KadeMorton
commented
6 years ago 
Flow of PowerRatankba activity from victims to the Lazarus Group operators
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
Open KadeMorton opened 6 years ago
KadeMorton
commented
6 years ago
Flow of PowerRatankba activity from victims to the Lazarus Group operators
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Timeline of campaigns ultimately related to PowerRatankba
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago KadeMorton
commented
6 years ago 
Script output showing PowerSpritz PowerShell encoded and decoded command
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
PowerSpritz retrieving Base64-encoded PowerRatankba
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Malicious LNK AppLocker bypass to retrieve payload
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
CHM lures utilized in attempts to deliver PowerRatankba
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Malicious code embedded in CHM to download a VBScript PowerRatankba downloader
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
BITSAdmin retrieving malicious payload over HTTP
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
PowerShell utilized in CHM to retrieve PowerRatankba downloader VBS
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Leftover code in 5_6283065828631904327.chm
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Obfuscated falconcoin.js
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Deobfuscated falconcoin.js revealing PowerRatankba and decoy PDF URLs
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Decoys downloaded or sent along with PowerRatankba JavaScript downloaders
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Spearphishing email spoofed sender and subject
IRS themed Word document PowerRatankba downloader
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
IRS-themed malicious document macro
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Malicious Bithumb Excel spreadsheet with English option shown, with stolen branding
“About Bithumb.pdf decoy” document inside Bithumb.zip archive, with stolen branding
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
KadeMorton
commented
6 years ago 
Base64 encoded PowerRatankba downloader embedded in bithumb.xls
