Zscaler's ThreatLabz research team has been closely monitoring a campaign targeting users in South Korea. This threat actor has been active for more than a year and continues to evolve its tactics, techniques, and procedures (TTPs). We believe with high confidence that the threat actor is associated with Lazarus Group, a sophisticated North Korean advanced persistent threat (APT) group.

In 2021, the main attack vector used by this threat actor was credential phishing attacks through emails, posing as Naver, the popular South Korean search engine and web portal. In 2022, the same threat actor started spoofing various important entities in South Korea, including KRNIC (Korea Internet Information Center), Korean security vendors such as Ahnlab, cryptocurrency exchanges such as Binance, and others.

Some details about this campaign were published in this Korean blog; however, they did not perform the threat attribution. Even though the TTPs of this threat actor evolved over time, critical parts of their infrastructure were reused, allowing ThreatLabz to correlate the attacks and perform the threat attribution with a high confidence level.

Our research led us to the discovery of command-and-control (C2) domains even before they were used in active attacks by the threat actor. This proactive discovery of attacker infrastructure helps us preempt the attacks.

In this blog, we will share the technical details of the attack chains and explain how we correlated this threat actor to Lazarus.

We would like to thank Dropbox for their quick action in taking down the malicious accounts used by the threat actor, and for sharing valuable threat intelligence that helped us with threat attribution.

This threat actor has frequently updated its attack chains over the last two months. We identified three unique attack chains used by the threat actor to distribute the malware in emails:

During our analysis, we discovered that at least one of the IP addresses (222.112.1279) used by the threat actor to log in to the attacker-controlled Dropbox accounts was also used to send spear phishing emails to the victims in South Korea.

Below are examples of two such emails that were sent from the IP address 222.112.1279.

Note: This IP address is related to KT Corporation, a Korean telecom provider. Multiple IP addresses related to KT Corporation were abused by this threat actor during the current attack.

In the first email, a macro-based document was sent to the victim. Figure 3 below shows that the decoy content of the document is related to Menlo Security, a security company. This is consistent with other decoy contents used by the threat actor. For instance, in the document with MD5 hash 1a536709554860fcc2c147374556205d, the decoy content used was related to Ahnlab, a Korea-based computer security company. This is done for the purpose of social engineering.

In the second email, a password-protected macro-based XLS file was sent to the victim. The password for the file was mentioned in the email body. The theme of the file is related to cryptocurrency investments.
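The infrastructure overlap described above (a source IP seen logging in to the attacker-controlled Dropbox accounts also appearing as the sending IP of spear phishing emails) is the kind of pivot a defender can automate against their own mail and cloud-storage audit data. The following is an added example and is not code from the Zscaler post or from Dropbox; it uses constructed audit-log lines in a made-up format, two constructed emails, the hypothetical edge MTA name mx.example.org, and RFC 5737 documentation addresses rather than any IP from the campaign.

```python
"""Correlate spear-phishing sender IPs with IPs seen in cloud-storage login
audit records (added example; data below is constructed, not from the campaign).
"""
import re
from email import message_from_string
from typing import Dict, List, Optional, Set

# Hypothetical name of our own inbound mail server.  Only the Received:
# header written *by* this host is trusted: headers below it in the list
# were added by the sender's side and can say anything.
EDGE_MTA = "mx.example.org"

# Matches the "[a.b.c.d]" that an MTA writes after the connecting host name.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed audit log in an invented "timestamp event key=value" format;
# real Dropbox audit exports look different.
AUDIT_LOG = """\
2022-05-12T09:14:03Z login account=staging-acct-1 ip=203.0.113.45
2022-05-12T09:20:41Z login account=staging-acct-2 ip=203.0.113.45
2022-05-13T11:02:17Z login account=staging-acct-1 ip=198.51.100.7
"""

# Constructed emails.  Folded Received: headers continue on indented lines.
EMAIL_1 = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
    by mx.example.org with ESMTP id abc123; Thu, 12 May 2022 10:01:55 +0900
Received: from [10.0.0.5] by mail.example.net; Thu, 12 May 2022 10:01:50 +0900
From: "Security Team" <notice@example.net>
Subject: Investment briefing (constructed sample)
Content-Type: text/plain

Please see the attached document.
"""

EMAIL_2 = """\
Received: from relay.example.com (relay.example.com [192.0.2.10])
    by mx.example.org with ESMTP id def456; Fri, 13 May 2022 15:30:02 +0900
From: "Newsletter" <news@example.com>
Subject: Weekly digest (constructed sample)
Content-Type: text/plain

Nothing to see here.
"""


def sender_ip(raw_email: str) -> Optional[str]:
    """Return the IP that connected to our edge MTA, or None if not recorded."""
    msg = message_from_string(raw_email)
    # get_all returns headers top-down, i.e. most recent hop first.
    for received in msg.get_all("Received", []):
        if f"by {EDGE_MTA}" in received:
            match = _RECEIVED_IP.search(received)
            return match.group(1) if match else None
    return None


def login_ips(audit_log: str) -> Dict[str, Set[str]]:
    """Map each login source IP to the set of accounts it authenticated to."""
    by_ip: Dict[str, Set[str]] = {}
    for line in audit_log.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[2:])
        by_ip.setdefault(fields["ip"], set()).add(fields["account"])
    return by_ip


def correlate(raw_emails: List[str], audit_log: str) -> List[dict]:
    """List emails whose trusted sending IP also appears in the login audit log."""
    by_ip = login_ips(audit_log)
    hits = []
    for raw in raw_emails:
        ip = sender_ip(raw)
        if ip in by_ip:
            subject = message_from_string(raw)["Subject"]
            hits.append({"subject": subject, "ip": ip, "accounts": sorted(by_ip[ip])})
    return hits


if __name__ == "__main__":
    for hit in correlate([EMAIL_1, EMAIL_2], AUDIT_LOG):
        print(f"{hit['ip']} sent '{hit['subject']}' and logged in to {hit['accounts']}")
```

The point of trusting only the hop recorded by your own MTA is that every Received: header beneath it was supplied by the sending infrastructure; a correlation built on those lines would be trivially poisonable. In a real deployment the audit-log parser would be replaced by whatever export format the storage provider actually produces, and the hit list would feed a case rather than stand as attribution on its own.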