Trusted Design

FortiGuard Lion: A Peek into BlackMoon’s Sustained Attacks against South Korea

概要

by Roland Dela Paz | Jul 21, 2016 | A few months ago, we talked about a malicious campaign that targets South Korean users in the form of malware known as BlackMoon. BlackMoon is a banking Trojan that installs a proxy auto-config file (PAC) on an infected system in order to redirect users’ browsers to phishing pages related to South Korean banks. Back then, we noticed an open directory in the C&C that revealed over 100,000 victims. Given this impact, we decided to dig further in order to understand better the scale of this attack. Mainly, we wanted to know if the statistics displayed by the C2 were real. If so, then we are looking at a not well talked about but highly active attack against South Korean users. This post shares our findings from ten weeks of monitoring this threat.

Created: 2026-02-23

Indicators

Indicatorsは見つかっていない。

類似Pulses

このPulseに関連する脅威アクター (事実ベース)

Mustard Tempest

Score: 8.28
Matched TTPs:
  • T1682 - Query Public AI Services
  • T1091 - Replication Through Removable Media
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

Sidewinder

Score: 3.95
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1218.010 - Regsvr32
MITREへのリンク →

Scattered Spider

Score: 22.72
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1491 - Defacement
  • T1552.003 - Shell History
  • T1619 - Cloud Storage Object Discovery
  • T1197 - BITS Jobs
  • T1027.002 - Software Packing
  • T1548.006 - TCC Manipulation
MITREへのリンク →

Mustang Panda

Score: 18.35
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1102.003 - One-Way Communication
  • T1218.010 - Regsvr32
  • T1055.005 - Thread Local Storage
  • T1105 - Ingress Tool Transfer
  • T1548.006 - TCC Manipulation
MITREへのリンク →

Sandworm Team

Score: 24.33
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1193 - Spearphishing Attachment
  • T1049 - System Network Connections Discovery
  • T1102.003 - One-Way Communication
  • T1187 - Forced Authentication
  • T1218.010 - Regsvr32
  • T1548.006 - TCC Manipulation
MITREへのリンク →

ZIRCONIUM

Score: 5.90
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1197 - BITS Jobs
MITREへのリンク →

APT32

Score: 10.36
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1105 - Ingress Tool Transfer
MITREへのリンク →

Kimsuky

Score: 18.30
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
  • T1102.003 - One-Way Communication
  • T1001 - Data Obfuscation
  • T1197 - BITS Jobs
MITREへのリンク →

Magic Hound

Score: 12.06
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1140 - Deobfuscate/Decode Files or Information
  • T1187 - Forced Authentication
  • T1059.012 - Hypervisor CLI
  • T1547.008 - LSASS Driver
MITREへのリンク →

APT28

Score: 24.30
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1140 - Deobfuscate/Decode Files or Information
  • T1218.010 - Regsvr32
  • T1197 - BITS Jobs
  • T1059.012 - Hypervisor CLI
  • T1146 - Clear Command History
  • T1105 - Ingress Tool Transfer
  • T1548.006 - TCC Manipulation
  • T1055.008 - Ptrace System Calls
MITREへのリンク →

Star Blizzard

Score: 7.72
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1102.003 - One-Way Communication
MITREへのリンク →

Moonstone Sleet

Score: 13.68
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1091 - Replication Through Removable Media
  • T1491 - Defacement
  • T1197 - BITS Jobs
  • T1547.008 - LSASS Driver
MITREへのリンク →

CURIUM

Score: 10.37
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1218.001 - Compiled HTML File
  • T1059.012 - Hypervisor CLI
  • T1547.008 - LSASS Driver
MITREへのリンク →

Dragonfly

Score: 13.37
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1140 - Deobfuscate/Decode Files or Information
  • T1193 - Spearphishing Attachment
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1548.006 - TCC Manipulation
MITREへのリンク →

Patchwork

Score: 8.87
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1001 - Data Obfuscation
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

TA2541

Score: 11.02
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1001 - Data Obfuscation
  • T1128 - Netsh Helper DLL
  • T1546.017 - Udev Rules
MITREへのリンク →

Earth Lusca

Score: 8.83
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1218.001 - Compiled HTML File
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

LuminousMoth

Score: 4.64
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1105 - Ingress Tool Transfer
MITREへのリンク →

OilRig

Score: 13.27
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1218.010 - Regsvr32
  • T1592.002 - Software
  • T1128 - Netsh Helper DLL
  • T1547.008 - LSASS Driver
MITREへのリンク →

Gamaredon Group

Score: 5.12
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1546.017 - Udev Rules
MITREへのリンク →

Threat Group-3390

Score: 13.01
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1001 - Data Obfuscation
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1546.017 - Udev Rules
MITREへのリンク →

BlackByte

Score: 6.59
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1001 - Data Obfuscation
MITREへのリンク →

BITTER

Score: 3.47
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1218.010 - Regsvr32
MITREへのリンク →

