campaign (APT38/ Lazarus Group)
Target
Security (Vulnerability) Researchers
Vector
  • Weaponized Visual Studio project file (Vector #1)
  • Drive-by attack that downloads an in-memory backdoor beacon onto the victim host (Vector #2)
Sample Summary
  • The provided samples map to Vector #1
  • Samples consist of DLL/EXE/Registry Configuration
 

Summary

An ongoing North Korean social engineering campaign targets vulnerability researchers using fake social media accounts, primarily on Twitter. The threat actor(s) build rapport with target researchers by inviting them to collaborate on exploit development for a vulnerability of the attacker’s choosing. Once the victim shows interest in the work, the attacker shares a weaponized Visual Studio project file with them. The malicious project file executes custom.dll, which contains the malware that connects back to the attacker’s C2 infrastructure. This method of attack is known as Vector #1. In Vector #2, a drive-by attack, victims are lured into visiting the blog br0vvnn(.)io; the visit installs a malicious service on the victim host, which executes an in-memory backdoor.

Technical Overview

  • Attackers abuse the “Build Event” feature in Visual Studio to run custom-made malware on the victim host.
  • A PowerShell command is placed in the “Build Event” of the VS project file; when the project is built, the PowerShell script invokes the rundll32 binary to load the malware DLL and its associated files into the memory of the host machine.
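As an added example (not code from the advisory or from CloudSEK), the following Python script statically inspects Visual Studio project files for build events and flags commands that invoke PowerShell or rundll32, the pattern described in the overview above. It handles both the .vcxproj layout (a nested `<Command>` element) and the .csproj layout (the command as element text). The two project XML samples, the indicator patterns and the export name `ExportName` are constructed for illustration; only the `C:\ProgramData\VirtualBox\update.bin` path is taken from the advisory's IoC list.

```python
"""Flag suspicious MSBuild build events in Visual Studio project files.

Added example for this advisory; not CloudSEK code. The sample project XML,
the export name "ExportName" and the indicator list are constructed.
"""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# Build-event elements used by .vcxproj (nested <Command>) and .csproj (element text).
BUILD_EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")

# Indicators a reviewer would not expect in a legitimate compile or copy step.
SUSPICIOUS_PATTERNS = [
    ("powershell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("rundll32", re.compile(r"\brundll32(\.exe)?\b", re.I)),
    ("encoded-command", re.compile(r"-(enc|encodedcommand)\b", re.I)),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    ("downloader", re.compile(r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl|wget)\b", re.I)),
    ("policy-bypass", re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I)),
]


def extract_build_events(project_xml):
    """Return a list of (event_tag, command_text) for every build event in the project."""
    root = ET.fromstring(project_xml)
    events = []
    for element in root.iter():
        tag = element.tag.split("}")[-1]          # strip the MSBuild namespace, if present
        if tag not in BUILD_EVENT_TAGS:
            continue
        command = element.find(f"{{{MSBUILD_NS}}}Command")
        if command is None:
            command = element.find("Command")     # SDK-style projects carry no namespace
        text = (command.text if command is not None else element.text) or ""
        events.append((tag, text.strip()))
    return events


def scan_project(project_xml):
    """Return one finding per build event that matches at least one indicator."""
    findings = []
    for tag, command in extract_build_events(project_xml):
        hits = [name for name, pattern in SUSPICIOUS_PATTERNS if pattern.search(command)]
        if hits:
            findings.append({"event": tag, "indicators": hits, "command": command})
    return findings


# Constructed benign sample: a post-build copy step, the kind of thing build events are for.
BENIGN_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PostBuildEvent>
      <Command>xcopy /y "$(TargetPath)" "$(SolutionDir)bin"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

# Constructed suspicious sample modelled on the technique in the advisory: a pre-build event
# running PowerShell, which hands a DLL to rundll32. "ExportName" is a placeholder export.
SUSPICIOUS_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>powershell -w hidden -c "rundll32 C:\\ProgramData\\VirtualBox\\update.bin,ExportName"</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_VCXPROJ), ("suspicious", SUSPICIOUS_VCXPROJ)):
        print(name, scan_project(xml))
```

Run it over every `.vcxproj` and `.csproj` in a repository you have been handed before opening the solution in Visual Studio; any build event that scores a hit deserves a manual read, since a build event runs as soon as the project is built.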
 

Indicators of Compromise

File Hashes
a3060a3efb9ac3da444ef8abc99143293076fe32
29489f1a0c1d3920d783c047641fc46d759935dacf09debb3769c3a843b90ee2
4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244
68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7
25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc
a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855
a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15
Registry Keys
HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSp
HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSp\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSp\Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update
File Paths
C:\Windows\System32\Nwsapagent.sys
C:\Windows\System32\helpsvc.sys
C:\ProgramData\USOShared\uso.bin
C:\ProgramData\VMware\vmnat-update.bin
C:\ProgramData\VirtualBox\update.bin
Domains
angeldonationblog[.]com
codevexillium[.]org
investbooking[.]de
krakenfolio[.]com
opsonew3org[.]sg
transferwiser[.]io
transplugin[.]io
trophylab[.]com
www.colasprint[.]com
www.dronerc[.]it
www.edujikim[.]com
www.fabioluciani[.]com
URLs
https[:]//angeldonationblog[.]com/image/upload/upload.php
https[:]//codevexillium[.]org/image/download/download.asp
https[:]//investbooking[.]de/upload/upload.asp
https[:]//transplugin[.]io/upload/upload.asp
https[:]//www.dronerc[.]it/forum/uploads/index.php
https[:]//www.dronerc[.]it/shop_testbr/Core/upload.php
https[:]//www.dronerc[.]it/shop_testbr/upload/upload.php
https[:]//www.edujikim[.]com/intro/blue/insert.asp
https[:]//www.fabioluciani[.]com/es/include/include.asp
http[:]//trophylab[.]com/notice/images/renewal/upload.asp
http[:]//www.colasprint[.]com/_vti_log/upload.asp
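Added example (not code from the advisory or from CloudSEK): the network IoCs above are published defanged (`[.]`, `[:]`), so they must be refanged before they can be compared with logs. The script below refangs the advisory's domains and URLs and runs them over proxy log lines. The log format and the log lines are constructed; the domain and URL lists are the advisory's own. Treating any subdomain of a listed domain as a hit is an assumption on my part, chosen so that a new host under a known-bad domain still raises an alert.

```python
"""Refang the advisory's network IoCs and match them against proxy log lines.

Added example for this advisory; not CloudSEK code. The log format and the
log lines are constructed; the domains and URLs are the advisory's own IoCs.
"""
import re
from urllib.parse import urlparse

# Defanging conventions used in this advisory, plus the common hxxp form.
DEFANG_MAP = (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http"))

ADVISORY_DOMAINS = [
    "angeldonationblog[.]com", "codevexillium[.]org", "investbooking[.]de",
    "krakenfolio[.]com", "opsonew3org[.]sg", "transferwiser[.]io",
    "transplugin[.]io", "trophylab[.]com", "www.colasprint[.]com",
    "www.dronerc[.]it", "www.edujikim[.]com", "www.fabioluciani[.]com",
]
ADVISORY_URLS = [
    "https[:]//angeldonationblog[.]com/image/upload/upload.php",
    "https[:]//codevexillium[.]org/image/download/download.asp",
    "https[:]//investbooking[.]de/upload/upload.asp",
    "https[:]//transplugin[.]io/upload/upload.asp",
    "https[:]//www.dronerc[.]it/forum/uploads/index.php",
    "https[:]//www.dronerc[.]it/shop_testbr/Core/upload.php",
    "https[:]//www.dronerc[.]it/shop_testbr/upload/upload.php",
    "https[:]//www.edujikim[.]com/intro/blue/insert.asp",
    "https[:]//www.fabioluciani[.]com/es/include/include.asp",
    "http[:]//trophylab[.]com/notice/images/renewal/upload.asp",
    "http[:]//www.colasprint[.]com/_vti_log/upload.asp",
]


def refang(ioc):
    """Turn a defanged indicator back into its real form so it can be compared with logs."""
    text = ioc.strip()
    for defanged, real in DEFANG_MAP:
        text = text.replace(defanged, real)
    return text


class IocMatcher:
    def __init__(self, domains, urls):
        self.domains = {refang(d).lower() for d in domains}
        self.urls = {refang(u).lower() for u in urls}

    def match_host(self, host):
        """Exact host or any parent domain in the feed (assumption: subdomains count as hits)."""
        labels = host.lower().split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_url(self, url):
        """Return (kind, indicator) for a hit, or None. Full-URL hits take precedence."""
        url = url.lower()
        if url in self.urls:
            return ("url", url)
        hit = self.match_host(urlparse(url).hostname or "")
        return ("domain", hit) if hit else None


# Constructed proxy log format: timestamp client method url status
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# Constructed log lines: one exact URL hit, one benign request, one subdomain hit, one exact URL hit.
LOG_LINES = [
    "2021-02-08T10:12:01Z 10.0.0.5 GET https://www.dronerc.it/forum/uploads/index.php 200",
    "2021-02-08T10:12:05Z 10.0.0.5 GET https://example.com/index.html 200",
    "2021-02-08T10:13:40Z 10.0.0.9 POST https://cdn.transplugin.io/upload/upload.asp 200",
    "2021-02-08T10:14:02Z 10.0.0.9 GET http://trophylab.com/notice/images/renewal/upload.asp 404",
]


def scan_log(lines, matcher):
    """Return one alert per log line whose URL or host matches an advisory indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = matcher.match_url(m["url"])
        if hit:
            alerts.append({"client": m["client"], "kind": hit[0], "indicator": hit[1], "url": m["url"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(LOG_LINES, IocMatcher(ADVISORY_DOMAINS, ADVISORY_URLS)):
        print(alert)
```

A full-URL hit is the stronger signal (the listed paths are upload endpoints, so a POST to one of them from a workstation is worth immediate triage); a bare domain hit on a subdomain is weaker and should be confirmed against the host's process and file indicators listed above.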
