What we're seeing today, 18 Feb 2021


Today's activity has been moderate, lower than yesterday's.



Activity Observations

  • Phishing activity using JP Morgan Chase, PayPal, Bank of the West, Western Union, Salesforce, DocuSign (a large targeted campaign), American Express, Capital One, USPS and Adobe themes continues from yesterday's alert

  • Cryptojacking by a Go malware family called WatchDog has been observed and reported by partners

  • AppleJeus, another cryptocurrency-theft malware family, attributed to North Korea. North Korea largely uses hacking and cryptocurrency theft to fund its nuclear ambitions

  • Continued phishing from various locations, which have been added to our daily report

  • Today we noticed indications that attackers are targeting ArcSight software updates. This may be similar to what has occurred in other attacks, but it was notable, and our analyst made a note in our system for end users. The attack vector was CDN-distributed content, which continues to be a problem for supply-chain security: treat content fetched from a CDN as untrusted until its signature or hash has been verified against a value obtained from the vendor through a channel independent of that CDN

  • SMB scanning activity

  • Many scans for F5 BIG-IP devices

  • Netgear router exploit activity and an uptick in scanning for these vulnerable devices, including default-password attempts against ISP routers (Shaw Cable and others)

  • A large number of subdomains under webcindario[.]com hosting malware and other threats, including malicious APK files as well as Windows executables (literally hundreds of affected subdomains)

  • AppleJeus activity is still being observed (US-CERT has also alerted on this issue; see the advisory and analysis reports listed below)

  • Ryuk ransomware activity observed increasing over previous days


In addition, we added the following documents for reference.

35 additional reference documents were added to our threat intelligence platform. Additional files were also imported from private reporting on North Korean activity targeting cryptocurrency wallets, end-user systems and infrastructure, and other vectors for theft of cryptocurrency.


  • February 17, 2021: Joint Cybersecurity Advisory: AppleJeus: Analysis of North Korea's Cryptocurrency Malware

  • February 17, 2021: Malware Analysis Report (10322463-1.v1) – AppleJeus: Celas Trade Pro

  • February 17, 2021: Malware Analysis Report (10322463-2.v1) – AppleJeus: JMT Trader

  • February 17, 2021: Malware Analysis Report (10322463-3.v1) – AppleJeus: Union Crypto

  • February 17, 2021: Malware Analysis Report (10322463-4.v1) – AppleJeus: Kupay Wallet

  • February 17, 2021: Malware Analysis Report (10322463-5.v1) – AppleJeus: CoinGoTrade

  • February 17, 2021: Malware Analysis Report (10322463-6.v1) – AppleJeus: Dorusio

  • February 17, 2021: Malware Analysis Report (10322463-7.v1) – AppleJeus: Ants2Whale

See the listing below for previous Alerts and Malware Analysis Reports (MARs) on North Korea’s malicious cyber activities.

  • October 27, 2020: Joint CISA-CNMF-FBI Cybersecurity Advisory: North Korean Advanced Persistent Threat Focus: Kimsuky

  • August 26, 2020: Joint Technical Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks

  • August 26, 2020: Malware Analysis Report (10301706-1.v1): North Korean Remote Access Tool: ECCENTRICBANDWAGON

  • August 26, 2020: Malware Analysis Report (10301706-2.v1): North Korean Remote Access Tool: VIVACIOUSGIFT

  • August 26, 2020: Malware Analysis Report (10257062-1.v2): North Korean Remote Access Tool: FASTCASH for Windows

  • August 19, 2020: Malware Analysis Report (10295134.r1.v1) – North Korean Remote Access Trojan: BLINDINGCAN

  • May 12, 2020: Malware Analysis Report (1028834-1.v1) – North Korean Remote Access Tool: COPPERHEDGE

  • May 12, 2020: Malware Analysis Report (1028834-2.v1) – North Korean Trojan: TAINTEDSCRIBE

  • May 12, 2020: Malware Analysis Report (1028834-3.v1) – North Korean Trojan: PEBBLEDASH

  • April 15, 2020: Alert (AA20-106A) – Guidance on the North Korean Cyber Threat

  • February 14, 2020: Malware Analysis Report (10265965-1.v1) – North Korean Trojan: BISTROMATH

  • February 14, 2020: Malware Analysis Report (10265965-2.v1) – North Korean Trojan: SLICKSHOES

  • February 14, 2020: Malware Analysis Report (10265965-3.v1) – North Korean Trojan: CROWDEDFLOUNDER

  • February 14, 2020: Malware Analysis Report (10271944-1.v1) – North Korean Trojan: HOTCROISSANT

  • February 14, 2020: Malware Analysis Report (10271944-2.v1) – North Korean Trojan: ARTFULPIE

  • February 14, 2020: Malware Analysis Report (10271944-3.v1) – North Korean Trojan: BUFFETLINE

  • February 14, 2020: Malware Analysis Report (10135536-8.v4) – North Korean Trojan: HOPLIGHT (updates October 31, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT, which updated April 10, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT)

  • September 9, 2019: Malware Analysis Report (10135536-21) – North Korean Proxy Malware: ELECTRICFISH (updates May 9, 2019: Malware Analysis Report (10135536-21) – North Korean Tunneling Tool: ELECTRICFISH)

  • September 9, 2019: Malware Analysis Report (10135536-10) – North Korean Trojan: BADCALL (updates February 13, 2018: Malware Analysis Report (MAR-10135536-G) – North Korean Trojan: BADCALL and STIX file for MAR-10135536-G)

  • October 2, 2018: Alert (TA18-275A) – HIDDEN COBRA FASTCash Campaign

  • October 2, 2018: Malware Analysis Report (MAR-10201537) – HIDDEN COBRA FASTCash-Related Malware

  • August 9, 2018: Malware Analysis Report (10135536-17) – North Korean Trojan: KEYMARBLE

  • June 14, 2018: Malware Analysis Report (10135536-12) – North Korean Trojan: TYPEFRAME

  • May 29, 2018: Alert (TA18-149A) – HIDDEN COBRA: Joanap Backdoor Trojan and Brambul Server Message Block Worm

  • May 29, 2018: Malware Analysis Report (MAR-10135536-3) – HIDDEN COBRA RAT/Worm

  • March 28, 2018: Malware Analysis Report (MAR-10135536.11) – North Korean Trojan: SHARPKNOT

  • STIX file for MAR-10135536.11


  • February 13, 2018: Malware Analysis Report (MAR-10135536-F) – North Korean Trojan: HARDRAIN

  • STIX file for MAR-10135536-F


  • December 21, 2017: Malware Analysis Report (MAR-10135536) – North Korean Trojan: BANKSHOT

  • STIX file for MAR-10135536


  • November 14, 2017: Alert (TA17-318A) HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL

  • November 14, 2017: Alert (TA17-318B) HIDDEN COBRA – North Korean Trojan: Volgmer

  • August 23, 2017: Malware Analysis Report (MAR-10132963) – Analysis of Delta Charlie Attack Malware

  • STIX file for MAR-10132963


  • June 13, 2017: Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

  • May 12, 2017: Alert (TA17-132A) Indicators Associated With WannaCry Ransomware


Some of our ISAC partners have also provided additional context on some of the events listed above; that context has been included in our threat intelligence data.


Other Notes

We have been advising customers to monitor DNS and CDN network activity since 2017. We believe the SolarWinds Orion incident and others like it show that we can expect continued targeting of the supply chain through vendors presumed to have network-level access at their customers. We have previously warned that DNS RPZ could be used to backdoor corporate computing systems, and of the strange and sometimes unbelievable backdoors in common software observed on CDN networks. Stay vigilant, as we are seeing more and more of this activity. We will publish an in-depth report on this in the coming days, outlining specific examples, samples and other data that will allow you to draw your own conclusions.


These are some of our most recent observations. In addition, we are still seeing CDN and DNS manipulation that points clients to malware infection locations. It is not known who is responsible, as these are distributed far and wide.
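The DNS RPZ concern above comes down to one check: does the resolver your clients use return the same answers as a resolver you do not control? The script below is an added example (not part of the original post and not this vendor's tooling): it parses constructed resolver log lines, compares the internal resolver's A records with those from an independent resolver, and flags names that were rewritten or sinkholed, while allowing legitimate geo-DNS/CDN variation through an allowlist of expected address ranges. The log format, hostnames and address ranges are all constructed for the example.

```python
"""Detect DNS answers that diverge between an internal resolver (which may
apply RPZ rewrites) and an independent out-of-band resolver.

Added example; not from the original post. All inputs below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Hypothetical log format for this example (not any real resolver's format):
# "<timestamp> <qname> A <address|NXDOMAIN>", one line per answer record.
LOG_LINE = re.compile(r"^\S+\s+(?P<qname>\S+)\s+A\s+(?P<answer>\S+)$")

# Constructed sample logs: what the internal resolver returned ...
INTERNAL_LOG = """\
2021-02-18T14:02:11Z updates.example-vendor.com A 203.0.113.7
2021-02-18T14:02:12Z cdn.example-vendor.com A 198.51.100.20
2021-02-18T14:02:13Z login.example-bank.com A 192.0.2.10
2021-02-18T14:02:14Z telemetry.example-vendor.com A NXDOMAIN
"""
# ... and what an independent resolver returned for the same names.
EXTERNAL_LOG = """\
2021-02-18T14:02:11Z updates.example-vendor.com A 192.0.2.50
2021-02-18T14:02:12Z cdn.example-vendor.com A 198.51.100.5
2021-02-18T14:02:13Z login.example-bank.com A 192.0.2.10
2021-02-18T14:02:14Z telemetry.example-vendor.com A 192.0.2.60
"""

# Names whose answers legitimately differ per resolver (CDN / geo-DNS).
# Hypothetical ranges; in practice populate from the vendor's published prefixes.
EXPECTED_RANGES: Dict[str, List[str]] = {
    "cdn.example-vendor.com": ["198.51.100.0/24"],
}


def parse_answers(log: str) -> Dict[str, Set[str]]:
    """Map each query name to the set of A records seen (empty set = NXDOMAIN)."""
    answers: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not A answers
        qname = m["qname"].rstrip(".").lower()
        addrs = answers.setdefault(qname, set())
        if m["answer"] != "NXDOMAIN":
            addrs.add(m["answer"])
    return answers


def _finding(qname: str, kind: str, internal: Set[str], external: Set[str]) -> dict:
    return {"qname": qname, "kind": kind,
            "internal": sorted(internal), "external": sorted(external)}


def compare_answers(internal: Dict[str, Set[str]], external: Dict[str, Set[str]],
                    expected_ranges: Dict[str, List[str]]) -> List[dict]:
    """Return one finding per name whose internal answer is suspicious.

    kinds: missing_answer (internal NXDOMAIN while external resolves: RPZ NXDOMAIN
    or sinkhole), internal_only (split-horizon name, informational),
    outside_expected_range (CDN name resolved outside its allowlisted prefixes)
    and divergent_answer (plain rewrite of a name with no allowlist).
    """
    findings: List[dict] = []
    for qname in sorted(set(internal) | set(external)):
        int_addrs = internal.get(qname, set())
        ext_addrs = external.get(qname, set())
        if not int_addrs and ext_addrs:
            findings.append(_finding(qname, "missing_answer", int_addrs, ext_addrs))
            continue
        if int_addrs and not ext_addrs:
            findings.append(_finding(qname, "internal_only", int_addrs, ext_addrs))
            continue
        nets = [ipaddress.ip_network(r) for r in expected_ranges.get(qname, [])]
        if nets:
            # Allowlisted name: differing answers are fine as long as every
            # internal address falls inside one of the expected prefixes.
            outside = {a for a in int_addrs
                       if not any(ipaddress.ip_address(a) in n for n in nets)}
            if outside:
                findings.append(_finding(qname, "outside_expected_range", int_addrs, ext_addrs))
            continue
        if int_addrs != ext_addrs:
            findings.append(_finding(qname, "divergent_answer", int_addrs, ext_addrs))
    return findings


if __name__ == "__main__":
    for f in compare_answers(parse_answers(INTERNAL_LOG),
                             parse_answers(EXTERNAL_LOG), EXPECTED_RANGES):
        print(f"{f['kind']:24} {f['qname']:32} internal={f['internal']} external={f['external']}")
```

On the constructed data this reports updates.example-vendor.com as a divergent answer and telemetry.example-vendor.com as a missing answer, while the CDN name passes because its internal address is inside the allowlisted prefix. Run the external side against a resolver reached over a path the internal resolver cannot influence (for example DoH to a fixed IP), otherwise both sides see the same rewrite and the comparison proves nothing.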


Last Updated: 3:03 PM EST




