North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0530 is now tracked as Storm-0530 and PLUTONIUM is now tracked as Onyx Sleet.
To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.
A group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name for its campaigns and has successfully compromised small businesses in multiple countries as early as September 2021.
Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims. …
IoC
10.10.3.42
193.56.29.123
541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219
99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd
bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af
f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c
f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86
[email protected]
http://10.10.3.42
http://192.168.168.5
http://193.56.29.123
http://193.56.29.123:8888
http://193.56.29.123:8888/access.php?order=GetPubkey&cmn=[Victim_HostName
http://193.56.29.123:8888/access.php?order=golc_finish&cmn=[Victim_HostName]&
http://193.56.29.123:8888/access.php?order=golc_key_add&cmn=[Victim_HostName]&type=1
http://193.56.29.123:8888/access.php?order=golc_key_add&cmn=[Victim_HostName]&type=2
http://mail2tor.com
http://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion
https://cloud-ex42.usaupload.com/cache/plugins/filepreviewer/219002/f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c/1100x800_cropped.jpg
rule SiennaBlue
{
    meta:
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
        hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
        hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219"
    strings:
        $holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
        $holylocker_s2 = "HolyLocker/Main.EncryptionExtension"
        $holylocker_s3 = "HolyLocker/Main.ContactEmail"
        $holylocker_s4 = "HolyLocker/communication.(*Client).GetPubkeyFromServer"
        $holylocker_s5 = "HolyLocker/communication.(*Client).AddNewKeyPairToIntranet"
        $holyrs_s1 = "C:/Users/user/Downloads/development/src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go"
        $holyrs_s2 = "HolyGhostProject/MainFunc.ContactEmail"
        $holyrs_s3 = "HolyGhostProject/MainFunc.EncryptionExtension"
        $holyrs_s4 = "HolyGhostProject/Network.(*Client).GetPubkeyFromServer"
        $holyrs_s5 = "HolyGhostProject/Network.(*Client).AddNewKeyPairToIntranet"
        $s1 = "Our site : <b><a href=%s>H0lyGh0stWebsite"
        $s2 = ".h0lyenc"
        $go_prefix = "Go build ID:"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 7MB and filesize > 1MB and $go_prefix and all of ($s*) and (all of ($holylocker_*) or all of ($holyrs_*))
}
rule SiennaPurple
{
    meta:
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        description = "Detects PDB path, C2, and ransom note in DEV-0530 Ransomware SiennaPurple samples"
        hash = "99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd"
    strings:
        $s1 = "ForOP\\attack(utils)\\attack tools\\Backdoor\\powershell\\btlc_C\\Release\\btlc_C.pdb"
        $s2 = "matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion"
        $s3 = "[email protected]"
        $s4 = "We are <HolyGhost>. All your important files are stored and encrypted."
        $s5 = "aic^ef^bi^abc0"
        $s6 = "---------------------------3819074751749789153841466081"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 7MB and filesize > 1MB and all of ($s*)
}
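The following is an added example, not code from the Microsoft blog post or from MSTIC. It shows how a defender would operationalize the indicators above without a YARA engine at hand: it re-implements the structural part of the SiennaBlue condition (MZ stub, `e_lfanew` pointing at the `PE\0\0` signature, the 1 MB to 7 MB size window, the Go build ID marker and the two alternative Go symbol sets) over a byte buffer, and it matches proxy log lines against the fixed `order=` verbs of the `access.php` endpoints and the .onion address. The hash, IP, .onion and string values are copied from the page; the PE-shaped buffer and the log lines are constructed and are not real samples or telemetry. In production you would load the rules with `yara-python` rather than hand-translate them; the translation is here to make the rule's logic concrete.

```python
"""
Added example: apply the H0lyGh0st IoCs and the SiennaBlue structural checks
to constructed data. Not part of the original post; not MSTIC's code.
"""
import hashlib
import re
import struct

# Indicators copied from the page's IoC list.
SHA256_IOCS = {
    "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219",
    "99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd",
    "bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af",
    "f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c",
    "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86",
}
C2_IP = "193.56.29.123"
ONION = "matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion"

# The access.php endpoints in the IoC list carry a variable victim host name,
# so the pattern keys on the fixed "order" verbs that appear on the page.
C2_URL_RE = re.compile(
    r"https?://" + re.escape(C2_IP)
    + r"(?::8888)?/access\.php\?order=(GetPubkey|golc_finish|golc_key_add)\b"
)

def pe_header_ok(data: bytes) -> bool:
    """Equivalent of the YARA clause
    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550:
    an MZ stub whose e_lfanew field points at the "PE\\0\\0" signature."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550

# String sets from the SiennaBlue rule, as bytes.
SIENNA_BLUE_COMMON = [b"Our site : <b><a href=%s>H0lyGh0stWebsite", b".h0lyenc"]
SIENNA_BLUE_HOLYLOCKER = [
    b"C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go",
    b"HolyLocker/Main.EncryptionExtension",
    b"HolyLocker/Main.ContactEmail",
    b"HolyLocker/communication.(*Client).GetPubkeyFromServer",
    b"HolyLocker/communication.(*Client).AddNewKeyPairToIntranet",
]
SIENNA_BLUE_HOLYRS = [
    b"C:/Users/user/Downloads/development/src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go",
    b"HolyGhostProject/MainFunc.ContactEmail",
    b"HolyGhostProject/MainFunc.EncryptionExtension",
    b"HolyGhostProject/Network.(*Client).GetPubkeyFromServer",
    b"HolyGhostProject/Network.(*Client).AddNewKeyPairToIntranet",
]
MB = 1024 * 1024  # YARA's MB suffix means 2**20 bytes

def sienna_blue_match(data: bytes) -> bool:
    """Re-implements the SiennaBlue condition clause over a byte buffer."""
    if not pe_header_ok(data) or not (MB < len(data) < 7 * MB):
        return False
    if b"Go build ID:" not in data or not all(s in data for s in SIENNA_BLUE_COMMON):
        return False
    return (all(s in data for s in SIENNA_BLUE_HOLYLOCKER)
            or all(s in data for s in SIENNA_BLUE_HOLYRS))

def hash_is_ioc(data: bytes) -> bool:
    """True when the SHA-256 of `data` is one of the listed sample hashes."""
    return hashlib.sha256(data).hexdigest() in SHA256_IOCS

def scan_proxy_log(lines):
    """Return (line_no, indicator) pairs for lines touching the listed C2
    infrastructure: the access.php endpoints on 193.56.29.123 or the .onion site."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = C2_URL_RE.search(line)
        if m:
            hits.append((n, "c2:" + m.group(1)))
        elif ONION in line:
            hits.append((n, "onion"))
    return hits

def build_sample(strings, size=2 * MB) -> bytes:
    """Constructed PE-shaped buffer (not a real sample): MZ stub, e_lfanew=0x80,
    "PE\\0\\0" at 0x80, the Go build ID marker plus `strings` at 0x100, zero-padded."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    blob = b"\0".join([b"Go build ID:"] + list(strings))
    buf[0x100:0x100 + len(blob)] = blob
    return bytes(buf)

# Constructed proxy log lines (not real telemetry); host names are placeholders.
SAMPLE_LOG = [
    "2021-09-01T10:00:00Z host1 GET https://example.test/index.html 200",
    "2021-09-01T10:00:05Z host1 GET http://193.56.29.123:8888/access.php?order=GetPubkey&cmn=HOST1 200",
    "2021-09-01T10:01:00Z host1 GET http://193.56.29.123:8888/access.php?order=golc_key_add&cmn=HOST1&type=1 200",
    "2021-09-01T10:02:00Z host2 GET http://" + ONION + "/ 200",
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))
    print(sienna_blue_match(build_sample(SIENNA_BLUE_COMMON + SIENNA_BLUE_HOLYLOCKER)))
```

Note that the size window and the `all of ($holylocker_*) or all of ($holyrs_*)` alternation are part of the rule's precision, not decoration: a small stub that only carries the ransom-note strings, or a build missing the Go symbol set, deliberately does not match, which keeps the rule from firing on string lists such as this very page.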