From 2fbc104e4b7537d629d9483f5db26a34cb86ef97 Mon Sep 17 00:00:00 2001 From: blackorbird <137812951@qq.com> Date: Tue, 23 Apr 2019 14:55:40 +0800 Subject: [PATCH] group123 --- group123/README.MD | 52 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 group123/README.MD diff --git a/group123/README.MD b/group123/README.MD new file mode 100644 index 0000000..ab13663 --- /dev/null +++ b/group123/README.MD @@ -0,0 +1,52 @@ +# Group123 + +## 20190423 + +two relate phishing operation: + +Group123, APT attack impersonating Unification Ministry, spread malicious code to Google Drive https://blog.alyac.co.kr/2268 (April 22 , 2019) +'group123' group 'survey on the total number of discovery of separated families in North and South' https://blog.alyac.co.kr/1767 (July 28, 2014) + +email_93682646.html +88107e3c785d3d30e5f6fc191622a157 +memo.utr +86f83586c96943ce96309e3017a3500c + +email: +Lee Soo-hyun +211.197.11.18 + +info: +http://155.138.236.240/sec[.]png?id= + +phishing: +input password and login it will redirect to unikorea.go.kr +https://unikorea.go.kr/upload/editUpload/20190418/2019041814360535872.png +https://unikorea.go.kr/upload/editUpload/20190418/2019041814364795734.png + +The html file is misleading in this two-step process and will connect you to a specific Google Drive address in the background. + +download:memo.utr +google drive owner: 한국정치학회 +Gmail:kpsapress@gmail.com + +decode PE and collect private information +post to "pcloud" +the authorize email is kcrc1214@hanmail.net ,2018.12.3 join + + +The attacking organization seems to have registered Russian expressions to intentionally give the analysts a false flag, and when translated into English, it will change to the expression 'Humpty Dumpty'. + +D:\System\Kernel32\Shell32\Sample\Release\Шалтай-Болтай.pdb (Humpty Dumpty) + +HTML code feature + + + + + + + + + +
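Review bot: the network indicators added in group123/README.MD are defanged inconsistently, which makes the list both unsafe to copy and hard to parse: in `http://155.138.236.240/sec[.]png?id=` only the dot of the filename is bracketed while the host dots stay live, and the sender IP `211.197.11.18`, the two `unikorea.go.kr` image links and the Google Drive reference are not defanged at all. Pick one convention (for example `hxxp://155[.]138[.]236[.]240/sec.png?id=`) and apply it to every indicator, and label the `unikorea.go.kr` links as the legitimate ministry assets the lure loads after the fake login (which is what the "phishing:" paragraph describes) rather than attacker infrastructure. The two 32-hex hashes under `email_93682646.html` and `memo.utr` should state their algorithm (MD5-length) so they can be ingested without guessing. The closing `HTML code feature` heading has nothing after it in this hunk; either add the snippet it announces or drop the heading. Minor wording: "two relate phishing operation" should read "two related phishing operations", and the "July 28, 2014" date on the second alyac reference sits under a 2019 entry and is worth double-checking against the linked post.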