Latest North Korean Social Engineering Campaign Threat Intel Advisory

Summary

CloudSEK threat intelligence advisory on an ongoing North Korean campaign targeting security researchers to spread weaponized files.
Attribution: North Korean campaign (APT38 / Lazarus Group)
Target: Security (vulnerability) researchers
Vector:
  • Weaponized Visual Studio project file (Vector #1)
  • Drive-by attack that downloads an in-memory backdoor beacon onto the victim host (Vector #2)
Sample Summary:
  • The provided samples map to Vector #1
  • Samples consist of a DLL, an EXE and a registry configuration
 

Summary

An ongoing North Korean social engineering campaign targets vulnerability researchers through fake social media handles, specifically on Twitter. The threat actor(s) build rapport with target researchers by inviting them to collaborate on exploit development for a vulnerability of the attacker’s choice. Once the victim shows interest in the work, the attacker shares a weaponized Visual Studio project file with them. Building the malicious project executes custom.dll, which contains the malware that connects back to the attacker’s C2 infrastructure. This method of attack is known as Vector #1. In Vector #2, a drive-by attack, the attacker lures victims into visiting the blog br0vvnn(.)io; the visit installs a malicious service on the victim host, which executes an in-memory backdoor.

Technical Overview

  • Attackers abuse the “Build Event” feature of Visual Studio to run custom-made malware on the victim’s machine when the shared project is built.
  • A PowerShell command is placed in the “Build Event” of the VS project file. When the build runs, the PowerShell script invokes the rundll32 binary to load the malware DLL and its associated files into memory on the host.
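
As an added example (not CloudSEK's code), the following Python script parses a .vcxproj file, extracts every PreBuildEvent, PreLinkEvent and PostBuildEvent command, and flags commands that invoke PowerShell, rundll32 or similar binaries, which is how the build-event abuse described above can be spotted before a shared project is ever built. The two embedded project files are constructed samples, and the DLL export name EntryPoint is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Build-event elements a .vcxproj can carry; each wraps a <Command> that MSBuild passes to cmd.exe.
BUILD_EVENTS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent"}
# Interpreters, LOLBins and flags that a normal C++ build step rarely needs.
SUSPICIOUS = re.compile(
    r"\b(?:powershell|pwsh|rundll32|regsvr32|mshta|certutil|bitsadmin)(?:\.exe)?\b"
    r"|-(?:enc|encodedcommand|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.IGNORECASE,
)

def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace so old- and SDK-style projects parse the same way."""
    return tag.rsplit("}", 1)[-1]

def build_event_commands(vcxproj_xml: str) -> list:
    """Return (event, command) for every non-empty build-event command in the project."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for node in root.iter():
        if _local(node.tag) in BUILD_EVENTS:
            for child in node:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((_local(node.tag), child.text.strip()))
    return found

def flag_suspicious_build_events(vcxproj_xml: str) -> list:
    """Return build events whose command matches SUSPICIOUS, with the tokens that matched."""
    hits = []
    for event, cmd in build_event_commands(vcxproj_xml):
        matched = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(cmd)})
        if matched:
            hits.append({"event": event, "command": cmd, "matched": matched})
    return hits

# Constructed samples (not real campaign files): a benign post-build copy step, and a
# project whose pre-build event launches PowerShell to load a DLL through rundll32.
BENIGN_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup><PostBuildEvent>
    <Command>xcopy /y "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
  </PostBuildEvent></ItemDefinitionGroup></Project>"""
TROJANIZED_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup><PreBuildEvent>
    <Command>powershell -ExecutionPolicy Bypass -Command "rundll32.exe $(ProjectDir)custom.dll,EntryPoint"</Command>
  </PreBuildEvent></ItemDefinitionGroup></Project>"""

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_VCXPROJ), ("trojanized", TROJANIZED_VCXPROJ)):
        print(name, flag_suspicious_build_events(xml))
```

Run it over every .vcxproj in a received solution before opening it in Visual Studio; Build Events fire on Build, so reviewing the project XML in a plain text editor first is the safe order.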
 

Indicators of Compromise

File Hashes
Registry Keys
HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSp
HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSp\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSp\Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update
File Paths
C:\Windows\System32\Nwsapagent.sys
C:\Windows\System32\helpsvc.sys
C:\ProgramData\USOShared\uso.bin
C:\ProgramData\VMware\vmnat-update.bin
C:\ProgramData\VirtualBox\update.bin
Domains
URLs
