Skip to content

Latest commit

 

History

History
519 lines (417 loc) · 57.1 KB

lazarus-evolution.md

File metadata and controls

519 lines (417 loc) · 57.1 KB

The Sprawling Shitshow of Ever-Evolving DPRK Threat Groups (and their names)

Mandiant:

Unit42:

  • Threat Assessment: North Korean Threat Groups
  • These groups have been reportedly active as early as 2007 [PDF]. Activity under the RGB can be categorized into at least six threat groups:
  • Alluring Pisces (aka APT38 [PDF], Bluenoroff, Sapphire Sleet): This group has targeted financial institutions, cryptocurrency businesses and ATMs. It has also conducted significant cyber heists.
  • Gleaming Pisces (aka Citrine Sleet): This group performed attacks targeting the cryptocurrency industry and is known for its association with the AppleJeus campaign.
  • Jumpy Pisces (aka Andariel, Hidden Cobra, Onyx Sleet): This group has primarily conducted cyberespionage, but it has also conducted ransomware activity.
  • Selective Pisces (aka Diamond Sleet, TEMP.Hermit [PDF], ZINC): This group has targeted media, defense and IT organizations. It focuses on espionage, financial gain and network destruction.
  • Slow Pisces (aka Jade Sleet, UNC4899): This group has targeted blockchain and cryptocurrency companies. It was also involved in a supply chain attack targeting a U.S.-based software platform and is known for distributing a series of malicious applications called TraderTraitor.
  • Sparkling Pisces (aka APT43 [PDF], Emerald Sleet, Kimsuky, THALLIUM): This group conducts intelligence collection and has used cybercrime to fund espionage.

