In part one on North Korea's UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and tooling that they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.
During our investigation, Mandiant consultants identified that most of the hosts originally compromised by UNC2970 contained a file matching %temp%\<random>_SB_SMBUS_SDK.dll together with suspicious drivers created on disk at around the same time. At the time Mandiant initially identified these files, we were unable to determine how they were dropped or what they were used for. It wasn't until later in the investigation, during analysis of a forensic image, that the pieces started falling into place. A consultant noticed multiple keyword references to the file Share.DAT (def6f91614cb47888f03658b28a1bda6). On initial inspection of the forensic image, this file was no longer on disk. However, Mandiant was able to recover the original file, and initial analysis of the sample found that Share.DAT was a XORed data blob encoded with the single-byte XOR key 0x59.
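The following is an added analyst-side example, not code from the Mandiant report or from UNC2970's tooling. It shows how a recovered blob encoded with a single-byte XOR key such as the 0x59 mentioned above can be decoded, and how that key can be recovered when it is not yet known: once by checking each of the 256 candidate keys against an expected plaintext header, and once by byte-frequency analysis for blobs with no known header. The sample blob is constructed here (a fake PE-like header followed by padding), not the real Share.DAT; the function names and the assumption that the decoded payload starts with an "MZ" header are the example's own.

```python
from collections import Counter
from typing import Optional

# Key reported for Share.DAT in the text above.
KEY_FROM_REPORT = 0x59

# Constructed sample plaintext (NOT the real payload): PE-style "MZ" header,
# a run of zero padding as real PE headers have, and a DOS stub string.
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x00" * 64
    + b"This program cannot be run in DOS mode."
)


def xor_decode(blob: bytes, key: int) -> bytes:
    """Decode (or encode; XOR is symmetric) a blob with a repeating single-byte key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in blob)


# The encoded sample an analyst would pull off disk, built from the plaintext above.
SAMPLE_BLOB = xor_decode(SAMPLE_PLAINTEXT, KEY_FROM_REPORT)


def recover_key_by_known_prefix(blob: bytes, expected_prefix: bytes = b"MZ") -> Optional[int]:
    """Try all 256 single-byte keys; return the one that yields expected_prefix.

    Works whenever the analyst has a guess at the first bytes of the decoded
    payload (a PE header, a ZIP magic, a config string). Returns None if no
    key produces the prefix, i.e. the blob is probably not single-byte XOR.
    """
    head = blob[: len(expected_prefix)]
    for key in range(256):
        if xor_decode(head, key) == expected_prefix:
            return key
    return None


def recover_key_by_frequency(blob: bytes, likely_plain_byte: int = 0x00) -> int:
    """Heuristic for blobs with no known header.

    XOR with a single byte is a fixed permutation of byte values, so the most
    frequent ciphertext byte maps to the most frequent plaintext byte. In
    executables and many configs that byte is 0x00 (padding), so
    most_common_cipher_byte XOR 0x00 is usually the key.
    """
    most_common_byte, _count = Counter(blob).most_common(1)[0]
    return most_common_byte ^ likely_plain_byte


def decode_sample() -> bytes:
    """Decode the constructed sample with the key named in the report."""
    return xor_decode(SAMPLE_BLOB, KEY_FROM_REPORT)


if __name__ == "__main__":
    print("prefix-derived key :", hex(recover_key_by_known_prefix(SAMPLE_BLOB)))
    print("frequency key      :", hex(recover_key_by_frequency(SAMPLE_BLOB)))
    print("decoded starts with:", decode_sample()[:8])
```

Both recovery methods are cheap enough to run over every suspicious blob found in a temp directory during triage; when the two disagree, the blob is probably not encoded with a single repeating byte and deserves a closer look rather than a forced decode.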