# APT_REPORT collected by @blackorbird https://twitter.com/blackorbird Interesting apt report collection # APT Group for country ### Group123 ▶ScarCruft continues to evolve, introduces Bluetooth harvester https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ (May 13, 2019) ▶Group123 Attempts to attack 'printing paper' APT disguised as a guide to organization and conferences https://blog.alyac.co.kr/2287 (May 2 , 2019) ▶Group123, APT attack impersonating Unification Ministry, spread malicious code to Google Drive https://blog.alyac.co.kr/2268 (April 22 , 2019) ▶ group123 APT organization, 'Operation High Expert' https://blog.alyac.co.kr/2226 (April 2 , 2019) ▶ Rocketman APT Campaign Returned to Operation Holiday Wiper https://blog.alyac.co.kr/2089 (Jan 23, 2019) ▶ 'Operation Blackbird', the mobile invasion of the ' https://blog.alyac.co.kr/2035 (Dec 13, 2018) ▶ group123 'Operation Korean Sword' is underway https://blog.alyac.co.kr/1985 (Nov. 16, 2018) ▶ group123 Group's latest APT campaign - 'Operation Rocket Man' https://blog.alyac.co.kr/1853 (Aug. 22, 2018) ▶ group123, Flash Player Zero-Day (CVE-2018-4878) Attack Attention https://blog.alyac.co.kr/1521 (Feb 02, 2018) ▶ 'group123' group 'survey on the total number of discovery of separated families in North and South' https://blog.alyac.co.kr/1767 (July 28, 2014) ▶ Rocketman APT campaign, 'Operation Golden Bird' https://blog.alyac.co.kr/2205 (March 20, 2013) ▶ Korea In The Crosshairs https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html (Jan 16, 2018) ▶FreeMilk: A Highly Targeted Spear Phishing Campaign https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/ (Oct 5, 2017) ### baby related kimsuky ▶BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat (April 26, 2019) https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/ ▶Operation Giant Baby, a giant threat (March 28, 2019) https://blog.alyac.co.kr/2223 ▶ Malicious code installed with coin purse program(Alibaba) (March 15, 2019) https://asec.ahnlab.com/1209 ▶ New BabyShark Malware Targets U.S. National Security Think Tanks (Feb. 22, 2019) https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ ▶ Korea's latest APT attack, Operation Mystery Baby Attention! (Feb 11, 2018) https://blog.alyac.co.kr/1963 ▶ Returned to Korea as Operation Baby Coin, APT attacker, overseas target in 2010 (Apr. 19, 2014) https://blog.alyac.co.kr/1640 ### kimsuky ▶Kimsuky, cyber security bureau Cryptographic Cases (May 28 , 2019) https://blog.alyac.co.kr/2338 ▶Kimsuky, Korea Cryptographic Exchange Event Impersonation APT Attack (May 28 , 2019) https://blog.alyac.co.kr/2336 ▶Kimsuky 'Fake striker' APT campaign aimed at Korea (May 20 , 2019) https://blog.alyac.co.kr/2315 ▶ Analysis of "Smoke Screen" in APT campaign aimed at Korea and America (April 17 , 2019) https://blog.alyac.co.kr/2243 ▶ Encrypted APT attack, Kimsuky organization's 'smoke screen' PART 2 (May 13 , 2019) https://blog.alyac.co.kr/2299 ▶ Kimsuky Organization, Operation Stealth Power Silence Operation (April 3 , 2019) https://blog.alyac.co.kr/2234 ▶ Kimsuky Organization, Watering Hole Started "Operation Low Kick"(March 21, 2019) https://blog.alyac.co.kr/2209 ### Jaku ▶ SiliVaccine: Inside North Korea’s Anti-Virus (May 1, 2018) https://research.checkpoint.com/silivaccine-a-look-inside-north-koreas-anti-virus/ ### Lazarus ▶LAZARUS APT TARGETS MAC USERS WITH POISONED WORD DOCUMENT https://www.sentinelone.com/blog/lazarus-apt-targets-mac-users-poisoned-word-document/ ### Konni ▶APT Campaign 'Konni' & 'Kimsuky' find commonality in organizations (June 10, 2019) https://blog.alyac.co.kr/2347 ▶Korean Kusa Konni Organization, Blue Sky Utilizing 'Amadey' Russia Botnet (May 16, 2019) https://blog.alyac.co.kr/2308 ▶The Konni APT Campaign and 'Operation Hunter Adonis' (Jan 1 ,2019) https://blog.alyac.co.kr/2061 ### Oceanlotus ▶Threat Spotlight: Ratsnif - New Network Vermin from OceanLotus (July 1, 2019) https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html ▶Analysis report on the attack on mobile devices by Oceanlotus (May 24, 2019) https://mp.weixin.qq.com/s/L-tCvLPOOMhP0ndgdqhkNQ ▶ Oceanlotus in the first quarter of 2019 for the attack technology of China.(April 24, 2019) https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A ▶ Deobfuscating APT32 Flow Graphs with Cutter and Radare2 (April 24, 2019) https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/ ▶ OceanLotus Steganography Malware Analysis White Paper (April 2 , 2019) https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html ▶OceanLotus: macOS malware update(April 9 , 2019) https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/ ### APT28 ▶ CB TAU Threat Intelligence Notification: Hunting APT28 Downloaders (April 5 , 2019) https://www.carbonblack.com/2019/04/05/cb-threat-intelligence-notification-hunting-apt28-downloaders/ ### Turla ▶ A dive into Turla PowerShell usage (May 29 , 2019) https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ ### tick ▶ tick group new campaign, attack north korean and japan https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=28186 (April 1 , 2019) ### Winnti ▶ bayer-says-has-detected-contained-cyber-attack (April 5 , 2019) https://www.reuters.com/article/us-bayer-cyber/bayer-says-has-detected-contained-cyber-attack-idUSKCN1RG0NN https://www.tagesschau.de/inland/hackerangriff-bayer-101.html ## Middle East Asia ### Muddywater ▶ Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques(May 20,2019) https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html ### ZooPark ▶ APT-C-38 attack activity revealed (May 27,2019) http://blogs.360.cn/post/analysis-of-APT-C-38.html # APT Group for finance ### CARBANAK ▶ CARBANAK Week Part One: A Rare Occurrence (April 22, 2019) https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html ### londonblue (Nigeria) ▶ Evolving Tactics: London Blue Starts Spoofing Target Domains (April 4 , 2019) PDF is in the folder https://www.agari.com/email-security-blog/london-blue-evolving-tactics/ ### Fin6 ▶ Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware(April 5 , 2019) https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html ### Fin7 ▶ On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation (August 01, 2018) https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html