North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign
Common Information
Type Value
UUID 22eac38e-aafa-4a7d-b82e-748e77e6c069
Fingerprint 6481486a6acb43be8db2161890903ce4b0b168cf713962a4075805f06575f667
Analysis status DONE
Considered CTI value 2
Text language
Published None
Added to db March 10, 2024, 12:47 a.m.
Last updated Aug. 30, 2024, 10:24 p.m.
Headline North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign
Title North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign
Detected Hints/Tags/Attributes 8/1/19
Attributes

Type       #Events  Value
Domain     546      www.recordedfuture.com
md5        2        da02193fc7f2a628770382d9b39fe8e0
md5        2        3d0d71fdedfd8945d78b64cdf0fb11ed
md5        2        63069c9bcc4f8e16412ea1a25f3edf14
md5        2        8152e241b3f1fdb85d21bfcf2aa8ab1d
md5        2        46d1d1f6e396a1908471e8a8d8b38417
md5        3        6b061267c7ddeb160368128a933d38be
md5        2        afa40517d264d1b03ac5c4d2fef8fc32
md5        2        c270eb96deaf27dd2598bc4e9afd99da
md5        2        d897b4b8e729a408f64911524e8647db
md5        2        e1cc2dcb40e729b2b61cf436d20d8ee5
md5        2        231fe349faa7342f33402c562f93a270
IPv4       2        110.173.188.53
IPv4       2        70.60.36.183
IPv4       2        72.10.122.70
IPv4       2        112.160.75.159
IPv4       2        125.142.192.81
IPv4       2        175.213.42.234
Yara rule  1        apt_NK_Lazarus_Fall2017_payload_minCondition (full rule text follows)
rule apt_NK_Lazarus_Fall2017_payload_minCondition {
	meta:
		desc = "Minimal condition set to detect payloads from Fall 2017 Lazarus Campaign against Cryptocurrency Exchanges and Friends of MOFA 11"
		author = "JAGS, Insikt Group, Recorded Future"
		version = "2.0"
		TLP = "Green"
		md5 = "46d1d1f6e396a1908471e8a8d8b38417"
		md5 = "6b061267c7ddeb160368128a933d38be"
		md5 = "afa40517d264d1b03ac5c4d2fef8fc32"
		md5 = "c270eb96deaf27dd2598bc4e9afd99da"
		md5 = "d897b4b8e729a408f64911524e8647db"
		md5 = "e1cc2dcb40e729b2b61cf436d20d8ee5"
	strings:
		// Two fixed opcode sequences (no wildcards) lifted from functions in the payload
		$sub1800115A0 = { 48 8D 54 24 60 48 8D 8D B0 05 00 00 41 FF 94 24 88 20 00 00 4C 8B E8 48 83 F8 FF 0F 84 EA 01 00 00 48 8D 8D C0 07 00 00 33 D2 41 B8 00 40 00 00 E8 }
		$sub18000A720 = { 33 C0 48 8B BC 24 98 02 00 00 48 8B 9C 24 90 02 00 00 48 8B 8D 60 01 00 00 48 33 CC E8 }
	condition:
		// "MZ" DOS header (little-endian 0x5A4D), under 5 MiB, and at least one of the two sequences
		uint16(0) == 0x5A4D and filesize < 5MB and any of them
}
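As an added example (not code from the Recorded Future report or the Insikt Group rule above), the rule's condition re-implemented in plain Python, paired with a lookup against the MD5 list on this page, for triage on a host without yara-python. The two byte sequences and the hashes are copied verbatim from the page; the function names, the sample inputs and the 5 MiB reading of YARA's "5MB" are this example's own assumptions, and the sample inputs are constructed, not real payloads.

```python
from __future__ import annotations

import hashlib
from typing import Optional

# MD5 hashes from the page's attribute table (the rule's meta section repeats six of them).
IOC_MD5 = {
    "da02193fc7f2a628770382d9b39fe8e0",
    "3d0d71fdedfd8945d78b64cdf0fb11ed",
    "63069c9bcc4f8e16412ea1a25f3edf14",
    "8152e241b3f1fdb85d21bfcf2aa8ab1d",
    "46d1d1f6e396a1908471e8a8d8b38417",
    "6b061267c7ddeb160368128a933d38be",
    "afa40517d264d1b03ac5c4d2fef8fc32",
    "c270eb96deaf27dd2598bc4e9afd99da",
    "d897b4b8e729a408f64911524e8647db",
    "e1cc2dcb40e729b2b61cf436d20d8ee5",
    "231fe349faa7342f33402c562f93a270",
}

# The two byte sequences from the rule's strings section, verbatim. Neither has
# wildcards or jumps, so a plain substring search is equivalent to YARA's match.
PATTERNS = {
    "$sub1800115A0": bytes.fromhex(
        "48 8D 54 24 60 48 8D 8D B0 05 00 00 41 FF 94 24 88 20 00 00 4C 8B E8"
        " 48 83 F8 FF 0F 84 EA 01 00 00 48 8D 8D C0 07 00 00 33 D2 41 B8 00"
        " 40 00 00 E8"
    ),
    "$sub18000A720": bytes.fromhex(
        "33 C0 48 8B BC 24 98 02 00 00 48 8B 9C 24 90 02 00 00 48 8B 8D 60 01"
        " 00 00 48 33 CC E8"
    ),
}

# Assumption: YARA's "5MB" is 5 * 2**20 bytes; the rule requires filesize < 5MB.
MAX_SIZE = 5 * 1024 * 1024


def matches_rule(data: bytes) -> list[str]:
    """Apply the rule's condition to a file image and return the names of the
    strings that fire (an empty list means no match).

    uint16(0) == 0x5A4D reads the first two bytes little-endian, i.e. the 'MZ'
    DOS header; filesize < 5MB caps the size; 'any of them' needs at least one
    of the two byte sequences.
    """
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return []
    if len(data) >= MAX_SIZE:
        return []
    return [name for name, pat in PATTERNS.items() if pat in data]


def md5_hit(data: bytes) -> Optional[str]:
    """Return the MD5 if it is one of the page's listed hashes, else None."""
    digest = hashlib.md5(data).hexdigest()
    return digest if digest in IOC_MD5 else None


def triage(data: bytes) -> dict:
    """Combine the exact-hash check and the rule logic into one verdict."""
    hits = matches_rule(data)
    known = md5_hit(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "known_ioc_md5": known is not None,
        "yara_hits": hits,
        "suspicious": known is not None or bool(hits),
    }


# Constructed inputs (not real samples): a fake MZ header, zero padding and one
# of the rule's byte sequences; then the same bytes behind an ELF magic so the
# header check rejects them.
SAMPLE_HIT = b"MZ" + b"\x00" * 62 + PATTERNS["$sub18000A720"] + b"\x90" * 16
SAMPLE_MISS = b"\x7fELF" + PATTERNS["$sub18000A720"]

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, triage(fh.read()))
    else:
        print("constructed hit :", triage(SAMPLE_HIT))
        print("constructed miss:", triage(SAMPLE_MISS))
```

Run it with file paths to triage real samples, or with no arguments to see the constructed cases. The MD5 check is exact-match only and the byte sequences are fixed opcode runs, so a recompiled or repacked payload evades both; where yara is installed, run the rule as published rather than this re-implementation, and treat the 2017 IP addresses as historical context, not as current blocklist entries.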