🔑 SquidSquad / Sapphire Sleet / DangerousPassword

🔑 SquidSquad - Fake VC Shit

🔐 DangerousPassword / Job Shit

👛 TraderTraitor / Jade Sleet

🍎 Applejeus / Citrine Sleet

💼 DPRK IT Workers

🎙️ Contagious Interview

Chain From Label From Address To Label To Address Txn Hash
ETH GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 SENDS TO Murall, CloudAI, Wilder World Hacker 0xee2e4fbe10a437e1b1561687d4e5133dd397ab96 0x5050716351458db5b1a90d820a345ff8f0654e044ce7c18d8f975f5c8e6ff187
ETH GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 SENDS TO Murall, CloudAI, Wilder World Hacker 0xee2e4fbe10a437e1b1561687d4e5133dd397ab96 0xbaac7fb8a0095c68d3a5627c1c0df8ba3cec54744465d8216527cbf625f82b4d
ETH GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 SENDS TO Murall Hacker 2 0xfa715532c453163bdc8611c15d196b2527e689b2 0xb61fe770807a5345c2d609004927afdae8869799dd27c305be4a3103976abf9d
ETH GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 SENDS TO Murall Hacker 1 0x01720163e9385e832ffe3387ba7098be4df303e0 0x482cd1e25b03a5946bd1f9f5a4752726b288212d72b8a703b35bfa7c6a3c8252
ETH GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 SENDS TO Serenity Shield Hacker 0x93a8b27c8dc2089bb071c22491a715dcb381f554 0x01fd8832829f605048991bfc332e62bcb4d1f1ffaeb52c86082b0c362a823fc6
BSC GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 SENDS TO OKX DEX Hacker 0xfd681a9aa555391ef772c53144db8404aec76030 0xe200c4b52f9e3f9eff1456379a13bcb34cfc484af713e112f62e9dc2f417fd6d
ETH Murall Hacker 4 0x5e440f184aace9e6e85a182c9bb0e134f0a18fb9 SENDS TO GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 0x4d49639166a05bb28f876016afa721931cb449a2c5d11a269fa37a9ff1c0c31d
ETH OKX Dex Hacker 3 0x0519eFACB73A1f10b8198871E58D68864e78B8A5 SENDS TO GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 0x4b3282cacea399e4fb7dda332d5f8e6116c944dc81862e0bbc8bd4048bfaeb43
ETH OKX Dex Hacker 1 0xFacf375Af906f55453537ca31fFA99053A010239 SENDS TO GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 0x1189e018ba672b46f21f992520a984d72bf215616d59a6d5d34bc24a42593018
AVAX OKX Team Member (Compromised) 0xc82ea2afe1fd1d61c4a12f5ceb3d7000f564f5c6 SENDS TO GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 0xa7e3fa2707ab632ba61e9cbd998e33614ce23a46da7921785c473fdedd72a20e
ETH OKX Team Member (Compromised) 0xc82ea2afe1fd1d61c4a12f5ceb3d7000f564f5c6 SENDS TO GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 0x303213f79454700cac5b6aece0f3b72dc4a30028739d3412beaa0206b0025ee5
AVAX UnoReDAO Hacker 1 0x86d49a933d1f6aa1218dfa91250733d9818e36fa SENDS TO GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 0x7e4a30d9aa9591980156b0029d5e279b7292654cca8841e9b20cd6206b763508
BSC OKX Dex Hacker 0xb2a722870178e92ba681236c77609214265d25d1 SENDS TO Serenity Shield Hacker 0x93a8b27c8dc2089bb071c22491a715dcb381f554 0xe2c3fee5d623e0e932bf22752c8d70b18910574a6e6536b869df48f7276b83bd
ETH OKX Dex Hacker 2 0x1f14e38666cdd8e8975f9acc09e24e9a28fbc42d SENDS TO OKX DEX Hacker 0xfd681a9aa555391ef772c53144db8404aec76030 0xacd1ba5bf5df47f713546a35afb94221d28665661e8be8598641eb05f68428f6
ETH ARB OKX Dex Hacker 2 0x1f14e38666cdd8e8975f9acc09e24e9a28fbc42d ETH vs ARB ConcentricFi Hacker 0x1f14e38666cdd8e8975f9acc09e24e9a28fbc42d is same address silly
BSC OKX Dex Hacker 0x0d1712a7d4eaf64c134701acd672f4904784033b SENDS TO ConcentricFi Hacker 0x232b1f770e7637f2656ce08ed42ec6fb4c84590e 0xadb78d8923743d180d1a94951b006d80a7c22f362952cf956561c2a33d29b1bd
ETH Serenity Shield Hacker 0x93a8b27c8dc2089bb071c22491a715dcb381f554 SENDS TO Murall Hacker 0x01720163e9385e832ffe3387ba7098be4df303e0 0x0520195f57c3a5fe886aa95778dafe684854b78c252d20f29cbe0c9c4c4bbddd
ETH Murall, CloudAI, Wilder World Hacker 0xee2e4fbe10a437e1b1561687d4e5133dd397ab96 SENDS TO Serenity Shield Hacker 0x93a8b27c8dc2089bb071c22491a715dcb381f554 0x75202ac6ac2a403122feb07ed147947d5d74c6f9a03e70682bfc05ad53217631
ETH Murall Hacker 4 0x5e440f184aace9e6e85a182c9bb0e134f0a18fb9 SENDS TO CloudAI Hacker 0x3c685ad9e63872259b2c3563378a1d92defad517 0xb1b02f0a713d60ed752edbca6ba23c58c63d3b2e7f785f4465bcfb700614344e
ETH GNUS Hacker 0x1db4d664d818d4c710d0aeb2d7d6b3ad885a8f19 SENDS TO Upwork Crypto Developer Job Scam 0x89dc4eabade33dcf6b0a1166348802dc24ee16f7 0xd8c5b55bd0280929368f2949520c162b233f3dad27032240cad65dda1d05ac95
BSC Spoock Theft / Waygate 0x55066e19abdb8cb38f6a98a96186c0b657ce3295 SENDS TO UnoReDAO 0x86d49a933d1f6aa1218dfa91250733d9818e36fa 0x5098ca1dcf9232058dd2e2a394000a57e460870d1efcbc6aaf5dfcac3f2c4627
ETH UnoReDAO Hacker 2 0x9ada20b835aa178813a8c174f1f93b1dc1bfa775 SENDS TO OKX DEX Exploiter 0xfacf375af906f55453537ca31ffa99053a010239 0x372fdb551de2ec82337bf696b05690dc5919fde084e81e710637791475ed34c9
ETH Spoock Theft / Waygate 0x55066e19abdb8cb38f6a98a96186c0b657ce3295 SENDS TO UnoReDAO 0x2618eb69b40e6db8ca732ddb2df5416a4d36e7ae 0x36cb3a9832284a098d711702960f7592a949fefc15ba0a017a927debb81a15d9
FTM BSC UnoReDAO Hacker 1 0x86d49a933d1f6aa1218dfa91250733d9818e36fa BRIDGES TO CloudAI Hacker 0x3c685ad9e63872259b2c3563378a1d92defad517 0x397a14ca24aa1964a6227ca23452ae36500d2a1a56725f5e1dad38ad927ab0e6

👛 / ⁉️

🎙️ / 💼 / ⁉️

Andariel / APT45 / Onyx Sleet / UNC614 / Jumpy Pisces

TEMP.Hermit / Diamond Sleet / UNC2970

UNC3782 - NFT Phishing

Operation Dream Job

APT37

PyPi, NPM, Targetting Security Researchers

APT38 / TA444 / Bluenoroff

APT43 / Emerald Sleet / Kimsuky

Hybrid Operations & UNC2226

  • Mandiant has observed operations that include tactics and tools from multiple groups, which suggests that in certain cases, operations may be undertaken by multiple groups that fluidly perform ad hoc tasks in support of another group, or due to temporary tasking. This is consistent with public reporting that identified a group that aligns with an alleged RGB Bureau, designated ‘325’, which was publicly announced in January 2021, when the structure of the RGB likely shifted in response to the COVID-19 pandemic.
  • Mandiant assesses that UNC2226 is one of the collections of activity supporting the aforementioned mission. UNC2226, like other seemingly ad hoc created efforts, appears to have changed or even expanded targeting to fulfill intelligence gathering efforts. Other clusters, such as UNC3782, have a similar composition and are focused on cryptocurrency theft among other seemingly ad hoc tasks.
  • The operations initially appeared to focus almost exclusively on intelligence gathering operations against COVID-19 research and vaccine development/manufacturing organizations. Over time, Mandiant perceived these operations shift from strictly COVID-19 efforts to the targeting of defectors, defense and governments, bloggers, media, cryptocurrency services, and financial institutions.

