In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.

REFERENCE:
https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
ADVERSARY:
INDUSTRY:
TARGETED COUNTRY:

Anomali Labs researchers recently discovered a phishing site masquerading as a login page for the United Nations (UN) Unite Unity, a single sign-on (SSO) application used by UN staff. When visitors attempt to login into the fraudulent page, their browser is redirected to an invitation for a film viewing at the Poland Embassy in Pyongyang dated September 2018. Further analysis of the threat actor’s infrastructure uncovered a broader phishing campaign targeting several email providers, financial institutions, and a payment card provider. We expect to see malicious actors continue to target the United Nations staff as well as the listed brands and their users with faux login pages designed to pilfer their user credentials for resale on criminal forums and marketplaces and in the case of financial accounts to steal payment card information.

REFERENCE:
https://www.anomali.com/blog/phishing-campaign-spoofs-united-nations-and-multiple-other-organizations

This attack is connected to the Korea Hydro and Nuclear Power (KHNP) attack in 2014.

REFERENCES:
https://blog.alyac.co.kr/2140
https://twitter.com/0xD0CF11E0A1B11/status/1098422117345910785
https://twitter.com/KevinPerlow/status/1098596362088787969
ADVERSARY:
INDUSTRIES:
TARGETED COUNTRY:

Beginning on February 16, 2019, 360Netlab has discovered that a large number of HiSilicon DVR/NVR Soc devices have been exploited by attackers to load an updated Fbot botnet program.

REFERENCES:
https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/
https://blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/
https://blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/
https://telekomsecurity.github.io/2018/07/adb-botnet.html
https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/
TAG:
ADVERSARY:

Over the past several months, Cisco Talos has been monitoring various malware distribution campaigns leveraging the malware loader Brushaloader to deliver malware payloads to systems. Brushaloader is currently characterized by the use of various scripting elements, such as PowerShell, to minimize the number of artifacts left on infected systems. Brushaloader also leverages a combination of VBScript and PowerShell to create a Remote Access Trojan (RAT) that allows persistent command execution on infected systems.

REFERENCE:
https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html
ADVERSARY:
TARGETED COUNTRY:

Recently, FortiGuard Labs captured a fresh variant of Emotet. This time, it’s embedded in a Microsoft Word document. I did a quick analysis on it, and in this blog I’ll show you how it works on a victim’s machine.

REFERENCES:
https://www.fortinet.com/blog/threat-research/analysis-of-a-fresh-variant-of-the-emotet-malware.html
https://www.menlosecurity.com/blog/emotet-a-small-change-in-tactics-leads-to-a-spike-in-attacks
TAG:

Over the past few weeks, we have been monitoring suspicious activity directed against Russian-based companies that exposed a predator-prey relationship that we had not seen before. For the first time we were observing what seemed to be a coordinated North Korean attack against Russian entities. While attributing attacks to a certain threat group or another is problematic, the analysis below reveals intrinsic connections to the tactics, techniques and tools used by the North Korean APT group – Lazarus.

REFERENCE:
https://research.checkpoint.com/north-korea-turns-against-russian-targets/
TAG:
ADVERSARY:
TARGETED COUNTRY:

REFERENCE:
https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html
ADVERSARY:
TARGETED COUNTRY:

Within the last year, WICKED PANDA has been linked to numerous incidents involving a broad set of targets, including organizations in the mining, technology, manufacturing, and hospitality sectors. The broad target scope for this adversary group suggests they are contractors supporting high-priority operations as needed.

REFERENCE:
https://app.cdn.lookbookhq.com/lbhq-production/10339/content/original/9dd0e31a-c9c0-4e1c-aea1-f35d3e930f3d/CrowdStrike_GTR_2019_.pdf
TAG:
GROUP:
ADVERSARY:
INDUSTRY:

Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc. Till this moment, 360 Threat Intelligence Center captured 29 bait documents, 62 Trojan samples and multiple related malicious domains in total. Attackers are targeting Windows platform and aiming at government institutions as well as big companies in Colombia.

REFERENCE:
https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/
ADVERSARY:
TARGETED COUNTRY: