CyberInt Reports: Suspected Russian-speaking Threat Actors Targeting Korea
  • Posted by Yeon Chul-hyun
  • Approved 2019.04.18 07:44

Latest tactic is using legitimate remote access software delivered via phishing attempts
Hacker-strip(Credit CyberInt)


[Tel Aviv] An investigation from CyberInt’s Research Lab, announced on April 17, has connected a single gang to a range of attacks against retailers and financial institutions around the world using legitimate remote access software. CyberInt’s managed detection and response solutions protect the world’s leading companies.
The group has used the same tactics, techniques and procedures (TTPs) along with the repeated nefarious use of an off-the-shelf commercial remote administration tool, “Remote Manipulator System” (RMS), developed by a Russian-based company, TektonIT.
They were behind attacks against the global financial industry between December 2018 and February 2019, launching campaigns against financial institutions in Chile, India, Italy, Malawi, Pakistan, and South Korea, among others; and December 2018 campaigns against US-based retailers. Campaigns are continuing today.
The financially motivated TA505 has been active since 2014, when they began high-volume malicious email campaigns, including the distribution of the “Dridex” and “Shifu” banking trojans as well as the Neutrino botnet/exploit kit and Locky ransomware.
The members of TA505 are thought to be native Russian speakers, based on analysis of their code.
CyberInt’s Research Lab discovered the attack thanks to its outside-in approach, where it seeks out threats before they enter the organization. CyberInt’s machine learning-based AI detection platform automatically sorts through hundreds of thousands of events across the Internet and darknet and deep web, bringing specific patterns to the attention of cyber-analysts, who further investigate the TTPs and their impact on CyberInt’s customers.
“Although they are using phishing and social engineering to get the software into the organizations, once it’s installed, it’s virtually undetectable by traditional threat protection systems because it’s legitimate software,” says Adi Peretz, Senior Strategic Consultant and Head of Research at CyberInt. “They are still very much active. This is only the beginning of our deep-dive investigation.
“Our ‘white hat-hacking approach’ makes it critical that we reveal their TTPs so organizations can better prepare themselves. Signature detection doesn’t work, but if you focus on training your employees to avoid their modus operandi, you have a greater chance of protecting your organization.”
CyberInt recommends adoption of a machine learning technology platform that is tailored to the individual business’s specific requirements, where analysts determine in advance which types of threats they need to mitigate first.

This article was written by CyberInt
