Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms
◈ Key Findings
- A spear phishing campaign disguised as advertising URLs was used to bypass security filtering mechanisms and user awareness
- Poorly secured WordPress websites were abused as malware distribution points and C2 infrastructure
- “Poseidon” was identified as an internally named and operated attack operation unit attributed to the Konni APT
- The EndRAT malware was loaded through the execution of an AutoIt script masquerading as a PDF file
- EDR responses providing behavior-based endpoint detection are essential
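One way a mail gateway or URL-rewriting proxy can make the advertising-URL lure filterable, as an added example that is not part of the Genians report: unwrap ad-click redirector links offline and judge the embedded destination rather than the visible ad-network host. The redirector table, the trusted-domain set and the sample links are assumptions constructed for illustration; only the `ds_dest_url` parameter name comes from the report's IoC list.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical table: redirector host -> query parameters that may carry the
# real destination. The doubleclick entry mirrors the ds_dest_url parameter
# seen in the report's IoC list; the naver entry is a constructed guess.
REDIRECTORS = {
    "ad.doubleclick.net": ("ds_dest_url",),
    "mkt.naver.com": ("target",),
}


def unwrap_ad_redirect(url: str, max_hops: int = 5) -> list[str]:
    """Return the redirect chain (outermost URL first) without any network
    request: each hop is read from the redirector's query parameter.
    parse_qs already percent-decodes the value, so nested redirectors that
    were encoded one layer per hop unwrap one layer per iteration."""
    chain = [url]
    for _ in range(max_hops):
        parsed = urlparse(chain[-1])
        params = REDIRECTORS.get(parsed.hostname or "")
        if not params:
            break  # reached a host that is not a known redirector
        qs = parse_qs(parsed.query)
        nxt = next((qs[p][0] for p in params if p in qs), None)
        if nxt is None:
            break  # redirector link without an embedded destination
        if not urlparse(nxt).scheme:
            nxt = "http://" + nxt  # scheme-less destination, e.g. "host/path"
        chain.append(nxt)
    return chain


def final_destination(url: str) -> str:
    """Host the user would actually land on after the redirector(s)."""
    return urlparse(unwrap_ad_redirect(url)[-1]).hostname or ""


def is_suspicious(url: str, trusted: set[str]) -> bool:
    """Flag a redirector link whose embedded destination is not a host the
    organisation expects to see behind that ad network. Plain links and
    redirector links with no embedded destination are left to other checks."""
    chain = unwrap_ad_redirect(url)
    if len(chain) == 1:
        return False
    return final_destination(url) not in trusted
```

Because the chain is resolved from the URL text alone, the check runs before delivery and never touches attacker infrastructure.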
1. Overview
Genians Security Center conducted an in-depth analysis of Operation Poseidon, an attack campaign attributed to the Konni APT.
As a result, the threat actor was found to repeatedly employ social engineering tactics, impersonating North Korean human rights organizations and financial institutions in South Korea, while continuously conducting highly sophisticated attacks against specific targets.
[Figure 1-1] Operation Poseidon Timeline
Google announced its plan to acquire DoubleClick, an internet advertising technology company, in 2007 and completed …
IoC