A NukeSped verdict usually corresponds to the #Lazarus cluster.
After validating it with the master, it is safe to say it is a North Korean op.
Threat Actor: North Korean Cluster
Context: infosec.exchange/@spark/1116213
Malicious file name: test_interview.zip
Malicious module: admin.model.js, hash: 67cee5b180370eb03d9606f481e48f36
Extracted obfuscated JS: script.js, size 7181 bytes, hash: 1822bea1d0ec9ae1db9c265386699102
C2: 147[.]124[.]214[.]237:1244
Victims: Freelancer developers
Initial infection vector: social engineering
Network infrastructure: GitHub, IPs
Capabilities:
- Infected host system information gathering via _getifaddrs, _getuid, and _gethostname
- Data collection from the per-user application data directories on Windows (~/AppData/), macOS (~/Library/Application Support/) and Linux (~/.config/), plus theft of sensitive material such as certificates, passwords and keys from the macOS keychain via _SecKeychainSearchCreateFromAttributes and _SecKeychainItemCopyAttributesAndData
- Theft of login data from the Chrome, Brave and Opera browsers, and from cryptocurrency wallets installed as browser extensions
- Collection of the Solana wallet key file /config/solana/id.json
Important details:
- The intended victim clones the #GitHub repo on April 19
- The GitHub repo was set up four days earlier, on April 14
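A defender-side hunt over the indicators in this note, as an added example and not code from the original post: it refangs the C2 address, then runs the two hashes, the C2 host:port and the collection-target paths (Solana keypair, browser Login Data under the three platform directories) over newline-delimited JSON endpoint telemetry. The telemetry schema (`type`, `path`, `md5`, `dst_ip`, `dst_port`) and the sample lines are constructed for the example; only the hashes, the C2 and the paths come from the note.

```python
"""Hunt constructed endpoint telemetry for the indicators in the note above.

Added example; the NDJSON telemetry schema is assumed/constructed, the
indicators (MD5s, C2, paths) are the ones listed in the note.
"""
import json
import re

# MD5s from the note, mapped to what they identify.
MD5_IOCS = {
    "67cee5b180370eb03d9606f481e48f36": "admin.model.js (malicious module)",
    "1822bea1d0ec9ae1db9c265386699102": "script.js (deobfuscated payload)",
}
# Kept defanged exactly as published; refang() normalises it before matching.
C2_DEFANGED = "147[.]124[.]214[.]237:1244"

# Collection targets named in the capabilities list. Paths are normalised to
# forward slashes before matching so Windows and POSIX telemetry both hit.
PATH_IOCS = {
    "solana_keypair": re.compile(r"/\.?config/solana/id\.json$", re.I),
    "browser_login_data": re.compile(
        r"(/AppData/|/Library/Application Support/|/\.config/)"
        r".*(Chrome|Brave|Opera).*/Login Data$", re.I),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return (indicator.replace("[.]", ".")
            .replace("(.)", ".")
            .replace("hxxp", "http"))


def match_event(event: dict) -> list[str]:
    """Return a description for every indicator a single event matches."""
    hits = []
    kind = event.get("type")
    if kind == "netconn":
        c2_host, c2_port = refang(C2_DEFANGED).rsplit(":", 1)
        if (event.get("dst_ip") == c2_host
                and str(event.get("dst_port")) == c2_port):
            hits.append(f"outbound connection to known C2 {c2_host}:{c2_port}")
    elif kind == "file":
        md5 = str(event.get("md5", "")).lower()
        if md5 in MD5_IOCS:
            hits.append(f"known malicious file hash: {MD5_IOCS[md5]}")
        path = str(event.get("path", "")).replace("\\", "/")
        for name, pattern in PATH_IOCS.items():
            if pattern.search(path):
                hits.append(f"access to collection target ({name}): {event.get('path')}")
    return hits


def hunt(telemetry_lines) -> list[tuple[int, str]]:
    """Run every indicator over NDJSON telemetry; return (line_no, description) hits."""
    hits = []
    for n, line in enumerate(telemetry_lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, never fatal to the hunt
        for desc in match_event(event):
            hits.append((n, desc))
    return hits


# Constructed sample telemetry: four events that should hit, two that should not.
SAMPLE_TELEMETRY = [
    '{"type": "file", "op": "read", "proc": "node", "path": "/home/dev/test_interview/admin.model.js", "md5": "67cee5b180370eb03d9606f481e48f36"}',
    '{"type": "netconn", "proc": "node", "dst_ip": "147.124.214.237", "dst_port": 1244}',
    '{"type": "file", "op": "read", "proc": "node", "path": "/home/dev/.config/solana/id.json"}',
    '{"type": "file", "op": "read", "proc": "node.exe", "path": "C:\\\\Users\\\\dev\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data"}',
    '{"type": "netconn", "proc": "git", "dst_ip": "203.0.113.10", "dst_port": 443}',
    '{"type": "file", "op": "read", "proc": "solana", "path": "/home/dev/.config/solana/cli/config.yml"}',
]

if __name__ == "__main__":
    for line_no, desc in hunt(SAMPLE_TELEMETRY):
        print(f"line {line_no}: {desc}")
```

The path patterns deliberately match the key file and the browser Login Data databases only, not the whole config directory, so ordinary tooling touching neighbouring files (the sixth sample line) stays quiet.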