On February 10, intelligence agencies from South Korea and the United States announced a cybersecurity advisory in regard to ransomware attacks from North Korea. It is the first joint report between the South Korean National Intelligence Service and the United States’ National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) to raise awareness of cyberattacks from North Korea and protect both countries from ransomware.
- Title: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
- Security Advisory:
- South Korea’s National Cyber Security Center (NCSC) Go to site
- United States’ Cybersecurity and Infrastructure Security Agency (CISA) Go to site
Agencies from South Korea and the United States determined that the ransomware cases of Maui and H0lyGh0st, which attacked institutions in charge of the United State’s medical and public health sectors as well as other crucial infrastructure, originated from North Korea. They then published relevant TTP (tactics, techniques, and procedures) data and indicators of compromise.
| MD5 | Detection |
| 079b4588eaa99a1e802adf5e0b26d8aa | Backdoor/Win.NukeSped.R486619 (2022.04.21.00) |
| 0e9e256d8173854a7bc26982b1dde783 | Backdoor/Win.NukeSped.R443314 (2021.09.29.03) |
| 12c15a477e1a96120c09a860c9d479b3 | Trojan/Win.Andardoor.R450256 (2021.11.15.03) |
| 131fc4375971af391b459de33f81c253 | Backdoor/Win.NukeSped.R486619 (2022.04.21.00) |
| 17c46ed7b80c2e4dbea6d0e88ea0827c | Trojan/Win.Agent.C4979106 (2022.02.23.03) |
| 1875f6a68f70bee316c8a6eda9ebf8de | Backdoor/Win.NukeSped.R486595 (2022.04.20.03) |
| 1a74c8d8b74ca2411c1d3d22373a6769 | Trojan/Win32.Injector.C4107561(2020.05.25.04) |
| 1f1f33d84c42fa6f74aa6b809ac0d536 | Downloader/DOC.Generic (2023.02.10.00) |
| 1f239db751ce9a374eb9f908c74a31c9 | HackTool/Win.Xpopup.C5379737 (2023.02.11.00) |
| 1f6d9f8fbdbbd4e6ed8cd73b9e95a928 | Keylogger/Win.Agent.R557573 (2023.02.11.00) |
| 25ee4001eb4e91f7ea0bc5d07f2a9744 | WebShell/JSP.Generic.S1866 (2022.07.13.03) |
| 2d02f5499d35a8dffb4c8bc0b7fec5c2 | Ransomware/Win.MAUICRYPT.C5197495 (2022.07.07.03) |
| 2e18350194e59bc6a2a3f6d59da11bd8 | Dropper/Win.Agent.C4950284 (2022.02.04.00) |
| 39598b710e44a5d27684dfa463ce5148 | Dropper/DOC.Agent (2022.03.08.00) |
| 3bd22e0ac965ebb6a18bb71ba39e96dc | Dropper/Win.Agent.C4950284 (2022.02.04.00) |
| 40f21743f9cb927b2c84ecdb7dfb14a6 | Backdoor/Win.NukeSped.R487407 (2022.04.23.02) |
| 4118d9adce7350c3eedeb056a3335346 | Ransomware/Win.MAUICRYPT.C5050930 (2022.04.04.01) |
| 43d4994635f72852f719abb604c4a8a1 | HackTool/Win.Xpopup.C5379731 (2023.02.11.00) |
| 43e756d80225bdf1200bc34eef5adca8 | Backdoor/Win.NukeSped.R487413 (2022.04.23.03) |
| 47791bf9e017e3001ddc68a7351ca2d6 | Backdoor/Win.NukeSped.C4631988 (2021.09.15.01) |
| 4df757390adf71abdd084d3e9718c153 | Trojan/Win.Akdoor.C4510678 (2021.10.09.03) |
| 4e71d52fc39f89204a734b19db1330d3 | HackTool/Win.Xpopup.C5379732 (2023.02.11.00) |
| 505262547f8879249794fc31eea41fc6 | Backdoor/Win.NukeSped.R487414 (2022.04.23.03) |
| 50d3623d67c9284e3b2a10a7e10c9c45 | Trojan/Win.Agent.R557572(2023.02.11.00) |
| 5130888a0ad3d64ad33c65de696d3fa2 | Dropper/Win.Agent.C4950294 (2022.02.04.00) |
| 54ca404d16db18d233c606b48c73d66f | Trojan/Win.SiennaPurple.C5207112(2022.07.15.02) |
| 58ad3103295afcc22bde8d81e77c282f | Backdoor/Win.NukeSped.R487407 (2022.04.23.02) |
| 5ae71e8440bf33b46554ce7a7f3de666 | HackTool/Win.Xpopup.C5379736 (2023.02.11.00) |
| 5be1e382cd9730fbe386b69bd8045ee7 | Trojan/Win.Agent.C5098032 (2022.04.23.00) |
