
GuptiMiner's Campaign: The Trojan Tango of Infiltrating Antivirus Updates for Digital Deception
Indicators of Compromise
APT Groups (1)
Description of MISP: This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.

Description of Mitre: Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tanks as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2]

Description of Etda: (Kaspersky) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its "master" via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATIONS
A number of prevention and detection measures can be put in place against DLL side-loading:
Application Developer Guidance (M1013): Where possible, include hash values for dependent libraries in the application's manifest files. An application that checks those hashes loads only the verified, authentic version of each DLL, so a planted look-alike DLL in the application directory is rejected rather than executed.
Software Update (M1051): Keep software up to date so that patches for known DLL side-loading flaws are applied. This covers routine updates for every installed application as well as the operating system, since the vulnerable loader is often a legitimate, signed executable that the vendor has since fixed.
To identify potential side-loading of DLLs:
File monitoring: Watch for new files created in directories that ordinarily change only during installation or updates (application folders, user-writable paths such as Temp or AppData), and for changes to a file's permissions or attributes; either can indicate that an unauthorized DLL has been dropped beside a legitimate executable.
Module Load Monitoring: Monitor DLL and PE file events, in particular the creation of these binaries and the loading of DLLs into processes. A DLL with a well-known system name loaded from an application's own directory instead of System32, an unsigned module loaded by a signed process, or a module loaded from a user-writable location are the signals worth alerting on.
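The two detection strategies above, written out as working detection logic. This is an added example, not code or telemetry from the original page or from the campaign report. It runs over constructed records whose field names mirror Sysmon Event ID 7 (Image loaded: Image, ImageLoaded, Signed, Signature) and Event ID 11 (FileCreate: Image, TargetFilename); the pipe-delimited line format, the paths and the signature values are invented for this example, and the trusted-directory and user-writable-path lists are assumptions a deployment would tune.

```python
"""Detect DLL side-loading indicators in Sysmon-style module-load and file-create records.

Added example: the records in SAMPLE_LOG are constructed, not real telemetry.
The key=value|key=value layout is an assumed export format chosen for this example.
"""
import ntpath  # handles Windows-style paths regardless of the host OS

# Directories from which system and vendor DLLs are normally served (assumed list).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",      # prefix also matches "program files (x86)"
)

# Path fragments that mark user-writable locations (assumed list).
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Well-known Windows DLL names; a copy of one of these outside a trusted
# directory is the classic side-loading pattern.
KNOWN_SYSTEM_DLLS = frozenset({
    "version.dll", "dwmapi.dll", "userenv.dll",
    "cryptbase.dll", "wtsapi32.dll", "profapi.dll",
})

# Constructed sample records (field names follow Sysmon Event ID 7 and 11).
SAMPLE_LOG = [
    "EventID=7|Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true|Signature=Microsoft Windows",
    "EventID=7|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll|Signed=false|Signature=-",
    "EventID=7|Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Program Files\\Vendor\\helper.dll|Signed=true|Signature=Vendor Inc",
    "EventID=7|Image=C:\\ProgramData\\Tool\\tool.exe|ImageLoaded=C:\\ProgramData\\Tool\\plugin.dll|Signed=false|Signature=-",
    "EventID=11|Image=C:\\Users\\alice\\AppData\\Local\\Temp\\installer.exe|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll",
]


def _norm(path):
    """Lower-case a path and force backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def parse_record(line):
    """Parse one 'key=value|key=value' record into a dict."""
    rec = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key.strip()] = value.strip()
    return rec


def classify_load(rec):
    """Return the reasons an Event ID 7 style record looks like side-loading (empty = benign)."""
    reasons = []
    loaded = _norm(rec.get("ImageLoaded", ""))
    if not loaded.endswith(".dll"):
        return reasons
    loaded_dir = ntpath.dirname(loaded)
    name = ntpath.basename(loaded)
    in_trusted = any(loaded_dir.startswith(d) for d in TRUSTED_DIRS)
    if name in KNOWN_SYSTEM_DLLS and not in_trusted:
        reasons.append("system DLL name loaded from outside a trusted directory")
    if any(marker in loaded for marker in USER_WRITABLE_MARKERS):
        reasons.append("DLL loaded from a user-writable location")
    if rec.get("Signed", "").lower() == "false":
        reasons.append("loaded DLL is unsigned")
    return reasons


def classify_create(rec):
    """Return the reasons an Event ID 11 style record looks like a planted DLL (empty = benign)."""
    reasons = []
    target = _norm(rec.get("TargetFilename", ""))
    if not target.endswith(".dll"):
        return reasons
    if any(marker in target for marker in USER_WRITABLE_MARKERS):
        reasons.append("new DLL written to a user-writable location")
    if ntpath.basename(target) in KNOWN_SYSTEM_DLLS:
        reasons.append("new file uses a well-known system DLL name")
    return reasons


def scan(lines):
    """Run both classifiers over a record stream; return (event id, process, path, reasons) findings."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") == "7":
            reasons, path = classify_load(rec), rec.get("ImageLoaded", "")
        elif rec.get("EventID") == "11":
            reasons, path = classify_create(rec), rec.get("TargetFilename", "")
        else:
            continue
        if reasons:
            findings.append((rec["EventID"], rec.get("Image", ""), path, reasons))
    return findings


if __name__ == "__main__":
    for event_id, image, path, reasons in scan(SAMPLE_LOG):
        print(f"[Event {event_id}] {image} -> {path}: {'; '.join(reasons)}")
```

The first and third sample records are benign by design (a system DLL from System32, a vendor helper DLL under Program Files) and produce no finding; the Temp-directory version.dll trips all three load rules at once, which is the signal the Module Load Monitoring guidance describes. In production the record source would be a SIEM export or the Sysmon event log rather than the constructed lines embedded here, and the trusted and user-writable path lists need tuning per environment to keep the false-positive rate down.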