2023-02-09 09:43:48 +08:00
# Group123/APT37
## 20221208
Internet Explorer 0-day exploited by North Korean actor APT37
https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/
word-template[.]net
openxmlformat[.]org
ms-office[.]services
ms-offices[.]com
template-openxml[.]com
## 20211129
ScarCruft surveilling North Korean defectors and human rights activists
https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
## 20191111
Group123, North Korean defector sponsor 'Dragon Messenger' mobile APT attack
https://blog.alyac.co.kr/2588 (Nov 11, 2019)
## 20190423
### Spear Phishing operation:
Group123, APT attack impersonating Unification Ministry, spread malicious code to Google Drive
https://blog.alyac.co.kr/2268 (April 22, 2019)
related:
Group123 group, 'Survey on the total number of discovered separated families in North and South Korea'
https://blog.alyac.co.kr/1767 (July 28, 2014)
IOC:
email_93682646.html: 88107e3c785d3d30e5f6fc191622a157
memo.utr: 86f83586c96943ce96309e3017a3500c
email:
Lee Soo-hyun <loveshlee@unikorea.go.kr>
211.197.11.18
info:
http://155.138.236.240/sec[.]png?id=
### phishing:
### After the victim enters a password and logs in, the page redirects to unikorea.go.kr
https://unikorea.go.kr/upload/editUpload/20190418/2019041814360535872.png
https://unikorea.go.kr/upload/editUpload/20190418/2019041814364795734.png
### The HTML file deceives the victim with this two-step process while connecting to a specific Google Drive address in the background.
download: memo.utr
Google Drive owner: 한국정치학회 (Korean Political Science Association)
Gmail: kpsapress@gmail.com
decodes the PE payload and collects private information
### Posts the collected data to "pcloud"
The authorizing email is kcrc1214@hanmail.net (joined 2018.12.3).
The attacking organization appears to have deliberately used a Russian string to plant a false flag for analysts; translated into English, it reads 'Humpty Dumpty'.
### D:\System\Kernel32\Shell32\Sample\Release\Шалтай-Болтай.pdb (Humpty Dumpty)
### HTML code feature
```html
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta http-equiv="Cache-Control" content="no-cache"/>
<meta http-equiv="Pragma" content="no-cache"/>
<meta http-equiv="Expires" content="0"/>
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
```