#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA

The advisory outlines ongoing DPRK state-sponsored ransomware activity targeting Healthcare and Public Health Sector organizations and other critical infrastructure, detailing TTPs, IOCs, and cryptocurrency ransom payments. It also describes how actors acquire infrastructure, obfuscate identity, use VPNs/VPSs, exploit CVEs (such as Log4Shell), deploy Maui and H0lyGh0st variants, and attempt to conceal DPRK affiliation. #MauiRansomware #H0lyGh0st #DPRK #NorthKorea #X-Popup #Log4Shell

Keypoints

  • The advisory targets ongoing ransomware activity affecting Healthcare and Public Health (HPH) and other critical infrastructure sectors.
  • Attack chains include acquiring infrastructure, obfuscating DPRK involvement, and using VPNs/VPSs to appear from benign locations.
  • Actors exploited CVEs (e.g., Log4j CVE-2021-44228 and SonicWall SMA CVE-2021-20038) to gain access and escalate privileges.
  • Malware ecosystem includes Maui and H0lyGh0st ransomware, plus Trojanized X-Popup loaders distributed via malicious domains.
  • Ransom demands are requested in cryptocurrency; communications often occur via Proton Mail, with multiple Bitcoin wallets listed.
  • Mitigations emphasize backups, patching, least privilege, MFA, segmentation, vendor risk management, and incident planning.

MITRE Techniques

  • [T1583] Acquire Infrastructure – “DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations.”
  • [T1583.003] Acquire Infrastructure – Purchase VPNs and VPSs – “DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.”
  • [T1036] Masquerading – Obfuscate Identity – “obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.”
  • [T1190] Exploit Public-Facing Application – “gain access to and escalate privileges on networks” via CVEs such as Log4j and SonicWall; “observed CVEs … [T1190 and T1133].”
  • [T1133] External Remote Services – “gain access … [T1190 and T1133].”
  • [T1195] Supply Chain Compromise – Trojanized files for “X-Popup,” an open source messenger used by hospital staff, distributed via malicious domains.
  • [T1021] Remote Services – Lateral movement and discovery after initial access, performing reconnaissance and file transfers. “Move Laterally and Discovery [TA0007, TA0008].”
  • [T1083] File and Directory Discovery – Reconnaissance, uploading/downloading additional files, and executing shell commands. “staged payloads with customized malware to perform reconnaissance activities, upload and download additional files and executables, and execute shell commands [T1083, T1021].”
  • [T1486] Data Encrypted for Impact – Employ various ransomware tools (Maui, H0lyGh0st) and public encryption tools. “Employ Various Ransomware Tools [TA0040].”
  • [T1486] Data Encrypted for Impact – Ransom demands in cryptocurrency. “Demand Ransom in Cryptocurrency.”

Indicators of Compromise

  • [Domain] – xpopup.pe[.]kr, xpopup[.]com – domains used to spread malware
  • [IP Address] – 115.68.95[.]128, 119.205.197[.]111 – IPs associated with the domains
  • [MD5 Hash] – 1f239db751ce9a374eb9f908c74a31c9, 6fb13b1b4b42bac05a2ba629f04e3d03
  • [SHA256 Hash] – f67ee77d6129bd1bcd5d856c0fc5314169b946d32b8abaa4e680bb98130b38e7, 672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7
  • [File Name] – xpopup.rar, X-PopUp.exe – files used in initial payloads
  • [File Name] – xpopup.exe, X-PopUp.exe – additional variants observed in campaigns
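To turn the listed indicators into a check a defender can actually run, the following is an added example (it is not part of the CISA advisory or of this summary): it refangs the `[.]`-style domains and IPs above, then scans a few constructed DNS/proxy/EDR-style log lines for the listed domains, IPs and file hashes. The log lines, client IPs, user names and file paths are constructed for illustration only.

```python
import re

# Indicators exactly as listed above (defanged with "[.]").
DEFANGED_DOMAINS = ["xpopup.pe[.]kr", "xpopup[.]com"]
DEFANGED_IPS = ["115.68.95[.]128", "119.205.197[.]111"]
MD5_HASHES = ["1f239db751ce9a374eb9f908c74a31c9", "6fb13b1b4b42bac05a2ba629f04e3d03"]
SHA256_HASHES = [
    "f67ee77d6129bd1bcd5d856c0fc5314169b946d32b8abaa4e680bb98130b38e7",
    "672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its live form, lowercased."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
HASHES = {h.lower() for h in MD5_HASHES + SHA256_HASHES}

# Tokens worth checking: hostnames, dotted IPv4 addresses, and 32/64-char hex digests.
TOKEN_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?", re.I)

def ioc_hits(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) pairs for every listed IOC found in one log line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        t = tok.lower()
        # Exact domain match or any subdomain of a listed domain.
        if t in DOMAINS or any(t.endswith("." + d) for d in DOMAINS):
            hits.append(("domain", t))
        elif t in IPS:
            hits.append(("ip", t))
        elif t in HASHES:
            hits.append(("hash", t))
    return hits

def scan(lines):
    """Scan an iterable of log lines; return [(line_no, type, value), ...] for each hit."""
    return [(n, kind, val) for n, line in enumerate(lines, 1) for kind, val in ioc_hits(line)]

# Constructed sample log lines (not real telemetry) mixing DNS, proxy and EDR-style records.
SAMPLE_LOGS = [
    "2023-02-09T10:01:02Z dns query client=10.0.5.7 qname=www.xpopup.com type=A",
    "2023-02-09T10:01:03Z proxy GET http://115.68.95.128/xpopup.rar 200 user=nurse01",
    "2023-02-09T10:02:10Z edr file_created path=C:\\Temp\\X-PopUp.exe sha256=F67EE77D6129BD1BCD5D856C0FC5314169B946D32B8ABAA4E680BB98130B38E7",
    "2023-02-09T10:03:00Z dns query client=10.0.5.9 qname=intranet.example.org type=A",
]

if __name__ == "__main__":
    for n, kind, val in scan(SAMPLE_LOGS):
        print(f"line {n}: matched {kind} {val}")
```

Hash matching is case-insensitive and the domain check also flags subdomains of the listed domains, so the same logic works on exported proxy, DNS or EDR logs without pre-normalising them.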

Read more: https://www.cisa.gov/uscert/ncas/alerts/aa23-040a