Amadey Trojan distributed by DPRK-affiliated APT groups

2021-02-02, Bushidotoken
https://blog.bushidotoken.net/2021/02/amadey-trojan-distributed-by-dprk.html
#Amadey

Malicious Word documents titled “Pyongyang stores low on foreign goods amid North Korean COVID-19 paranoia.doc” were recently uploaded to malware submission sites such as ANY.RUN, VMRay, and VirusTotal.
Analysis of the Word documents revealed that a VBA macro is used to drop a secondary payload and to connect the infected device to the adversary’s command and control (C&C) server. The malware used in this attack is detected as the Amadey Trojan, a commodity tool used for credential harvesting and remote control by threat actors of all skill levels. The payload is hosted on a compromised website and is retrieved by the Amadey Trojan once the malicious macros are enabled.
VirusTotal campaign graph:
Analysis:
Commodity malware, such as the Amadey Trojan, is a concern because it does not require its operator to have any development capability, only the capacity to deploy it. This increases the number of potential attackers in …

IoC
