This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware.
The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S.
healthcare systems.
Observable TTPs
The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations.
Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:
Acquire Infrastructure [T1583].
DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations.
Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
Obfuscate Identity.
DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.
Purchase VPNs and VPSs [T1583.003].
DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.
Gain Access [TA0001].
Actors use various exploits of common vulnerabilities and exposures (CVE) to gain access and escalate privileges on networks.
Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in unpatched SonicWall SMA 100 appliances [T1190 and T1133].
Observed CVEs used include:
CVE 2021-44228
CVE-2021-20038
CVE-2022-24990
Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].
The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup.com.
xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111.
Sign Up For Threat Alerts
Jul 04, 2023
Rhysida Ransomware RaaS Crawls Out of Crimeware...
The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...
Jun 26, 2023
Operation Magalenha – Long-Running Campaign Pursues Portuguese...
The attackers can steal credentials and exfiltrate users' data and personal information, which can be...
Apr 24, 2023
Lazarus Group Adds Linux Malware to Arsenal...
Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...
Apr 23, 2023
Additional IOCs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.
Apr 23, 2023
Ex-Conti and FIN7 Actors Collaborate with New...
IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...
Apr 20, 2023
AuKill EDR killer malware abuses Process Explorer...
The AuKill tool abuses an outdated version of the driver used by version 16.32 of...
Apr 20, 2023
Fake Chrome updates spread malware
A campaign running since the end of last year is using hacked sites to push...
Apr 20, 2023
QBot using new attack vector in its...
QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...
Apr 20, 2023
CrossLock Ransomware Emerges: New Golang – Based...
The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...
Apr 20, 2023
Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...
A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
Additional IOcs for 3cx breach
Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...
Apr 18, 2023
APT36 Expands Interest Within Indian Education Sector
Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...
Apr 17, 2023
ChinaZ DDoS Bot Malware Distributed To Linux...
The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...
Apr 16, 2023
Resurgence Of The Mexals Cryptojacking Campaign
The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...