APT38 DarkSeoul

  • Added 6 Sep 2024
  • For this week's TTP Tuesday we are releasing a new APT38-themed chain based on the Castov malware used by DarkSeoul (APT38) against the South Korean financial industry and government.
    Castov was used extensively by DarkSeoul as a downloader for second-stage malware. In the case of the 2013 DDoS attacks against the South Korean government, the initial infection vector was a trojanized file downloaded from a compromised server.
    When executed, Castov downloads and unpacks a second-stage Castov payload hidden in a JPG file. Once unpacked, the second stage downloads another packed JPG over the Tor network; that file carries the final payload, the DDoS malware.
    In this week's chain, we simulate the downloader and compression-packer behaviour seen in Castov: a stage that fetches an image file, extracts the packed payload from it, and decompresses it before execution.
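The packed-JPG carrier described above, as an added example (not the chain's own code and not derived from the Castov sample): the packer that hides a compressed payload in an image, the unpacker a downloader stage would run, and the check a defender would run against a suspicious image. The trailer layout is an assumption chosen for illustration (payload zlib-compressed and appended after the JPEG End-Of-Image marker behind a hypothetical `CSTV` tag and length); the page does not say how Castov embeds its payload. The cover file is constructed, not a real image.

```python
"""Added example: packer/unpacker for a payload carried in JPG slack space,
plus the detection check (bytes after EOI).  Trailer format is an assumption."""
import struct
import zlib

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
MAGIC = b"CSTV"                              # hypothetical tag, not from the real sample
STANDALONE = {0x01, *range(0xD0, 0xD8)}     # TEM and RST0-7 carry no length field


def find_eoi(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past the
    top-level EOI marker.  Walking segments (instead of searching for FF D9)
    avoids a false hit on an EXIF thumbnail, which is a complete JPEG with its
    own EOI embedded inside an APP1 segment."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                   # fill byte allowed before a marker
            i += 1
            continue
        if marker == 0xD9:                   # EOI
            return i + 2
        if marker in STANDALONE:
            i += 2
            continue
        length = struct.unpack_from(">H", data, i + 2)[0]
        i += 2 + length
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            # Inside scan data every 0xFF is stuffed as FF 00 or is an RST marker,
            # so FF followed by anything else is the next real marker.
            while i + 1 < len(data):
                if data[i] == 0xFF and data[i + 1] != 0x00 and data[i + 1] not in range(0xD0, 0xD8):
                    break
                i += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> int:
    """Detection check: number of bytes after the image's EOI marker.
    A clean JPEG returns 0; a packed one returns the size of the hidden blob."""
    return len(data) - find_eoi(data)


def pack(cover: bytes, payload: bytes) -> bytes:
    """Packer half of the emulation: zlib-compress the payload and append it
    after EOI with a tag and length.  Image viewers ignore the slack."""
    find_eoi(cover)                          # refuse a malformed cover
    blob = zlib.compress(payload, 9)
    return cover + MAGIC + struct.pack(">I", len(blob)) + blob


def unpack(data: bytes) -> bytes:
    """Unpacker half: locate the trailer, verify tag and length, decompress."""
    off = find_eoi(data)
    if data[off:off + 4] != MAGIC:
        raise ValueError("no packed payload after EOI")
    (n,) = struct.unpack_from(">I", data, off + 4)
    blob = data[off + 8:off + 8 + n]
    if len(blob) != n:
        raise ValueError("truncated payload")
    return zlib.decompress(blob)


def constructed_cover() -> bytes:
    """Constructed sample: a syntactically valid JPEG (not a viewable image) with
    an APP1 segment holding a decoy FF D8 / FF D9 pair and a scan containing
    FF 00 stuffing and an RST marker, so the segment walker is exercised."""
    app1_body = b"Exif\x00\x00" + b"\xff\xd8" + b"\xff\xd9"
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"                  # 1 component, Ss=0, Se=63
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"                  # stuffed FF 00 and RST0
    return SOI + app1 + sos + scan + EOI


if __name__ == "__main__":
    cover = constructed_cover()
    packed = pack(cover, b"second stage (stand-in for the DDoS payload)")
    print("trailing bytes in clean cover:", trailing_bytes(cover))
    print("trailing bytes in packed file:", trailing_bytes(packed))
    print("recovered:", unpack(packed))
```

The segment walker matters for the defensive use: a naive search for `FF D9` stops at the decoy inside the APP1 segment and reports the whole rest of the file as slack, so the same check on a real photo with an EXIF thumbnail would fire on every image. `trailing_bytes` is the triage signal; a non-zero result on an image fetched by a process that should not be fetching images is what the chain is designed to let you test for.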