RokRAT

More RATs

Kaspersky

Rustbucket

  • MacOS Malware
  • Malware type: Backdoor
  • Group: SquidSquad / Sapphire Sleet
  • First seen: 2023
  • RustBucket is macOS malware first reported in 2023. Since then, multiple variants of the malware have been observed in the wild. Most RustBucket infections are composed of three stages.
  • The first stage usually is an AppleScript file contained inside an application or inside a ZIP archive masquerading as a legitimate file. This AppleScript file is responsible for retrieving the second stage downloader.
  • The second stage downloader masquerades as a PDF viewer application. Some variants of this second stage downloader are written in Swift, while others are written in Objective-C.
  • The third stage is the final payload retrieved by the second stage downloader. Figure 2 shows an alert from Cortex XDR that blocks a RustBucket sample from downloading the next stage of malware.
  • The third stage payloads are Mach-O binaries written in Rust, hence the name RustBucket. Later variants of stage three employ persistence via a LaunchAgent, a feature that did not exist in older variants.
  • Stage three has two main commands: Download and execute a file and self-terminate the malware
  • https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/
  • Apr 2023 | BlueNoroff APT group targets macOS with ‘RustBucket’ Malware

Kandykorn

  • macOS
  • Malware type: Backdoor
  • Group: SquidSquad / Sapphire Sleet
  • First seen: 2023
  • First discovered in 2023, KANDYKORN is the payload of a five-stage infection chain targeting macOS systems. Known infections of KANDYKORN start with social engineering, tricking the victim into downloading a malicious ZIP archive containing a malicious Python script. If the victim executes the Python file, it downloads stage two of the infection, which is a second Python script that is saved into a folder named _log.
  • The second stage of the infection involves two additional Python scripts. The first Python script saved to the _log directory downloads another script saved to the /Users/Shared/ directory, which in turn downloads a stage three file, saving it as /Users/shared/.sld.
  • Stage three of the infection is a downloader and loader dubbed SUGARLOADER. For persistence, SUGARLOADER saves itself as /Users/shared/.log.
  • Upon execution, SUGARLOADER checks for the existence of a configuration file at /Library/Caches/com.apple.safari.ck. If that configuration file is missing, SUGARLOADER downloads it using a default IP address provided in the command line.
  • The configuration file at /Library/Caches/com.apple.safari.ck contains the location to download the next stage from. In Figure 3, we see part of a Cortex XDR alert that reveals the installation of this configuration file.

SmoothOperator

  • macOs
  • Malware type: Backdoor
  • Group: Undetermined, under RGB
  • First seen: 2023
  • In the beginning of 2023, multiple vendors discovered Trojanized macOS installers for the legitimate 3CX client application known as 3CXDesktopApp. These Trojanized installers contained multi-staged malware called SmoothOperator.
  • SmoothOperator can execute payloads and extract data related to 3CX from infected hosts. It is written in Objective-C and targets 64-bit Intel-based macOS users.
  • The Trojanized component of SmoothOperator inside the 3CXDesktopApp application is a module called libffmpeg.dylib, which is a legitimate dependency that appears to have been altered or tampered with by the threat actors. The main purpose of this tampered libffmpeg.dylib file is to collect the infected device’s environment information and to deliver additional payloads.
  • When downloading an additional payload, the module writes the payload into a file named UpdateAgent and executes it. Below, Figure 7 shows disassembled code from a tampered libffmpeg.dylib file related to saving the follow-up payload as UpdateAgent.
  • UpdateAgent collects the victim's 3CX account information, then it removes itself. The relatively limited capabilities of UpdateAgent likely prevent it from deploying a wide variety of payloads, and we have only noted SmoothOperator as the final payload from this infection chain. Figure 8 shows a Cortex XDR alert detecting a 3CX desktop app for SmoothOperator.

ObjCShellz

  • Malware type: Backdoor
  • Group: SquidSquad / Sapphire Sleet
  • First seen: 2023
  • OS type: macOS
  • ObjCShellz is a relatively simple backdoor Jamf Threat Labs discovered and named in November 2023. It serves as a remote shell and allows an attacker to execute arbitrary commands. Attackers reportedly deliver ObjCShellz as a second stage payload to an already compromised system.
  • Like other macOS malware, ObjCShellz is written in Objective-C. Jamf Threat Labs reported attackers using it as a part of the RustBucket campaign. Figure 9 below shows a Cortex XDR alert detecting a sample of ObjCShellz.
  • Nov 2023 | jamf: BlueNoroff strikes again with new macOS malware