New DPRK Malware Variants Uncovered: A Campaign of Emerging Cyber Threats


Tags: dropper, github, friendlyferret_secd, macos, contagious interview, flexibleferret, frostyferret_ui, chromeupdate, dprk, persistence
A new cyber espionage campaign linked to DPRK has been uncovered, targeting macOS systems with advanced malware variants like FlexibleFerret. This campaign highlights evolving tactics in global cyber threats, posing significant risks to individuals and organizations worldwide. Stay informed to protect your digital assets from these emerging threats.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1036.005 Masquerading: Match Legitimate Name or Location


ID | Data Source | Data Component (the Detects text follows each row)

DS0022 | File | File Metadata

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.

DS0007 | Image | Image Metadata

In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.[207] Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.

DS0009 | Process | Process Creation

Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. Look for mismatches between process names and their image paths. Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g., lsass.exe, svchost.exe). There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.

Note: With process monitoring, hunt for processes matching these criteria:

  • process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, etc.

  • process path is not C:\Windows\System32\ or C:\Windows\SysWow64\

Examples (true positive): C:\Users\administrator\svchost.exe

To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious: C:\Windows\System32\srv\svchost.exe

Analytic 1 - Common Windows Process Masquerading

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688"))
AND (
  (Image="svchost.exe" AND image_path!="C:\Windows\System32\svchost.exe" AND image_path!="C:\Windows\SysWow64\svchost.exe")
  OR (Image="smss.exe" AND image_path!="C:\Windows\System32\smss.exe")
  OR (Image="wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe")
  OR (Image="taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe")
  OR (Image="lsass.exe" AND image_path!="C:\Windows\System32\lsass.exe")
  OR (Image="winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe")
  OR (Image="csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe")
  OR (Image="services.exe" AND image_path!="C:\Windows\System32\services.exe")
  OR (Image="lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe")
  OR (Image="explorer.exe" AND image_path!="C:\Windows\explorer.exe")
)
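The same hunt criteria as a stand-alone check over process image paths, as an added example that is not part of the original page or of any vendor rule: the protected-name table and the sample events are constructed here, and the whole parent directory is compared so that a sub-folder of System32 is still flagged.

```python
"""Flag processes whose name matches a well-known Windows system binary but whose
image path (Sysmon EID 1 Image / Security 4688 NewProcessName) is outside the
directory where that binary legitimately lives."""
from __future__ import annotations
import ntpath
from dataclasses import dataclass

# Commonly impersonated system binaries and their legitimate parent directories.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "smss.exe":     {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "taskhost.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsm.exe":      {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

@dataclass
class Finding:
    image: str
    reason: str

def is_masquerading(image: str) -> Finding | None:
    """Return a Finding if `image` reuses a protected name outside its expected directory."""
    directory, name = ntpath.split(image.strip().lower())
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return None  # not a name we protect
    # Exact directory comparison: "c:\windows\system32\srv" is NOT "c:\windows\system32".
    if directory.rstrip("\\") in expected:
        return None
    return Finding(image, f"{name} expected in {sorted(expected)}, found in {directory}")

def scan(images: list[str]) -> list[Finding]:
    """Apply is_masquerading to a batch of image paths and keep the hits."""
    return [f for f in (is_masquerading(i) for i in images) if f]

# Constructed sample image paths (not real telemetry).
SAMPLE_IMAGES = [
    r"C:\Windows\System32\svchost.exe",          # legitimate
    r"C:\Windows\SysWOW64\svchost.exe",          # legitimate 32-bit host
    r"C:\Users\administrator\svchost.exe",       # true positive from the text
    r"C:\Windows\System32\srv\svchost.exe",      # sub-folder case from the text
    r"C:\Windows\explorer.exe",                  # legitimate
    r"C:\Users\bob\AppData\Local\Temp\lsass.exe",
    r"C:\Program Files\Vendor\updater.exe",      # not a protected name
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_IMAGES):
        print(finding.image, "->", finding.reason)
```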

DS0009 | Process | Process Metadata

Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.


T1204.002 - Malicious File


ID | Data Source | Data Component (the Detects text follows each row)

DS0022 | File | File Creation

Monitor for files created in unusual directories or files with suspicious extensions. Focus on common locations like the Downloads folder, Temp directories, or the user’s Desktop, especially files that would be of interest from spearphishing attachments.

While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions.

For macOS, utilities that work in concert with Apple's Endpoint Security Framework, such as File Monitor, can be used to track file creation events.

Analytic 1 - Batch File Write to System32

(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="11") AND file_path="*\Windows\System32\*" AND file_extension=".bat"

Analytic 2 - New file creation in unusual directories.

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11
| search file_path IN ("*\Downloads\*", "*\Temp\*", "*\Desktop\*")
| search file_extension IN ("doc", "docx", "pdf", "xls", "rtf", "exe", "scr", "lnk", "pif", "cpl", "zip")
| stats count by file_name file_extension file_path user

DS0009 | Process | Process Creation

Monitor for processes spawned after opening a suspicious file. Common applications that might be exploited are Microsoft Word, PDF readers, or compression utilities.

Analytic 1 - Processes created from malicious files.

(sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1)
| search process_name IN ("WINWORD.EXE", "EXCEL.EXE", "PDFReader.exe", "7z.exe", "powershell.exe", "cmd.exe")
| stats count by process_name parent_process_name command_line user
| where parent_process_name IN ("explorer.exe", "outlook.exe", "thunderbird.exe")



T1566.001 - Spearphishing Attachment


ID | Data Source | Data Component (the Detects text follows each row)

DS0015 | Application Log | Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[269][270] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[271]

DS0022 | File | File Creation

Monitor for newly constructed files from spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[269][270]


DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1553.002 - Code Signing


ID | Data Source | Data Component (the Detects text follows each row)

DS0022 | File | File Metadata

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.


T1059.002 - AppleScript


ID | Data Source | Data Component (the Detects text follows each row)

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Analytic 1 - Look for unusual execution of AppleScript.

sourcetype=macOS:Process
| search process_name="osascript"
| eval suspicious_cmd=if(like(command_line, "%-e%") OR like(command_line, "%path/to/script%"), "Yes", "No")
| where suspicious_cmd="Yes"

DS0009 | Process | OS API Execution

Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system.

Analytic 1 - Look for unusual OS API execution related to AppleScript.

(sourcetype=macOS:Syslog OR sourcetype=macOS:Process)
| search (process_name="NSAppleScript" OR process_name="OSAScript")


DS0009 | Process | Process Creation

Monitor for newly executed processes that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Analytic 1 - Look for unusual AppleScript process creation.

sourcetype=macOS:Process
| search (parent_process_name="osascript" OR parent_process_name="NSAppleScript" OR parent_process_name="OSAScript")

Analytic 2 - Untrusted Locations

source="Osquery:" EventCode="process_added" AND (Path LIKE "/Users/*/Downloads/*" OR Path LIKE "/tmp/*")

Analytic 3 - Parent/Child Process Relationship

source="Osquery:" EventCode="process_added" AND ParentImage="/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder" AND Image LIKE "*osascript*"


T1547.001 - Registry Run Keys / Startup Folder


ID | Data Source | Data Component (the Detects text follows each row)

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

DS0022 | File | File Modification

Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. [302]

DS0009 | Process | Process Creation

Monitor for newly executed processes executed from the Run/RunOnce registry keys through Windows EID 9707 or "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys with the full command line.

Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.

Output Description: The sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like:

  • great-grand_parent.exe

  • grand_parent.exe

  • parent.exe

  • reg.exe

Analytic 1 - Reg.exe called from Command Shell

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) Image="reg.exe" AND ParentImage="cmd.exe"
| join left=L right=R where L.ParentProcessGuid = R.ProcessGuid [search EventCode IN (1, 4688) Image="cmd.exe" ParentImage!="explorer.exe"]
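The process-tree reconstruction the Output Description asks for, as an added example that is not part of the original page or of the CAR analytic: it links process-creation events by ProcessGuid/ParentProcessGuid, keeps reg.exe started by cmd.exe, drops the interactive explorer.exe tree, and returns the ancestry oldest-first. The events and GUIDs are constructed placeholders.

```python
"""Rebuild the ancestry of reg.exe from Sysmon EID 1 / Security 4688 style events
and report instances launched from a shell whose own parent is not explorer.exe."""
from __future__ import annotations
import ntpath

def basename(image: str) -> str:
    """Normalise a full image path to its lower-case file name."""
    return ntpath.basename(image).lower()

def build_index(events: list[dict]) -> dict[str, dict]:
    """Map ProcessGuid -> event so parents can be looked up in O(1)."""
    return {e["ProcessGuid"]: e for e in events}

def ancestry(guid: str, index: dict[str, dict], limit: int = 4) -> list[str]:
    """Walk ParentProcessGuid links; oldest ancestor first, as in the Output Description."""
    chain: list[str] = []
    while guid in index and len(chain) < limit:
        ev = index[guid]
        chain.append(basename(ev["Image"]))
        guid = ev.get("ParentProcessGuid", "")
    return list(reversed(chain))

def reg_from_shell(events: list[dict]) -> list[list[str]]:
    """Ancestry chains for reg.exe started by cmd.exe whose parent is not explorer.exe."""
    index = build_index(events)
    hits: list[list[str]] = []
    for ev in events:
        if basename(ev["Image"]) != "reg.exe":
            continue
        parent = index.get(ev.get("ParentProcessGuid", ""))
        if parent is None or basename(parent["Image"]) != "cmd.exe":
            continue
        grandparent = index.get(parent.get("ParentProcessGuid", ""))
        # explorer.exe -> cmd.exe -> reg.exe is a user at a shell; tune it out.
        if grandparent is not None and basename(grandparent["Image"]) == "explorer.exe":
            continue
        hits.append(ancestry(ev["ProcessGuid"], index))
    return hits

# Constructed sample events; the GUIDs are placeholders, not real Sysmon values.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "Image": r"C:\Windows\System32\reg.exe"},  # interactive
    {"ProcessGuid": "g4", "ParentProcessGuid": "g0", "Image": r"C:\Windows\System32\services.exe"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g4", "Image": r"C:\Windows\System32\svchost.exe"},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g5", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "g7", "ParentProcessGuid": "g6", "Image": r"C:\Windows\System32\reg.exe"},  # background tree
]

if __name__ == "__main__":
    for chain in reg_from_shell(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```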

DS0024 | Windows Registry | Windows Registry Key Creation

Monitor for newly created Windows Registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.


DS0024 | Windows Registry | Windows Registry Key Modification

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. [302]

Detection of the modification of the registry key Common Startup located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.

Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’

(source="WinEventLog:Security" EventCode="4657" ObjectValueName="Common Startup") OR (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*Common Startup")


T1059.004 - Unix Shell


ID | Data Source | Data Component (the Detects text follows each row)

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Note: this analytic does not include an exhaustive list of potentially suspicious commands that could be executed through a shell interpreter. Instead, it is meant to serve as an example of types of commands that can warrant further investigation.

Analytic 1 - Unusual command execution

sourcetype="linux_logs" CommandLine="*sh -c*" AND (CommandLine="*wget*" OR CommandLine="*curl*" OR CommandLine="* nc *" OR CommandLine="*perl*")

DS0009 | Process | Process Creation

Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution.

Analytic 1 - Look for unusual Unix shell process creation.

(sourcetype=linux_secure OR sourcetype=macos_secure)
| search (command="sh" OR command="bash" OR command="zsh")
| eval suspicious_process=if(like(command_line, "%.sh") OR like(command_line, "%.bash") OR like(command_line, "%.zsh"), "Yes", "No")
| where suspicious_process="Yes"


T1027 - Obfuscated Files or Information


ID | Data Source | Data Component (the Detects text follows each row)

DS0015 | Application Log | Application Log Content

The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

DS0017 | Command | Command Execution

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

DS0022 | File | File Creation

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).


DS0022 | File | File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File-based signatures may be capable of detecting code obfuscation depending on the methods used.[187][188][189]

DS0011 | Module | Module Load

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[188]

DS0009 | Process | OS API Execution

Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[187]


DS0009 | Process | Process Creation

Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

DS0012 | Script | Script Execution

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

DS0024 | Windows Registry | Windows Registry Key Creation

Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.

DS0005 | WMI | WMI Creation

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.


T1543.001 - Launch Agent


ID | Data Source | Data Component (the Detects text follows each row)

DS0017 | Command | Command Execution

Ensure that any Launch Agent whose ProgramArguments key points to an executable located in the /tmp or /shared folders is in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy.
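A plist review that applies the two policy points above, as an added example that is not part of the original page or of any Apple or Objective-See tool: it parses LaunchAgent plists with the standard library, flags executables or script arguments under /tmp or /shared, and flags RunAtLoad=true. The two plist documents and the label/paths in them are constructed placeholders.

```python
"""Review LaunchAgent plists for executables in untrusted locations and RunAtLoad."""
from __future__ import annotations
import plistlib
from pathlib import Path

# Directories from which an agent's executable should not normally run
# (/private/tmp is the real path behind the /tmp symlink on macOS).
UNTRUSTED_PREFIXES = ("/tmp/", "/shared/", "/private/tmp/")

def _untrusted(path: object) -> bool:
    return any(str(path).startswith(p) for p in UNTRUSTED_PREFIXES)

def review_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return policy findings for one plist; an empty list means compliant."""
    data = plistlib.loads(plist_bytes)
    findings: list[str] = []
    args = data.get("ProgramArguments") or []
    # Program takes precedence over ProgramArguments[0] when both are present.
    program = data.get("Program") or (args[0] if args else "")
    if _untrusted(program):
        findings.append(f"executable in untrusted location: {program}")
    # A script passed as an argument (e.g. /bin/sh /tmp/x.sh) is caught too.
    for arg in args[1:]:
        if _untrusted(arg):
            findings.append(f"argument references untrusted path: {arg}")
    if data.get("RunAtLoad") is True:
        findings.append(f"RunAtLoad=true for label {data.get('Label', '?')}")
    return findings

def review_directory(directory: Path) -> dict[str, list[str]]:
    """Review every *.plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    return {p.name: review_launch_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))}

# Constructed sample plists; labels and paths are placeholders, not real IoCs.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string><string>/tmp/update.sh</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.benign</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/agent</string></array>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for finding in review_launch_agent(SAMPLE_PLIST):
        print(finding)
```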

DS0022 | File | File Creation

Monitor for newly constructed files that may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.


DS0022 | File | File Modification

Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.

DS0019 | Service | Service Creation

Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application.


DS0019 | Service | Service Modification

Monitor for changes made to launch agents to repeatedly execute malicious payloads as part of persistence.


T1071.001 - Web Protocols


ID | Data Source | Data Component (the Detects text follows each row)

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).


DS0029 | Network Traffic | Network Traffic Flow

Monitor for web traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).


T1105 - Ingress Tool Transfer


ID | Data Source | Data Component (the Detects text follows each row)

DS0017 | Command | Command Execution

Monitor executed commands and arguments for suspicious activity associated with downloading external content.

DS0022 | File | File Creation

Monitor for file creation and files transferred into the network.

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections sent to or received from untrusted hosts, or that result in files being created on the system; these may be suspicious. Use of utilities such as FTP that does not normally occur may also be suspicious.


DS0029 | Network Traffic | Network Traffic Content

Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal or unknown domains and IPs.


DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


Observed Countries: 250
