The attackers constructed a layered infrastructure
Based on data SecurityScorecard obtained by analyzing the attackers’ command-and-control infrastructure, the campaign had three waves. In November, the attackers targeted 181 developers, mainly from European technology sectors. In December, the campaign expanded globally, targeting hundreds of developers, with certain hotspots such as India (284 victims). In January, a new wave added 233 more victims, including 110 systems in India’s technology sector alone.
“The attackers exfiltrated significant data, including development credentials, authentication tokens, browser-stored passwords, and system information,” the researchers said. “Once collected by the C2 servers, the data was transferred to Dropbox, where it was organized and stored. Persistent connections to Dropbox highlighted the attackers’ systematic approach, with some servers maintaining active sessions for over 5 hours.”
Despite the use of multiple VPN tunnels for obfuscation, the attacker activity was traced back to several IP addresses in North Korea. The attackers connected through Astrill VPN endpoints, then through Oculus Proxy network IPs in Russia, and finally to the C&C servers hosted by a company called Stark Industries.