'JustJoin' Landing Page Linked to Suspected DPRK Activity Resurfaces
Published on
Jan 14, 2025
While scanning for DPRK-related infrastructure, Hunt researchers identified a server with HTTP response headers consistent with previously reported activity. Further analysis of the IP uncovered a small cluster of domains and a landing page on port 80 referencing 'JustJoin,' a macOS app designed for monitoring Zoom meetings.
Public reporting, most recently by SentinelOne, has linked TA444/BlueNoroff to spoofed domains, often leveraging themes related to virtual meeting platforms such as Zoom in their campaigns. Additionally, two other IPs were found to share SSH host keys with the server, indicating potential coordination within a broader infrastructure.
This report outlines key findings to provide defenders with timely insights into this activity cluster.
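The two pivots described above, a matching HTTP response-header profile and a shared SSH host key across IPs, are routine infrastructure-hunting steps. The script below is an added example (not Hunt.io's tooling) showing how both pivots are applied to scan output: hosts are grouped by the OpenSSH-style SHA256 fingerprint of their host key, and the response-header shape (header names in emitted order plus the Server value, with volatile fields excluded) is compared against a recorded profile. All hosts, keys and headers are constructed (RFC 5737 test addresses, made-up key blobs); none are observations from this report.

```python
"""Cluster scanned hosts by shared SSH host key and by HTTP response-header shape.

Added example, not Hunt.io's tooling. The hosts, keys and headers are constructed
(RFC 5737 test addresses, made-up key blobs); no values come from the report.
"""
import base64
import hashlib
from collections import defaultdict


def _blob(label: str) -> str:
    """Constructed stand-in for an SSH key blob; only the bytes matter for fingerprinting."""
    return base64.b64encode(label.encode()).decode()


# Constructed scan results: what a port-22 banner grab and an HTTP GET would return per IP.
# Header order is kept because the order a server emits headers in is part of its fingerprint.
SCAN_RESULTS = {
    "192.0.2.10": {
        "ssh_hostkey": f"ssh-ed25519 {_blob('constructed-key-A')}",
        "headers": [("Server", "nginx"), ("Date", "Tue, 14 Jan 2025 00:00:00 GMT"),
                    ("Content-Type", "text/html"), ("Content-Length", "612"),
                    ("Connection", "keep-alive")],
    },
    "192.0.2.11": {
        "ssh_hostkey": f"ssh-ed25519 {_blob('constructed-key-A')}",  # same key as .10
        "headers": [("Server", "nginx"), ("Date", "Tue, 14 Jan 2025 00:01:00 GMT"),
                    ("Content-Type", "text/html"), ("Content-Length", "612"),
                    ("Connection", "keep-alive")],
    },
    "198.51.100.7": {
        "ssh_hostkey": f"ssh-rsa {_blob('constructed-key-B')}",
        "headers": [("Date", "Tue, 14 Jan 2025 00:02:00 GMT"), ("Server", "Apache"),
                    ("Content-Type", "text/html")],
    },
}


def ssh_fingerprint(hostkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64blob [comment]' host key line."""
    _key_type, blob = hostkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def header_fingerprint(headers) -> str:
    """Fingerprint the response shape: header names in emitted order, plus the Server value.

    Volatile values (Date, Content-Length) are deliberately left out so the same
    server build matches across requests.
    """
    names = ",".join(name.lower() for name, _ in headers)
    server = {n.lower(): v for n, v in headers}.get("server", "")
    return f"{names}|server={server}"


def cluster_by_hostkey(results):
    """Group IPs presenting the same SSH host key; return only clusters of two or more."""
    groups = defaultdict(list)
    for ip, data in results.items():
        groups[ssh_fingerprint(data["ssh_hostkey"])].append(ip)
    return {fp: sorted(ips) for fp, ips in groups.items() if len(ips) > 1}


def hosts_matching_profile(results, profile: str):
    """IPs whose HTTP response shape equals a previously recorded profile string."""
    return sorted(ip for ip, data in results.items()
                  if header_fingerprint(data["headers"]) == profile)


if __name__ == "__main__":
    known_profile = header_fingerprint(SCAN_RESULTS["192.0.2.10"]["headers"])
    print("header profile:", known_profile)
    print("hosts matching profile:", hosts_matching_profile(SCAN_RESULTS, known_profile))
    for fp, ips in cluster_by_hostkey(SCAN_RESULTS).items():
        print("shared host key", fp, "->", ips)
```

In practice the profile string would be recorded from the originally reported server and the scan results would come from a banner-grabbing pass over candidate ranges; a host that matches on both the header shape and the host key is a much stronger pivot than either signal alone, since header shapes are shared by every default install of the same web server.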
TA444/BlueNoroff Infrastructure
BlueNoroff, also known as TA444, employs structured yet adaptable patterns in managing its infrastructure. The group often registers domains that mimic legitimate businesses, particularly in the cryptocurrency and …
IoC
http://www.cryptorgram.com
http://hamzastrs.pro
http://make-hex-32332e3235342e3136372e323136-rr.1u.ms
http://a0info.v6.army-can
http://23.254.167.216
http://taglala.com
http://a0info.v6.army
http://cryptorgram.com
http://108.174.194.196
http://108.174.194.44
108.174.194.44
23.254.167.216
108.174.194.196
e1f6b7f621a391a9d26e9a196974f3e2cc1ce8b4d8f73a14b2e8cb0f2a40289f
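The list above mixes URLs, bare IPs and a SHA-256 hash, and one hostname, make-hex-32332e3235342e3136372e323136-rr.1u.ms, carries an IP address as hex-encoded ASCII: the hex decodes to 23.254.167.216, which is one of the three listed IPs (1u.ms is a public wildcard DNS service whose names of this form resolve to the encoded address). The script below is an added example, not Hunt.io's tooling, that normalizes the published indicators into IP, domain and hash buckets and surfaces that hidden relationship; a blocklist holding only the literal hostname would otherwise miss it. The indicators are copied from this IoC section; the classification logic is the example's own.

```python
"""Normalize the published IoC list and decode the hex-encoded 1u.ms hostname.

Added example, not Hunt.io's tooling. The indicators are copied from the report's
IoC section; the bucketing and decoding logic is this example's own.
"""
import ipaddress
import re

RAW_IOCS = [
    "http://www.cryptorgram.com",
    "http://hamzastrs.pro",
    "http://make-hex-32332e3235342e3136372e323136-rr.1u.ms",
    "http://a0info.v6.army-can",
    "http://23.254.167.216",
    "http://taglala.com",
    "http://a0info.v6.army",
    "http://cryptorgram.com",
    "http://108.174.194.196",
    "http://108.174.194.44",
    "108.174.194.44",
    "23.254.167.216",
    "108.174.194.196",
    "e1f6b7f621a391a9d26e9a196974f3e2cc1ce8b4d8f73a14b2e8cb0f2a40289f",
]

# make-hex-<hex>-rr.1u.ms names carry an ASCII dotted quad as a hex string.
HEX_RR = re.compile(r"make-hex-([0-9a-f]+)-rr\.1u\.ms")
SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def decode_hex_rr(hostname: str):
    """Return the IPv4 address encoded in a make-hex-...-rr.1u.ms name, or None."""
    m = HEX_RR.fullmatch(hostname)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(bytes.fromhex(m.group(1)).decode("ascii")))
    except ValueError:  # odd-length hex, non-ASCII bytes, or not a dotted quad
        return None


def normalize(raw_iocs):
    """Strip schemes and a leading 'www.', then bucket each indicator as ip, domain or sha256.

    Hostnames that encode an IP are kept as domains and additionally contribute
    the decoded address to the ip bucket, recorded under 'decoded'.
    """
    out = {"ips": set(), "domains": set(), "hashes": set(), "decoded": {}}
    for raw in raw_iocs:
        value = re.sub(r"^https?://", "", raw.strip().lower()).rstrip("/")
        if SHA256_HEX.fullmatch(value):
            out["hashes"].add(value)
            continue
        try:
            out["ips"].add(str(ipaddress.IPv4Address(value)))
            continue
        except ValueError:
            pass
        if value.startswith("www."):
            value = value[4:]
        out["domains"].add(value)
        decoded = decode_hex_rr(value)
        if decoded:
            out["decoded"][value] = decoded
            out["ips"].add(decoded)
    return out


if __name__ == "__main__":
    result = normalize(RAW_IOCS)
    for bucket in ("ips", "domains", "hashes"):
        print(bucket, sorted(result[bucket]))
    for name, ip in result["decoded"].items():
        print(f"{name} encodes {ip}")
```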