Analysis of Attack Strategies Targeting Centralized Management Solutions
2025. 1. 21.
Dongwook Kim, Seulgi Lee
KrCERT/CC
Introduction
Dongwook Kim
([email protected])
Incident Analyst
KrCERT/CC
Seulgi Lee
([email protected])
Digital Threat Analysis Division
Malware Analyst
KrCERT/CC
Threat Hunting Analysis Team
Published Report
bit.ly/4263urj
Reason for Initiating the Investigation
Using an Email Account to Access Hosting Services
(Diagram labels: Ransom Note Email, Hospital Ransomware, Email, Hosting Company, Victims, Maui Ransomware)
Separating the TTPs of the Attacker-Leased Server and the Victim Organization
Google Email Activity
Search Queries from the Google Account
The Hacker's Account Activity Information Was Retained
Words Used in North Korea
Accessing ‘조선중앙통신’ (KCNA, the Korean Central News Agency) in Japan
Attacker-Leased Server TTP
Tactic | Technique | Sub-technique | Description
Reconnaissance | Active Scanning | Wordlist Scanning | Brute Force Attack on RDP Access
Reconnaissance | Active Scanning | Vulnerability Scanning | Vulnerability Scanning Using Python
Reconnaissance | Search Open Technical Databases | Scan Databases | Target Scanning Using the Shodan Search Engine
Reconnaissance | Search Open Websites/Domains | Search Engines | Gathering Information Needed for the Attack
Resource Development | Acquire Infrastructure | Server | Leasing Hosting Provider Servers for Use in Attacks
Resource Development | Develop Capabilities | Malware | Develop Remote Control Malware and Scanning Code
Resource Development | Develop Capabilities | Exploits | Research on Software Zero-Day Vulnerabilities
Resource Development | Obtain Capabilities | Malware | Use Publicly Available Malware
Resource Development | Obtain Capabilities | Exploits | Exploit Public Vulnerabilities
Resource Development | Obtain Capabilities | Tool | Use Publicly Available Tools
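The first row of the table, a wordlist brute-force attack on RDP, is also the TTP a victim organization is best placed to catch in its own Windows Security logs. The Python below is an example added for this page, not code from the report or from KrCERT/CC. It keeps a per-source-IP sliding-window count of failed logons (Event ID 4625) and flags a burst that is followed by a successful RDP logon (Event ID 4624, LogonType 10) from the same address, which is the pattern that separates a password-spray that failed from one that got in. The log lines are constructed, the one-line key=value layout is an assumed export shape rather than the native EVTX record, and the threshold, window and success window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): Windows Security events flattened to
# one line each. The field layout is an assumption for this example; real
# 4625/4624 records are EVTX/XML and would be exported to this shape by a SIEM.
SAMPLE_LOG = """\
2025-01-10T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2025-01-10T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2025-01-10T02:14:06 EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.45
2025-01-10T02:14:09 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.45
2025-01-10T02:14:12 EventID=4625 LogonType=10 TargetUserName=user1 IpAddress=203.0.113.45
2025-01-10T02:14:40 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2025-01-10T02:16:30 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2025-01-10T02:20:00 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7
2025-01-10T02:20:05 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7
2025-01-10T02:20:10 EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7
2025-01-10T09:00:00 EventID=4625 LogonType=10 TargetUserName=svc IpAddress=203.0.113.45
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse flattened event lines into dicts, sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "lt": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          failure_logon_types=(3, 10),
                          success_window=timedelta(minutes=30)):
    """
    Per source IP, flag a burst of >= threshold failed logons (4625) inside `window`.
    LogonType 10 is RemoteInteractive (RDP). With Network Level Authentication
    enabled a failed RDP attempt is logged as LogonType 3 instead, so both are
    counted by default. A 4624 LogonType 10 from the same IP within
    `success_window` after the burst marks it as having ended in a successful logon.
    Returns one alert dict per offending IP.
    """
    failures = defaultdict(list)   # ip -> chronological failure events
    successes = defaultdict(list)  # ip -> timestamps of successful RDP logons
    for e in events:
        if e["eid"] == 4625 and e["lt"] in failure_logon_types:
            failures[e["ip"]].append(e)
        elif e["eid"] == 4624 and e["lt"] == 10:
            successes[e["ip"]].append(e["ts"])

    alerts = []
    for ip, fails in failures.items():
        start = end = 0
        while end < len(fails):
            # slide the window start forward so fails[start..end] spans <= window
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                # extend the burst to every later failure still inside the window
                j = end
                while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[start]["ts"] <= window:
                    j += 1
                burst = fails[start:j + 1]
                last = burst[-1]["ts"]
                followed = [t for t in successes[ip] if last <= t <= last + success_window]
                alerts.append({
                    "ip": ip,
                    "first_seen": burst[0]["ts"],
                    "last_seen": last,
                    "attempts": len(burst),
                    "users": sorted({b["user"] for b in burst}),
                    "success_after": bool(followed),
                })
                break  # one alert per IP is enough here
            end += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this yields a single alert for 203.0.113.45 covering six failures against five usernames, with success_after set because the 4624 LogonType 10 arrived two minutes later; the two failures from 198.51.100.7 stay below the threshold. Counting LogonType 3 widens the net to NLA-protected hosts but also pulls in SMB and other network logon failures, so pass failure_logon_types=(10,) where that noise matters more than the NLA blind spot.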
Attacker-Leased Server, Develop Capabilities: Malware
RDP BitmapCache Artifact
Internet Search History
The Proportion of Malicious Code Developed Using Golang is Increasing
Attacker-Leased Server, Develop Capabilities: Malware
Remote Control Malware Management Tool
…