Acronis TRU and Hunt.io collaborated to map DPRK-linked infrastructure, uncovering reused certificates, open directories staging credential-theft toolkits, FRP tunneling nodes, and a new Linux variant of the Badcall backdoor tied to Lazarus and Kimsuky activity. The report shows repeatable operational patterns—identical FRP deployments on port 9999, exposed HTTP staging directories, and certificate reuse across RDP/TLS hosts—that enable defenders to pivot on infrastructure indicators to reveal related DPRK campaigns. #Lazarus #Badcall
Keypoints
- Collaborative hunts by Acronis TRU and Hunt.io linked Kimsuky and Lazarus activity by pivoting on IPs, certificates, open directories, and hashes.
- Researchers discovered a new Linux variant of the Badcall backdoor (hash a3876a…) that adds persistent logging to /tmp/sslvpn.log, indicating iterative Lazarus development.
- Multiple open directories exposed comprehensive credential-theft toolkits (MailPassView, WebBrowserPassView) and Quasar RAT operator environments used as quick staging nodes.
- Fast Reverse Proxy (FRP) binaries with identical size/configuration were deployed across eight VPS hosts on port 9999, indicating scripted provisioning of tunneling infrastructure for C2.
- Certificate pivots around subject common_name “hwc-hwp-7779700” revealed 12 IPs (ten linked to Lazarus malware), showing certificate reuse as a reliable clustering signal.
- Recurring hosting providers, port exposures, and repeating directory layouts form stable operational signals defenders can monitor to proactively surface DPRK infrastructure.
MITRE Techniques
- [T1555.003] Credentials from Web Browsers – DPRK actors used browser credential-extraction utilities (e.g., WebBrowserPassView, MailPassView) to harvest stored credentials ('exposed a large credential-theft toolkit, containing … WebBrowserPassView').
- [T1583] Acquire Infrastructure – Operators repeatedly provisioned VPS hosts, certificates, and domains to build and reuse operational clusters ('the platform surfaced clusters of operational assets … revealing active tool-staging servers, credential theft environments, FRP tunneling nodes, and certificate-linked ecosystems').
- [T1090] Proxy – Fast Reverse Proxy (FRP) binaries were deployed across multiple hosts to tunnel traffic and maintain C2 connectivity through restrictive networks ('the same FRP binary appeared across eight VPS hosts … all serving the same 10 MB file on the same port').
- [T1557.001] Compromised SSL Certificates – Certificate reuse and pivots tied multiple IPs to the same certificate subject, enabling infrastructure linkage and potential defense evasion ('pivoted from the certificate associated with the IP using the field subject.common_name == "hwc-hwp-7779700"').
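The three pivots the Keypoints and MITRE Techniques sections describe (a TLS certificate subject CN shared across hosts, a byte-identical file served on the same port by many VPS hosts, and HTTP directory listings exposing credential-theft tooling) can be expressed as simple clustering over internet-scan records. The script below is an added example written for this summary, not Acronis TRU or Hunt.io tooling. Its scan records are constructed: the IPs are from documentation ranges, the file hash is a placeholder, and only the CN value "hwc-hwp-7779700" and the tool file names come from the report above.

```python
"""Infrastructure pivoting over scan records, as a defender would run it
against their own scan or CTI data. Added example; SCAN_RECORDS are
constructed placeholders, not observations from the report."""
from collections import defaultdict
import re

# Placeholder hash for the "same FRP binary on every host" pattern (constructed).
FRP_FILE_SHA256 = "11" * 32

# Constructed scan records. Fields mirror what a scanner typically returns:
# ip, port, TLS subject CN (if any), size/hash of the file served, HTTP body.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "tls_cn": "hwc-hwp-7779700"},
    {"ip": "192.0.2.11", "port": 3389, "tls_cn": "hwc-hwp-7779700"},
    {"ip": "192.0.2.12", "port": 443, "tls_cn": "example-cn-unrelated"},
    {"ip": "198.51.100.20", "port": 9999, "file_size": 10_485_760, "file_sha256": FRP_FILE_SHA256},
    {"ip": "198.51.100.21", "port": 9999, "file_size": 10_485_760, "file_sha256": FRP_FILE_SHA256},
    {"ip": "198.51.100.22", "port": 9999, "file_size": 4_096, "file_sha256": "22" * 32},
    {"ip": "203.0.113.5", "port": 8080, "http_body":
        '<html><title>Index of /</title><a href="WebBrowserPassView.exe">WebBrowserPassView.exe</a>'
        '<a href="notes.txt">notes.txt</a></html>'},
    {"ip": "203.0.113.6", "port": 8800, "http_body":
        '<html><title>Welcome</title><a href="Quasar.exe">Quasar.exe</a></html>'},
]

# File names the report lists as exposed tooling (lower-cased for matching).
TOOL_NAMES = {"webbrowserpassview.exe", "quasar.exe", "pscp.exe", "rclone.exe"}
INDEX_RE = re.compile(r"<title>\s*Index of\s*/", re.IGNORECASE)
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def cluster_by_cert_cn(records):
    """Map each TLS subject CN to the 'ip:port' endpoints presenting it.
    Only CNs seen on two or more distinct IPs are returned: a CN reused
    across unrelated hosts is the clustering signal the report relies on."""
    by_cn = defaultdict(set)
    for r in records:
        if r.get("tls_cn"):
            by_cn[r["tls_cn"]].add(f'{r["ip"]}:{r["port"]}')
    return {
        cn: sorted(hosts)
        for cn, hosts in by_cn.items()
        if len({h.split(":")[0] for h in hosts}) >= 2
    }


def find_identical_deployments(records, port):
    """Group IPs serving a byte-identical file (same size and hash) on
    the given port. Several hosts in one group is the scripted-provisioning
    pattern seen with the FRP nodes on port 9999."""
    groups = defaultdict(set)
    for r in records:
        if r["port"] == port and r.get("file_sha256"):
            groups[(r["file_size"], r["file_sha256"])].add(r["ip"])
    return {key: sorted(ips) for key, ips in groups.items() if len(ips) >= 2}


def open_directories_with_tooling(records):
    """Return {'ip:port': [file names]} for HTTP responses that are
    directory listings and link to known credential-theft or RAT tooling.
    A page that merely links a tool without being a listing is ignored."""
    hits = {}
    for r in records:
        body = r.get("http_body") or ""
        if not INDEX_RE.search(body):
            continue
        files = [f for f in HREF_RE.findall(body) if f.lower() in TOOL_NAMES]
        if files:
            hits[f'{r["ip"]}:{r["port"]}'] = sorted(files)
    return hits


def pivot_report(records):
    """Run all three pivots and return one dict a hunter can review."""
    return {
        "cert_clusters": cluster_by_cert_cn(records),
        "identical_deployments_9999": find_identical_deployments(records, 9999),
        "staging_dirs": open_directories_with_tooling(records),
    }


if __name__ == "__main__":
    for section, result in pivot_report(SCAN_RECORDS).items():
        print(section, result)
```

Each pivot is deliberately independent so that a hit in one (say, a shared CN) can be fed back as a seed for the others, which is how the report chains certificate, hash and directory pivots into one cluster.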
Indicators of Compromise
- [File Hashes] malware and tool samples – a3876a2492f3c069c0c2b2f155b4c420d8722aa7781040b17ca27fdd4f2ce6a9 (Badcall new Linux variant), bc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647 (MailPassView), and 6 other hashes.
- [Domains] pivot domains – secondshop[.]store (Lazarus-linked pivot domain).
- [IP Addresses with ports] hosting and staging nodes – 23.27.140[.]49:8080 (Badcall host open directory), 207.254.22[.]248:8800 (open directory staging credential toolkit / Mythic C2 history), and 24 additional IPs linked to FRP, certificate pivots, and Lazarus infrastructure.
- [File Names] exposed tooling and artifacts – WebBrowserPassView.exe, Quasar.exe, and other credential-extractors and RAT binaries (e.g., MailPassView, rclone, pscp.exe) across open directories.
- [Ports] notable service exposures – port 9999 (FRP nodes), port 8080/8800 (HTTP open directories), port 3389 (RDP exposure tied to certificate pivots) as recurring observable signals.
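The indicators above are published defanged (`[.]` in place of `.`), so they cannot be grepped against logs as-is. The following added example, not part of the report, refangs the published values and matches them against a few constructed log lines (proxy, DNS and an EDR file event). Only the hashes, domain and IP:port pairs come from the list above; the timestamps, internal client addresses and file path in the sample lines are made up.

```python
"""Refang published IoCs and match them against log lines. Added example;
the log lines are constructed, the indicator values are from the list above."""
import re

# Indicators exactly as published (defanged).
IOCS = {
    "ip": ["23.27.140[.]49:8080", "207.254.22[.]248:8800"],
    "domain": ["secondshop[.]store"],
    "sha256": [
        "a3876a2492f3c069c0c2b2f155b4c420d8722aa7781040b17ca27fdd4f2ce6a9",
        "bc7bd27e94e24a301edb3d3e7fad982225ac59430fc476bda4e1459faa1c1647",
    ],
}

# Constructed log lines (placeholder timestamps, RFC 5737 client addresses).
LOG_LINES = [
    "2024-01-01T10:00:00Z proxy allow src=10.0.0.5 dst=23.27.140.49:8080 GET /tools/",
    "2024-01-01T10:00:03Z dns query=secondshop.store type=A client=10.0.0.7",
    "2024-01-01T10:00:05Z proxy allow src=10.0.0.5 dst=198.51.100.9:443 GET /",
    "2024-01-01T10:01:00Z edr file_created path=/tmp/sample.bin "
    "sha256=a3876a2492f3c069c0c2b2f155b4c420d8722aa7781040b17ca27fdd4f2ce6a9",
]


def refang(value):
    """Turn a defanged indicator back into its literal form."""
    return value.replace("[.]", ".")


def build_patterns(iocs):
    """Compile one anchored regex per indicator so that 23.27.140.49 does not
    match 23.27.140.491 and the domain does not match inside a longer label.
    For IP:port indicators the port is optional in the match but, when
    present in the log, must be the published one."""
    patterns = []
    for ip_port in iocs["ip"]:
        ip, _, port = refang(ip_port).partition(":")
        pat = r"(?<![\d.])" + re.escape(ip)
        if port:
            pat += r"(?::" + re.escape(port) + r")?"
        pat += r"(?!\d)"
        patterns.append(("ip", re.compile(pat)))
    for dom in iocs["domain"]:
        pat = r"(?<![\w.-])" + re.escape(refang(dom)) + r"(?![\w-])"
        patterns.append(("domain", re.compile(pat, re.IGNORECASE)))
    for h in iocs["sha256"]:
        pat = r"(?<![0-9a-fA-F])" + h + r"(?![0-9a-fA-F])"
        patterns.append(("sha256", re.compile(pat, re.IGNORECASE)))
    return patterns


def scan_log(lines, patterns):
    """Return one hit per matching line: line number, indicator type, matched text."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, pat in patterns:
            m = pat.search(line)
            if m:
                hits.append({"line": n, "type": kind, "value": m.group(0)})
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES, build_patterns(IOCS)):
        print(hit)
```

The port is kept optional on purpose: a host that later moves its open directory to another port is still the same indicator, and the matched text tells the analyst whether the published port was seen.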