RT @mstoned7: The suspected Kimsuky sent phishing emails from the Seoul Metropolitan Government's citizen account (@citizen.seoul.kr). htt…

@ShadowChasing1 For now, unfortunately not. Will let you know if I do though

Hey Shadow Chasers! Just my two cents on Lazarus. Unfortunately, the term "Lazarus" has become such a buzzword for any DPRK-related activity that I restrain myself from using it. But this is just my opinion based on my experience and the vendor I work with. Regarding the file, I haven't analyzed it in depth but looking at the code of the initial .lnk file and the C2 communication it looks to be CABBEACON, which leads me to say its probably Konni.

I wrote some more stuff regarding the above, but missed the time to edit the post with some more information so I am writing this again😅 After analyzing this a bit more I managed to find some more evidence that could be used for attribution to DPRK especially APT43, but I do not have 100% confidence in that assumption. One point would be the Whois Lookup data on installerfofo[.]kro[.]kr that shows the following email address: "cfa4a551515dc742s@gmail.com. This email address has been talked about by @Huntio and @Unit42 One reason I do not have 100% confidence in the attribution to DPRK is that the files on the open-dir at http://183.105.107[.]132 seem to be related to DarkCometRAT and using non-actor-specific malware for attribution can be risky when there is no relation to actor-run infra. (Haven't checked all of the samples communication, though) My other hypothesis might be that this is related to some SK crime gang but I do not have any data to support this. I thought about deleting the entire tweet completely but I think it is important to admit when you might be wrong, and we should also show the losses, and not only the wins of a CTI investigation. Leasons learned: - Admit when you might be wrong - Exhaust every hypothesis - Attribution is hard. For some curious minds, the hashes from the open-dir adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43 bound.exe f61460da72d458c5d509ef5d410bc4c2fd9ec68385cf50be3e72adac979733fe iexplore.exe 807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e installer3.exe 28c0c1e9dcfd9383d4f964fa3cfcf8fada3d76edb64b544c965d38bb5e38d15e installerwsbb.cmd 22d71939ba6e7ed1949625c1ba4e8a40b1bf96c222445a94fd2a94bcb26cffb8 Microsoft.exe

@seunghoonhan 오, 맞는 것 같습니다! 감사합니다! 큰 도움이 됐습니다!

@smica83 @abuse_ch @JAMESWT_MHT @byrne_emmy12099 Nice catch, thank you! Seems to be related to what I posted a few hours earlier.

#CTI Some #DPRK #Kimsuky dropbox stuff fe84a4a119917f15418659ed30699d873b6445aa053d9303287b085e35bf1002 (system_first.ps1) 8e51819e39e4fc73d71b31e49b6775e47ee3b11af1fd9eb48a1e7d49dad62bc0 (payload_1.ps1) hxxps://dl.dropboxusercontent[.]com/scl/fi/3br2y8fin0jqgrunrq3mf/cjfansgmlans1-f.txt?rlkey=rxnknu51ncb5xgnj2lyxu0xyu&st=ohfmyo4p&dl=0 hxxps://dl.dropboxusercontent[.]com/scl/fi/nanwt6elsuxziz05hnlt4/cjfansgmlans1-x.txt?rlkey=l6gzro1rswkqbk6tinxnkuylv&st=iv78c1cg&dl=0 https://dl.dropboxusercontent[.]com/scl/fi/slx06ol4jmjqn16icggin/.pptx?rlkey=lky2lit5lpthkcscfnz3f91oa&st=gwpkys9h&dl=0 (downloads -> 지게차 중량물 윙바디 작업계획서.pptx)

RT @eastside_nci: 🇰🇵 New TEMP.Hermit/#Lazarus IOCs and tradecraft to look at for everyone. IPs: 45[.]59[.]163[.]…

RT @JAMESWT_MHT: Fake job interviews are a growing attack vector ❇️"InvisibleFerret Malware: Technical Analysis"❇️ ⛔️a malware from North…

RT @ESETresearch: #ESETresearch discovered and named 🇨🇳 China-aligned #APT group #PlushDaemon. It carried out a supply-chain compromise of…

@banthisguy9349 @bofheaded @dimitribest @500mk500 @cyberwar_15 @Cyber0verload @Gi7w0rm @StrikeReadyLabs @TuringAlex @RakeshKrish12 @k3yp0d @Jane_0sint @RexorVc0 @byrne_emmy12099 @suyog41 @lontze7 @knight0x07 @RacWatchin8872 @BlinkzSec @abuse_ch @_operations6_ @unpacker

RT @fs0c131y: On Friday, December 20, 2024, the U.S. DOJ charged Rostislav Panev, a dual Russian-Israeli national, as a LockBit ransomware…

RT @hypen1117: My first #Lazarus report at #Kaspersky is out ! The newly discovered #CookiePlus is a plugin-based malware that has the abil…