North Korea targets SMEs with H0lyGh0st ransomware. Microsoft cybersecurity experts: the group, aka DEV-0530, has connections with PLUTONIUM (aka DarkSeoul or Andariel)
H0lyGh0st (aka DEV-0530) is a North Korean ransomware operation active since June 2021, discovered by Microsoft cybersecurity experts. The group uses malware of the same name in its campaigns and has successfully compromised small businesses (SMEs) in multiple countries since as early as September 2021. DEV-0530 maintains an .onion site that it uses to interact with its victims. Its standard methodology is to encrypt all files on the target device, appending the .h0lyenc file extension, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. As part of its extortion tactics, the group also threatens to publish victim data on social media or send the data to the victims' customers if they refuse to pay. Furthermore, DEV-0530 has connections with another North Korea-based group: PLUTONIUM (aka DarkSeoul or Andariel).