APT Down: The North Korea Files
• Noticeable are the SSL certificates and auth.log. The source code for the phishing attacks is discussed further below.
1.1 - Defense Counterintelligence Command (dcc.mil.kr)
Drop Location: vps/var/www/html/
The Defense Counterintelligence Command (DCC) is an intelligence organization of the South Korean Armed Forces. The DCC is primarily responsible for intelligence missions such as clandestine and covert operations, and counterintelligence.
The logs show a phishing attack against dcc.mil.kr as recently as three days ago.
The same logs contain entries for the Supreme Prosecutor Office (spo.go.kr), korea.kr, daum.net, kakao.com, and naver.com. It should be noted that the Admin-C for dcc.mil.kr is registered to hyuny [email protected].
grep -Fhr 'dcc.mil.kr' log | uniq
[email protected]_amFuZHkzOTEyQGRjYy5taWwua3I=|
[email protected]_ZGkwMzExMTFAZGNjLm1pbC5rcg==
[email protected]_ZGlkY2RiYUBkY2MubWlsLmty
[email protected]_amhjZ29k0DhAZGNjLm1pbC5rcg==
[email protected]_Y2hhbmNoYW4wNjE2QGRjYy5taWwua3I=
[email protected]_eWliMTAwQGRjYy5taWwua3I=
[email protected]_RHNj0DA4QGRjYy5taWwua3I=
[...]
The tools used in this attack are discussed under 2.1 (Generator).
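The grep above matches the raw log lines, which only works because the victim address happens to appear next to its base64 form. For incident-response triage (working out which organisations need to be notified) it is more reliable to decode each record and group the decoded addresses by domain. The following is an added example, not code from the article or from the leaked toolkit; it assumes a record format of `<label>_<base64 of the victim address>`, one or more records per line, which is an assumption drawn from the shape of the dump rather than something the article confirms. All addresses in the sample log are constructed.

```python
import base64
import binascii
import re
from collections import Counter

# Assumed record format (an assumption, not confirmed by the dump): one or more
# whitespace-separated tokens per line, each "<label>_<base64 of victim address>".
RECORD_RE = re.compile(r"(\S+?)_([A-Za-z0-9+/]+={0,2})(?=\s|$)", re.MULTILINE)

# Constructed sample lines. The local parts are made up; the domains are the
# ones named in the article. The last two lines are deliberately malformed.
SAMPLE_LOG = """\
lure_c2FtcGxlMUBkY2MubWlsLmty
lure_c2FtcGxlMkBkY2MubWlsLmty lure_cHJvc2VjdXRvckBzcG8uZ28ua3I=
lure_c2FtcGxlMUBkY2MubWlsLmty
lure_aGVsbG8=
lure_!!!notb64
"""


def decode_record(token: str):
    """Return the decoded victim address from one record, or None when the
    token is not well-formed base64 or does not decode to an e-mail address."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if "@" not in text or any(c.isspace() for c in text):
        return None
    return text.lower()


def parse_log(text: str):
    """Extract (label, address) pairs from the log; unreadable records are skipped."""
    found = []
    for m in RECORD_RE.finditer(text):
        addr = decode_record(m.group(2))
        if addr is not None:
            found.append((m.group(1), addr))
    return found


def victims_by_domain(text: str):
    """Count distinct victim addresses per domain, for notification triage."""
    distinct = {addr for _, addr in parse_log(text)}
    return Counter(addr.rsplit("@", 1)[1] for addr in distinct)


def matches_domain(text: str, domain: str):
    """Equivalent of the article's grep, but applied to the decoded address, so
    the match does not depend on how the domain is spelled in the raw line."""
    return sorted({addr for _, addr in parse_log(text) if addr.endswith("@" + domain)})


if __name__ == "__main__":
    for dom, n in victims_by_domain(SAMPLE_LOG).most_common():
        print(f"{dom}: {n} distinct address(es)")
    print(matches_domain(SAMPLE_LOG, "dcc.mil.kr"))
```

Decoding with `validate=True` rejects tokens containing characters outside the base64 alphabet instead of silently discarding them, which matters when an OCR'd or partially corrupted dump (note the `0`/`O` confusions in the listing above) would otherwise decode to garbage that looks like a plausible address.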
1.2 - Access to South Korea Ministry of Foreign Affairs repository
A copy of the South Korean Ministry of Foreign Affairs email platform was found inside a file …