Hermit (隐士) activity continues: APT attacks continue targeting the Korean Peninsula

2019-05-24 Tencent Hermit activity continues: APT attacks continue targeting the Korean Peninsula

https://s.tencent.com/research/report/727.html


Tencent's preserved Hermit report says the group continued APT activity against the Korean Peninsula while also targeting blockchain, cryptocurrency, financial, and diplomatic entities. The attack chain used spear-phishing Word documents with malicious macros that downloaded a second document, copied certutil as ct.exe, retrieved batch-script stages, decoded a CAB file, and installed victory.exe under the public documents path with registry persistence. Tencent identified victory.exe as Amadey-family malware that collected local and antivirus information before requesting an additional payload from C2, then described sp.exe as a Babyface RAT communicating with 5.252.198.93:7337. The report links the macro style, decoding method, scripts, and tooling to earlier Hermit activity and notes continued Syscon/Sandy backdoor activity.

Indicators of Compromise

