Pulse Detail — Threat Intelligence

PULSE NAME

Dalbit (m00nlight): Chinese Hacker Group APT Attack Campaign

WHITE Dalbit AlienVault 2023-02-15 Modified: 2023-02-15

211

IOCs

HIGH VOLUME

Researchers identified the Dalbit (m00nlight) hacking group that has been targeting Korean companies since 2022 and is known as the “Dalbit” (Moonlight).

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1027 T1550 T1056 T1003 T1005 T1018 T1021 T1046 T1047 T1053 T1059 T1068 T1070 T1090 T1098 T1105 T1113 T1114 T1134 T1136 T1486 T1505 T1562 T1567 T1569 T1570 T1608

MALWARE FAMILIES

WebShell Moonlight’ Dalbit

Indicators of Compromise (10 / 211 total)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://103.118.42.208:8080/frpc.exe	—	2023-02-15
URL	http://175.24.32.228:8888/readme	—	2023-02-15
URL	http://91.217.139.117:8001/log.ini	—	2023-02-15
URL	http://91.217.139.117:8001/log.xn--ini-9o0a	—	2023-02-15
URL	http://91.217.139.117:8080/1.bat	—	2023-02-15
URL	http://91.217.139.117:8080/calc32.exe	—	2023-02-15
URL	http://91.217.139.117:8080/calc32.xn--exe-9o0a	—	2023-02-15
URL	http://91.217.139.117:8443/log.ini	—	2023-02-15
URL	https://aa.zxcss.com:443	—	2023-02-15
URL	https://fk.m00nlight.top:443	—	2023-02-15

References (1)

↗ https://asec.ahnlab.com/en/47455/