Kimberly
Security Researcher | Cyber Threat / Malware Analyst | Ex Sr. Threat Analyst @ Proofpoint | Founder of Stop Malvertising
Apr 4, 2023, 8 tweets
#APT37 - Most likely #GOLDBACKDOOR

ISO: 2cd04d9e11c6e458ec16db1ab810d625
LNK: be32725e676d49eaa11ff51c61f18907

The ISO file contains 2 LNK files, both with an inflated file size.
The LNK drops a decoy file named 230401.hwp and 230401.bat.

Stage 1:
https://api.onedrive[.]com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBdTJteTF4aDZ0OFhnUjJNem1zOG5oUndvLTZCP2U9akhIQzZ5/root/content

dragon32[.]zip - XOR encoded using the first byte as the key.
c76fe6b56b4373138d5d3539c0c49587
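Two small analysis helpers for the stage-1 chain described above, added here as an example and not part of the original thread or of any tooling by its author. The first decodes a Microsoft Graph/OneDrive "u!" share id (the `shares/u!.../root/content` form used in the stage-1 URL): per Microsoft's documented encoding it is the sharing URL in unpadded base64url with `u!` prepended, so it can be reversed offline to see where a sample is really hosted without fetching anything. The second undoes the "first byte is the key" XOR scheme and checks whether the result carries a ZIP local-file-header signature. The input layout is an assumption: the code treats byte 0 as the key and bytes 1.. as the encoded payload; if a sample instead XORs the key byte in place, drop the `[1:]` slice. All sample data below is constructed, not taken from the real dragon32 file.

```python
import base64

# ZIP local file header signature ("PK\x03\x04"); a good sanity check for a decoded archive.
ZIP_MAGIC = b"PK\x03\x04"


def decode_onedrive_share_id(share_id: str) -> str:
    """Recover the sharing URL from a Graph-style share id.

    OneDrive/Graph share ids are "u!" followed by the sharing URL encoded as
    unpadded base64url. Padding is restored before decoding.
    """
    if not share_id.startswith("u!"):
        raise ValueError("not a 'u!' share id")
    payload = share_id[2:]
    payload += "=" * (-len(payload) % 4)  # restore stripped '=' padding
    return base64.urlsafe_b64decode(payload).decode("utf-8")


def encode_onedrive_share_id(url: str) -> str:
    """Inverse of decode_onedrive_share_id, used here to build a round-trip test."""
    return "u!" + base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def xor_decode_first_byte(blob: bytes) -> bytes:
    """Decode a buffer whose first byte is the single-byte XOR key.

    Assumption: byte 0 is the key and is not part of the payload; bytes 1..
    are the XOR-encoded payload.
    """
    if not blob:
        raise ValueError("empty input")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def looks_like_zip(data: bytes) -> bool:
    """True if the decoded bytes start with a ZIP local file header."""
    return data.startswith(ZIP_MAGIC)


def analyse_blob(blob: bytes) -> dict:
    """Decode a blob and report the key, the decoded bytes and the ZIP check."""
    decoded = xor_decode_first_byte(blob)
    return {"key": blob[0], "is_zip": looks_like_zip(decoded), "decoded": decoded}


def encode_with_first_byte_key(payload: bytes, key: int) -> bytes:
    """Build a blob in the assumed layout (key byte, then XOR-encoded payload).

    Only used to construct the sample below.
    """
    return bytes([key]) + bytes(b ^ key for b in payload)


# Constructed sample: a fake ZIP header followed by filler, encoded with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PAYLOAD = ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00" + b"constructed-filler"
SAMPLE_BLOB = encode_with_first_byte_key(SAMPLE_PAYLOAD, SAMPLE_KEY)

# Constructed share id; the real one on this page decodes the same way.
SAMPLE_SHARE_ID = encode_onedrive_share_id("https://1drv.ms/u/s!constructed")


if __name__ == "__main__":
    print("share URL:", decode_onedrive_share_id(SAMPLE_SHARE_ID))
    report = analyse_blob(SAMPLE_BLOB)
    print(f"key=0x{report['key']:02x} is_zip={report['is_zip']}")
```

Running `decode_onedrive_share_id` on a share id copied from a URL like the stage-1 one above yields the underlying 1drv.ms link, which is what to pivot on when hunting for related samples or blocking the host. For the XOR step, the ZIP signature check is the quick confirmation that the key assumption is right before handing the output to an archive tool.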