admin/APT_REPORT
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b1d128294f7517a275f0aaf556f5b13a84e50da8
APT_REPORT/group123/README.MD
blackorbird e9a1af1839 Update README.MD
2023-02-09 09:43:48 +08:00

91 lines
2.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Group123/APT37
## 20221208
Internet Explorer 0-day exploited by North Korean actor APT37
https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/
word-template[.]net
openxmlformat[.]org
ms-office[.]services
ms-offices[.]com
template-openxml[.]com
## 20211129
ScarCruft surveilling North Korean defectors and human rights activists
https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
## 20191111
Group123North Korean defector sponsor 'Dragon Messenger' mobile APT attack
https://blog.alyac.co.kr/2588 (Nov 11 , 2019)
## 20190423
### Spear Phishing operation:
Group123, APT attack impersonating Unification Ministry, spread malicious code to Google Drive
https://blog.alyac.co.kr/2268 (April 22 , 2019)
related
'group123' group 'survey on the total number of discovery of separated families in North and South'
https://blog.alyac.co.kr/1767 (July 28, 2014)
IOC
email_93682646.html
88107e3c785d3d30e5f6fc191622a157
memo.utr
86f83586c96943ce96309e3017a3500c
email:
Lee Soo-hyun <loveshlee@unikorea.go.kr>
211.197.11.18
info:
http://155.138.236.240/sec[.]png?id=
### phishing:
### input password and login it will redirect to unikorea.go.kr
https://unikorea.go.kr/upload/editUpload/20190418/2019041814360535872.png
https://unikorea.go.kr/upload/editUpload/20190418/2019041814364795734.png
### The html file is misleading in this two-step process and will connect you to a specific Google Drive address in the background.
download:memo.utr
google drive owner: 한국정치학회
Gmail:kpsapress@gmail.com
decode PE and collect private information
### post to "pcloud"
the authorize email is kcrc1214@hanmail.net ,2018.12.3 join
The attacking organization seems to have registered Russian expressions to intentionally give the analysts a false flag, and when translated into English, it will change to the expression 'Humpty Dumpty'.
### D:\System\Kernel32\Shell32\Sample\Release\Шалтай-Болтай.pdb (Humpty Dumpty)
### HTML code feature
<meta http-equiv ='Content-Type'content ='text / html; charset = UTF-8'/>
<meta http-equiv ='Cache-Control'content ='no-cache'/>
<meta http-equiv ='Pragma'content ='no-cache'/>
<meta http-equiv ='Expires'content ='0'/>
<meta http-equiv =“X-UA-Compatible”content =“IE = Edge”/>
Reference in New Issue View Git Blame Copy Permalink