lazarusholic

Multi-staged, cross-platform, and likely targeted DPRK campaign

2025-10-22, Moonlock
https://archive.is/8wMxG
#macOS

Contents

1/ Recently @MalwareHunterTeam shared an interesting sample with our team, which we initially didn't believe to be such a rabbit hole. However, it turned out to be a multi-staged, cross-platform, and likely targeted #DPRK campaign. During our research we also highlighted some logical similarities with a previous DPRK Go backdoor campaign. A related campaign was mentioned by @KL4R10N (previously S4T4N) earlier as well. Take a look at what we've found so far 👇
2/ Our assumption regarding previous DPRK campaigns is based on the similar attack stages (initial phishing targeting the #cryptocurrency sector, scripts used for early OS reconnaissance, backdoor installation, data exfiltration), as well as on the delivery tactic: the previous campaign we described used Go source-code files and their pre-compiled binaries along the way, while this one does the same, with NodeJS used this time instead.
3/ The initial infection vector is a compiled AppleScript, falsely given a .docx …
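A defender-side check for the disguise described in 3/, added here as an example and not code from Moonlock or the thread: compiled AppleScript files start with the ASCII magic `FasdUAS`, while a genuine .docx is a ZIP container starting with `PK\x03\x04`, so a name-versus-content mismatch can be flagged without executing anything. The file names and contents below are constructed; the assumption is that the disguise is the file extension.

```python
import os
import tempfile

# Compiled AppleScript (.scpt) files begin with the ASCII magic "FasdUAS".
APPLESCRIPT_MAGIC = b"FasdUAS"
# OOXML documents (.docx/.xlsx/.pptx) are ZIP containers: local file header "PK\x03\x04".
ZIP_MAGIC = b"PK\x03\x04"
DOC_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def classify(path: str) -> str:
    """Classify a file by its leading bytes, ignoring the extension entirely."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(APPLESCRIPT_MAGIC):
        return "compiled_applescript"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def is_masquerading_script(path: str) -> bool:
    """True when the name promises an Office document but the content is a compiled AppleScript."""
    ext = os.path.splitext(path)[1].lower()
    return ext in DOC_EXTENSIONS and classify(path) == "compiled_applescript"


def scan(paths) -> list:
    """Return the subset of paths whose extension and magic bytes disagree in this way."""
    return [p for p in paths if is_masquerading_script(p)]


def demo() -> list:
    """Write two constructed files into a temp dir and scan them (sample data, not real artifacts)."""
    d = tempfile.mkdtemp()
    fake = os.path.join(d, "invoice.docx")   # constructed: compiled script named like a document
    real = os.path.join(d, "report.docx")    # constructed: ZIP header, as a real .docx would have
    with open(fake, "wb") as fh:
        fh.write(b"FasdUAS 1.101.10" + b"\x00" * 16)
    with open(real, "wb") as fh:
        fh.write(ZIP_MAGIC + b"\x00" * 28)
    return [os.path.basename(p) for p in scan([fake, real])]


if __name__ == "__main__":
    print(demo())  # ['invoice.docx']
```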