Saint Bear

Score: 3.47
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1218.010 - Regsvr32
MITREへのリンク →

Contagious Interview

Score: 14.44
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1021.006 - Windows Remote Management
  • T1552.003 - Shell History
  • T1102.003 - One-Way Communication
  • T1547.008 - LSASS Driver
MITREへのリンク →

FIN7

Score: 6.11
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1105 - Ingress Tool Transfer
MITREへのリンク →

EXOTIC LILY

Score: 5.99
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1218.010 - Regsvr32
  • T1547.008 - LSASS Driver
MITREへのリンク →

APT42

Score: 4.72
Matched TTPs:
  • T1091 - Replication Through Removable Media
  • T1128 - Netsh Helper DLL
MITREへのリンク →

Rocke

Score: 4.14
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1105 - Ingress Tool Transfer
MITREへのリンク →

Volt Typhoon

Score: 14.00
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1491 - Defacement
  • T1049 - System Network Connections Discovery
  • T1102.003 - One-Way Communication
  • T1548.006 - TCC Manipulation
MITREへのリンク →

FIN13

Score: 13.54
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
  • T1053.006 - Systemd Timers
  • T1105 - Ingress Tool Transfer
  • T1548.006 - TCC Manipulation
MITREへのリンク →

Medusa Group

Score: 17.24
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
  • T1128 - Netsh Helper DLL
  • T1548.006 - TCC Manipulation
  • T1216 - System Script Proxy Execution
  • T1094 - Custom Command and Control Protocol
MITREへのリンク →

Storm-0501

Score: 3.99
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
MITREへのリンク →

Fox Kitten

Score: 7.10
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1491 - Defacement
  • T1548.006 - TCC Manipulation
MITREへのリンク →

Cinnamon Tempest

Score: 3.99
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
MITREへのリンク →

Ke3chang

Score: 3.81
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1548.006 - TCC Manipulation
MITREへのリンク →

menuPass

Score: 6.96
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1001 - Data Obfuscation
  • T1548.006 - TCC Manipulation
MITREへのリンク →

ToddyCat

Score: 3.99
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1547.008 - LSASS Driver
MITREへのリンク →

Winter Vivern

Score: 6.86
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1218.001 - Compiled HTML File
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

APT29

Score: 5.49
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1218.010 - Regsvr32
  • T1547.008 - LSASS Driver
MITREへのリンク →

Leviathan

Score: 7.88
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1546.017 - Udev Rules
MITREへのリンク →

INC Ransom

Score: 3.99
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
MITREへのリンク →

UNC3886

Score: 11.23
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1021.006 - Windows Remote Management
  • T1547.015 - Login Items
  • T1218.010 - Regsvr32
MITREへのリンク →

Axiom

Score: 8.35
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1049 - System Network Connections Discovery
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

APT41

Score: 5.30
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1218.010 - Regsvr32
  • T1548.006 - TCC Manipulation
MITREへのリンク →

Play

Score: 3.99
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
MITREへのリンク →

HAFNIUM

Score: 18.77
Matched TTPs:
  • T1140 - Deobfuscate/Decode Files or Information
  • T1059 - Command and Scripting Interpreter
  • T1049 - System Network Connections Discovery
  • T1105 - Ingress Tool Transfer
  • T1548.006 - TCC Manipulation
  • T1055.008 - Ptrace System Calls
MITREへのリンク →

APT38

Score: 8.67
Matched TTPs:
  • T1491 - Defacement
  • T1059.012 - Hypervisor CLI
  • T1216 - System Script Proxy Execution
MITREへのリンク →

Chimera

Score: 5.63
Matched TTPs:
  • T1491 - Defacement
  • T1548.006 - TCC Manipulation
MITREへのリンク →

LAPSUS$

Score: 10.32
Matched TTPs:
  • T1193 - Spearphishing Attachment
  • T1619 - Cloud Storage Object Discovery
  • T1548.006 - TCC Manipulation
MITREへのリンク →

PROMETHIUM

Score: 5.90
Matched TTPs:
  • T1547.015 - Login Items
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

Turla

Score: 5.39
Matched TTPs:
  • T1218.001 - Compiled HTML File
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

Gorgon Group

Score: 3.15
Matched TTPs:
  • T1001 - Data Obfuscation
MITREへのリンク →

Andariel

Score: 7.10
Matched TTPs:
  • T1187 - Forced Authentication
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

Lazarus Group

Score: 16.20
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1055.005 - Thread Local Storage
  • T1105 - Ingress Tool Transfer
  • T1547.008 - LSASS Driver
  • T1216 - System Script Proxy Execution
MITREへのリンク →

Higaisa

Score: 4.65
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1546.017 - Udev Rules
MITREへのリンク →

Cobalt Group

Score: 4.24
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1128 - Netsh Helper DLL
MITREへのリンク →

APT37

Score: 6.88
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1216 - System Script Proxy Execution
MITREへのリンク →

