Staying a Step Ahead: Mitigating the DPRK IT Worker Threat

    Date: 09/27/2024

    Severity: High

    Summary

    Since 2022, Mandiant has monitored IT workers acting on behalf of North Korea, posing as non-North Korean nationals to secure jobs in various industries. Their goal is to generate revenue for the regime, evade sanctions, and fund its WMD and ballistic missile programs. A 2022 U.S. government advisory highlighted that these workers exploit their privileged access to facilitate cyber intrusions. This finding has been supported by Mandiant and other organizations.

    Indicators of Compromise (IOC) List

    Domains\URLs

    https://daniel-ayala.netlify.app

    IP Address

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs:

    userdomainname like "https://daniel-ayala.netlify.app" or url like "https://daniel-ayala.netlify.app"

    IP Address:

    dstipaddress IN ("23.105.155.2","71.112.196.115","104.250.148.58","37.19.221.228","72.193.13.228","67.82.9.140","66.115.157.242","104.206.40.138","207.126.89.11","103.244.174.154","104.129.55.3","104.206.40.138","104.223.97.2","104.223.98.2","104.243.33.74","104.250.148.58","109.82.113.75","113.227.237.46","119.155.190.202","123.190.56.214","155.94.255.2","174.128.251.99","18.144.99.240","184.12.141.109","192.119.10.67","192.119.11.250","192.74.247.161","198.135.49.154","198.2.228.20","198.23.148.18","199.115.99.34","204.188.232.195","208.68.173.244","23.237.32.34","3.15.4.158","37.19.199.133","37.19.221.228","37.43.225.43","38.140.49.92","38.42.94.148","42.84.228.232","5.244.93.199","50.39.182.185","51.39.228.134","54.200.217.128","60.20.1.234","67.129.13.170","68.197.75.194","70.39.103.3","71.112.196.114","74.222.20.18","74.63.233.50","98.179.96.75") or ipaddress IN ("23.105.155.2","71.112.196.115","104.250.148.58","37.19.221.228","72.193.13.228","67.82.9.140","66.115.157.242","104.206.40.138","207.126.89.11","103.244.174.154","104.129.55.3","104.206.40.138","104.223.97.2","104.223.98.2","104.243.33.74","104.250.148.58","109.82.113.75","113.227.237.46","119.155.190.202","123.190.56.214","155.94.255.2","174.128.251.99","18.144.99.240","184.12.141.109","192.119.10.67","192.119.11.250","192.74.247.161","198.135.49.154","198.2.228.20","198.23.148.18","199.115.99.34","204.188.232.195","208.68.173.244","23.237.32.34","3.15.4.158","37.19.199.133","37.19.221.228","37.43.225.43","38.140.49.92","38.42.94.148","42.84.228.232","5.244.93.199","50.39.182.185","51.39.228.134","54.200.217.128","60.20.1.234","67.129.13.170","68.197.75.194","70.39.103.3","71.112.196.114","74.222.20.18","74.63.233.50","98.179.96.75") or publicipaddress IN 
("23.105.155.2","71.112.196.115","104.250.148.58","37.19.221.228","72.193.13.228","67.82.9.140","66.115.157.242","104.206.40.138","207.126.89.11","103.244.174.154","104.129.55.3","104.206.40.138","104.223.97.2","104.223.98.2","104.243.33.74","104.250.148.58","109.82.113.75","113.227.237.46","119.155.190.202","123.190.56.214","155.94.255.2","174.128.251.99","18.144.99.240","184.12.141.109","192.119.10.67","192.119.11.250","192.74.247.161","198.135.49.154","198.2.228.20","198.23.148.18","199.115.99.34","204.188.232.195","208.68.173.244","23.237.32.34","3.15.4.158","37.19.199.133","37.19.221.228","37.43.225.43","38.140.49.92","38.42.94.148","42.84.228.232","5.244.93.199","50.39.182.185","51.39.228.134","54.200.217.128","60.20.1.234","67.129.13.170","68.197.75.194","70.39.103.3","71.112.196.114","74.222.20.18","74.63.233.50","98.179.96.75") or srcipaddress IN ("23.105.155.2","71.112.196.115","104.250.148.58","37.19.221.228","72.193.13.228","67.82.9.140","66.115.157.242","104.206.40.138","207.126.89.11","103.244.174.154","104.129.55.3","104.206.40.138","104.223.97.2","104.223.98.2","104.243.33.74","104.250.148.58","109.82.113.75","113.227.237.46","119.155.190.202","123.190.56.214","155.94.255.2","174.128.251.99","18.144.99.240","184.12.141.109","192.119.10.67","192.119.11.250","192.74.247.161","198.135.49.154","198.2.228.20","198.23.148.18","199.115.99.34","204.188.232.195","208.68.173.244","23.237.32.34","3.15.4.158","37.19.199.133","37.19.221.228","37.43.225.43","38.140.49.92","38.42.94.148","42.84.228.232","5.244.93.199","50.39.182.185","51.39.228.134","54.200.217.128","60.20.1.234","67.129.13.170","68.197.75.194","70.39.103.3","71.112.196.114","74.222.20.18","74.63.233.50","98.179.96.75")
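    To show how the TDIR query above is applied in practice, here is an added example (not Gurucul's or Mandiant's code) that builds the same field-by-field IN()/like query from a de-duplicated IOC list and runs the matching logic over constructed sample events; the IOC values are taken from this advisory, the events and the field names are assumed to follow the query's own schema.

```python
"""IOC matcher and TDIR-style query builder (added example, not the vendor's code)."""
from typing import Dict, Iterable, List, Optional

# Field names taken from the advisory's query; assumed to be the log schema.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
URL_FIELDS = ("userdomainname", "url")

def dedupe(values: Iterable[str]) -> List[str]:
    """Return unique, whitespace-stripped values in first-seen order."""
    seen, out = set(), []
    for v in values:
        v = v.strip()
        if v and v not in seen:
            seen.add(v)
            out.append(v)
    return out

def build_tdir_query(domains: Iterable[str], ips: Iterable[str]) -> str:
    """Render one IN() clause per IP field plus one like clause per URL field."""
    ip_list = ",".join(f'"{ip}"' for ip in dedupe(ips))
    clauses = [f"{f} IN ({ip_list})" for f in IP_FIELDS]
    for d in dedupe(domains):
        clauses += [f'{f} like "{d}"' for f in URL_FIELDS]
    return " or ".join(clauses)

def match_event(event: Dict[str, str], domains: Iterable[str],
                ips: Iterable[str]) -> Optional[str]:
    """Return 'field=value' for the first IOC hit in an event, else None.
    IPs are compared exactly; domains by substring so URLs with paths still hit."""
    ip_set, dom_set = set(dedupe(ips)), set(dedupe(domains))
    for f in IP_FIELDS:
        if event.get(f) in ip_set:
            return f"{f}={event[f]}"
    for f in URL_FIELDS:
        v = event.get(f, "")
        if any(d in v for d in dom_set):
            return f"{f}={v}"
    return None

# IOC values from the advisory (one IP repeated on purpose to show de-duplication).
ADVISORY_DOMAINS = ["https://daniel-ayala.netlify.app"]
ADVISORY_IPS = ["23.105.155.2", "104.206.40.138", "104.206.40.138", "37.19.221.228"]
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "104.206.40.138"},
    {"srcipaddress": "10.0.0.9", "url": "https://daniel-ayala.netlify.app/resume"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "8.8.8.8"},
]

if __name__ == "__main__":
    print(build_tdir_query(ADVISORY_DOMAINS, ADVISORY_IPS))
    for e in SAMPLE_EVENTS:
        print(match_event(e, ADVISORY_DOMAINS, ADVISORY_IPS))
```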

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat

    Tags

    Malware, North Korea
