Discover and read the best of Twitter Threads about #goldbackdoor
Most recents (2)
#APT37 - Most likely #GOLDBACKDOOR
ISO: 2cd04d9e11c6e458ec16db1ab810d625
LNK: be32725e676d49eaa11ff51c61f18907
The ISO file contains 2 LNK files, both inflated filesize.
The LNK drops a decoy file named 230401.hwp and 230401.bat
ISO: 2cd04d9e11c6e458ec16db1ab810d625
LNK: be32725e676d49eaa11ff51c61f18907
The ISO file contains 2 LNK files, both inflated filesize.
The LNK drops a decoy file named 230401.hwp and 230401.bat
Stage 1:
https://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content
dragon32[.zip - XOR encoded using the first-byte as a key.
c76fe6b56b4373138d5d3539c0c49587
https://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content
dragon32[.zip - XOR encoded using the first-byte as a key.
c76fe6b56b4373138d5d3539c0c49587
Possible next stage or just the ability to download additional files. Payload might be gone already ....
https://api.pcloud[.]com/getfilelink?path=/Program/41ED0C850E56A52E&forcedownload=1&skipfilename=1
https://api.pcloud[.]com/getfilelink?path=/Program/41ED0C850E56A52E&forcedownload=1&skipfilename=1
#apt37 #goldbackdoor #loader active #C2
- SHA256: bd4ef6fae7f29def8e5894bf05057653248f009422de85c1e425d04a0b2df258
- C2: hxxps://dallynk.com/wp-sup3
- Encoded Child SHA256: a81b38cda1ad1a1ed2cfc9647e678831fe77500da8ce095667ca5a7d93f8e732
- SHA256: bd4ef6fae7f29def8e5894bf05057653248f009422de85c1e425d04a0b2df258
- C2: hxxps://dallynk.com/wp-sup3
- Encoded Child SHA256: a81b38cda1ad1a1ed2cfc9647e678831fe77500da8ce095667ca5a7d93f8e732
- Child Endpoints (possibly google api key): hxxps://dallynk.com/4332.hwp, hxxp://asplinc.com/xe/modules/page/queries/query_read.dsql, hxxp://www.bsef.or.kr/board/upfile/bbsB/166737125620120323174332.hwp
- Endpoints appear to be compromised.
- Endpoints appear to be compromised.
- All 3 endpoints download same SHA256: 5b1536c4ca22bc202543afea51279c78fa6033b393e86f2b97750ddfd4d8b263
- Decoded Child contains embedded 3 encoded (simple xor) modules, #shellcode loader/#infostealer/#keylogger
- Decoded Child contains embedded 3 encoded (simple xor) modules, #shellcode loader/#infostealer/#keylogger
