TTP Tuesday: APT38 - DarkSeoul
Downloaders, packers, and wipers - oh my!
Theme Overview
Our last release looked at APT40 harvesting credentials and exfiltrating potentially interesting documents.
For this week’s TTP Tuesday we are releasing a new APT38-themed chain based on the Castov malware that DarkSeoul (APT38) used against South Korean financial-sector and government targets.
Trojan.Castov
Castov was used extensively by DarkSeoul as a downloader for second stage malware. The initial infection vector, in the case of the 2013 DDoS against the South Korean government, was a trojanized file downloaded from a compromised server.
When executed, Castov downloads and unpacks a second-stage Castov payload hidden in a JPG file. Once unpacked, the second-stage malware downloads a second packed JPG over the TOR network that contains the final payload: DDoS malware.
In this week’s chain, we’re simulating the downloader and compression packer functionality seen in Castov.
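The "payload hidden in a JPG" step above leaves a detectable trace: the packed second stage sits after the image's EOI marker, where a viewer never looks. The following added detection example (not code from the post or from the CastOff tool) walks the JPEG segment structure, so an EXIF thumbnail's own EOI does not fool it, and classifies whatever trails the real EOI; the sample JPEG and zlib-packed trailer are constructed inline for illustration.

```python
import zlib

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def jpeg_image_end(data: bytes) -> int:
    """Offset just past the real EOI marker, found by walking segments."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: image really ends here
            return pos + 2
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip segment (APPn, SOS header, ...)
        if marker == 0xDA:                       # SOS: skip entropy-coded data until a real marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("no EOI marker found (truncated JPEG)")

def inspect_trailer(data: bytes) -> tuple[str, int]:
    """Classify bytes appended after the image; ('clean', 0) if there are none."""
    trailer = data[jpeg_image_end(data):]
    if not trailer:
        return ("clean", 0)
    if trailer.startswith(b"MZ"):
        return ("pe-executable", len(trailer))
    if trailer[:1] == b"\x78" and trailer[1:2] in (b"\x01", b"\x5e", b"\x9c", b"\xda"):
        try:                                     # zlib header: unpack and look inside
            inner = zlib.decompress(trailer)
            return ("zlib-packed-pe" if inner.startswith(b"MZ") else "zlib-stream", len(trailer))
        except zlib.error:
            return ("zlib-like", len(trailer))
    return ("unknown", len(trailer))

def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed, structurally valid JPEG: APP1 with a fake thumbnail (own EOI), APP0, one scan."""
    app1 = b"\xff\xe1\x00\x0cExif\x00\x00" + SOI + EOI
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"      # stuffed FF00 and an RST marker inside the scan
    return SOI + app1 + app0 + sos + scan + EOI + trailer
```

Run `inspect_trailer` over every JPEG fetched by a suspicious process; a non-clean verdict is the cue to pull the file for analysis.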
Introducing CastOff packer
CastOff is a simple tool …