The attackers constructed a layered infrastructure
Based largely on data SecurityScorecard collected by analyzing the attackers' command-and-control infrastructure, the campaign had three waves. In November, the attackers targeted 181 developers, primarily from European technology sectors. In December, the campaign expanded globally, targeting hundreds of developers, with certain hotspots such as India (284 victims). In January, a new wave added 233 more victims, including 110 systems in India's technology sector alone.
"The attackers exfiltrated critical data, including development credentials, authentication tokens, browser-stored passwords, and system information," the researchers said. "Once collected by the C2 servers, the data was transferred to Dropbox, where it was organized and stored. Persistent connections to Dropbox highlighted the attackers' systematic approach, with some servers maintaining active sessions for over 5 hours."
Despite the use of multiple VPN tunnels for obfuscation, the attacker activity was traced back to several IP addresses in North Korea. The attackers connected through Astrill VPN endpoints, then through Oculus Proxy network IPs in Russia, and finally to the C&C servers hosted by a company called Stark Industries.