OSINT Reporting Regarding DPRK and TA505 Overlap
Yesterday, at SAS2019, BAE Systems presented findings related to DPRK SWIFT heist activity that took place in 2018. As part of this research (a leaked video of the presentation is available online), BAE included two key points not previously disclosed in the public domain:
– The existence of a PowerShell backdoor attributable to DPRK, which the researchers dubbed PowerBrace
– A possible overlap between TA505 intrusions and DPRK intrusions, suggesting a possible hand-off between the two groups.
This blog will leave a full analysis of those two points and the supporting context to the people who found them, as it is theirs to share; however, data that may support such conclusions have been available in open source for quite some time.
In early January, VNCert issued an alert regarding attacks targeting financial institutions, containing a mix of DPRK IOCs (including a keylogger referred to as PSLogger previously analyzed by this blog), TA505 IOCs (previously published …
IoC