Continued distribution of malware related to cryptocurrency exchanges
SUMMARY
Since June 1, following the Trump-Kim Singapore summit, a hacking group suspected of being North Korean has continuously distributed malware to people connected with cryptocurrency exchanges (six cases in total since June 1).
- Aug 6, 2018: malicious document “유사수신행위 위반통보.hwp” distributed
- July 27, 2018: malicious document “알트플래닛이해하기.hwp” distributed
- July 27, 2018: malicious document “백서v1.0.hwp” distributed
- July 25, 2018: malicious document “전자지갑개발자_김OO.hwp” distributed
- June 21, 2018: malicious document “젠더 트러블.hwp” distributed
- June 21, 2018: malicious document “젠더 트러블.hwp” distributed
* Same author as the malicious document distributed on June 1, with additional malware (only the C&C server address differs)
- June 15, 2018: malicious document “금융안정 컨퍼런스 개최결과.hwp” distributed
- June 14, 2018: malicious document “국제금융체제 실무그룹 회의결과.hwp” distributed
* The document's contents concern the regulation of cryptocurrency exchanges within the G20.
* It is presumed that malware was added to the press-release HWP file and the result was used for spear-phishing …
IoC
MD5 hashes:
06cfc6cda57fb5b67ee3eb0400dd5b97
2228fea495bee51dc88c1a0ed953450a
23f8a0c5efb2ca33e389e0a3d98c254e
2898a8bb7cc7639b7bd1080f9ad00e79
298a17c20a517dc02bc5388bc645837d
361c2c5be75439dda958daa6032cab49
631f1c63ff87399e5e73c7d94d62532f
667cf9e8ec1dac7812f92bd77af702a1
69ad5bd4b881d6d1fdb7b19939903e0b
71c78b84f0153ba64d30ea986c3e682b
778a7ed1aa3ce2d8eb719765cac3c166
78292E4C5DA3B5D067F081B736E5D593
786124b0d0845785c0d156e400ff3e8d
86685ec8c3c717aa2a9702e2c9dec379
87e252e3da6c02bf531a6cfb788f122a
912f87392a889070dbb1097a82ccd93f
a43dfbfad77b5aa974cd475744ab8182
a6d1424e1c33ac7a95eb5b92b923c511
a7c804b62ae93d708478949f498342f9
aa7f506b0c30d76557c82dba45116ccc
cf09201f02f2edb9c555942a2d6b01d4
e8bf331858b173eac8bd2b2227821022
eb6275a24d047e3be05c2b4e5f50703d
URLs:
http://919xy.com/contactus/about.php
http://aedlifepower.com/include/image.php
http://markcoprintandcopy.com/data/helper.php
http://www.33cow.com/include/control.php
http://www.92myhw.com/include/inc/inc_common.php
http://www.97nb.net/include/arc.sglistview.php
http://www.aisou123.com/include/dialog/common.php
http://www.aloe-china.com/include/bottom.php
http://www.anlway.com/include/arc.search.class.php
http://www.ap8898.com/include/arc.search.class.php
http://www.apshenyihl.com/include/arc.speclist.class.php
http://www.marmarademo.com/include/extend.php
http://www.nuokejs.com/contactus/about.php
http://www.pakteb.com/include/left.php
http://www.qdbazaar.com/include/footer.php
https://itaddnet.com/res/prof3.db
https://itaddnet.com/res/prof6.db
Reference (vendor write-up, not an indicator): https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/
https://sfacor.com/upload/profile_2.dmg
https://sfacor.com/upload/profile_4.dmg
https://tpddata.com/flash/gcoin2.swf
https://tpddata.com/flash/gcoin4.swf
https://tpddata.com/skins/skin-6.thm
https://tpddata.com/skins/skin-8.thm
https://wifispeedcheck.net/upload/conf3.dat
https://wifispeedcheck.net/upload/conf6.dat
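As an added example, not part of the advisory, the following Python script shows how a defender can turn an IoC block in the form listed above into matching logic: it parses the listing into MD5 hashes and URLs (normalising the one upper-case hash the list contains, since MD5 hex is case-insensitive), separates vendor reference links from real indicators via an assumed allow-list (REFERENCE_HOSTS), and then matches hashes of files on disk and URLs in proxy log lines. Only a subset of the page's indicators is embedded, and the proxy log lines are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# Constructed subset of the advisory's IoC block. The values are taken from
# the page (including the one upper-case MD5 it lists); the McAfee link is a
# write-up reference, not an indicator, and must not become a detection rule.
IOC_TEXT = """
06cfc6cda57fb5b67ee3eb0400dd5b97
78292E4C5DA3B5D067F081B736E5D593
http://919xy.com/contactus/about.php
http://www.anlway.com/include/arc.search.class.php
https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/
https://tpddata.com/flash/gcoin2.swf
"""

# Assumed allow-list of vendor hosts whose links are references rather than IoCs.
REFERENCE_HOSTS = {"securingtomorrow.mcafee.com"}

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def canonical_url(url):
    """Drop query string and fragment so logged URLs compare against the listed path."""
    return urlsplit(url)._replace(query="", fragment="").geturl()


def parse_iocs(text):
    """Split an IoC listing into lower-case MD5s, canonical URLs and hostnames."""
    md5s, urls, hosts = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if MD5_RE.match(line):
            md5s.add(line.lower())  # MD5 hex is case-insensitive; normalise once
        elif line.startswith(("http://", "https://")):
            host = (urlsplit(line).hostname or "").lower()
            if not host or host in REFERENCE_HOSTS:
                continue  # skip malformed lines and vendor write-up links
            urls.add(canonical_url(line))
            hosts.add(host)
    return {"md5": md5s, "url": urls, "host": hosts}


def match_hash(hexdigest, iocs):
    """True if a hash (in any case) is one of the listed MD5s."""
    return hexdigest.strip().lower() in iocs["md5"]


def scan_directory(root, iocs):
    """Hash every regular file under root; return paths whose MD5 is listed."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.md5(path.read_bytes()).hexdigest()
            if match_hash(digest, iocs):
                hits.append(str(path))
    return hits


def match_proxy_log(lines, iocs):
    """Return (line number, host, exact_url_match) for each request to a listed host.

    Host-level hits with exact_url_match False are reported too, so an analyst
    can decide whether other traffic to that host deserves a look.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if token.startswith(("http://", "https://")):
                host = (urlsplit(token).hostname or "").lower()
                if host in iocs["host"]:
                    hits.append((n, host, canonical_url(token) in iocs["url"]))
    return hits


# Constructed proxy log lines for the demonstration (not real traffic).
PROXY_LOG = [
    "2018-08-06T09:12:44Z 10.0.0.21 GET http://919xy.com/contactus/about.php 200 1432",
    "2018-08-06T09:13:01Z 10.0.0.21 GET https://securingtomorrow.mcafee.com/mcafee-labs/ 200 8890",
    "2018-08-06T09:15:10Z 10.0.0.33 POST http://www.anlway.com/include/arc.search.class.php?id=7 200 512",
    "2018-08-06T09:16:00Z 10.0.0.40 GET http://www.anlway.com/index.php 200 2048",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_proxy_log(PROXY_LOG, iocs):
        print("proxy hit:", hit)
    print("hash hit:", match_hash("78292E4C5DA3B5D067F081B736E5D593", iocs))
```

Run as-is, the script reports the two exact URL hits, the host-only hit on www.anlway.com, and a hash match regardless of the case the indicator was published in; to use it against the full list, paste the whole IoC block into IOC_TEXT and point scan_directory at the directory to check.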