Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)

2021-01-27, S2W
https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74
#DreamJob #ThreatNeedle

Contents

The malware mentioned in the “North Korean hackers have targeted security researchers via social media” report published by the Google Threat Analysis Group (TAG) is considered to be ThreatNeedle, as dubbed by Kaspersky. We already disclosed a deep analysis of the C2 communication of ThreatNeedle at DCC 2019 and the Kaspersky SAS Lightning Talk 2019.
In addition, the malware and its C2 communication have commonalities with Operation MalBus.
Additional reference for Operation MalBus:
> MalBus Actor Changed Market from Google Play to ONE Store
Here on Medium we only briefly present the essential facts; for further details, please refer to the attached PDF file, which was presented at DCC and Kaspersky SAS.
Below is a tweet from Seongsu Park of the Kaspersky GReAT team stating that this malware is ThreatNeedle.
ThreatNeedle is already known to have been used by the Lazarus group along with Manuscrypt in the past. Most of them operate through HTTP communication, and C&C servers are written …

IoC
