Cybereason Nocturnus has reported on this campaign. Previously we noted strange communications going to the IP address 173[.]205.125.124, so we were aware that this host is a problem. This attack is targeting the Korean peninsula, South Korean think tanks, the UN Security Council and US-CERT. We highly recommend blocking the IP address, as multiple domains are also hosted on this infrastructure.
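As an added example (not code from Cybereason or from this page's author), the following Python shows how a defender can turn the defanged indicator list into typed sets and sweep proxy logs for connections to the flagged IP. The indicator tokens come from the page; the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# A few of the IOC tokens as published on the page (the IP is written defanged).
IOC_TEXT = (
    "173[.]205.125.124 "
    "e890504a4903cf8e8731bbda32b41843 "
    "3e621ef83f474ee62a840f10d4a3f5877d9ee09e "
    "f989d13f7d0801b32735fee018e816f3a2783a47cff0b13d70ce2f1cbc754fb9"
)

# Constructed sample proxy log lines (not from the page): time src_ip dst_ip method path
SAMPLE_LOG = """\
2019-10-01T12:00:01Z 10.0.0.5 93.184.216.34 GET /index.html
2019-10-01T12:00:07Z 10.0.0.9 173.205.125.124 POST /upload
2019-10-01T12:00:09Z 10.0.0.5 173.205.125.124 GET /
"""

HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(token):
    """Turn defanged notation such as 173[.]205.125.124 back into a plain value."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text):
    """Classify whitespace-separated IOC tokens into md5/sha1/sha256/ip sets by shape."""
    iocs = defaultdict(set)
    for tok in text.split():
        tok = refang(tok).lower()
        if re.fullmatch(r"[0-9a-f]+", tok) and len(tok) in HASH_LEN:
            iocs[HASH_LEN[len(tok)]].add(tok)
        elif re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", tok):
            iocs["ip"].add(tok)
        else:
            iocs["unknown"].add(tok)
    return iocs


def find_hits(log_text, iocs):
    """Return (line_no, src_ip, dst_ip) for every log line whose destination is a known bad IP."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 3 and fields[2] in iocs["ip"]:
            hits.append((n, fields[1], fields[2]))
    return hits
```

The hash sets can be matched the same way against EDR or file-inventory exports once the relevant hash column is identified.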