APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.
APT37 collects the computer name, the BIOS model, and execution path.
APT37 has created scheduled tasks to run malicious scripts on a compromised host.
APT37 injects its malware variant, ROKRAT, into the cmd.exe process.
APT37's Freenki malware lists running processes using the Microsoft Windows API.
APT37 delivers malware using spearphishing emails with malicious HWP attachments.
APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices.
APT37 uses steganography to send images to users that are embedded with shellcode.
APT37 has signed its malware with an invalid digital certificate listed as "Tencent Technology (Shenzhen) Company Limited."
APT37 leverages the Windows API calls VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.
Inter-Process Communication: Dynamic Data Exchange
APT37 has used Windows DDE for execution of commands and a malicious VBS.
APT37 has downloaded second-stage malware from compromised websites. As part of their compromises, the group has used a JavaScript-based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims.
APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware.
APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).
APT37 has collected data from victims' local systems.
Credentials from Password Stores: Credentials from Web Browsers
APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.
APT37 has used Python scripts to execute payloads.
APT37 executes shellcode and a VBA script to decode Base64 strings.
APT37 has used the command-line interface.
APT37 has used Ruby scripts to execute payloads.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
APT37 has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\.
APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.
Application Layer Protocol: Web Protocols
APT37 uses HTTPS to conceal C2 communications.
Abuse Elevation Control Mechanism: Bypass User Account Control
APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.

At the time, several security researchers cast doubt on the FBI's claims, arguing the hack was more likely performed by insiders with access to SPE's systems. Now, however, the security vendors that investigated the hack believe the FBI was probably right. "Although our analysis cannot support direct attribution of a nation-state or other specific group due to the difficulty of proper attribution in the cyber realm, the FBI's official attribution claims could be supported by our findings," the report stated. A previously unknown group, Guardians of Peace, claimed responsibility for the attack and posted the stolen sensitive data on the internet, only to completely disappear after the attack. The hackers may have attempted to hide themselves as hacktivists to throw trackers off the scent and to spread disinformation, according to the report. While North Korea's ICT infrastructure is poor compared to that of developed countries, Novetta said cyber attacks were "no longer limited to highly-resourced nation states". The Lazarus Group may have been active since 2007, and the researchers have tied 45 different malware families with shared code to the hackers.