A NukeSped verdict usually corresponds to the #Lazarus cluster. After validating it with the master, it is safe to say it is a North Korean op.

Threat actor: North Korean cluster
Context: infosec.exchange/@spark/1116213
Malicious file name: test_interview.zip
Malicious module: admin.model.js, hash: 67cee5b180370eb03d9606f481e48f36
Extracted obfuscated JS (script.js): 7181 bytes, hash: 1822bea1d0ec9ae1db9c265386699102
C2: 147[.]124[.]214[.]237:1244
Victims: freelance developers
Initial infection vector: social engineering
Network infrastructure: GitHub, IPs

Capabilities:
- Infected host system information gathering via _getifaddrs, _getuid, and _gethostname
- Data collection on Windows (~/AppData/), macOS (~/Library/Application Support/), and Linux (~/.config/), and theft of sensitive data such as certificates, passwords and keys using the macOS Keychain APIs _SecKeychainSearchCreateFromAttributes and _SecKeychainItemCopyAttributesAndData
- Login data from Chrome, Brave, and Opera browsers, and cryptocurrency wallets via browser extensions
- Solana wallet /config/solana/id.json collection

Important details:
- The intended victim clones the #GitHub repo on April 19
- The GitHub repo was set up four days earlier, on April 14
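As an added example (not code from the original post), here is a small defensive IoC sweep built from the indicators above: it hashes every file under a directory against the two MD5s the post reports and scans proxy/firewall log lines for the refanged C2 address, reporting a bare host match as well since firewalls often log IP and port in separate fields. The log lines, the directory layout and the placeholder file contents are constructed for the example; `demo()` adds the placeholder file's own MD5 to the indicator set only because no real sample is part of the example.

```python
"""Defensive IoC sweep using the NukeSped indicators from the post above.

Added example, not code from the original post. The hashes and C2 address
come from the post; the log lines and files below are constructed samples.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the post (MD5 of the two JavaScript artefacts).
MALICIOUS_MD5 = {
    "67cee5b180370eb03d9606f481e48f36",  # admin.model.js
    "1822bea1d0ec9ae1db9c265386699102",  # extracted obfuscated script.js
}
C2_DEFANGED = "147[.]124[.]214[.]237:1244"  # kept defanged so the IoC is safe to share


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def md5_of(path: Path) -> str:
    """Stream a file through MD5 (the digest the post reports)."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_tree(root, hashes=MALICIOUS_MD5):
    """Return (path, md5) for every file under root whose MD5 is in hashes."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = md5_of(path)
            if digest in hashes:
                hits.append((str(path), digest))
    return hits


def scan_log_lines(lines, c2=C2_DEFANGED):
    """Return (1-based line number, matched text) for lines referencing the C2.

    A bare host match is reported too, since a firewall may log the IP
    and the port in separate fields.
    """
    host, port = refang(c2).rsplit(":", 1)
    pattern = re.compile(
        r"(?<![\d.])" + re.escape(host) + r"(?::" + re.escape(port) + r")?(?![\d.])"
    )
    hits = []
    for number, line in enumerate(lines, start=1):
        match = pattern.search(line)
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed proxy/firewall lines; only lines 1 and 3 reference the C2.
SAMPLE_LOG = [
    "2024-04-19T10:02:11Z proxy CONNECT 147.124.214.237:1244 from 10.0.0.5",
    "2024-04-19T10:02:12Z proxy CONNECT 93.184.216.34:443 from 10.0.0.5",
    "2024-04-19T10:03:40Z firewall DROP dst=147.124.214.237 dport=1244",
    "2024-04-19T10:04:00Z dns query github.com from 10.0.0.5",
]


def demo():
    """Run both checks on constructed data and return the findings.

    The file sweep uses a placeholder file whose own MD5 is added to the
    indicator set, because a real sample is not part of this example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "node_modules").mkdir()
        suspect = root / "node_modules" / "admin.model.js"
        suspect.write_bytes(b"// constructed placeholder, not the real module\n")
        (root / "index.js").write_bytes(b"console.log('benign');\n")
        indicators = MALICIOUS_MD5 | {md5_of(suspect)}
        file_hits = [Path(p).name for p, _ in sweep_tree(root, indicators)]
    return {"file_hits": file_hits, "log_hits": scan_log_lines(SAMPLE_LOG)}


if __name__ == "__main__":
    print(demo())
```

Point `sweep_tree` at a freshly cloned repository (including `node_modules` after install) and feed `scan_log_lines` your egress logs; a hash match on either MD5 or any line referencing the C2 is a strong signal, whereas matching only on the file name admin.model.js is weak, since the name is generic.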