
Group123

20191111

Group123: North Korean defector sponsor 'Dragon Messenger' mobile APT attack

https://blog.alyac.co.kr/2588 (Nov 11, 2019)

20190423

Spear Phishing operation:

Group123, APT attack impersonating Unification Ministry, spread malicious code to Google Drive

https://blog.alyac.co.kr/2268 (April 22, 2019)

related

'group123' group 'survey on the total number of discovery of separated families in North and South'

https://blog.alyac.co.kr/1767 (July 28, 2014)

IOC

email_93682646.html

88107e3c785d3d30e5f6fc191622a157

memo.utr

86f83586c96943ce96309e3017a3500c

email: Lee Soo-hyun loveshlee@unikorea.go.kr 211.197.11.18

info: http://155.138.236.240/sec[.]png?id=

phishing:

After the victim enters a password and submits the login, the page redirects to unikorea.go.kr

https://unikorea.go.kr/upload/editUpload/20190418/2019041814360535872.png https://unikorea.go.kr/upload/editUpload/20190418/2019041814364795734.png

The HTML file deceives the user through this two-step process and, in the background, connects to a specific Google Drive address.

download: memo.utr; Google Drive owner: 한국정치학회 (Korean Political Science Association); Gmail: kpsapress@gmail.com

Decodes a PE payload and collects private information

Posts the collected data to "pcloud"

The authorized email is kcrc1214@hanmail.net (joined 2018.12.3)

The attacking organization appears to have deliberately used Russian text as a false flag for analysts; translated into English, it reads 'Humpty Dumpty'.

D:\System\Kernel32\Shell32\Sample\Release\Шалтай-Болтай.pdb (Humpty Dumpty)

HTML code feature