Today activity has been moderate but lower than yesterday.
Activity Observations
Phishing activity on JP Morgan Chase, PayPal, Bank of the West, Western Union, Salesforce, Docusign (Large targeted campaign), American Express, Capital One, USPS, and Adobe themes continues from yesterdays alert
Cryptojacking from a Go Lang malware called WatchDog has been observed and reported from partners
AppleJeus - another cryptocurrency malware variant. Largely North Korea uses hacking and cryptocurrency theft to fund their nuclear ambitions
Seeing continued phishing from various location that were added to our daily report
Today we noticed some indications that hackers are targeting Arcsight software updates. This may be similar to what has occurred with other attacks but it was notable and our analyst made a note in our system for end users. The attack vector was through CDN distributed content which continues to be a problem for supply chain security.
SMB scanning activity
Seeing many Big IP F-5 scans
Noted Netgear Router exploit activity and an uptick in scanning for these vulnerable devices to include default passwords on ISP routers (Shaw Cable and others)
Large amount of domains on domain webcindario[.]com hosting malware and other threats to include malicious APK files as well as Windows executables (Literally hundreds of affected subdomains)
AppleJeus Activity still being observed (also alert from US-CERT also alerted to this issue)
Ryuk Ransomware is observed increasing activity over previous days
In addition we added the following documents for reference
35 additional reference documents added to our threat intelligence platform/intelligence platform. Additional files were also imported concerning private North Korean activity around attacking cryptocurrency wallets and end user systems, infrastructure and additional vectors for theft of cryptocurrency centered activity.
February 17, 2021: Joint Cybersecurity Advisory: AppleJeus: Analysis of North Korea's Cryptocurrency Malware
February 17, 2021: Malware Analysis Report-10322463-1.v1: AppleJeus – Celas Trade Pro
February 17, 2021: Malware Analysis Report -10322463-2.v1: AppleJeus – JMT Trader
February 17, 2021: Malware Analysis Report -10322463-3.v1: AppleJeus – Union Crypto
February 17, 2021: Malware Analysis Report -10322463-4.v1: AppleJeus – Kupay Wallet
February 17, 2021: Malware Analysis Report -10322463-5.v1: AppleJeus – CoinGoTrade
February 17, 2021: Malware Analysis Report -10322463-6.v1: AppleJeus – Dorusio
February 17, 2021: Malware Analysis Report -10322463-7.v1: AppleJeus – Ants2Whale
See the listing below for previous Alerts and Malware Analysis Reports (MARs) on North Korea’s malicious cyber activities.
October 27, 2020: Joint CISA-CNMF-FBI Cybersecurity Advisory: North Korean Advanced Persistent Threat Focus: Kimsuky
August 26, 2020: Joint Technical Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks
August 26, 2020: Malware Analysis Report (10301706-1.v1): North Korean Remote Access Tool: ECCENTRICBANDWAGON
August 26, 2020: Malware Analysis Report (10301706-2.v1): North Korean Remote Access Tool: VIVACIOUSGIFT
August 26, 2020: Malware Analysis Report (10257062-1.v2): North Korean Remote Access Tool: FASTCASH for Windows
August 19, 2020: Malware Analysis Report (10295134.r1.v1) – North Korean Remote Access Trojan: BLINDINGCAN
May 12, 2020: Malware Analysis Report (1028834-1.v1) – North Korean Remote Access Tool: COPPERHEDGE
May 12, 2020: Malware Analysis Report (1028834-2.v1) – North Korean Trojan: TAINTEDSCRIBE
May 12, 2020: Malware Analysis Report (1028834-3.v1) – North Korean Trojan: PEBBLEDASH
April 15, 2020 Alert: (AA20-106A) Guidance on the North Korean Cyber Threat
February 14, 2020: Malware Analysis Report (10265965-1.v1) – North Korean Trojan: BISTROMATH
February 14, 2020: Malware Analysis Report (10265965-2.v1) – North Korean Trojan: SLICKSHOES
February 14, 2020: Malware Analysis Report (10265965-3.v1) – North Korean Trojan: CROWDEDFLOUNDER
February 14, 2020: Malware Analysis Report (10271944-1.v1) – North Korean Trojan: HOTCROISSANT
February 14, 2020: Malware Analysis Report (10271944-2.v1) – North Korean Trojan: ARTFULPIE
February 14, 2020: Malware Analysis Report (10271944-3.v1) – North Korean Trojan: BUFFETLINE
February 14, 2020: Malware Analysis Report (10135536-8.v4) – North Korean Trojan: HOPLIGHT (updates October 31, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT, which updated April 10, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT
September 9, 2019: Malware Analysis Report (10135536-21) – North Korean Proxy Malware: ELECTRICFISH (updates May 9, 2019: Malware Analysis Report (10135536-21) – North Korean Tunneling Tool: ELECTRICFISH)
September 9, 2019: Malware Analysis Report (10135536-10) – North Korean Trojan: BADCALL (updates February 13, 2018: Malware Analysis Report (MAR-10135536-G) – North Korean Trojan: BADCALL and STIX file for MAR-10135536-G)
October 2, 2018: Alert TA18-275A - HIDDEN COBRA FASTCash Campaign
October 2, 2018: Malware Analysis Report MAR-10201537 - HIDDEN COBRA FASTCash-Related Malware
August 9, 2018: Malware Analysis Report (10135536-17) – North Korean Trojan: KEYMARBLE
June 14, 2018: Malware Analysis Report (10135536-12) – North Korean Trojan: TYPEFRAME
May 29, 2018: Alert: (TA18-149A) HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
May 29, 2018: Malware Analysis Report (MAR-10135536-3) – HIDDEN COBRA RAT/Worm
March 28, 2018: Malware Analysis Report (MAR-10135536.11) – North Korean Trojan: SHARPKNOT
STIX file for MAR-10135536.11
February 13, 2018: Malware Analysis Report (MAR-10135536-F) – North Korean Trojan: HARDRAIN
STIX file for MAR-10135536-F
December 21, 2017: Malware Analysis Report (MAR-10135536) – North Korean Trojan: BANKSHOT
STIX file for MAR-10135536
November 14, 2017: Alert (TA17-318A) HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
November 14, 2017: Alert (TA17-318B) HIDDEN COBRA – North Korean Trojan: Volgmer
August 23, 2017: Malware Analysis Report (MAR-10132963) – Analysis of Delta Charlie Attack Malware
STIX file for MAR-10132963
June 13, 2017: Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
May 12, 2017: Alert (TA17-132A) Indicators Associated With WannaCry Ransomware
Some of our ISAC partners have also provided additional context on some of the above listed events that has been included in our threat intelligence data.
Other Notes
We have been letting customers know to monitor DNS and CDN network activity since 2017. We believe with the Solar Winds Orion incident and others similar to this story by show that we can expect continued targeting of supply chain on companies that would be presumed to have network level access at these companies. We have previously warned that DNS RPZ could be used to backdoor companies computing systems as well as the strange and sometimes unbelievable backdoors in common software observed on the CDN networks. Stay vigilant as we are seeing more and more of this activity. We will be publishing an in dept report on this in the coming days outlining specific examples, samples and other data that will allow you to make your own conclusions.
These are some of the most recent observations. In addition we are still seeing CDN and DNS manipulation that points to malware infections locations. It is not known whom is responsible for these as they are distributed far and wide.
Last Updated: 3:03 PM EST