Overview:
- Aliases: No known aliases
- Country of Origin: Likely from East Asia (speculated), with no firm attribution yet.
- Motivation: Primarily espionage and financially motivated attacks, potentially involving data theft, ransomware, and phishing campaigns.
- First Observed: Emerging actor with sightings in 2023.
- Tactics, Techniques, and Procedures (TTPs):
- Tactics: Espionage and data exfiltration, targeted attacks against critical infrastructure and financial institutions.
- Techniques: Spear-phishing, exploitation of public vulnerabilities, and the use of malware payloads for financial gain.
- Tools Used: A range of custom malware and known publicly available exploitation frameworks, specifics not fully detailed yet.
Associated Sectors Targeted:
- Financial Services
- Government (Critical Infrastructure)
- Aerospace & Defense
Operations:
- Primary Campaigns: Spear-phishing campaigns using advanced malware loaders and ransomware, targeting sensitive industries like finance and government sectors.
- Recent Activities: Engagements have been focused on leveraging zero-day vulnerabilities and financial extortion through ransomware deployment.
- TA-RedAnt, a North Korean threat actor, has been observed by ASEC researchers and South Korea’s National Cyber Security Center (NCSC) exploiting a previously unknown zero-day vulnerability in Microsoft Internet Explorer, tracked as CVE-2024-38178. This memory corruption vulnerability was part of a broader cyber-espionage campaign dubbed Operation Code on Toast.
- The campaign targets a specific toast ad program that comes bundled with various free software. By exploiting this program, the attackers can ultimately deliver RokRAT, a remote access trojan known to be used by North Korean actors in cyber espionage efforts. RokRAT enables the actor to remotely control compromised systems, steal sensitive data, and potentially deploy additional payloads for further malicious activity.
- The exploitation of this Internet Explorer vulnerability showcases the continued use of legacy software vulnerabilities by state-sponsored actors like TA-RedAnt, aiming to target less-protected systems still using outdated technologies.
- Key Details:
- Vulnerability: CVE-2024-38178 (Memory corruption in Internet Explorer)
- Malware Delivered: RokRAT
- Campaign Name: Operation Code on Toast
- Target Method: A toast ad program bundled with free software
- Implications: Data exfiltration, remote system control, further payload delivery.
- This campaign highlights the importance of keeping software up-to-date and patching vulnerabilities promptly, even in legacy systems that may no longer be in widespread use.
Attribution:
- Speculated Geopolitical Ties: Likely to be from East Asia; however, no definitive attribution to North Korea (DPRK) or any other specific state has been made.
Indicators of Compromise (IOCs):
File Hashes (MD5 / SHA-256):
- MD5:
b2fc9d89166f6a36a8657cfbbc05c767 - SHA-256:
48d6e7d18f16c57d61844c71d92e4a25d697d4f23c6277517ff1f00221d3d5f2
Domains & URLs:
cloud.ourwebserver.comdropboxusercontent.com(RokRAT is known to use cloud services like Dropbox, Google Drive for C2 communication)
Command-and-Control (C2) IP Addresses:
103.243.17.152104.28.0.102
Malicious Filenames:
Document.rtfList.docxupdate.exe
Known Malware Artifacts:
- RokRAT is typically delivered via malicious Microsoft Office attachments (like
.doc,.xls,.rtffiles) that exploit vulnerabilities to download the malware. - The malware also uses legitimate cloud storage services for its command-and-control communication, making detection more difficult.
These IOCs represent common markers of RokRAT infections and should be added to security detection tools (SIEM, EDR, etc.) to monitor for possible compromises. For continuous monitoring, ensure your threat feeds are updated regularly.
Sources:
- Abuse.ch ThreatFoxThreatFox
- SecurelistSecurelist
Email Addresses Used in Campaigns:
- Unknown; phishing campaigns are typical of this group, so spear-phishing emails likely play a role.
MITRE ATT&CK Techniques:
| Tactic | Technique | ID |
| Initial Access | Spear-phishing via malicious links | T1566.001 |
| Execution | Command-line interface | T1059 |
| Persistence | Scheduled Task/Job | T1053.005 |
| Privilege Escalation | Exploitation of Vulnerabilities | T1068 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Credential Access | Credential Dumping | T1003 |
| Discovery | System Information Discovery | T1082 |
| Lateral Movement | Remote Services | T1021 |
| Collection | Data from Local System | T1005 |
| Exfiltration | Exfiltration Over Command and Control | T1041 |
| Impact | Data Encrypted for Impact (Ransomware) | T1486 |
Mitigation & Recommendations:
- Patch Management: Ensure that all systems are patched regularly, especially against known vulnerabilities exploited in the wild.
- Advanced Phishing Defense: Strengthen email gateway defenses to identify and block spear-phishing attempts.
- Endpoint Detection and Response (EDR): Deploy and regularly monitor EDR solutions to detect lateral movements and command execution.
- Network Segmentation: Segregate critical infrastructure from less secure areas of the network to minimize potential damage from successful intrusions.
- Regular Backups: Ensure regular backups of sensitive and critical data to mitigate the impact of ransomware attacks.
This threat actor remains under continuous observation by various cybersecurity organizations, and new intelligence will provide clearer attribution and IOCs as their campaigns evolve.
Sources:
- MITRE ATT&CK ETDA
MITRE ATT&CK - Proofpoint Proofpoint
文章来源: https://krypt3ia.wordpress.com/2024/10/16/threat-actor-profile-ta-redant/
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh