North Korean hackers are actively registering on computer hacking information-sharing and international competition sites such as CodeChef and HackerRank,
acquiring the information and skills needed for hacking through these international competitions, and carrying out cyber attacks.
In fact, at least 24 North Korean nationals were confirmed to have registered on CodeChef and at least 5 on HackerRank,
and they were found to be sharing and acquiring the "coding" information needed for cyber attacks.
The North Korean members create account IDs containing "rns", meaning "Ryongnamsan", or "kut", the English abbreviation of Kim Chaek University of Technology, and state their nationality as North Korea.
Indicators of Compromise (IoCs)
Samples
SHA-1 | Filename | ESET detection name | Description
---|---|---|---
DAD50AD3682A3F20B2F35BE2A94B89E2B1A73067 | powerctl.exe | Win32/NukeSped.HX | Installer
69529EED679B0C7F1ACC1FD782A4B443CEC0CF83 | powerctl.dll | Win32/NukeSped.HX | Loader (x86)
043ADDFB93A10D187DDE4999D78096077F26E9FD | wwanauth.dll | Win64/NukeSped.EQ | Loader (x64)
1E3785FC4FE5AB8DAB31DDDD68257F9A7FC5BF59 | wwansec.dll | Win32/NukeSped.HX | Loader (x86)
4D7ADD8145CB096359EBC3E4D44E19C2735E0377 | msobjs.drx | - | Backdoor (encrypted)
92F5469DBEFDCEE1343934BE149AFC1241CC8497 | msobjs.drx | Win32/NukeSped.HX | Backdoor (decrypted, with fixed MZ header)
A5CE1DF767C89BF29D40DC4FA6EAECC9C8979552 | JET76C5.tmp | - | Backdoor Tor library (encrypted)
66D17344A7CE55D05A324E1C6BE2ECD817E72680 | JET76C5.tmp | Win32/NukeSped.HY | Backdoor Tor library (decrypted, with fixed MZ header)
Filenames
%WINDIR%\System32\powerctl.exe
%WINDIR%\SysWOW64\powerctl.exe
%WINDIR%\System32\power.dat
%WINDIR%\SysWOW64\power.dat
%WINDIR%\System32\wwanauth.dll
%WINDIR%\SysWOW64\wwanauth.dll
%WINDIR%\System32\wwansec.dll
%WINDIR%\SysWOW64\wwansec.dll
%WINDIR%\System32\powerctl.dll
%WINDIR%\SysWOW64\powerctl.dll
%WINDIR%\System32\JET76C5.tmp
%WINDIR%\SysWOW64\JET76C5.tmp
%WINDIR%\System32\msobjs.drx
%WINDIR%\SysWOW64\msobjs.drx
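A defender working from the two lists above usually wants to answer one question quickly: are any of these drop locations populated on a host, and if so, does the file hash match a known Vyveva sample? The script below is an added example written for this post; it is not ESET's tooling and not code from the original report. It takes the on-disk SHA-1 values and the %WINDIR% paths from the tables above, hashes whatever exists at each path and reports matches. Only the six "on disk" hashes are included: the two entries marked "decrypted with fixed MZ header" describe the in-memory form of the backdoor and its Tor library, so they will never match a file found at these paths. The `demo_scan` function and its temp file are constructed for the demonstration; the empty file's SHA-1 (DA39A3EE...) is added to the lookup as a hypothetical sample so the match path can be exercised without any real malware. A file that is present but has an unknown hash is worth a closer look, but presence alone is not proof of compromise.

```python
import hashlib
import os
import tempfile

# On-disk Vyveva sample hashes from the IoC table above (SHA-1 -> role).
# The two "decrypted" hashes are deliberately omitted: they describe the
# in-memory form and cannot match a file at rest.
VYVEVA_SHA1 = {
    "DAD50AD3682A3F20B2F35BE2A94B89E2B1A73067": "powerctl.exe - installer",
    "69529EED679B0C7F1ACC1FD782A4B443CEC0CF83": "powerctl.dll - loader (x86)",
    "043ADDFB93A10D187DDE4999D78096077F26E9FD": "wwanauth.dll - loader (x64)",
    "1E3785FC4FE5AB8DAB31DDDD68257F9A7FC5BF59": "wwansec.dll - loader (x86)",
    "4D7ADD8145CB096359EBC3E4D44E19C2735E0377": "msobjs.drx - backdoor (encrypted on disk)",
    "A5CE1DF767C89BF29D40DC4FA6EAECC9C8979552": "JET76C5.tmp - Tor library (encrypted on disk)",
}

# Drop locations from the Filenames list above. %WINDIR% is expanded at scan
# time by os.path.expandvars, which understands %VAR% syntax on Windows.
VYVEVA_PATHS = [
    rf"%WINDIR%\{sub}\{name}"
    for sub in ("System32", "SysWOW64")
    for name in ("powerctl.exe", "power.dat", "wwanauth.dll", "wwansec.dll",
                 "powerctl.dll", "JET76C5.tmp", "msobjs.drx")
]


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-1 so large files do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def scan_paths(paths, known_hashes):
    """Return one finding per path: whether the file exists, its SHA-1,
    and the IoC label when the hash is in known_hashes (else None)."""
    findings = []
    for raw in paths:
        path = os.path.expandvars(raw)
        finding = {"path": path, "exists": os.path.isfile(path), "sha1": None, "match": None}
        if finding["exists"]:
            finding["sha1"] = sha1_of_file(path)
            finding["match"] = known_hashes.get(finding["sha1"])
        findings.append(finding)
    return findings


def demo_scan():
    """Constructed demonstration (not real malware): an empty temp file, whose
    SHA-1 is the well-known DA39A3EE... value, is registered as a hypothetical
    sample, and a second path is left missing to show the 'absent' outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        open(sample, "wb").close()  # zero bytes -> SHA-1 DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
        lookup = dict(VYVEVA_SHA1)
        lookup["DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"] = "constructed test sample"
        return scan_paths([sample, os.path.join(tmp, "missing.dll")], lookup)


if __name__ == "__main__":
    for f in scan_paths(VYVEVA_PATHS, VYVEVA_SHA1) + demo_scan():
        if f["match"]:
            status = "MATCH: " + f["match"]
        elif f["exists"]:
            status = "present, hash not in IoC list: " + f["sha1"]
        else:
            status = "absent"
        print(f"{f['path']}: {status}")
```

Run it as an administrator on a Windows host to check the real drop locations; on any other system the %WINDIR% paths simply report as absent and only the constructed demonstration produces output.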
MITRE ATT&CK techniques
This table was built using version 8 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description
---|---|---|---
Execution | T1569.002 | System Services: Service Execution | Vyveva loader executes via a service.
Execution | T1106 | Native API | Vyveva backdoor uses the CreateProcessA API to execute files.
Persistence | T1543.003 | Create or Modify System Process: Windows Service | Vyveva installer creates a new service to establish persistence for its loader.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Vyveva decrypts strings and components (backdoor, Tor library).
Defense Evasion | T1070.006 | Indicator Removal on Host: Timestomp | Vyveva backdoor can timestomp files.
Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | Vyveva installer can create a service with attributes mimicking existing services.
Defense Evasion | T1112 | Modify Registry | Vyveva stores its configuration in the registry.
Defense Evasion | T1027 | Obfuscated Files or Information | Vyveva has encrypted strings and components.
Discovery | T1083 | File and Directory Discovery | Vyveva backdoor can obtain file and directory listings.
Discovery | T1057 | Process Discovery | Vyveva backdoor can list running processes.
Discovery | T1082 | System Information Discovery | Vyveva backdoor can obtain system information, including computer name, ANSI code page, OS version and architecture.
Discovery | T1016 | System Network Configuration Discovery | Vyveva backdoor can obtain the local IP address of the victim computer.
Discovery | T1033 | System Owner/User Discovery | Vyveva backdoor can obtain the victim's username.
Discovery | T1124 | System Time Discovery | Vyveva backdoor can obtain the system time and time zone.
Collection | T1560.002 | Archive Collected Data: Archive via Library | Vyveva backdoor can compress files with zlib before sending them to the C&C.
Collection | T1005 | Data from Local System | Vyveva backdoor can collect files from the computer.
Collection | T1025 | Data from Removable Media | Vyveva backdoor can notify the C&C about newly inserted removable media and collect files from them.
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Vyveva backdoor encrypts C&C traffic using XOR.
Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Vyveva backdoor communicates with the C&C via Tor.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Vyveva exfiltrates data to the C&C server.
Related references
www.rfa.org/korean/in_focus/nkhacking-04092021154624.html
www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/
WRITTEN BY
- J cert
Freedom of Liberty and the establishment of a law to establish the law of cyberspace will defend freedom and try to build a just society.