DPRK Targeting Researchers II: .Sys Payload and Registry Hunting
In an earlier post, this blog examined malware from a DPRK-affiliated campaign targeting security researchers. Since the initial public post about this activity from Google, multiple vendors have corroborated and supplemented the technical details in this attack.
Whereas the previous post examined a DLL file delivered via social engineering and Visual Studio, this post examines the inner workings of a malicious .sys file likely delivered through a watering hole. In addition to reverse engineering, this post offers possible threat hunting avenues for identifying data associated with this file hidden in the registry of a compromised system.
For those purely interested in the hunting portion of this post (the malware reads, and likely executes, data from the registry), skip ahead to that section. As a disclaimer, the hunt workflow proposed is merely hypothetical, and should not be considered any sort of official security guidance.
(2/1 Update: the Stage 2 payload is analyzed in a follow-up post.)
Technical Analysis
Filename: helpsvc.sys
MD5: ae17ce1eb59dd82f38efb9666f279044
SHA1: 3b3acb4a55ba8e2da36223ae59ed420f856b0aaf
SHA256: …
IoC
Hashes (algorithm inferred from digest length; helpsvc.sys hashes match the sample above):
SHA1: 3b3acb4a55ba8e2da36223ae59ed420f856b0aaf (helpsvc.sys)
MD5: 7904d5ee5700c126432a0b4dab2776c9
SHA1: 79bd808e03ed03821b6d72dd8246995eb893de70
SHA256: 7c4ea495f9145bd9bdc3f9f084053a63a76061992ce16254f68e88147323a8ef
SHA256: a4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15
MD5: ae17ce1eb59dd82f38efb9666f279044 (helpsvc.sys)
URLs:
http://www.colasprint.com/_vti_log/upload.asp
http://www.dronerc.it/forum/uploads/index.php
http://www.fabioluciani.com/es/include/include.asp