Threat Assessment: North Korean Threat Groups

Sept. 10, 2024, 8:56 a.m.

Description

This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10 malware samples across Windows, macOS, and Linux systems, providing technical insights into their functionality and Palo Alto Networks Cortex XDR's capability to detect and mitigate these threats.

Date

Published: Sept. 10, 2024, 8:23 a.m.
Created: Sept. 10, 2024, 8:23 a.m.
Modified: Sept. 10, 2024, 8:56 a.m.

Indicators

fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7

f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703

f1713afaf5958bdf3e975ebbab8245a98a84e03f8ce52175ef1568de208116e0

d8565d58ad8e4f5558b5cd70df0ad12be9cf44e32ad07aaac6f65b816edbf414

cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86

c83c7b000a955f2b8cb92bb112ed606ffd9fbebbe3422f80d90d06b167f2f37b

c6a48365c3db9761bd60981bdcdd87aced23d8e60067caa30fee501bf4b47b84

bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b

bce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80

a03d13c9825e150810e6e6aaf053d71ec5a53b86581414dd982a74d4a8bc5475

99dbc6fe3c3e465052fcefa1642861747dc9e069eeb244589b605bd710b1e0d1

91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd

87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c

7667d1b8fcc4f712084e3e3f8b4ab505ab150c52aea7b219249ec508b4b0e224

689cfaa9319f3f7529a31472ecf6b2e0ca6891b736de009e0b6c2ebac958cc94

5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8

5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456

5009c7d1590c1f8c05827122172583ddf924c53b55a46826abf66da46725505a

492a643bd1efdaca4ca125ade1b606e7bbf00e995ac9115ac84d1c4c59cb66dd

479038eb12ed07893ee0dcc04fbdcf182489bbb271f5a4f90f83874881a80ce3

3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e

2546d239a262c24a6f8ea01d890cbc459a22db79b379b6ec3b24fbb56efb5381

15d53bb839e00405a34a8b690ec181f5555fc4f891b8248ae7fa72bad28315a9

0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7

081804b491c70bfa63ecdbe9fd4618d3570706ad8b71dba13e234069648e5e48

973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c

63fb47c3b4693409ebadf8a5179141af5cf45a46d1e98e5f763ca0d7d64fb17c

8bfa4fe0534c0062393b6a2597c3491f7df3bf2eabfe06544c53bdf1f38db6d4

c7f4aa77be7f7afe9d0665d3e705dbf7794bc479bb9c44488c7bf4169f8d14fe

c9a7b42c7b29ca948160f95f017e9e9ae781f3b981ecf6edbac943e52c63ffc8

2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1

3ea2ead8f3cec030906dcbffe3efd5c5d77d5d375d4a54cca03bfe8a6cb59940

927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6

6c121f2b2efa6592c2c22b29218157ec9e63f385e7a1d7425857d603ddef8c59

db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984

e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec

a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67

88.119.174.148

38.132.124.88

23.254.226.90

23.227.202.54

198.244.135.250

146.19.173.125

www.talesseries.com

http://www.talesseries.com/write.php

http://rgedist.com/sfxl.php

Attack Patterns

OdicLoader

PondRAT

POOLRAT

Fullhouse

ObjCShellz

SmoothOperator

Comebacker

KANDYKORN

CollectionRAT

RustBucket

Various North Korean groups under the Reconnaissance General Bureau

T1009

T1045

T1486

T1070

T1564

T1518

T1106

T1105

T1083

T1071

T1543

T1055

T1210

T1219

T1036

T1204

T1027

T1053

T1562

T1059