The attackers constructed a layered infrastructure
Based on data collected by SecurityScorecard from analyzing the attackers’ command-and-control infrastructure, the campaign had three waves. In November, attackers targeted 181 developers, mainly from European technology sectors. In December, the campaign expanded globally, targeting hundreds of developers, with certain hotspots such as India (284 victims). In January, a new wave added 233 more victims, including 110 systems in India’s technology sector alone.
“The attackers exfiltrated critical data, including development credentials, authentication tokens, browser-stored passwords, and system information,” the researchers said. “Once collected by the C2 servers, the data was transferred to Dropbox, where it was organized and stored. Persistent connections to Dropbox highlighted the attackers’ systematic approach, with some servers maintaining active sessions for over 5 hours.”
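The long-lived Dropbox sessions the researchers describe are the kind of signal a defender can hunt for in egress or proxy flow logs from developer workstations. The following is an added example, not code from the article or from SecurityScorecard: it parses constructed flow records (start time, end time, source host, destination domain, bytes out) and flags connections to file-sharing domains that either stay open longer than a threshold or push more data out than expected. The domain list, thresholds, hostnames and log format are all assumptions chosen for illustration.

```python
from datetime import datetime

# Domains treated as file-sharing egress for this example (assumed list, extend per environment).
FILE_SHARING_DOMAINS = ("dropbox.com", "dropboxapi.com")

# Constructed sample flow records (not from the article):
# <start ISO time> <end ISO time> <source host> <destination domain> <bytes out>
SAMPLE_FLOWS = """\
2025-01-08T09:00:00 2025-01-08T15:12:00 dev-ws-17 content.dropboxapi.com 73400320
2025-01-08T10:00:00 2025-01-08T10:04:00 dev-ws-17 github.com 12000
2025-01-08T11:00:00 2025-01-08T11:20:00 dev-ws-22 www.dropbox.com 4096
2025-01-08T08:00:00 2025-01-08T16:30:00 dev-ws-22 www.dropbox.com 41943040
"""


def is_file_sharing(domain):
    """True when the domain is, or is a subdomain of, a listed file-sharing service."""
    return any(domain == d or domain.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts with datetime and int fields."""
    flows = []
    for line in text.strip().splitlines():
        start, end, src, dst, nbytes = line.split()
        flows.append({
            "start": datetime.fromisoformat(start),
            "end": datetime.fromisoformat(end),
            "src": src,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return flows


def find_suspicious_sessions(flows, min_hours=5.0, max_bytes=50 * 1024 * 1024):
    """Flag file-sharing sessions that run at least min_hours or exceed max_bytes out.

    Returns one alert per offending flow, listing every reason it tripped, so an
    analyst can see whether duration, volume, or both drove the detection.
    """
    alerts = []
    for f in flows:
        if not is_file_sharing(f["dst"]):
            continue  # Normal web traffic is out of scope for this rule.
        hours = (f["end"] - f["start"]).total_seconds() / 3600
        reasons = []
        if hours >= min_hours:
            reasons.append(f"session open {hours:.1f}h")
        if f["bytes"] >= max_bytes:
            reasons.append(f"{f['bytes']} bytes out")
        if reasons:
            alerts.append({
                "src": f["src"],
                "dst": f["dst"],
                "hours": round(hours, 1),
                "bytes": f["bytes"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['src']} -> {alert['dst']}: {', '.join(alert['reasons'])}")
```

On the constructed sample this flags two of the four flows: the six-hour, 70 MiB session from dev-ws-17 trips both conditions, while the 8.5-hour session from dev-ws-22 trips only the duration check. A 20-minute, 4 KiB Dropbox request is left alone, which is the point of combining duration and volume rather than alerting on every contact with the service.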
Despite using multiple VPN tunnels for obfuscation, the attacker activity was traced back to several IP addresses in North Korea. The attackers connected through Astrill VPN endpoints, then through Oculus Proxy network IPs in Russia, and finally to the C&C servers hosted by a company called Stark Industries.