lazarusholic

Everyday is lazarus.dayβ

APT37’s Pretexting-Based Targeted Intrusion: Analysis of Facebook Reconnaissance and Software Tampering Attacks

2026-04-12, Genians
https://www.genians.co.kr/en/blog/threat_intelligence/pretexting
#APT37

◈ Key Findings
- Conducted reconnaissance using two Facebook accounts claiming to be from Pyongyang and Pyongsong, North Korea
- Built trust by adding targets as Facebook friends, then moved the conversation to Messenger and lured them using specific topics
- Tricked targets into installing a dedicated PDF viewer under the pretense of sharing an encrypted PDF document on military weapons
- Executed shellcode and gained initial access through a carefully tampered Wondershare PDFelement installer
- Delivered follow-up commands through a payload disguised as a JPG image, hosted on the Seoul branch website of a Japanese real estate information service
- Behavior-based EDR is required to detect the identified indicators of compromise (IoCs) and respond to APT evasion techniques

1. Overview
Genians Security Center conducted an in-depth analysis of a targeted intrusion campaign carried out by the APT37 threat actor through a social networking platform.
The analysis showed that the threat actor used two Facebook accounts with their location set to Pyongyang and …

IoC

http://ipinfo.io/json
http://japanroom.com/board/DATA/1288247428101.jpg
http://222.122.49.15
http://38.32.68.195
http://japanroom.com
222.122.49.15
38.32.68.195
[email protected]
[email protected]
[email protected]
c681fe3f42e82e9240afe97c23971cbc
c637b3e7d74c2d678663454d16311b15
085128b4e96633c82beb2101f5c525e4
28d0143718153bf04c1919a26bb70c2d
d44a22d2c969988a65c7d927e22364c8
36be2cbb59cd1c3f745d5f80f9aee21c