North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign
Common Information
Type | Value |
---|---|
UUID | 0eb2b4b0-fc7e-4b8d-a7e5-037938ed8fdf |
Fingerprint | 9f13283a57d0a3a883ca9764a36a89bf66fea7dc73d011f1ed1ad9f9650870c3 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Jan. 18, 2018, 3:21 p.m. |
Added to db | March 10, 2024, 12:47 a.m. |
Last updated | Aug. 30, 2024, 10:25 p.m. |
Headline | North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign |
Title | North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign |
Detected Hints/Tags/Attributes | 64/3/23 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://go.recordedfuture.com/hubfs/reports/cta-2018-0116.pdf |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 22 | cve-2017-8291 | |
Details | CVE | 11 | cve-2015-6585 | |
Details | Domain | 546 | www.recordedfuture.com | |
Details | Domain | 1 | coinlink.co.kr | |
Details | Domain | 1 | pwncode.club | |
Details | Yara rule | 1 | rule apt_NK_Lazarus_SKOlympics_EPS | |

```yara
rule apt_NK_Lazarus_SKOlympics_EPS
{
    meta:
        author = "JAG-S, Insikt Group, RF"
        desc = "CN terms in PostScript loader"
        TLP = "Green"
        version = "1.0"
        md5 = "231fe349faa7342f33402c562f93a270"
    strings:
        $eps_strings1 = "/yinzi { token pop exch pop } bind def" ascii wide
        $eps_strings2 = "/yaoshi <A3E6E7BB> def" ascii wide
        $eps_strings8 = /\/yaoshi <[A-F0-9]{8}> def/ ascii wide
        $eps_strings3 = "/yima{" ascii wide
        $eps_strings4 = "/funcA exch def" ascii wide
        $eps_strings5 = "0 1 funcA length 1 sub {" ascii wide
        $eps_strings6 = "/funcB exch def" ascii wide
        $eps_strings7 = "funcA funcB 2 copy get yaoshi funcB 4 mod get xor put" ascii wide
    condition:
        6 of them
}
```