# APT_REPORT collected by @blackorbird https://twitter.com/blackorbird

Interesting APT report & sample & malware & technology & intelligence collection

# APT Group for country

## Sample

### Group123

▶ ScarCruft continues to evolve, introduces Bluetooth harvester (May 13, 2019)

https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

▶ Group123 attempts to attack 'printing paper' APT disguised as a guide to organization and conferences (May 2, 2019)

https://blog.alyac.co.kr/2287

▶ Group123, APT attack impersonating Unification Ministry, spread malicious code to Google Drive (April 22, 2019)

https://blog.alyac.co.kr/2268

▶ group123 APT organization, 'Operation High Expert' (April 2, 2019)

https://blog.alyac.co.kr/2226

▶ Rocketman APT Campaign Returned to Operation Holiday Wiper (Jan 23, 2019)

https://blog.alyac.co.kr/2089

▶ 'Operation Blackbird', the mobile invasion of the ' (Dec 13, 2018)

https://blog.alyac.co.kr/2035

▶ group123 'Operation Korean Sword' is underway (Nov. 16, 2018)

https://blog.alyac.co.kr/1985

▶ group123 Group's latest APT campaign - 'Operation Rocket Man' (Aug. 22, 2018)

https://blog.alyac.co.kr/1853

▶ group123, Flash Player Zero-Day (CVE-2018-4878) Attack Attention (Feb 02, 2018)

https://blog.alyac.co.kr/1521

▶ 'group123' group 'survey on the total number of discovery of separated families in North and South' (July 28, 2014)

https://blog.alyac.co.kr/1767

▶ Rocketman APT campaign, 'Operation Golden Bird' (March 20, 2013)

https://blog.alyac.co.kr/2205

▶ Korea In The Crosshairs (Jan 16, 2018)

https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

▶ FreeMilk: A Highly Targeted Spear Phishing Campaign (Oct 5, 2017)

https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/

### baby related kimsuky

▶ BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat (April 26, 2019)

https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

▶ Operation Giant Baby, a giant threat (March 28, 2019)

https://blog.alyac.co.kr/2223

▶ Malicious code installed with coin purse program (Alibaba) (March 15, 2019)

https://asec.ahnlab.com/1209

▶ New BabyShark Malware Targets U.S. National Security Think Tanks (Feb. 22, 2019)

https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

▶ Korea's latest APT attack, Operation Mystery Baby Attention! (Feb 11, 2018)

https://blog.alyac.co.kr/1963

▶ Returned to Korea as Operation Baby Coin, APT attacker, overseas target in 2010 (Apr. 19, 2014)

https://blog.alyac.co.kr/1640

### kimsuky

▶ Kimsuky, Blue House Green Support / Sangchunjae Estimate

https://blog.alyac.co.kr/2645

▶ Kimsuky, cyber security bureau Cryptographic Cases (May 28, 2019)

https://blog.alyac.co.kr/2338

▶ Kimsuky, Korea Cryptographic Exchange Event Impersonation APT Attack (May 28, 2019)

https://blog.alyac.co.kr/2336

▶ Kimsuky 'Fake striker' APT campaign aimed at Korea (May 20, 2019)

https://blog.alyac.co.kr/2315

▶ Analysis of "Smoke Screen" in APT campaign aimed at Korea and America (April 17, 2019)

https://blog.alyac.co.kr/2243

▶ Encrypted APT attack, Kimsuky organization's 'smoke screen' PART 2 (May 13, 2019)

https://blog.alyac.co.kr/2299

▶ Kimsuky Organization, Operation Stealth Power Silence Operation (April 3, 2019)

https://blog.alyac.co.kr/2234

▶ Kimsuky Organization, Watering Hole Started "Operation Low Kick" (March 21, 2019)

https://blog.alyac.co.kr/2209

### Jaku

▶ SiliVaccine: Inside North Korea's Anti-Virus (May 1, 2018)

https://research.checkpoint.com/silivaccine-a-look-inside-north-koreas-anti-virus/

### Lazarus

▶ Lazarus Group Goes 'Fileless', an implant w/ remote download & in-memory execution

https://objective-see.com/blog/blog_0x51.html

▶ LAZARUS APT TARGETS MAC USERS WITH POISONED WORD DOCUMENT

https://www.sentinelone.com/blog/lazarus-apt-targets-mac-users-poisoned-word-document/

### Konni

▶ Konni's APT Group conducts attacks with Russian-North Korean trade and economic investment documents

https://blog.alyac.co.kr/2535

▶ APT Campaign 'Konni' & 'Kimsuky' find commonality in organizations (June 10, 2019)

https://blog.alyac.co.kr/2347

▶ Korean Kusa Konni Organization, Blue Sky Utilizing 'Amadey' Russia Botnet (May 16, 2019)

https://blog.alyac.co.kr/2308

▶ The Konni APT Campaign and 'Operation Hunter Adonis' (Jan 1, 2019)

https://blog.alyac.co.kr/2061

### Oceanlotus

▶ Threat Spotlight: Ratsnif - New Network Vermin from OceanLotus (July 1, 2019)

https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html

▶ Analysis report on the attack on mobile devices by Oceanlotus (May 24, 2019)

https://mp.weixin.qq.com/s/L-tCvLPOOMhP0ndgdqhkNQ

▶ Oceanlotus attack techniques against China in the first quarter of 2019 (April 24, 2019)

https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A

▶ Deobfuscating APT32 Flow Graphs with Cutter and Radare2 (April 24, 2019)

https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/

▶ OceanLotus Steganography Malware Analysis White Paper (April 2, 2019)

https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html

▶ OceanLotus: macOS malware update (April 9, 2019)

https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/

### APT28

▶ CB TAU Threat Intelligence Notification: Hunting APT28 Downloaders (April 5, 2019)

https://www.carbonblack.com/2019/04/05/cb-threat-intelligence-notification-hunting-apt28-downloaders/

### Turla

▶ A dive into Turla PowerShell usage (May 29, 2019)

https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

### tick

▶ Tick group new campaign, attacks on North Korea and Japan (April 1, 2019)

https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=28186

### Winnti

▶ Bayer says it has detected and contained a cyber attack (April 5, 2019)

https://www.reuters.com/article/us-bayer-cyber/bayer-says-has-detected-contained-cyber-attack-idUSKCN1RG0NN

https://www.tagesschau.de/inland/hackerangriff-bayer-101.html

## Middle East Asia

### Muddywater

▶ Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques (May 20, 2019)

https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html

### ZooPark

▶ APT-C-38 attack activity revealed (May 27, 2019)

http://blogs.360.cn/post/analysis-of-APT-C-38.html

# APT Group for finance

### CARBANAK

▶ CARBANAK Week Part One: A Rare Occurrence (April 22, 2019)

https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html

### londonblue (Nigeria)

▶ Evolving Tactics: London Blue Starts Spoofing Target Domains (April 4, 2019)

PDF is in the folder

https://www.agari.com/email-security-blog/london-blue-evolving-tactics/

### Fin6

▶ Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware (April 5, 2019)

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

### Fin7

▶ On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation (August 01, 2018)

https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html