Amadey Trojan distributed by DPRK-affiliated APT groups


Malicious Word documents titled “Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia.doc” were recently uploaded to malware submission sites such as ANY.RUN, VMRay, and VirusTotal:

Analysis of the Word documents revealed that a VBA macro drops a secondary payload and connects the infected device to the adversary’s command and control (C&C) server. The malware used in this attack is detected as the Amadey Trojan, a commodity tool used for credential harvesting and remote control by threat actors of all skill levels. The payload is hosted on a compromised website and is retrieved by the Amadey Trojan once the malicious macros are enabled.

VirusTotal campaign graph:

Analysis:

Commodity malware, such as the Amadey Trojan, is a concern because it does not require its operator to have any development capability, only the capacity to deploy it. This increases the number of potential attackers in the ecosystem. Furthermore, commodity malware and open-source tools hinder attribution and reduce the cost of building attack infrastructure for malicious actors. This trend is likely to continue, making campaigns easier to initiate and further frustrating attribution.

The theme of the malicious Word documents is noteworthy, as North Korean cyber-operators often use similar weaponised lures to infiltrate their targets. A limited number of sources have also previously observed DPRK threat actors using Amadey. In 2019, IssueMakersLab, Tencent, and EST Security shared reports of suspected North Korean threat actors using the Amadey botnet. The malware is also leveraged by the Russian cybercrime gang TA505, which has worked with North Korean APT groups in the past.

Interestingly, several of the domains connected to one of the C&C servers (186.122.150[.]107) were sinkholed by Microsoft in a legal move of interdiction against Thallium, a North Korean state-affiliated APT group.

By leveraging the Amadey malware, North Korean threat actors are once again showing some degree of collusion with Eastern European cybercriminals. The APT groups also continue to demonstrate an interest in COVID-19. Kaspersky recently disclosed an attack campaign attributed to the Lazarus group targeting COVID-19 researchers. This intelligence-gathering operation targeted an unnamed pharmaceutical company and, in October, the group targeted a government ministry related to the COVID-19 response.

IOCs:

Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia.doc:

  • 70fa2300d7932ab901c19878bf109bdd9e078e96380879ca2ce2c3f9fc5c7665

VBA:

  • aab683fd88bc5f50e6eed4aaed3f53f66be874de4f27bdcf33ce58f9b86a6054
  • 189215def4bbba391070eaa31b850ed0189afbbef607731c733e89d129baf8b2

tlworker.exe:

  • d1baefd0bdc7f3b0369c5b7126c3b98469a518cf4db788fad1d243d8661a17b9
  • efc139dc0e280a374065dc59c55a45b5146f091a85a3abd6f0caf1a9a2f8b060

Amadey C2s:

  • hxxp://186.122.150[.]107/cc/index.php
  • hxxp://108.62.118[.]185/cc/index.php

Compromised Sites:

  • hxxps://fd-com[.]fr/wp-content/themes/consultingservices/upload/tmp.txt
  • hxxps://www.rabadaun[.]com/wordpress/wp-content/themes/TEMP.so
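As an added, defender-side example (not code from the original post), the indicators above can be refanged and matched against web-proxy records and file hashes; the proxy log lines below are constructed for illustration, not real traffic.

```python
import hashlib

# Indicators copied from the post, kept in their defanged form.
AMADEY_C2_URLS = [
    "hxxp://186.122.150[.]107/cc/index.php",
    "hxxp://108.62.118[.]185/cc/index.php",
]
COMPROMISED_SITE_URLS = [
    "hxxps://fd-com[.]fr/wp-content/themes/consultingservices/upload/tmp.txt",
    "hxxps://www.rabadaun[.]com/wordpress/wp-content/themes/TEMP.so",
]
PAYLOAD_SHA256 = {  # tlworker.exe hashes from the post
    "d1baefd0bdc7f3b0369c5b7126c3b98469a518cf4db788fad1d243d8661a17b9",
    "efc139dc0e280a374065dc59c55a45b5146f091a85a3abd6f0caf1a9a2f8b060",
}


def refang(indicator: str) -> str:
    """Turn the defanged notation used in reports back into a matchable URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


# Constructed proxy log lines: timestamp, client IP, method, URL, status code.
SAMPLE_PROXY_LOG = """\
2020-12-21T09:14:02Z 10.0.0.15 GET https://fd-com.fr/wp-content/themes/consultingservices/upload/tmp.txt 200
2020-12-21T09:14:05Z 10.0.0.15 POST http://186.122.150.107/cc/index.php 200
2020-12-21T09:15:11Z 10.0.0.22 GET https://example.org/index.php 200
"""


def scan_proxy_log(log_text: str):
    """Return (client, url, label) for every request that hits a known indicator."""
    watch = {refang(u): "amadey-c2" for u in AMADEY_C2_URLS}
    watch.update({refang(u): "payload-host" for u in COMPROMISED_SITE_URLS})
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:  # skip malformed records
            continue
        client, url = parts[1], parts[3]
        label = watch.get(url)
        if label:
            hits.append((client, url, label))
    return hits


def is_known_payload(data: bytes) -> bool:
    """True if the file content hashes to one of the listed tlworker.exe samples."""
    return hashlib.sha256(data).hexdigest() in PAYLOAD_SHA256
```

A hit on a payload-host URL followed by a POST to a /cc/index.php C2 from the same client is the sequence the post describes and is worth correlating in the SIEM.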
