TRANSCRIPT
1 CONFIDENTIAL RESEARCH – PERMISSION REQUIRED BEFORE USE
CYFIRMA Holdings Pte Ltd. 150 Beach Road
Level 35, The Gateway West Singapore 189720
GLOBAL COVID 19-RELATED PHISHING CAMPAIGN BY NORTH
KOREAN OPERATIVES LAZARUS GROUP EXPOSED BY CYFIRMA
RESEARCHERS
Reporting Date: 18 June 2020
Assessment Period: 1 to 16 June 2020
Subject: Hacker groups are planning a large-scale phishing campaign targeted at more
than 5M individuals and businesses (small, medium, and large enterprises) across six countries
and multiple continents
Motivation: Financial Gains
Method: The planned campaign uses phishing emails under the guise of the local authorities
in charge of dispensing government-funded COVID-19 support initiatives. These phishing
emails are designed to drive recipients to fake websites where they will be deceived into
divulging personal and financial information.
Executive Summary:
CYFIRMA Researchers have been tracking the Lazarus Group, a known hacker group
sponsored by North Korea, for many years. Investigations into the Group’s activities have
revealed detailed plans indicating an upcoming global phishing campaign.
There is a common thread across six targeted nations in multiple continents – the
governments of these countries have announced significant fiscal support to individuals and
businesses in their effort to stabilize their pandemic-ravaged economies. The following are
some of the government-funded programs:
• Singapore, a small nation-state in Southeast Asia, has announced almost SGD 100B of
financial aid in various forms to stem unemployment and keep businesses afloat;
• Japan has announced stimulus funds of about 234 trillion yen;
• The South Korean government has allocated a total of US$200B of emergency relief funds for
industries including carmakers, telecoms, airlines, shipbuilders, and small merchants.
The relief funds include cash handouts to families, with certain provinces extending
the support to tax-paying foreigners;
• The Indian government has announced Rs 20 lakh crore (US$307B) of credit, finance and
collateral-free loans to micro, small and medium enterprises, as well as welfare
packages for citizens;
• The United States has set aside trillions of dollars for Economic Impact Payments (Stimulus
Payments) and the Paycheck Protection Program to prop up its economy; and
• As part of the UK government's COVID-19 recovery strategy, a number of support
programs have been made available, such as the Coronavirus Job Retention Scheme
and the Self-Employment Income Support Scheme. The Government's package has also
been complemented by further contributions from the Bank of England.
The Lazarus Group’s upcoming phishing campaign is designed to impersonate government
agencies, departments, and trade associations who are tasked to oversee the disbursement
of the fiscal aid.
The hackers plan to capitalize on these announcements to lure vulnerable individuals and
companies into falling for the phishing attacks.
Given that the potential victims are likely to be in need of financial assistance, this campaign
could have a significant impact on political and social stability.
CYFIRMA Researchers first picked up the lead on June 1, 2020, and have been analyzing the
planned campaign, decoding the threats, and gathering evidence. Evidence points to
hackers planning to launch attacks in six countries across multiple continents over a two-day
period. Further research uncovered seven different email templates impersonating
government departments and business associations.
As of the time of reporting (18 June), we have not seen the phishing or impersonated sites defined
in the email templates, but our research shows the hackers were planning to set them up within
the next 24 hours.
We also observed that hackers are planning to spoof or create fake email IDs impersonating
various authorities. These are some of the emails discussed in their phishing campaign plan:
Campaign Launch Dates:
According to the hackers' plans as observed by CYFIRMA Research, the phishing campaigns
are scheduled to launch in the following countries across multiple continents on the stated
dates.

Country | Campaign Launch Date | Target
USA | 20 June 2020 | Individuals
UK | 20 June 2020 | Businesses
Japan | 20 June 2020 | Individuals
India | 21 June 2020 | Individuals
Singapore | 21 June 2020 | Businesses
South Korea | 21 June 2020 | Individuals
Phishing Theme:
USA: The hackers claimed to have 1.4M curated email IDs. The plan is to send the email below
from a spoofed USDA email account, luring recipients with a fake Direct Payment of USD 1,000 and
inciting them to provide personal details. Please see the email evidence below.
UK: The hackers claimed to have 180,000 business contacts. The plan is to send the email below
from a spoofed Bank of England email account, luring recipients into providing business details
and pressing them to do so before 26 June 2020. Please see the email evidence below.
Japan: The hackers claimed to have 1.1M individual email IDs and plan to send the phishing
email from a spoofed Ministry of Finance, Japan email account, offering an additional payment
of JPY 80,000 to all citizens and residents of Japan. Please see the email evidence below.
India: The hackers claimed to have 2M individual email IDs. The plan is to send emails offering
free COVID-19 testing to all residents of Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad,
inciting them to provide personal information. Please see the email evidence below.
Singapore: The hackers claimed to have 8,000 business contact details and plan to send the
phishing email from a spoofed Ministry of Manpower email account, offering an additional
payment of SGD 750 for every employee these companies employ. Please see the email
evidence below.
South Korea: The hackers claimed to have 700,000 individual email IDs and will send a phishing
email to all citizens announcing an additional 1M Won payment in cash and shopping
vouchers. The fake email will be spoofed to impersonate the South Korean Government. Please
see the email evidence below.
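Every one of the six themes above depends on a spoofed or look-alike sender that claims to be a government agency. The Python triage helper below is an added example (it is not CYFIRMA's code and not part of the original report) showing the checks a mail gateway or SOC analyst would run on such a message: whether the visible From: domain is one of the impersonated agencies and carries a DMARC pass, whether the display name names an agency while the address sits on another domain, whether the envelope sender (Return-Path) aligns with the From: header, and whether the body carries the lure wording quoted later in this report. The agency domains in the watchlist and the two sample messages are assumptions constructed for the example.

```python
"""Triage helper for agency-impersonation lures.
Added example, not CYFIRMA code. The watchlist domains are an assumption
(confirm against the agencies' own sites); the sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Agencies the report's templates impersonate -> lower-case name used in display names.
IMPERSONATED = {
    "usda.gov": "usda",
    "bankofengland.co.uk": "bank of england",
    "mof.go.jp": "ministry of finance",
    "mom.gov.sg": "ministry of manpower",
    "mohw.go.kr": "ministry of health and welfare",
}

# Phrases shared by the lure templates quoted later in the report.
LURE_PHRASES = ("relief fund", "direct payment", "support fund",
                "apply online", "register your company", "bank account")

# spf=pass / dkim=none / dmarc=fail tokens inside an Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def _domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _display_name(header_value):
    name, _ = parseaddr(header_value or "")
    return name.lower()


def triage(raw_message):
    """Return the individual checks and an overall verdict for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_hdr = msg.get("From", "")
    from_domain = _domain(from_hdr)
    envelope_domain = _domain(msg.get("Return-Path"))
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace").lower()

    findings = {}
    # 1. From: is literally the agency domain: without a DMARC pass the header is forged.
    if from_domain in IMPERSONATED and auth.get("dmarc") != "pass":
        findings["spoofed_agency_from"] = from_domain
    # 2. Display name says "agency" but the address lives elsewhere (look-alike / free-mail).
    name = _display_name(from_hdr)
    for agency_domain, agency_name in IMPERSONATED.items():
        if agency_name in name and from_domain != agency_domain:
            findings["agency_name_wrong_domain"] = from_domain
    # 3. Envelope sender does not align with the visible From: domain.
    if envelope_domain and envelope_domain != from_domain:
        findings["envelope_misaligned"] = envelope_domain
    # 4. Lure wording together with a link to click.
    hits = [p for p in LURE_PHRASES if p in body]
    if hits and "http" in body:
        findings["lure_phrases"] = hits

    spoofed = "spoofed_agency_from" in findings or "agency_name_wrong_domain" in findings
    social = "envelope_misaligned" in findings and "lure_phrases" in findings
    verdict = "phishing" if (spoofed or social) else "clean"
    return {"from_domain": from_domain, "auth": auth, "findings": findings, "verdict": verdict}


# Constructed sample: the USD 1,000 "Direct Payment" lure sent through an unrelated relay.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=usda.gov
From: "USDA" <noreply@usda.gov>
To: victim@example.org
Subject: COVID-19 Direct Payment of USD 1000
Content-Type: text/plain; charset=utf-8

You are eligible for a Direct Payment of USD 1000 under the relief fund.
Apply online today: http://example.invalid/apply
"""

# Constructed sample: a message that authenticates and aligns.
SAMPLE_CLEAN = """\
Return-Path: <noreply@usda.gov>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=usda.gov; dkim=pass header.d=usda.gov; dmarc=pass header.from=usda.gov
From: "USDA" <noreply@usda.gov>
To: someone@example.org
Subject: Newsletter
Content-Type: text/plain; charset=utf-8

Monthly newsletter.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_SPOOFED, SAMPLE_CLEAN):
        print(triage(raw)["verdict"])
```

The Authentication-Results header must come from your own inbound MTA: a sender can insert a forged one, so the gateway should strip any copy that arrives from outside before this check runs.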
Technical Discovery:
On 1 June 2020, DeCYFIR, our proprietary cloud-based cyber threat discovery and cyber
intelligence platform, detected a suspicious folder named "건강 문제 -2020", which loosely
translates to "Health-Problem-2020", hosted on nine IP addresses.
Country | IP Address | First Seen | Last Seen | Purpose (Malware/Trojan/C&C) | Association with Threat Actor | CYFIRMA's Assessment | Public reference
Mexico | 177.205.181.88 | Reg Date: 2002-07-26 | 2020-05-26 | Unknown | Unknown | Undetected, can be used for malicious activity. Correlation: 1 undetected hash (myfile.exe) 00c1a347741607953534290a82b303da775df2d7ef777b9fdfda8f54b46b6807 | https://www.virustotal.com/gui/ip-address/177.205.181.88/detection
Mexico | 177.205.183.153 | 2020-02-29 | 2020-05-26 | Unknown | Unknown | Undetected, can be used for malicious activity. | https://www.virustotal.com/gui/ip-address/177.205.183.153/detection
Ukraine | 91.222.247.27 | 2020-01-05 | 2020-06-16 | Unknown: TOR node, VPN | Unknown | Undetected, can be used for malicious activity. Correlation: 4 undetected hashes in VT (myfile.exe): 6134ec59c7ade88996bc373a75538864192aff4b73380af937febc1976e033e8, 540e082fa61625561d473b33719539c9801367f39d3c1a351151100fb2dc4240, 98340bb66a293fdde011d75fe10ca9eaf0e73c6c75cf8645d1fd3314a4fe0309, 1232e05d42b5c2914916fd1e8e70ef3b42cfa6d8866336943f46745ee1e17e0c | https://www.virustotal.com/gui/ip-address/91.222.247.27/detection
Ukraine | 91.228.53.86 | 2020-01-05 | 2020-06-17 | C&C, Ransomware | Lazarus Group (Confidence: Medium), Zombie Spider (Confidence: Medium) | Undetected, can be used for malicious activity. Correlation: multiple hashes detected, utilized for Tofsee malware (TA), Shade ransomware (TA) | https://www.virustotal.com/gui/ip-address/91.228.53.86/detection
Switzerland | 77.109.191.140 | 2019-12-21 | 2020-06-17 | C&C, Trojan, Ransomware | TA-505 (Confidence: Medium) | Undetected, can be used for malicious activity. Correlation: multiple hashes detected, utilized for Locky malware (TA), MaktubLocker ransomware | https://www.virustotal.com/gui/ip-address/77.109.191.140/detection
France | 37.187.107.91 | 2019-12-20 | 2020-06-17 | C&C, Trojan, Ransomware | Lazarus Group (Confidence: Medium), Zombie Spider (Confidence: Medium) | Suspected to be used for distributing spam. Correlation: multiple hashes detected, utilized for Emotet banking trojan (TA), Shade ransomware (TA) | https://www.virustotal.com/gui/ip-address/37.187.107.91/detection
France | 104.244.73.193 | 2020-04-07 | 2020-06-17 | Malware hosting | No direct association | Suspected to be used for distributing spam. Correlation: multiple hashes detected; 1 spam URL (http://104.244.73.193/) | https://www.virustotal.com/gui/ip-address/104.244.73.193/detection
United States | 45.33.47.218 | 2020-01-05 | 2020-06-17 | C&C, Ransomware | Lazarus Group (Confidence: Medium) | Suspected to be used for distributing spam. Correlation: Locky (TA), Tofsee (TA), MaktubLocker | https://www.virustotal.com/gui/ip-address/45.33.47.218/relations
United States | 45.56.90.176 | 2020-01-05 | 2020-06-17 | C&C, Ransomware | APT-33/Charming Kitten (Confidence: Medium) | Suspected to be used for distributing spam. Correlation: Remcos RAT (TA) | https://www.virustotal.com/gui/ip-address/45.56.90.176/relations
The folder name "건강 문제 -2020", aka "Health-Problem-2020", attracted our researchers'
attention because recent months have seen an increase in pandemic-themed malware and
campaigns. Inside it our researchers found a folder called "꾸러미" ("package"), and under it
a file "스크립트 20.txt", which translates to "script20.txt", written in Korean.
스크립트 20.txt screenshot:
After running this file through a translation tool, we found a detailed, well-thought-out
plan to launch a phishing campaign against six nations across multiple continents. The plan
includes dates, personalized email templates, and command and control server details.
[건강 문제 -2020 Screenshot]
Folder names and their associated English names:
미국 -USA
영국 – UK
일본 – Japan
인도 – India
싱가포르 – Singapore
대한민국 – South Korea
The sophisticated, well-thought-out plan includes personalized email templates designed for
each country. The cybercriminals appear to have invested significant effort in making each
email relevant to the country's context, so as to increase the phishing campaign's success
rate.
From "스크립트 20.txt" (script20.txt) we picked up the following hacked email servers, which
will potentially be used to send out the phishing emails. Although we cannot confirm that
these mail servers were hacked, CYFIRMA's DeCYFIR platform detected and flagged them
as malicious. The assessment is also corroborated by public tools such as VirusTotal and
AlienVault OTX.
IP Address | First Seen | Last Seen | Purpose (Malware/Trojan/C&C) | Association with Threat Actor | CYFIRMA's Assessment | Public reference
112.85.42.194 | 2014-11-12 | 2020-03-14 | Malicious | Unknown | Suspected to be used for distributing spam. Correlation: 1 hash detected (d51bd6ac8f03895af1cd5eff41af0a03f199e84f98d13f401ee9d7c63ba2fc15), 1 spam URL (http://112.85.42.194/) | https://www.virustotal.com/gui/ip-address/112.85.42.194/detection
108.58.41.139 | 2020-01-08 | 2020-06-17 | Malicious | Unknown | Suspected to be used for distributing spam. Correlation: 1 domain detected (ool-6c3a298b.static.optonline.net), 1 spam URL (http://108.58.41.139/) | https://www.virustotal.com/gui/ip-address/108.58.41.139/detection
41.230.17.249 | 2020-01-05 | 2020-06-16 | Malicious | Unknown | Suspected to be used for distributing spam. Correlation: 1 spam URL detected (http://41.230.17.249/) | https://www.virustotal.com/gui/ip-address/41.230.17.249/detection
119.10.177.94 | 2020-01-19 | 2020-05-19 | Malicious | Unknown | Suspected to be used for distributing spam. Correlation: 1 hash detected (83ce2e12c6de29fe6155be554f8ea011d47c21af92b7ebb8eb58e288b3a38d46), 1 spam URL (https://119.10.177.94:4145) | https://www.virustotal.com/gui/ip-address/119.10.177.94/detection
45.190.220.241 | 2020-02-12 | 2020-06-16 | Malware hosting | No direct association | Found to be malicious, suspected to be used for distributing spam. | https://www.virustotal.com/gui/ip-address/45.190.220.241/detection
89.203.142.18 | 2020-01-05 | 2020-06-16 | Malicious | Unknown | Suspected to be used for distributing spam. Correlation: 1 HTML file detected (nocookies.html, 1444dd391144e74e2f67baba0cdee7bbfc2f693d1c4128d8da55d77dc20860bc), 1 spam URL (http://89.203.142.18/) | https://www.virustotal.com/gui/ip-address/89.203.142.18/detection
104.181.50.170 | 2020-01-18 | 2020-05-10 | Unknown | Unknown | Suspected malicious signature. Correlation: 1 undetected hash (6492e4dc103780eecbdcc4e3fcf9f9d791fcbfc1cafd6b54d30e4f66bf487938) | https://www.virustotal.com/gui/ip-address/104.181.50.170/detection
104.192.200.144 | 2019-12-13 | 2020-05-06 | Unknown | Unknown | Suspected malicious signature. | https://www.virustotal.com/gui/ip-address/104.192.200.144/detection
41.190.232.130 | 2019-12-13 | 2020-05-04 | Unknown | Unknown | Suspected malicious signature. | https://www.virustotal.com/gui/ip-address/41.190.232.130/detection
43.250.127.98 | 2019-12-13 | 2020-06-16 | Malicious | Unknown | Suspected to be used for distributing a trojan. Correlation: 1 hash detected (6a6b8cc2e2f44c67dfea05593d08c33622058ba4e6f09333b93ddb6c9f65664c), 1 spam URL (http://43.250.127.98/) | https://www.virustotal.com/gui/ip-address/43.250.127.98/detection
94.176.189.140 | 2019-12-20 | 2020-06-17 | Malicious | Unknown | Suspected to be used for distributing spam. Correlation: multiple spam URLs, XML/Excel sheets and domains detected | https://www.virustotal.com/gui/ip-address/94.176.189.140/detection
79.124.61.139 | 2020-05-17 | 2020-06-16 | Unknown | Unknown | Undetected, can be used for malicious activity. Correlation: 2 domains detected (ns2.avcilararcelikservisi.com, ns1.avcilararcelikservisi.com) | https://www.virustotal.com/gui/ip-address/79.124.61.139/detection
14.248.136.215 | 2020-06-15 | 2020-06-16 | Unknown | Unknown | Suspected to be used for distributing spam. | https://www.virustotal.com/gui/ip-address/14.248.136.215/detection
95.30.218.148 | 2020-01-17 | 2020-01-17 | Unknown | Unknown | Undetected, can be used for malicious activity. | https://www.virustotal.com/gui/ip-address/95.30.218.148/detection
58.22.217.122 | Reg Date: 2004-05-03 | Updated: 2010-07-30 | Unknown | Unknown | Undetected, can be used for malicious activity. | https://www.virustotal.com/gui/ip-address/58.22.217.122/detection
The following are the command and control or data collection servers observed in the hackers'
plan. Fake or impersonated URLs will be hosted on these servers. They are attributed to Lazarus
Group using CYFIRMA's DeCYFIR platform; the assessment is also corroborated by public tools
such as VirusTotal and AlienVault OTX.
IP Address | First Seen | Last Seen | Purpose (Malware/Trojan/C&C) | Association with Threat Actor | CYFIRMA's Assessment | Public reference
218.255.24.226 | 2020-01-05 | 2020-06-17 | C&C, commodity malware | Lazarus Group (Confidence: Medium) | Multiple associations, using NukeSped RAT (TA) | https://www.virustotal.com/gui/ip-address/218.255.24.226/detection
195.158.234.60 | 2019-12-27 | 2020-06-16 | C&C, commodity malware | Lazarus Group (Confidence: Medium) | Multiple associations, using NukeSped RAT (TA) | https://www.virustotal.com/gui/ip-address/195.158.234.60/detection
111.68.7.74 | 2020-01-13 | 2020-06-16 | C&C, commodity malware | Lazarus Group (Confidence: Low) | Multiple associations, using Razy trojan (commodity malware) (TA) | https://www.virustotal.com/gui/ip-address/111.68.7.74/detection
172.217.17.110 | 2020-01-05 | 2020-06-17 | C&C, commodity malware | Lazarus Group (Confidence: Medium) | Multiple associations, using Polyransom malware (TA) | https://www.virustotal.com/gui/ip-address/172.217.17.110/detection
69.172.201.153 | 2020-01-05 | 2020-06-16 | C&C, commodity malware | Lazarus Group (Confidence: High) | Multiple associations, using Coinminer, Emotet, Mydoom (Operation Blockbuster) | https://www.virustotal.com/gui/ip-address/69.172.201.153/detection
31.170.163.101 | 2019-12-11 | 2020-06-17 | C&C, commodity malware | Lazarus Group (Confidence: Medium) | Multiple associations, using Strictor, Razy (TA) | https://www.virustotal.com/gui/ip-address/31.170.163.101/detection
180.120.38.159 | Reg Date: 2009-04-29 | Updated: 2010-07-30 | Commodity malware | Lazarus Group (Confidence: Medium) | Suspected to be used for distributing spam and malware. Correlation: 2 URLs (seem to be used for malware hosting), 1 hash e15e93db3ce3a8a22adb4b18e0e37b93f39c495e4a97008f9b1a9a42e1fac2b0 (Mirai) (TA) | https://www.virustotal.com/gui/ip-address/180.120.38.159/detection
80.78.250.92 | 2019-12-11 | 2020-06-17 | C&C | Gothic Panda (Confidence: Medium) | Multiple associations, using Sality, Bayrob (TA) | https://www.virustotal.com/gui/ip-address/80.78.250.92/detection
84.22.138.150 | 2019-12-13 | 2020-05-29 | Malicious | Unknown | Multiple associations, suspected to be used for distributing spam and malware. Correlation: 2 URLs (seem to be used for spam): https://84.22.138.150/, http://84.22.138.150/ | https://www.virustotal.com/gui/ip-address/84.22.138.150/detection
182.254.137.202 | 2020-01-01 | 2020-06-16 | Malicious | Gothic Panda (Confidence: Medium) | Correlation: 1 URL, http://182.254.137.202/ (malicious); 1 domain (opteeq.com, seems to be a semiconductor and manufacturing site operating from Guangdong) | https://www.virustotal.com/gui/ip-address/182.254.137.202/detection
45.147.200.145 | 2020-01-27 | 2020-02-24 | Malicious | Unknown | Multiple associations (looks to be used for phishing) | https://www.virustotal.com/gui/ip-address/45.147.200.145/detection
201.163.36.134 | Reg Date: 2003-04-03 | Updated: 2010-07-21 | Unknown | Unknown | Undetected, can be used for malicious activity. Correlation: 1 email file detected (722ce7b47a3905248158ff0a2f4aaf8583a759d59e2c8d4aee9a0fdd567ac4fd) | https://www.virustotal.com/gui/ip-address/201.163.36.134/detection
42.231.162.212 | 2020-01-25 | 2020-02-24 | Malicious | Unknown | Multiple associations, suspected to be used for distributing spam. Correlation: referred to by 7 email files (1 with a trojan detected) and 1 URL (spam) | https://www.virustotal.com/gui/ip-address/42.231.162.212/detection
187.150.36.168 | 2020-02-06 | 2020-05-31 | Unknown | Unknown | Undetected, can be used for malicious activity. | https://www.virustotal.com/gui/ip-address/187.150.36.168/detection
120.194.77.41 | 2020-03-31 | 2020-04-04 | Unknown | Unknown | Undetected, can be used for malicious activity. | https://www.virustotal.com/gui/ip-address/120.194.77.41/detection
Further analysis of the script20.txt file revealed the following additional hashes (MD5) and IP
addresses, which show a trail linking to Lazarus Group.
Indicator (MD5 hash or IP address) | First Seen (hashes: first submission) | Last Seen (hashes: last analysis) | Purpose (Malware/Trojan/C&C) | Association with Threat Actor | CYFIRMA's Assessment | Public reference
149a696472d4a189f5896336ab16cc34 | 2020-06-01 | 2020-06-11 | Malicious | Lazarus Group (Confidence: High) | Using NukeSped RAT (TA); used in a campaign leveraging fake cryptocurrency exchanges (TA) | https://www.virustotal.com/gui/file/572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09/detection, https://otx.alienvault.com/indicator/file/149a696472d4a189f5896336ab16cc34
98c1ecc4aed0099fb8c797b1ce72f3c0 | 2020-05-19 | 2020-06-05 | Malicious | Lazarus Group (Confidence: High) | Using OpenCarrot malware (TA) | https://www.virustotal.com/gui/file/333b4da636271f57c2f16acba9adc389c66fc4d7e215050f0e4f50218b52c979/detection
c59d50189a12e0b0c3982358f084d1db | 2019-07-27 | 2019-11-02 (last submission) | Malicious | Lazarus Group (Confidence: High) | Using Shaitan malware (TA) | https://www.virustotal.com/gui/file/dd1232df0703e028418f59026f7eb3f68cdb7eb15352229dc2db04e3ee5e90da/detection
88de31ad947927004ab56ab1e855fd64 | 2020-06-01 | 2020-06-15 | Malicious | Lazarus Group (Confidence: High) | Using NukeSped RAT (TA), FakeCoinTrader | https://www.virustotal.com/gui/file/3e5442440aea07229a1bf6ca2fdf78c5e2e5eaac312a325ccb49d45da14f97f4/detection
211.192.239.232 | Reg Date: 1996-06-30 | Updated: 2010-08-02 | C&C, malicious | Lazarus Group (Confidence: High) | Using TAINTEDSCRIBE malware (TA), NukeSped RAT (TA) | https://www.virustotal.com/gui/ip-address/211.192.239.232/detection
67.43.239.146 | 2019-12-12 | 2020-04-29 | C&C, malicious | Lazarus Group (Confidence: High) | Using the new macOS Dacls RAT (TA) | https://www.virustotal.com/gui/ip-address/67.43.239.146/detection
184.168.221.48 | Reg Date: 2010-09-21 | Updated: 2014-02-25 | C&C, malicious | Lazarus Group (Confidence: High) | Using Bayrob (TA), Zusy, Occamy | https://www.virustotal.com/gui/ip-address/184.168.221.48/detection
166.62.112.193 | 2020-01-05 | 2020-06-17 | C&C, malicious | Lazarus Group (Confidence: High) | Using Sodinokibi ransomware (TA) | https://www.virustotal.com/gui/ip-address/166.62.112.193/detection
154.73.92.52 | 2019-12-11 | 2020-06-17 | C&C | Lazarus Group (Confidence: Medium) | Using AgentTesla malware (TA) | https://www.virustotal.com/gui/ip-address/154.73.92.52/detection
175.41.26.134 | 2020-01-05 | 2020-06-16 | Unknown | Unknown | Multiple associations, suspected to be used for distributing spam. Correlation: multiple hashes (phishing) | https://www.virustotal.com/gui/ip-address/175.41.26.134/detection
104.27.129.157 | 2019-12-12 | 2020-06-17 | C&C | Unknown | Can be used for malicious activity. Correlation: Guildma banking trojan, Ulise | https://www.virustotal.com/gui/ip-address/104.27.129.157/detection
103.8.196.98 | 2019-12-11 | 2020-05-24 | Unknown | Unknown | Suspected to be used for distributing spam. | https://www.virustotal.com/gui/ip-address/103.8.196.98/detection
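The mail-server, C&C and hash tables above are only useful once the indicators are normalised and fed into controls. The Python below is an added example (not CYFIRMA tooling and not part of the report) that validates and classifies a constructed subset of the report's indicators, collapses duplicate rows, holds back addresses that fall inside shared hosting or CDN ranges for manual review instead of blocking them (172.217.17.110 lies in 172.217.0.0/16, announced by Google, and 104.27.129.157 in 104.16.0.0/12, announced by Cloudflare, so a blanket block would hit legitimate traffic; the review ranges are an assumption to be maintained locally), and emits Suricata alert rules for the remainder. The SID range and rule message are arbitrary choices for the example; the mis-typed address in the sample rows is constructed to show the validation path.

```python
"""Turn the report's IP/hash indicators into review lists and Suricata rules.
Added example, not CYFIRMA tooling. The rows and review ranges are
constructed/assumed for the example."""
import ipaddress
import re

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Shared hosting / CDN ranges (assumed; keep your own list): an indicator in
# one of these is reviewed by an analyst, never auto-blocked.
REVIEW_RANGES = [ipaddress.ip_network("172.217.0.0/16"),   # Google
                 ipaddress.ip_network("104.16.0.0/12")]    # Cloudflare

# Constructed subset of the report's tables: (indicator, context, actor).
REPORT_IOCS = [
    ("218.255.24.226", "C&C, NukeSped RAT", "Lazarus Group (Medium)"),
    ("195.158.234.60", "C&C, NukeSped RAT", "Lazarus Group (Medium)"),
    ("69.172.201.153", "C&C, Emotet/Mydoom", "Lazarus Group (High)"),
    ("172.217.17.110", "C&C, Polyransom", "Lazarus Group (Medium)"),
    ("104.27.129.157", "C&C, Guildma", "Unknown"),
    ("211.192.239.232", "C&C, TAINTEDSCRIBE", "Lazarus Group (High)"),
    ("218.255.24.226", "duplicate row", "Lazarus Group (Medium)"),
    ("149a696472d4a189f5896336ab16cc34", "NukeSped RAT sample", "Lazarus Group (High)"),
    ("572a124f5665be68eaa472590f3ba75bf34b0ea2942b5fcbfd3e74654202dd09",
     "NukeSped RAT sample", "Lazarus Group (High)"),
    ("999.1.1.1", "constructed transcription error", "Unknown"),
]


def classify(value):
    """'ipv4', 'md5', 'sha256' or 'invalid' (bad octets count as invalid)."""
    v = value.strip().lower()
    if IPV4_RE.match(v):
        try:
            ipaddress.IPv4Address(v)
        except ValueError:
            return "invalid"
        return "ipv4"
    if MD5_RE.match(v):
        return "md5"
    if SHA256_RE.match(v):
        return "sha256"
    return "invalid"


def normalise(rows):
    """Validate, classify and de-duplicate; returns {type: {value: 'context | actor'}}."""
    out = {"ipv4": {}, "md5": {}, "sha256": {}, "invalid": {}}
    for value, context, actor in rows:
        out[classify(value)].setdefault(value.strip().lower(), f"{context} | {actor}")
    return out


def split_ips(ipv4_map):
    """Separate addresses safe to block from those inside shared ranges."""
    block, review = [], []
    for ip in sorted(ipv4_map, key=ipaddress.IPv4Address):
        addr = ipaddress.IPv4Address(ip)
        (review if any(addr in net for net in REVIEW_RANGES) else block).append(ip)
    return block, review


def suricata_rules(ipv4_map, sid_start=9000001):
    """One alert rule per blockable IP for traffic leaving $HOME_NET."""
    rules = []
    block, _ = split_ips(ipv4_map)
    for i, ip in enumerate(block):
        msg = ipv4_map[ip].replace('"', "'").replace(";", ",")
        rules.append(f'alert ip $HOME_NET any -> {ip} any '
                     f'(msg:"CYFIRMA COVID-19 lure infrastructure: {msg}"; '
                     f'classtype:trojan-activity; sid:{sid_start + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    iocs = normalise(REPORT_IOCS)
    print("review manually:", split_ips(iocs["ipv4"])[1])
    print("rejected:", list(iocs["invalid"]))
    print("\n".join(suricata_rules(iocs["ipv4"])))
```

The rules are alerts rather than drops so that hits on shared infrastructure surface before anything is blocked; the MD5/SHA-256 values go to endpoint or sandbox tooling separately, since these rules match on destination address only.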
English translations of the email templates for each country, produced with public translation
tools (the translation may be weak):
USA: [email template was in English; emm.rtf file screenshot] The hackers claimed to have 1.4M
curated email IDs. The plan is to send the email below from a spoofed USDA email account,
luring recipients with a fake Direct Payment of USD 1,000 and inciting them to provide personal
details. Please see the email evidence below.
UK: [email template was in English; emm.rtf file screenshot] The hackers claimed to have 180,000
business contacts. The plan is to send the email below from a spoofed Bank of England email
account, luring recipients into providing business details and pressing them to do so before
26 June 2020. Please see the email evidence below.
Japan: [English translation from emm.rtf file] The hackers claimed to have 1.1M individual email
IDs and plan to send the phishing email from a spoofed Ministry of Finance, Japan email
account, offering an additional payment of JPY 80,000 to all citizens and residents of Japan.
Please see the email evidence below.
Residents
The Japanese Ministry of Finance today announced an additional support fund of JPY 80,000
for all residents of Japan.
To ease the process from the previous time, you can apply online this time using the link [].
Apply today
By July 15, 2020, you will receive payment directly into your bank account or a check will be
sent to the communication address provided by you.
Government of Japan is committed to well-being of all citizens and residents.
Thank You,
The Ministry of Finance, Japan
100100-8940 3-1-1 Kasumigaseki, Chiyoda-ku, Tokyo Tel: 03-3581-4111
India: [email template was in English; emm.rtf file screenshot] The hackers claimed to have 2M
individual email IDs. The plan is to send emails offering free COVID-19 testing to all residents of
Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad, inciting them to provide personal
information. Please see the email evidence below.
Singapore: [English translation from emm.rtf file] The hackers claimed to have 8,000 business
contact details and plan to send the phishing email from a spoofed Ministry of Manpower
email account, offering an additional payment of SGD 750 for every employee these companies
employ. Please see the email evidence below.
Member of Singapore Business Federation,
Thank you for your long-term support during the COVID19 circuit breaker. We understand the
pain and torture you have suffered in the past two months, which has prevented you from
conducting business.
In the past few months, we have announced many business friendly programs supported by
the Singapore government. In addition, the Ministry of Manpower (MOM) of Singapore today
announced a new financial plan that provides a one-time subsidy of S$750 per employee
under the Work Support Plan (JSS).
Please register your company and don't forget to provide your company bank information so
that we can transfer funds automatically.
Claim your financial support immediately: []
Thank you,
Ministry of Manpower [MOM] Singapore
MOM Service Center
1500 Bendemeer Road, Singapore 339946
Employment Pass Service Center
Binhe Road, 20 Upper Ring Road, #04-01/02, Singapore 058416
South Korea: [English translation from emm.rtf file] The hackers claimed to have 700,000
individual email IDs and will send a phishing email to all citizens announcing an additional 1M
Won payment in cash and shopping vouchers. The fake email will be spoofed to
impersonate the South Korean Government. Please see the email evidence below.
Residents
In addition to ministry of economic and finance announcement in March 2020.
Today Ministry of health and welfare (MOHW) is announcing 2nd relief fund for citizens and
residents.
Under this relief fund all citizens and residents will be eligible to receive up to 1 million won in
cash and shopping vouchers.
In order to receive the cash payout, all citizens must register today.
You can apply here ()
Thank You,
Ministry of Health and Welfare
13, Doum 4-ro, Sejong, (30113) Korea
HELP CENTER 82-129
ABOUT CYFIRMA
Headquartered in Singapore and Tokyo, CYFIRMA is a leading threat discovery and
cybersecurity platform company. Its cloud-based AI and ML-powered cyber intelligence
analytics platform helps organizations proactively identify potential threats at the planning
stage of cyberattacks, offers deep insights into their cyber landscape, and amplifies
preparedness by keeping the organization’s cybersecurity posture up-to-date, resilient, and
ready against upcoming attacks.
CYFIRMA works with many Fortune 500 companies. The company has offices and teams
located in Singapore, Japan and India.
Official websites:
www.cyfirma.com
www.cyfirma.jp