{
  "name": "Array of malware used to gather intelligence for North Korea",
  "slug": "array-of-malware-used-to-gather-intelligence-for-north-korea",
  "description": "Microsoft Threat Intelligence analyzes the activities of the North Korean threat actor Onyx Sleet, which conducts cyber espionage operations primarily targeting the military, defense, and technology industries. The report covers Onyx Sleet's affiliations with other North Korean threat groups, its targets, its attack techniques (including the exploitation of vulnerabilities and the use of custom malware), and recent malware campaigns such as TigerRAT, SmallTiger, LightHand, and ValidAlpha. The report also provides recommendations, detections, and indicators to help organizations protect themselves against Onyx Sleet's operations.",
  "published": "2024-07-29T08:21:52+00:00",
  "created_at": "2024-07-29T08:21:52+00:00",
  "modified_at": "2024-07-29T09:04:45+00:00",
  "created_at_opencti": "2024-07-29T08:21:52+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-29",
    "CVE-2021-44228",
    "CVE-2023-27350",
    "CVE-2023-42793",
    "dtrack",
    "espionage",
    "lighthand",
    "north korea",
    "sliver",
    "smalltiger",
    "tigerrat",
    "validalpha"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "84.38.134.56"
      },
      {
        "id": "",
        "name": "45.155.37.101"
      },
      {
        "id": "",
        "name": "213.139.205.151"
      },
      {
        "id": "",
        "name": "162.19.71.175"
      },
      {
        "id": "",
        "name": "147.78.149.201"
      },
      {
        "id": "",
        "name": "109.248.150.147"
      },
      {
        "id": "",
        "name": "http://84.38.134.56/procdump.gif"
      },
      {
        "id": "",
        "name": "ww3c.bounceme.net"
      },
      {
        "id": "",
        "name": "advice.uphearth.com"
      },
      {
        "id": "",
        "name": "americajobmail.site"
      },
      {
        "id": "",
        "name": "privatemake.bounceme.net"
      },
      {
        "id": "",
        "name": "fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32"
      },
      {
        "id": "",
        "name": "f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5"
      },
      {
        "id": "",
        "name": "96118268f9ab475860c3ae3edf00d9ee944d6440fd60a1673f770d150bfb16d3"
      },
      {
        "id": "",
        "name": "868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf"
      },
      {
        "id": "",
        "name": "29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3"
      },
      {
        "id": "",
        "name": "1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1"
      },
      {
        "id": "",
        "name": "c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1"
      },
      {
        "id": "",
        "name": "c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c"
      },
      {
        "id": "",
        "name": "8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f"
      },
      {
        "id": "",
        "name": "7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b"
      },
      {
        "id": "",
        "name": "3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061"
      },
      {
        "id": "",
        "name": "0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207"
      },
      {
        "id": "",
        "name": "f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:1f9d8eb13be485fa",
        "name": "Dtrack - S0567",
        "slug": "dtrack-s0567"
      },
      {
        "id": "legacy:malware:fe1c4b00a15189f5",
        "name": "LightHand",
        "slug": "lighthand"
      },
      {
        "id": "legacy:malware:c1643810ac3c72fc",
        "name": "ValidAlpha",
        "slug": "validalpha"
      },
      {
        "id": "69a13d11-fb9e-4f6c-a3b7-6e08f25dba37",
        "name": "SmallTiger",
        "slug": "smalltiger"
      },
      {
        "id": "legacy:malware:a96f0a55a5b425e8",
        "name": "TigerRAT",
        "slug": "tigerrat"
      },
      {
        "id": "c70c9980-18de-4208-93f5-0bd2dddeb40c",
        "name": "Sliver",
        "slug": "sliver"
      }
    ],
    "intrusion_sets": [
      {
        "id": "legacy:intrusion:039e82fac5dfd5ff",
        "name": "Onyx Sleet",
        "slug": "onyx-sleet"
      }
    ],
    "attack_patterns": [
      {
        "id": "cc9a1424-474f-468a-bdbe-21802217f1ff",
        "name": "T1139"
      },
      {
        "id": "9c80a8a8-8832-4ab1-9611-41f8acd20393",
        "name": "T1565"
      },
      {
        "id": "5e7cb3d2-6a97-48b2-bdd2-f11eee10f6dc",
        "name": "T1137"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "19ce62bb-3faf-4d09-90b1-d82fce1ba8b0",
        "name": "T1136"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "747c7b95-79ff-4132-8ea5-397cb6665ebd",
        "name": "T1498"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2023-42793"
      },
      {
        "id": "",
        "name": "CVE-2023-27350"
      },
      {
        "id": "",
        "name": "CVE-2023-46604"
      },
      {
        "id": "",
        "name": "CVE-2023-22515"
      },
      {
        "id": "",
        "name": "CVE-2021-44228"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "Korea, Republic of"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Defense"
      }
    ]
  },
  "external_refs": [
    "https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-array-of-malware-to-gather-intelligence-for-north-korea/",
    "https://otx.alienvault.com/pulse/66a76d40be5a62aab8cf8c56"
  ]
}