
Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures

2023-07-28, Securonix
https://www.securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/
#StarkMule

Contents

By Securonix Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov
Jul 28, 2023
tldr:
An interesting new ongoing attack campaign that lures its victims using US military-related documents to run malware staged from legitimate compromised Korean websites has been identified by Securonix Threat Research.
Caption: Example of an MNRS recruitment post.
The Securonix Threat Research (STR) team has been monitoring a new attack campaign tracked by STR as STARK#MULE. The campaign appears to be targeting Korean-speaking victims based on the nomenclature and names of documents used, and based on the contents of the lure document. There is a possibility that the malicious threat actor (MTA) originates from North Korea (this is still to be confirmed). In this case, the documents suggest they contain information regarding US Army/military recruitment resources. It appears the goal is to spark the recipient’s curiosity enough to have them open the attached documents, and inadvertently execute the contained malware.
Based on …

IoC
