📃Title: FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks
📅Date: 2020-10-24
🔗References:

Description

This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • target-information=“Argentina”
  • target-information=“Brazil”
  • target-information=“Bangladesh”
  • target-information=“Bosnia and Herzegovina”
  • target-information=“Bulgaria”
  • target-information=“Chile”
  • target-information=“Costa Rica”
  • target-information=“Ecuador”
  • target-information=“Ghana”
  • target-information=“India”
  • target-information=“Indonesia”
  • target-information=“Japan”
  • target-information=“Jordan”
  • target-information=“Kenya”
  • target-information=“Kuwait”
  • target-information=“Malaysia”
  • target-information=“Malta”
  • target-information=“Mexico”
  • target-information=“Mozambique”
  • target-information=“Nepal”
  • target-information=“Nicaragua”
  • target-information=“Nigeria”
  • target-information=“Pakistan”
  • target-information=“Panama”
  • target-information=“Peru”
  • target-information=“Philippines”
  • target-information=“Singapore”
  • target-information=“South Africa”
  • target-information=“South Korea”
  • target-information=“Spain”
  • target-information=“Taiwan”
  • target-information=“Togo”
  • target-information=“Turkey”
  • target-information=“Uganda”
  • target-information=“Uruguay”
  • target-information=“Vietnam”
  • target-information=“Zambia”
  • producer CISA
  • malpedia=“CHEESETRAY”
  • malpedia=“ELECTRICFISH”
  • malpedia=“FastCash”
  • malpedia=“HOPLIGHT”
  • malpedia=“NACHOCHEESE”
  • malpedia=“PSLogger”
  • threat-actor Lazarus-Group
  • mitre-attack-pattern=[‘T1001’, ‘T1005’, ‘T1010’, ‘T1012’, ‘T1014’, ‘T1016’, ‘T1020’, ‘T1021’, ‘T1027’, ‘T1033’, ‘T1036’, ‘T1041’, ‘T1049’, ‘T1053’, ‘T1055’, ‘T1056’, ‘T1057’, ‘T1059’, ‘T1070’, ‘T1071’, ‘T1078’, ‘T1082’, ‘T1083’, ‘T1087’, ‘T1090’, ‘T1095’, ‘T1098’, ‘T1102’, ‘T1105’, ‘T1106’, ‘T1110’, ‘T1113’, ‘T1115’, ‘T1119’, ‘T1129’, ‘T1132’, ‘T1133’, ‘T1140’, ‘T1189’, ‘T1190’, ‘T1199’, ‘T1202’, ‘T1203’, ‘T1204’, ‘T1217’, ‘T1218’, ‘T1219’, ‘T1485’, ‘T1486’, ‘T1489’, ‘T1505’, ‘T1518’, ‘T1543’, ‘T1547’, ‘T1548’, ‘T1552’, ‘T1553’, ‘T1561’, ‘T1562’, ‘T1565’, ‘T1566’, ‘T1569’, ‘T1573’, ‘T1574’]

MISP event uuid: e82626b8-e22b-43af-bb55-69b06800cc4a

Indicators of Compromise (IoCs)

Full IOCs available in Rectifyq's MISP