| https://twitter.com/unpacker |
Just dropped our research on DPRK's campaigns: Contagious Interview & WageMole.
Key takeaways:
1️⃣Threat actors are rapidly evolving tools in Contagious Interview.
2️⃣Successful infection across platforms in record time.
3️⃣WageMole shows in-depth interview prep & precise target selection.
4️⃣They're enhancing interview prep with data stolen from Contagious Interview & Generative AI tech.
Thrilled to shared #Kimsuky's latest activity using TRANSLATEXT to focus on the South Korean education sector in an intelligence gathering effort. 🕵️♂️
https://www.zscaler.com/blogs/security-research/kimsuky-deploys-translatext-target-south-korean-academia
What caught our attention:
▶️ Found a Chrome extension on a attacker-controlled GitHub.
▶️ It snags cookies, screenshots, and even email passwords.
▶️ Can bypass security measures from email providers.
▶️ Uses a dead drop resolver to receive extra commands via a legitimate blog service.
▶️ Target confirmed: South Korean education sector linked to North Korea research.
A comprehensive blog from Microsoft details a new threat actor named Moonstone Sleet, which combines several TTPs from known DPRK threat actors.
https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
Recently, I have also observed that several of these groups show collaboration or a transition of TTPs, indicating significant internal changes. 🤔
Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that combines many tried-and-true techniques used by other North Korean threat actors, as well as unique attack methodologies to target companies for its financial and cyberespionage objectives.
Exploring the latest instance of Contagious Interview campaign via this Reddit thread: https://reddit.com/r/hacking/comments/18npzcl/obfuscated_code_a_recruiter_sent_me/
The actor continues with familiar tactics, incorporating a cleverly obfuscated BeaverTail script. The endgame remains the InvisibleFerret script, with the C2 using IP addresses previously employed by the actor: hxxp://147.124.212[.]89:1244/
Check out the original and insightful research by Unit42 here: https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/
🔍 Intriguing insights on DPRK-affiliated threat actors:
1️⃣ Launching 0-day attacks on security researchers again.
🔗 https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/]
2️⃣ Unrelenting focus on the defense industry, even in Russia.
🔗 https://blogs.microsoft.com/on-the-issues/2023/09/07/digital-threats-cyberattacks-east-asia-china-north-korea/]
Personally, BlueNoroff is not a threat actor that is particularly quick to evolve, but they are active and remain a concern. This time, they have unveiled an updated malware infection chain and malware, allowing them to bypass security measures.
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
TL;DR:
1. Still using old techniques we published before: zip with .lnk file, Word document.
2. To evade MOTW mitigation, they adopted .iso and .vhd file types
3. Testing other file types: VBS, Batch script, PE
4. Created spoofing domains similar to banks and venture capital
