Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 | Mandiant
Common Information
Type Value
UUID 35b0092f-d88c-4770-b722-825f63a4029f
Fingerprint 3850983345ae1784
Analysis status DONE
Considered CTI value 2
Text language
Published March 9, 2023, midnight
Added to db Nov. 6, 2023, 6:52 p.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970
Title Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 | Mandiant
Detected Hints/Tags/Attributes 137/4/86
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 330 Threat Intelligence https://www.mandiant.com/resources/blog/rss.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 2
microsoft.management.services
Details Domain 1
webinternal.anyplex.com
Details Domain 1
www.fainstec.com
Details Domain 1
ajayjangid.in
Details Domain 1
sede.lamarinadevalencia.com
Details Domain 3
leadsblue.com
Details Domain 1
toptradenews.com
Details Domain 1
mantis.quick.net.pl
Details Domain 1
www.keewoom.co.kr
Details Domain 1
abba-servicios.mx
Details Domain 1
www.ruscheltelefonia.com.br
Details Domain 4
olidhealth.com
Details Domain 1
doug.org
Details Domain 1
crickethighlights.today
Details File 1
destextapi.dll
Details File 1
manextapi.dll
Details File 1
pathextapi.dll
Details File 1
preextapi.dll
Details File 8
wbemcomn.dll
Details File 68
mscoree.dll
Details File 2
netplwix.dll
Details File 3
printfilterpipelinesvc.exe
Details File 1
c:\windows\branding\netplwiz.exe
Details File 7
p.dat
Details File 1
normal.doc
Details File 1
c:\programdata\mscoree.dll
Details File 1
c:\windows\system32\presentationhost.exe
Details File 14
presentationhost.exe
Details File 1
query_image.jsp
Details File 4
jquery.php
Details File 1
contentlayout.jsp
Details File 1206
index.php
Details File 3
themes.php
Details File 2
prod.php
Details File 94
config.php
Details File 4
compat.php
Details File 86
admin.php
Details File 17
contact.php
Details md5 1
e97b13b7e91edeceeac876c3869cc4eb
Details md5 1
a9e30c16df400c3f24fc4e9d76db78ef
Details md5 1
f910ffb063abe31e87982bad68fd0d87
Details md5 1
30358639af2ecc217bbc26008c5640a7
Details md5 1
41dcd8db4371574453561251701107bc
Details md5 1
866f9f205fa1d47af27173b5eb464363
Details md5 1
8c597659ede15d97914cb27512a55fc7
Details md5 1
a2109276dc704dedf481a4f6c8914c6e
Details md5 1
3bf748baecfc24def6c0393bc2354771
Details md5 1
91b6d6efa5840d6c1f10a72c66e925ce
Details md5 1
300103aff7ab676a41e47ec3d615ba3f
Details md5 1
49425d6dedb5f88bddc053cc8fd5f0f4
Details md5 1
abd91676a814f4b50ec357ca1584567e
Details md5 1
05b6f459be513bf6120e9b2b85f6c844
Details Mandiant Security Validation Actions 1
A105-491
Details Mandiant Security Validation Actions 1
A105-492
Details Mandiant Security Validation Actions 1
A105-493
Details Mandiant Security Validation Actions 1
A105-494
Details Mandiant Security Validation Actions 1
A105-507
Details Mandiant Security Validation Actions 1
A105-508
Details Mandiant Security Validation Actions 1
A105-514
Details Mandiant Temporary Group Assumption 44
TEMP.HERMIT
Details Mandiant Uncategorized Groups 44
UNC2970
Details Mandiant Uncategorized Groups 9
UNC577
Details Mandiant Uncategorized Groups 16
UNC4034
Details Url 1
http://webinternal.anyplex.com/images/query_image.jsp
Details Url 1
http://www.fainstec.com/assets/js/jquery/jquery.php
Details Url 1
https://ajayjangid.in/js/jquery/jquery.php
Details Url 1
https://sede.lamarinadevalencia.com/tablonedictal/layout/contentlayout.jsp
Details Url 1
https://leadsblue.com/wp-content/wp-utility/index.php
Details Url 1
https://toptradenews.com/wp-content/themes/themes.php
Details Url 1
http://mantis.quick.net.pl/library/securimage/index.php
Details Url 1
http://www.keewoom.co.kr/prod_img/201409/prod.php
Details Url 1
http://abba-servicios.mx/wordpress/wp-content/themes/config.php
Details Url 1
http://www.ruscheltelefonia.com.br/public/php/index.php
Details Url 1
https://olidhealth.com/wp-includes/php-compat/compat.php
Details Url 1
https://doug.org/wp-includes/admin.php
Details Url 1
https://crickethighlights.today/wp-content/plugins/contact.php
Details Windows Registry Key 25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
Details Yara rule 1
// PLANKWALK hunting rule: looks for one hex-encoded format string inside a
// well-formed PE image. The bytes of $hex decode (ASCII) to
//   "code" [1-6 bytes] "=%d&" [1-6 bytes] "user" [1-6 bytes] "=%s&" [1-6 bytes] "toke"
// i.e. a URL-query-style template; the gaps are short wildcard jumps and the
// trailing "toke" is presumably a deliberate prefix match on "token" (not asserted here).
rule M_Hunt_APT_PLANKWALK_Code_String {
	meta:
		author = "Mandiant"
		description = "Detects a format string containing code and token found in PLANKWALK"
	strings:
		// Fragments as ASCII bytes; [1-6] = jump of 1..6 arbitrary bytes between them.
		$hex = { 63 6F 64 65 [1-6] 3D 25 64 26 [1-6] 75 73 65 72 [1-6] 3D 25 73 26 [1-6] 74 6F 6B 65 }
	condition:
		// uint16(0) == 0x5A4D is the "MZ" DOS magic; uint32 at e_lfanew (offset 0x3C)
		// == 0x00004550 is the "PE\0\0" signature. Together they restrict the string
		// match to PE files. No filesize bound is applied.
		(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and $hex
}
Details Yara rule 1
// LIDSHIFT: "MZ" magic plus a generic format string and one wildcarded code
// sequence; both strings are required. Only the DOS magic is checked here (no
// PE signature check as in the TOUCH*/PLANKWALK rules), and $anchor1 on its
// own is common in benign binaries, so $encloop carries the specificity.
rule M_APT_Loader_Win_LIDSHIFT_1 {
	meta:
		author = "Mandiant"
		description = "Detects LIDSHIFT implant"
	strings:
		// Three colon-separated %s fields; weak on its own.
		$anchor1 = "%s:%s:%s"
		// Wildcarded code fragment. cmp ?,0x3F / jb, a mov eax,0x041041?? magic
		// constant, imul by 0x3F (63) and a subtract read like a reduction modulo 63
		// (a 63-symbol custom alphabet encoder?) — consistent with the string's name,
		// but confirm in disassembly before relying on that interpretation.
		$encloop = { 83 ?? 3F 72 ?? EB ?? 8D ?? ?? B8 ?? 41 10 04 F7 ?? 8B ?? 2B ?? D1 ?? 03 ?? C1 ?? 05 6B ?? 3F 2B ?? 42 0F ?? ?? ?? 41 ?? ?? }
	condition:
		// "MZ" magic only; no PE signature or filesize bound.
		uint16(0) == 0x5a4d and all of them
}
Details Yara rule 1
// LIDSHOT: "MZ" magic plus three wildcarded x86-64 code fragments, all required.
rule M_APT_Loader_Win_LIDSHOT_1 {
	meta:
		author = "Mandiant"
		description = "Detects LIDSHOT implant"
	strings:
		// Two r13 spills to [rbp+disp8], then four dword stores of 0x67452301,
		// 0xEFCDAB89, 0x98BADCFE, 0x10325476 (little-endian) — the standard MD5
		// initial state A..D — followed by a qword 0xF and a zero byte on the stack
		// (the last two look like small-string/length setup; not asserted).
		$code1 = { 4C 89 6D ?? 4C 89 6D ?? C7 45 ?? 01 23 45 67 C7 45 ?? 89 AB CD EF C7 45 ?? FE DC BA 98 C7 45 ?? 76 54 32 10 4C 89 6C 24 ?? 48 C7 45 ?? 0F 00 00 00 C6 44 24 ?? 00 }
		// mov eax,0x51EB851F; imul r8d; sar edx,3; sign fix-up; imul ecx,edx,25 —
		// a compiler-emitted signed divide-by-25 with multiply-back, i.e. the
		// setup of a "value mod 25" computation (confirm in disassembly).
		$code2 = { B8 1F 85 EB 51 41 F7 E8 C1 FA 03 8B CA C1 E9 1F 03 D1 6B CA 19 }
		// Stack-built string: dword "0kLl" then word "U\0" -> "0kLlU".
		$code3 = { C7 45 ?? 30 6B 4C 6C 66 C7 45 ?? 55 00 }
	condition:
		// "MZ" magic only; no PE signature or filesize bound.
		uint16(0) == 0x5a4d and all of them
}
Details Yara rule 1
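// CLOUDBURST: "MZ" magic plus a CryptoAPI provider name, three short ASCII
// fragments, one wildcarded code sequence and a "%s%X" format string; all six
// strings are required.
rule M_APT_Loader_Win_CLOUDBURST_1 {
	meta:
		author = "Mandiant"
		// Added so this rule documents itself like its sibling M_APT_Loader_Win_* rules.
		description = "Detects CLOUDBURST loader"
	strings:
		// Name of the Microsoft CryptoAPI provider MS_ENHANCED_PROV, matched as
		// ASCII and as UTF-16LE.
		$anchor1 = "Microsoft Enhanced Cryptographic Provider v1.0" ascii wide
		// 3-4 byte ASCII fragments: "typ", "equi", "boxi". Atoms this short are
		// weak and scan-expensive on their own; they only contribute because the
		// condition requires every string.
		$code1 = { 74 79 70 }
		$code2 = { 65 71 75 69 }
		$code3 = { 62 6F 78 69 }
		// call ?; inc esi; mov eax,0x99999999; imul esi; sar edx,1; sign fix-up;
		// lea eax,[rsi+rdx]; lea esi,[rax+rdx*4]; test esi,esi; jnz — reads like a
		// compiler-emitted signed divide/modulo-by-5 on a loop counter (confirm in disassembly).
		$code4 = { E8 ?? ?? ?? ?? FF C6 B8 99 99 99 99 F7 EE D1 FA 8B C2 C1 E8 1F 03 D0 8D 04 16 8D 34 90 85 F6 75 ?? }
		// A string immediately followed by an upper-case hex number.
		$str1 = "%s%X"
	condition:
		// "MZ" magic only; no PE signature or filesize bound.
		uint16(0) == 0x5a4d and all of them
}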
Details Yara rule 1
// TOUCHSHIFT hunting rule: PE header checks plus two wildcarded x86-64 code
// patterns that must each appear inside a fixed file-offset window. The offset
// windows pin the rule to one build's image layout — a recompiled, repacked or
// differently linked sample will fall outside them — so treat this as a hunting
// rule for that build rather than a family signature.
rule M_DropperMemonly_TOUCHSHIFT_1 {
	meta:
		author = "Mandiant"
		description = "Hunting rule for TOUCHSHIFT"
	strings:
		// or [rbx+d8],eax; jmp; inc dword [rbx+d8]; mov al,imm; jmp; call ?; mov dword [rax],imm32;
		// call ?; xor al,al — [4] is a 4-byte wildcard (rel32 / imm32 / disp32).
		$p00_0 = { 09 43 ?? EB ?? FF 43 ?? B0 ?? EB ?? E8 [4] C7 00 [4] E8 [4] 32 C0 }
		// Twice: movsxd r8,[rip+d32]; mov edx,imm32; mov r9,[rip+d32]; mov rcx,[rip+d32]; call [rip+d32]
		// — two back-to-back import-table calls with all four x64 ABI argument registers
		// loaded from globals/immediates.
		$p00_1 = { 4C 63 05 [4] BA [4] 4C 8B 0D [4] 48 8B 0D [4] FF 15 [4] 4C 63 05 [4] BA [4] 4C 8B 0D [4] 48 8B 0D }
	condition:
		// "MZ" magic, "PE\0\0" signature at e_lfanew, then both patterns within their
		// file-offset windows (bytes 70000-90000 and 0-64000 respectively). The doubled
		// parentheses around the offset clause are redundant but harmless.
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (70000 .. 90000) and $p00_1 in (0 .. 64000)))
}
Details Yara rule 1
// SIDESHOW: "MZ" magic plus a single wildcarded x86-64 code pattern. The
// description notes the pattern may also hit other malware from the same
// actor, so a match is a family/actor indicator rather than a SIDESHOW-only one.
rule M_APT_Backdoor_Win_SIDESHOW_1 {
	meta:
		author = "Mandiant"
		description = "Detects string deobfuscation function in SIDESHOW, may also detect other variants of malware from the same actor"
	strings:
		// movzx from an r8-r15 byte register; xor; 7-byte nop (loop-top alignment
		// padding); cmp/je; inc/dec; cmp ?,0x48 / jb; then twice a mov eax,0x38E38E39
		// magic multiply with sar-by-4 and shl-by-3. 0x48 = 72 and 0x38E38E39 is the
		// reciprocal magic for division by 9, so this reads like index arithmetic
		// modulo 72 (a 72-entry table or alphabet?) — confirm in disassembly.
		$code1 = { 41 0F B6 ?? 33 ?? 48 ?? ?? 0F 1F 80 00 00 00 00 3A ?? 74 ?? FF ?? 48 FF ?? 83 ?? 48 72 ?? EB ?? 41 0F ?? ?? 2B ?? ?? 39 8E E3 38 83 ?? 48 F7 ?? C1 ?? 04 8D ?? ?? C1 ?? 03 2B ?? ?? 39 8E E3 38 }
	condition:
		// "MZ" magic only; no PE signature or filesize bound. With one string,
		// "(all of them)" is equivalent to "$code1".
		uint16(0) == 0x5a4d and (all of them)
}
Details Yara rule 1
// TOUCHKEY hunting rule: small PE file carrying two "Normal.do??" file-name
// strings and most of a set of bracketed key-name tokens.
rule M_Hunting_TOUCHKEY {
	meta:
		author = "Mandiant"
		description = "Hunting rule For TOUCHKEY"
	strings:
		// Both must be present. They resemble the Word template name Normal.dot(m)
		// with an altered extension — presumably look-alike file names used by the
		// sample (the page's file IoCs also list "normal.doc"); verify against the sample.
		$a1 = "Normal.dost"
		$a2 = "Normal.docb"
		// Bracketed key labels, ASCII or UTF-16LE. This style of token is what a
		// keystroke logger typically writes for non-printable keys (consistent with
		// the TOUCHKEY name; not asserted by the rule itself).
		$c1 = "[SELECT]" ascii wide
		$c2 = "[SLEEP]" ascii wide
		$c3 = "[LSHIFT]" ascii wide
		$c4 = "[RSHIFT]" ascii wide
		$c5 = "[ENTER]" ascii wide
		$c6 = "[SPACE]" ascii wide
	condition:
		// "MZ" magic, "PE\0\0" signature, file under 200 KB, at least 5 of the 6
		// $c tokens, and both $a file names.
		(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and (5 of ($c*)) and $a1 and $a2
}
Details Yara rule 1
// TOUCHSHOT hunting rule: small PE file that builds a path under
// \Microsoft\Windows\Themes\, carries a "ddd-ddd" string and imports/names
// at least three of four display / device-context Win32 APIs.
rule M_Hunting_TOUCHSHOT {
	meta:
		author = "Mandiant"
		description = "Hunting rule For TOUCHSHOT"
	strings:
		// UTF-16LE format string; the %s prefix (base directory) is supplied at
		// runtime and is not constrained by the rule.
		$path = "%s\\Microsoft\\Windows\\Themes\\" wide
		// Literal "ddd-ddd" — possibly a file-name or numbering template; meaning
		// not established by the rule.
		$format = "ddd-ddd"
		// Win32 API names commonly used to enumerate the display and obtain a
		// device context. Note the numbering skips $s4, so "3 of ($s*)" below
		// means three of these four strings.
		$s1 = "EnumDisplaySettingsExW"
		$s2 = "GetSystemMetrics"
		$s3 = "GetDC"
		$s5 = "ReleaseDC"
	condition:
		// "MZ" magic, "PE\0\0" signature, file under 200 KB, >=3 of the API names,
		// plus the path format string and "ddd-ddd".
		(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and (3 of ($s*)) and $path and $format
}
Details Yara rule 1
// HOOKSHOT hunting rule: PE header checks plus two wildcarded x86-64 code
// patterns, each required inside a narrow fixed file-offset window. As with
// the TOUCHSHIFT rule, the offset windows tie the rule to one build's layout;
// recompiled or repacked samples will not match, so this hunts for that build
// rather than for the family in general.
rule M_Hunting_HOOKSHOT {
	meta:
		author = "Mandiant"
		description = "Hunting rule for HOOKSHOT"
	strings:
		// mov esi,[rcx+d32]; mov [rbx+d8],sil; test esi,esi; jnz; mov rax,[rcx+d32];
		// mov rcx,[rax+d32]; test rcx,rcx; jz; call — a field load, null check and
		// indirect object call ([4] = 4-byte wildcard).
		$p00_0 = { 8B B1 [4] 40 88 73 ?? 85 F6 75 ?? 48 8B 81 [4] 48 8B 88 [4] 48 85 C9 74 ?? E8 }
		// mov esi,ebx; mov rbp,rdx; test ebx,ebx; jz rel32; lea r13,[rip+d32]; 2-byte
		// nop (loop-top alignment); lea r8,[rsp+d8]; mov edx,esi; mov rcx,rbp —
		// argument setup at the head of a loop.
		$p00_1 = { 8B F3 48 8B EA 85 DB 0F 84 [4] 4C 8D 2D [4] 66 90 4C 8D 44 24 ?? 8B D6 48 8B CD }
	condition:
		// "MZ" magic, "PE\0\0" signature, then both patterns within their file-offset
		// windows (470000-490000 and 360000-380000). The doubled parentheses are redundant.
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (470000 .. 490000) and $p00_1 in (360000 .. 380000)))
}