lazarusholic

Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW

2023-03-09, Mandiant
https://www.mandiant.com/resources/blog/lightshift-and-lightshow
#YARA #BYOVD #UNC2970 #LIGHTSHIFT #LIGHTSHOW

In part one on North Korea's UNC2970, we covered the tactics, techniques and procedures (TTPs) and the tooling UNC2970 used over the course of multiple intrusions. In this installment, we focus on how UNC2970 used Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.

During our investigation, Mandiant consultants identified that most of the originally compromised hosts targeted by UNC2970 contained the file %temp%\<random>_SB_SMBUS_SDK.dll together with suspicious drivers, all created on disk at around the same time.

When Mandiant initially identified these files, we were unable to determine how they were dropped or what exactly they were used for. It wasn't until later in the investigation, during analysis of a forensic image, that the pieces started falling into place. A consultant noticed multiple keyword references to the file C:\ProgramData\USOShared\Share.DAT (MD5: def6f91614cb47888f03658b28a1bda6). On initial inspection of the forensic image, this file was no longer on disk. However, …
