From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering | Proofpoint US
Key takeaways TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the No...
North Korea’s Post-Infection Python Payloads – One Night in Norfolk
Throughout the past few months, several publications have written about a North Korean threat actor group’s use of NPM packages to deploy malware to developers and other unsuspecting victims. This blog post provides additional details regarding the second and third-stage malware in these attacks, which these publications have only covered in limited detail.
A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask
As “P4x,” Alejandro Caceres single-handedly disrupted the internet of an entire country. Then he tried to show the US military how it can—and should—adopt his methods.
The Updated APT Playbook: Tales from the Kimsuky threat actor group | Rapid7 Blog
Within Rapid7 Labs we continually track and monitor threat groups. As part of this process, we routinely identify evolving tactics from threat groups in what is an unceasing game of cat and mouse.
N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection
The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN.
Two apparently separate North Korean crypto theft campaigns targeting macOS users appear to be linked as threat actors mix and match droppers and payloads.
Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors
Two ongoing campaigns bear hallmarks of North Korean state-sponsored threat actors, posing in job-seeking roles to distribute malware or conduct espionage.
We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX, a complex, lengthy intrusion that has the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts…
ZINC weaponizing open-source software - Microsoft Security Blog
In recent months, Microsoft has detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor we track as ZINC. Microsoft Threat Intelligence Center (MSTIC) observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia. Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.
Lazarus hackers abuse Dell driver bug using new FudModule rootkit
The notorious North Korean hacking group 'Lazarus' was seen installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack.
MagicRAT: Lazarus’ latest gateway into victim networks
Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor. * Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms. * We've also found links between MagicRAT and another RAT known as "TigerRAT," disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently. * TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog.
Kimsuky’s GoldDragon cluster and its C2 operations | Securelist
Kimsuky is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.
Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies | WeLiveSecurity
ESET research uncovers attacks against several high-profile aerospace and military companies in Europe and the Middle East, with several hints suggesting a possible link to the Lazarus group.
North Korean hackers use signed macOS malware to target IT job seekers
North Korean hackers from the Lazarus group have been using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector.
Justice Department seizes $500K from North Korean hackers who targeted US medical organizations
The US Justice Department seized approximately half a million dollars that North Korean government-backed hackers had either extorted from US health care organizations or used to launder ransom payments, deputy Attorney General Lisa Monaco said Tuesday as she touted an aggressive US strategy to claw back money for victims of ransomware attacks.
North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware
A group of actors originating from North Korea that MSTIC tracks as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name.
ZINC weaponizing open-source software - Microsoft Security Blog
In recent months, Microsoft has detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor we track as ZINC. Microsoft Threat Intelligence Center (MSTIC) observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia. Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.
Lazarus hackers abuse Dell driver bug using new FudModule rootkit
The notorious North Korean hacking group 'Lazarus' was seen installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack.
MagicRAT: Lazarus’ latest gateway into victim networks
* Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor. * Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms. * We've also found links between MagicRAT and another RAT known as "TigerRAT," disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently. * TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog.
Kimsuky’s GoldDragon cluster and its C2 operations | Securelist
Kimsuky is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.
Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies | WeLiveSecurity
ESET research uncovers attacks against several high-profile aerospace and military companies in Europe and the Middle East, with several hints suggesting a possible link to the Lazarus group.
North Korean hackers use signed macOS malware to target IT job seekers
North Korean hackers from the Lazarus group have been using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector.
Justice Department seizes $500K from North Korean hackers who targeted US medical organizations
The US Justice Department seized approximately half a million dollars that North Korean government-backed hackers had either extorted from US health care organizations or used to launder ransom payments, deputy Attorney General Lisa Monaco said Tuesday as she touted an aggressive US strategy to claw back money for victims of ransomware attacks.
North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware
A group of actors originating from North Korea that MSTIC tracks as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name.