North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware - Microsoft Security Blog
Tags
Common Information
Type | Value |
---|---|
UUID | 46d683b0-0141-4e46-828e-e8cf3a8911ce |
Fingerprint | 273029199447969d |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | July 14, 2022, 9 a.m. |
Added to db | Sept. 11, 2022, 12:35 p.m. |
Last updated | Nov. 17, 2024, 10:40 p.m. |
Headline | North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware |
Title | North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware - Microsoft Security Blog |
Detected Hints/Tags/Attributes | 104/2/39 |
Source URLs
URL Provider
Attributes
Type | #Events | CTI | Value
---|---|---|---
CVE | 10 | | cve-2022-26352
Domain | 2 | | matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion
Domain | 54 | | mail2tor.com
Domain | 4127 | | github.com
File | 2 | | btlc_c.exe
File | 2 | | holyrs.exe
File | 2 | | holylock.exe
File | 2 | | bltc.exe
File | 1 | | bltc_c.exe
File | 5 | | access.php
File | 1 | | holylocker.exe
File | 2 | | btlc.exe
File | 1 | | c:\for_decrypt.html
File | 2126 | | cmd.exe
File | 1 | | 1100x800_cropped.jpg
File | 1 | | main.contact
File | 1 | | mainfunc.contact
Github username | 21 | | azure
sha256 | 1 | | f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c
sha256 | 2 | | 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd
sha256 | 2 | | f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86
sha256 | 2 | | bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af
sha256 | 1 | | 541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219
IPv4 | 2 | | 193.56.29.123
IPv4 | 1441 | | 127.0.0.1
IPv4 | 1 | | 10.10.3.42
IPv4 | 1 | | 192.168.168.5
Deprecated Microsoft Threat Actor Naming Taxonomy (Groups in development) | 11 | | DEV-0530
Pdb | 1 | | btlc_c.pdb
Url | 2 | | http://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion
Url | 1 | | http://193.56.29.123:8888
Url | 1 | | http://193.56.29.123:8888/access.php?order=getpubkey&cmn=[victim_hostname]
Url | 1 | | http://193.56.29.123:8888/access.php?order=golc_key_add&cmn=[victim_hostname]&type=1
Url | 1 | | http://193.56.29.123:8888/access.php?order=golc_key_add&cmn=[victim_hostname]&type=2
Url | 1 | | http://193.56.29.123:8888/access.php?order=golc_finish&cmn=[victim_hostname]&
Url | 1 | | https://cloud-ex42.usaupload.com/cache/plugins/filepreviewer/219002/f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c/1100x800_cropped.jpg
Url | 1 | | https://github.com/azure/azure-sentinel/blob/master/detections/securityalert/dev-0530avhits.yaml
Yara rule | 1 | | rule SiennaPurple (reproduced in full below)
Yara rule | 1 | | rule SiennaBlue (reproduced in full below)

Yara rules

```yara
rule SiennaPurple {
    meta:
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        description = "Detects PDB path, C2, and ransom note in DEV-0530 Ransomware SiennaPurple samples"
        hash = "99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd"
    strings:
        $s1 = "ForOP\\attack(utils)\\attack tools\\Backdoor\\powershell\\btlc_C\\Release\\btlc_C.pdb"
        $s2 = "matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion"
        $s3 = "H0lyGh0st@mail2tor.com"
        $s4 = "We are <HolyGhost>. All your important files are stored and encrypted."
        $s5 = "aic^ef^bi^abc0"
        $s6 = "---------------------------3819074751749789153841466081"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        and filesize < 7MB and filesize > 1MB
        and all of ($s*)
}
```

```yara
rule SiennaBlue {
    meta:
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
        hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
        hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219"
    strings:
        $holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
        $holylocker_s2 = "HolyLocker/Main.EncryptionExtension"
        $holylocker_s3 = "HolyLocker/Main.ContactEmail"
        $holylocker_s4 = "HolyLocker/communication.(*Client).GetPubkeyFromServer"
        $holylocker_s5 = "HolyLocker/communication.(*Client).AddNewKeyPairToIntranet"
        $holyrs_s1 = "C:/Users/user/Downloads/development/src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go"
        $holyrs_s2 = "HolyGhostProject/MainFunc.ContactEmail"
        $holyrs_s3 = "HolyGhostProject/MainFunc.EncryptionExtension"
        $holyrs_s4 = "HolyGhostProject/Network.(*Client).GetPubkeyFromServer"
        $holyrs_s5 = "HolyGhostProject/Network.(*Client).AddNewKeyPairToIntranet"
        $s1 = "Our site : <b><a href=%s>H0lyGh0stWebsite"
        $s2 = ".h0lyenc"
        $go_prefix = "Go build ID:"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        and filesize < 7MB and filesize > 1MB
        and $go_prefix and all of ($s*)
        and (all of ($holylocker_*) or all of ($holyrs_*))
}
```