BRONZE BUTLER

Score: 3.26
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

Transparent Tribe

Score: 5.92
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
  • T1105 - Ingress Tool Transfer
MITREへのリンク →

Tropic Trooper

Score: 6.91
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1128 - Netsh Helper DLL
  • T1105 - Ingress Tool Transfer
MITREへのリンク →

Elderwood

Score: 3.26
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

Darkhotel

Score: 3.26
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1059.012 - Hypervisor CLI
MITREへのリンク →

RedCurl

Score: 5.41
Matched TTPs:
  • T1128 - Netsh Helper DLL
  • T1105 - Ingress Tool Transfer
MITREへのリンク →

FIN6

Score: 7.61
Matched TTPs:
  • T1128 - Netsh Helper DLL
  • T1548.006 - TCC Manipulation
  • T1547.008 - LSASS Driver
MITREへのリンク →

PLATINUM

Score: 6.30
Matched TTPs:
  • T1059.012 - Hypervisor CLI
  • T1686 - Disable or Modify System Firewall
MITREへのリンク →

Windshift

Score: 4.29
Matched TTPs:
  • T1059.012 - Hypervisor CLI
  • T1547.008 - LSASS Driver
MITREへのリンク →

Dark Caracal

Score: 4.29
Matched TTPs:
  • T1059.012 - Hypervisor CLI
  • T1547.008 - LSASS Driver
MITREへのリンク →

Equation

Score: 4.13
Matched TTPs:
  • T1130 - Install Root Certificate
MITREへのリンク →

Strider

Score: 4.13
Matched TTPs:
  • T1130 - Install Root Certificate
MITREへのリンク →

Molerats

Score: 3.15
Matched TTPs:
  • T1546.017 - Udev Rules
MITREへのリンク →

Mofang

Score: 3.15
Matched TTPs:
  • T1546.017 - Udev Rules
MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

APT28

Score: 0.85
Matched TTPs:
  • T1055.008 - Ptrace System Calls
  • T1218.010 - Regsvr32
  • T1566.002 - Spearphishing Link
  • T1197 - BITS Jobs
  • T1105 - Ingress Tool Transfer
  • T1146 - Clear Command History
  • T1059.012 - Hypervisor CLI
  • T1548.006 - TCC Manipulation
  • T1140 - Deobfuscate/Decode Files or Information
MITREへのリンク →

Sandworm Team

Score: 0.85
Matched TTPs:
  • T1187 - Forced Authentication
  • T1218.010 - Regsvr32
  • T1566.002 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1102.003 - One-Way Communication
  • T1548.006 - TCC Manipulation
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1049 - System Network Connections Discovery
MITREへのリンク →

Scattered Spider

Score: 0.78
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1491 - Defacement
  • T1197 - BITS Jobs
  • T1619 - Cloud Storage Object Discovery
  • T1548.006 - TCC Manipulation
  • T1552.003 - Shell History
  • T1027.002 - Software Packing
MITREへのリンク →

Kimsuky

Score: 0.68
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1102.003 - One-Way Communication
  • T1197 - BITS Jobs
  • T1001 - Data Obfuscation
  • T1091 - Replication Through Removable Media
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
MITREへのリンク →

Mustang Panda

Score: 0.68
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1566.002 - Spearphishing Link
  • T1102.003 - One-Way Communication
  • T1105 - Ingress Tool Transfer
  • T1548.006 - TCC Manipulation
  • T1055.005 - Thread Local Storage
  • T1091 - Replication Through Removable Media
MITREへのリンク →

HAFNIUM

Score: 0.66
Matched TTPs:
  • T1059 - Command and Scripting Interpreter
  • T1055.008 - Ptrace System Calls
  • T1105 - Ingress Tool Transfer
  • T1548.006 - TCC Manipulation
  • T1140 - Deobfuscate/Decode Files or Information
  • T1049 - System Network Connections Discovery
MITREへのリンク →

Medusa Group

Score: 0.63
Matched TTPs:
  • T1128 - Netsh Helper DLL
  • T1216 - System Script Proxy Execution
  • T1094 - Custom Command and Control Protocol
  • T1548.006 - TCC Manipulation
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.003 - Shell History
MITREへのリンク →

Lazarus Group

Score: 0.62
Matched TTPs:
  • T1218.010 - Regsvr32
  • T1547.008 - LSASS Driver
  • T1105 - Ingress Tool Transfer
  • T1216 - System Script Proxy Execution
  • T1059.012 - Hypervisor CLI
  • T1055.005 - Thread Local Storage
MITREへのリンク →

Contagious Interview

Score: 0.55
Matched TTPs:
  • T1021.006 - Windows Remote Management
  • T1102.003 - One-Way Communication
  • T1547.008 - LSASS Driver
  • T1091 - Replication Through Removable Media
  • T1552.003 - Shell History
MITREへのリンク →

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

← Pulse一覧に戻る