North Korea Calling - Web3 Zoom Campaign

2025-04-23, Huntabil.IT
https://huntability.tech/threat-note-2025-04-23-nk-zoom/
#macOS

Executive Summary
Huntabil.IT was engaged on the 22nd of April to assist an organisation in responding to a cybersecurity incident. During this engagement we discovered an ongoing campaign targeting web3 organisations, using social engineering to gain initial access and then stealing data from targeted applications. Huntabil.IT immediately started investigating the incident and quickly identified that this is likely a widespread campaign targeting web3/crypto organisations. Since warning other Huntabil.IT ThreatOps customers in the web3 space about the techniques used in this campaign, we have identified at least one other customer being targeted within the last 48 hours. As a result we are urgently publishing this hunting note so that organisations can take effective action against this threat.
The threat actor, likely directed/sponsored by North Korea, impersonated a trusted contact via Telegram and directed the target to book a meeting via Calendly. This resulted in an email that contained a link about …

IoC

Domains and URLs
https://dataupload.store/
https://writeup.live/test
http://support.us05web-zoom.pro
http://safeup.store
http://firstfromsep.online
http://writeup.live
http://gumi-cryptos.us05web-zoom.pro
https://support.us05web-zoom.pro/update/<random
https://safeup.store/test

IP addresses
142.11.241.62
23.254.247.53
104.168.151.116
192.119.116.231
192.236.146.22
192.236.198.31

SHA-256
803d5db6296a5829b168ae45087356f49255579afbcb58fb43c4fb8c3819da28
41660a23e5db77597994e17f9f773d02976f767276faf3b5bac0510807a9a36f
5fe5b1d879251d1618e275099cc63636d699a7f9b45176abe66283201b8ee877
469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f

References
https://github.com/SigmaHQ/sigma
https://attack.mitre.org/techniques/T1059/001/
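As an added example (not code from the Huntabil.IT note or from this page), the Python below turns the indicators above into domain, IP and SHA-256 sets and sweeps proxy/DNS log lines and a file-hash inventory for them. It goes one step beyond the raw list by also matching the apex of each listed host, so any subdomain of us05web-zoom.pro is flagged, not only the two listed; that relies on the assumption that the last two labels are the registrable domain, which holds for these TLDs but not for co.uk-style suffixes. Every log line and file path below is constructed test data; the legitimate Zoom host us05web.zoom.us is included only to show that the lookalike match does not catch it.

```python
"""IoC sweep for the indicators listed on this page.

Added example, not code from the Huntabil.IT note. Normalises the IoC list
into domain, IP and SHA-256 sets and runs them over log lines and a file-hash
inventory. All sample telemetry below is constructed, not real.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the IoC list above. The SigmaHQ and MITRE links are
# references, not indicators, and are deliberately left out.
RAW_IOCS = [
    "https://dataupload.store/", "https://writeup.live/test",
    "http://support.us05web-zoom.pro", "http://safeup.store",
    "http://firstfromsep.online", "http://writeup.live",
    "http://gumi-cryptos.us05web-zoom.pro",
    "https://support.us05web-zoom.pro/update/<random", "https://safeup.store/test",
    "142.11.241.62", "23.254.247.53", "104.168.151.116",
    "192.119.116.231", "192.236.146.22", "192.236.198.31",
    "803d5db6296a5829b168ae45087356f49255579afbcb58fb43c4fb8c3819da28",
    "41660a23e5db77597994e17f9f773d02976f767276faf3b5bac0510807a9a36f",
    "5fe5b1d879251d1618e275099cc63636d699a7f9b45176abe66283201b8ee877",
    "469fd8a280e89a6edd0d704d0be4c7e0e0d8d753e314e9ce205d7006b573865f",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def normalise_iocs(raw):
    """Split mixed indicators into (domains, ips, hashes) sets.

    URLs are reduced to their host; IP-literal hosts go to ``ips``.
    Assumption: the last two labels of a host are its apex, so the apex is
    added as well and sibling subdomains of a listed host will match.
    """
    domains, ips, hashes = set(), set(), set()
    for item in raw:
        item = item.strip()
        if SHA256_RE.match(item):
            hashes.add(item.lower())
            continue
        host = urlsplit(item if "://" in item else "//" + item).hostname
        if not host:
            continue
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            host = host.lower().rstrip(".")
            domains.add(host)
            domains.add(".".join(host.split(".")[-2:]))  # apex (assumption above)
    return domains, ips, hashes


def host_matches(host, domains):
    """True when host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log_lines(lines, domains, ips):
    """Return (line_number, indicator) for every host or IP hit in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
        for host in HOST_RE.findall(line):
            if host_matches(host, domains):
                hits.append((n, host.lower()))
    return hits


def check_hash_inventory(inventory, hashes):
    """Return paths whose recorded SHA-256 is a listed hash (case-insensitive)."""
    return sorted(p for p, h in inventory.items() if h.lower() in hashes)


# Constructed sample telemetry. Line 3 is the legitimate Zoom web host and
# must not hit; line 5 is the SigmaHQ reference and must not hit either.
SAMPLE_LOG = [
    "2025-04-22T10:14:59Z 10.0.4.17 DNS A updates.us05web-zoom.pro",
    "2025-04-22T10:15:03Z 10.0.4.17 GET https://support.us05web-zoom.pro/update/3f9a1c 200",
    "2025-04-22T10:15:20Z 10.0.4.17 GET https://us05web.zoom.us/j/123456 200",
    "2025-04-22T10:16:40Z 10.0.4.17 CONNECT 142.11.241.62:443",
    "2025-04-22T10:17:02Z 10.0.4.22 GET https://github.com/SigmaHQ/sigma 200",
]

# Constructed EDR-style export (path -> SHA-256); sample_a reuses a listed hash
# in upper case to show the comparison is case-insensitive.
SAMPLE_INVENTORY = {
    "/tmp/sample_a": "803d5db6296a5829b168ae45087356f49255579afbcb58fb43c4fb8c3819da28".upper(),
    "/tmp/sample_b": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def run():
    """Sweep the constructed samples; returns (log_hits, hash_hits)."""
    domains, ips, hashes = normalise_iocs(RAW_IOCS)
    return scan_log_lines(SAMPLE_LOG, domains, ips), check_hash_inventory(SAMPLE_INVENTORY, hashes)


if __name__ == "__main__":
    log_hits, hash_hits = run()
    for n, ioc in log_hits:
        print(f"log line {n}: {ioc}")
    for path in hash_hits:
        print(f"hash match: {path}")
```

Running the module reports the DNS lookup of updates.us05web-zoom.pro (caught only because of the apex match), the HTTPS request to support.us05web-zoom.pro, the CONNECT to 142.11.241.62 and the /tmp/sample_a hash; the legitimate us05web.zoom.us request and the GitHub reference line produce nothing.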