North Korean State-Sponsored Actor

On January 25, 2021, Google's Threat Analysis Group released information about a North Korean state-sponsored actor who was specifically targeting security researchers for compromise. Additional information can be found in Rapid7's blog post.

Rapid7's Managed Detection & Response team deployed Indicators of Compromise (IOCs) and behavior-based detections in InsightIDR that alert based on:

  • The IOCs identified in the Google report, including domains, URLs, and hashes
  • The PowerShell, Visual Studio Project, and RunDLL32 activity described in the report

Detection Rules

The following is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor. Each section below describes one detection.

Suspicious DNS Request - DPRK Actor Targeting Security Research - Domain Observed

Description

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes.

Recommendation

Investigate the source of the DNS request. Additional context can be found in Rapid7's blog post: https://blog.rapid7.com/2021/01/26/state-sponsored-threat-actors-target-security-researchers/

MITRE ATT&CK Techniques

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - DPRK Actor Targeting Security Research - Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common system administration tools for malicious purposes.

Recommendation

Investigate the parent of this process, as well as any other processes spawned by this process or the parent process. If this activity is not benign or expected, consider rebuilding the host from a known good source and having the user change their password.

Suspicious Process - PowerShell Determining Operating System

Description

This detection identifies PowerShell being used to determine the version and bitness of Windows. Malicious actors and scripts will do this to determine which payload to deploy to a given system. This tactic has been observed in use by North Korean actors discovered to be targeting security researchers in early 2021.

Recommendation

Examine the parent process that spawned the command, and anything else the process or parent process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known good source and having the user change their password.

MITRE ATT&CK Techniques

  • System Information Discovery - T1082

Suspicious Process - RunDLL32 Running Visual Studio File

Description

This detection identifies RunDLL32 being used to run a DLL from a Visual Studio file. This tactic has been observed in use by malicious actors, specifically the North Korean actors discovered to be targeting security researchers in early 2021.

Recommendation

Examine any processes spawned by the rundll32 process that loaded the DLL, and the parent of that process. If this activity is not benign or expected, consider rebuilding the host from a known good source and having the user change their password.

MITRE ATT&CK Techniques

  • Rundll32 - T1218.011
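
As an added illustration (not Rapid7's rule definitions or InsightIDR code), the following Python sketches how the two behavior-based detections above, "PowerShell Determining Operating System" and "RunDLL32 Running Visual Studio File", can be evaluated over process-start events. The PowerShell expressions treated as version and bitness checks, the `ancestors` field, and the use of a Visual Studio process (devenv.exe or MSBuild.exe) in the ancestry to tie a rundll32 invocation to a Visual Studio build are assumptions made for this example; the events are constructed.

```python
# Added example, not Rapid7's InsightIDR rule logic: behaviour-based checks for the
# "PowerShell Determining Operating System" and "RunDLL32 Running Visual Studio File"
# detections, run over constructed process-start events. The PowerShell patterns and
# the use of process ancestry to tie rundll32 to a Visual Studio build are assumptions.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcessEvent:
    """One process-start record (constructed for this example)."""
    process: str                                        # image name, e.g. "powershell.exe"
    command_line: str
    ancestors: List[str] = field(default_factory=list)  # parent first, then grandparent, ...


# PowerShell idioms that read the Windows version or bitness (assumed patterns).
OS_DISCOVERY_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "Environment.OSVersion": re.compile(r"\[(?:System\.)?Environment\]::OSVersion", re.I),
    "Environment.Is64Bit": re.compile(r"\[(?:System\.)?Environment\]::Is64Bit(?:OperatingSystem|Process)", re.I),
    "Win32_OperatingSystem": re.compile(r"Win32_OperatingSystem", re.I),
    "PROCESSOR_ARCHITECTURE": re.compile(r"\$env:PROCESSOR_ARCHITECTURE", re.I),
    "IntPtr.Size": re.compile(r"\[IntPtr\]::Size", re.I),
}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
VISUAL_STUDIO_IMAGES = {"devenv.exe", "msbuild.exe"}   # assumed build-chain ancestors

# rundll32 is invoked as: rundll32[.exe] <dll>[,<entry>] [args]; the DLL path may be quoted.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(?:"([^"]+)"|([^\s,]+))', re.I
)


def powershell_os_discovery(ev: ProcessEvent) -> Optional[dict]:
    """Suspicious Process - PowerShell Determining Operating System (T1082)."""
    if ev.process.lower() not in POWERSHELL_IMAGES:
        return None
    hits = [name for name, rx in OS_DISCOVERY_PATTERNS.items() if rx.search(ev.command_line)]
    if not hits:
        return None
    return {"rule": "PowerShell Determining Operating System", "technique": "T1082", "matched": hits}


def rundll32_dll_path(command_line: str) -> Optional[str]:
    """Extract the DLL argument, whether quoted ("...dll",Entry) or bare (x.dll,Entry)."""
    m = RUNDLL32_RE.match(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def rundll32_visual_studio(ev: ProcessEvent) -> Optional[dict]:
    """Suspicious Process - RunDLL32 Running Visual Studio File (T1218.011).

    Assumption: the DLL counts as coming from a Visual Studio build when a Visual
    Studio process is in the ancestry. DLLs under the Windows directory are ignored
    to keep ordinary rundll32 use (control panel applets etc.) quiet.
    """
    if ev.process.lower() != "rundll32.exe":
        return None
    dll = rundll32_dll_path(ev.command_line)
    if dll is None or dll.lower().startswith("c:\\windows\\"):
        return None
    if not any(a.lower() in VISUAL_STUDIO_IMAGES for a in ev.ancestors):
        return None
    return {"rule": "RunDLL32 Running Visual Studio File", "technique": "T1218.011", "dll": dll}


DETECTORS = (powershell_os_discovery, rundll32_visual_studio)


def evaluate(events: List[ProcessEvent]) -> List[dict]:
    """Run every detector over every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for detector in DETECTORS:
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events: two should alert, three should stay quiet.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe",
                 r'powershell.exe -nop -c "[Environment]::OSVersion.Version; [Environment]::Is64BitOperatingSystem"',
                 ["cmd.exe", "explorer.exe"]),
    ProcessEvent("powershell.exe", r"powershell.exe -c Get-ChildItem C:\Temp", ["explorer.exe"]),
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", ["explorer.exe"]),
    ProcessEvent("rundll32.exe",
                 r'rundll32.exe "C:\Users\dev\source\repos\ExampleProject\x64\Debug\example.dll",Run',
                 ["cmd.exe", "MSBuild.exe", "devenv.exe"]),
    ProcessEvent("rundll32.exe",
                 r'rundll32.exe "C:\Users\dev\source\repos\ExampleProject\x64\Debug\example.dll",Run',
                 ["explorer.exe"]),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The DLL-path parser matters more than it looks: rundll32 accepts both `"path with spaces.dll",Entry` and `path.dll,Entry`, and a detection that splits on the first comma or the first space alone mis-parses one of the two forms. Tuning the ancestry test (or replacing it with a check against the project directory on disk) is where a real deployment would spend its effort.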

Suspicious Web Request - DPRK Actor Targeting Security Research - Domain Observed

Description

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes.

Recommendation

Investigate the source of the web request. Additional context can be found in Google's initial report: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/

MITRE ATT&CK Techniques

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004