| 5c6f9c83426c6d33ff2d4e72c039b747 | Dropper/Win.Agent.C4950294 (2022.02.04.00) |
| 640e70b0230dc026eff922fb1e44c2ea | Keylogger/Win.Agent.C5162575(2022.06.08.00) |
| 643c2ad6067051e3daf7d08b4adeaed4 | Backdoor/Win.NukeSped.C4629673 (2021.09.11.00) |
| 67f4dad1a94ed8a47283c2c0c05a7594 | Trojan/Win.Generic.C5161421(2022.06.07.01) |
| 6b8c777ab88d350de74d4daf5626114c | Backdoor/Win.Preft.C5104667 (2022.04.28.03) |
| 6c2b947921e7c77d9af62ce9a3ed7621 | Trojan/Win.Agent.C4928860 (2022.01.24.03) |
| 6fb13b1b4b42bac05a2ba629f04e3d03 | HackTool/Win.Xpopup.C5379733 (2023.02.11.00) |
| 70652edadedbacfd30d33a826853467d | Backdoor/Win.NukeSped.R487407 (2022.04.23.02) |
| 76c3d2092737d964dfd627f1ced0af80 | Backdoor/Win.NukeSped.R487407 (2022.04.23.02) |
| 792370eb01e16ac3dc511143932d0e1d | Malware/Win.Generic.C5272184(2022.10.05.00) |
| 827103a6b6185191fd5618b7e82da292 | Backdoor/Win.NukeSped.R486595 (2022.04.20.03) |
| 830bc975a04ab0f62bfedf27f7aca673 | Trojan/Win.Andardoor.C5094639 (2022.04.21.01) |
| 85995257ac07ae5a6b4a86758a2283d7 | Infostealer/Win.Pwstealer.C4510631 (2021.06.04.03) |
| 85f6e3e3f0bdd0c1b3084fc86ee59d19 | Trojan/Win.Agent.C4979106 (2022.02.23.03) |
| 87a6bda486554ab16c82bdfb12452e8b | Backdoor/Win.NukeSped.R487407 (2022.04.23.02) |
| 891db50188a90ddacfaf7567d2d0355d | Backdoor/Win.NukeSped.R487413 (2022.04.23.03) |
| 894de380a249e677be2acb8fbdfba2ef | Backdoor/Win.NukeSped.R487413 (2022.04.23.03) |
| 8b395cc6ecdec0900facf6e93ec48fbb | Infostealer/Win.Agent.C5094347 (2022.04.20.03) |
| 92a6c017830cda80133bf97eb77d3292 | Backdoor/Win.NukeSped.R443314 (2021.09.29.03) |
| 9a481bc83fea1dea3e3bdfff5e154d44 | Backdoor/Win.Agent.C4635580 (2021.09.18.01) |
| 9b0e7c460a80f740d455a7521f0eada1 | Ransomware/Win.MAUICRYPT.C5050930 (2022.04.04.01) |
| 9b9d4cb1f681f19417e541178d8c75d7 | Unwanted/Win.PassView.C5243250(2022.09.23.03) |
| a1f9e9f5061313325a275d448d4ddd59 | Keylogger/Win.Agent.C5162578 (2022.06.08.00) |
| a2b371eea0aee7cf57e23b5f0f4668c7 | Malware/Win.Generic.C5207114(2022.07.15.02) |
| a2c2099d503fcc29478205f5aef0283b | Infostealer/Win.Agent.C4997514 (2022.03.08.00) |
| aa4e99b717bcb7e916148a469e69788a | Ransomware/Win.Generic.C5207111 (2022.07.15.02) |
| b1c1d28dc7da1d58abab73fa98f60a83 | Dropper/Win.Agent.C5082187 (2022.04.15.00) |
| b4c9b903dfd18bd67a3824b0109f955b | Backdoor/Win.Agent.C5067856(2022.04.12.00) |
| bdece9758bf34fcad9cba1394519019b | Dropper/Win.Agent.C5379005(2023.02.11.00) |
| c3850f4cc12717c2b54753f8ca5d5e0e | Trojan/Win.NukeSped.C5379003 (2023.02.11.00) |
| cb9e18e21226a89ce2c26c695a989e0d | Malware/Win64.Generic.C4293634(2021.01.11.01) |
| cf236bf5b41d26967b1ce04ebbdb4041 | Trojan/Win32.Agent.C4250642 (2020.12.05.00) |
| cf8ba073db7f4023af2b13dd75565f3d | HackTool/Win.Xpopup.C5257403(2023.02.11.00) |
| d0e203e8845bf282475a8f816340f2e8 | Dropper/Win.Agent.C4950294 (2022.02.04.00) |
| d6a7b5db62bf7815a10a17cdf7ddbd4b | WebShell/PHP.Agent.SC186284 (2023.02.10.02) |
| ddb1f970371fa32faae61fc5b8423d4b | Backdoor/Win.Agent.C4635580 (2021.09.18.01) |
| eec15f3648f8bc8684e67ac7cf9813ea | Malware/Win.Generic.C5207113(2022.07.15.02) |
| ff3194d3d5810a42858f3e22c91500b1 | Trojan/Win.Agent.C4928860 (2022.01.24.03) |
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Overview of AhnLab’s Response to Joint Cybersecurity Advisory Between South Korea and the United States on North Korean Ransomware appeared first on ASEC BLOG.