APT_REPORT/group123/README.MD

2019-04-23 14:55:40 +08:00
# Group123
## 20190423
Two related phishing operations:

- Group123, APT attack impersonating the Unification Ministry, spreads malicious code via Google Drive: https://blog.alyac.co.kr/2268 (April 22, 2019)
- 'group123' group, 'survey on the total number of discovery of separated families in North and South': https://blog.alyac.co.kr/1767 (July 28, 2014)

Samples (MD5):

- email_93682646.html `88107e3c785d3d30e5f6fc191622a157`
- memo.utr `86f83586c96943ce96309e3017a3500c`
E-mail:

- Lee Soo-hyun <loveshlee@unikorea.go.kr>
- 211.197.11.18

Info:

- http://155.138.236.240/sec[.]png?id=

Phishing:

The page asks the victim to enter a password and log in; after submission it redirects to unikorea.go.kr.

- https://unikorea.go.kr/upload/editUpload/20190418/2019041814360535872.png
- https://unikorea.go.kr/upload/editUpload/20190418/2019041814364795734.png
The HTML file leads the victim through this two-step process and, in the background, connects to a specific Google Drive address.

- Download: memo.utr
- Google Drive owner: 한국정치학회
- Gmail: kpsapress@gmail.com
- Decodes a PE, collects private information, and posts it to "pcloud"
- The account e-mail used for authorization is kcrc1214@hanmail.net (joined 2018.12.3)

The attackers appear to have placed a Russian string in the PDB path deliberately, as a false flag for analysts; translated into English it reads 'Humpty Dumpty'.

`D:\System\Kernel32\Shell32\Sample\Release\Шалтай-Болтай.pdb` (Humpty Dumpty)
HTML code features:

```html
<meta http-equiv ='Content-Type'content ='text / html; charset = UTF-8'/>
<meta http-equiv ='Cache-Control'content ='no-cache'/>
<meta http-equiv ='Pragma'content ='no-cache'/>
<meta http-equiv ='Expires'content ='0'/>
<meta http-equiv =“X-UA-Compatible”content =“IE = Edge”/>
```
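A triage check that a mail-gateway or sandbox analyst could run over HTML attachments, as an added example (not code from the original README or from the reporting team): it flags a file that carries the cache-busting `<meta http-equiv>` set listed above together with a password form whose action, or other loaded resources, point off the domain the page imitates. The sample HTML at the bottom is constructed for the demo; the hostname `example-drive.invalid` and the additive scoring weights are assumptions of this example, not indicators or rules from the page.

```python
"""Triage check for credential-phishing HTML attachments (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# http-equiv/content pairs from the README, lowercased with all whitespace
# removed so the sample's irregular spacing ("IE = Edge") still matches.
SUSPECT_META = {
    ("cache-control", "no-cache"),
    ("pragma", "no-cache"),
    ("expires", "0"),
    ("x-ua-compatible", "ie=edge"),
}

# Tag/attribute pairs that make the browser contact another host.
URL_ATTRS = {"form": "action", "script": "src", "iframe": "src",
             "img": "src", "a": "href", "link": "href"}


def _norm(value):
    """Lowercase an attribute value and strip every whitespace character."""
    return "".join(str(value or "").split()).lower()


class PhishFeatureParser(HTMLParser):
    """Collect meta http-equiv pairs, password inputs and referenced hosts."""

    def __init__(self):
        super().__init__()
        self.meta = set()          # (http-equiv, content) pairs seen
        self.password_inputs = 0   # number of <input type="password">
        self.hosts = set()         # hostnames referenced by URL attributes

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and "http-equiv" in a:
            self.meta.add((_norm(a.get("http-equiv")), _norm(a.get("content"))))
        elif tag == "input" and _norm(a.get("type")) == "password":
            self.password_inputs += 1
        if tag in URL_ATTRS:
            host = urlparse(a.get(URL_ATTRS[tag]) or "").hostname
            if host:
                self.hosts.add(host.lower())


def analyse(html_text, impersonated_domain):
    """Return the features found plus a simple additive score (assumed weights)."""
    # Curly quotes, as in the README's X-UA-Compatible line, break attribute
    # parsing in html.parser, so fold them to straight quotes first.
    text = html_text.replace("\u201c", '"').replace("\u201d", '"')
    p = PhishFeatureParser()
    p.feed(text)
    p.close()
    meta_hits = sorted(SUSPECT_META & p.meta)
    offsite = sorted(h for h in p.hosts
                     if not (h == impersonated_domain
                             or h.endswith("." + impersonated_domain)))
    score = len(meta_hits) + (2 if p.password_inputs else 0) + (2 if offsite else 0)
    return {"meta_hits": meta_hits, "password_inputs": p.password_inputs,
            "offsite_hosts": offsite, "score": score}


# Constructed sample: the README's meta block plus a fake login form whose
# action points at a placeholder host (example-drive.invalid is not an IoC).
SAMPLE_HTML = """<html><head>
<meta http-equiv ='Content-Type'content ='text / html; charset = UTF-8'/>
<meta http-equiv ='Cache-Control'content ='no-cache'/>
<meta http-equiv ='Pragma'content ='no-cache'/>
<meta http-equiv ='Expires'content ='0'/>
<meta http-equiv =\u201cX-UA-Compatible\u201dcontent =\u201cIE = Edge\u201d/>
</head><body>
<img src="https://unikorea.go.kr/upload/editUpload/20190418/2019041814360535872.png">
<form action="https://example-drive.invalid/login">
  <input type="text" name="user"><input type="password" name="pw">
</form></body></html>"""

if __name__ == "__main__":
    print(analyse(SAMPLE_HTML, "unikorea.go.kr"))
```

Run against the constructed sample with `unikorea.go.kr` as the impersonated domain, all four cache-busting pairs match, one password field is found and the form posts to a host outside that domain, so the report scores 8; a plain page with none of these features scores 0. Matching on normalised values rather than raw strings is what lets the check survive the odd spacing and curly quotes seen in the sample.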