{ "type": "Domain", "indicator": "lnfo-master.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/lnfo-master.com", "alexa": "http://www.alexa.com/siteinfo/lnfo-master.com", "indicator": "lnfo-master.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2190819171, "indicator": "lnfo-master.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "61978976fed1a4a1794586e7", "name": "Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies", "description": "Throughout 2021, Proofpoint has tracked ongoing credential theft campaigns from TA406, an actor associated with the Democratic People\u2019s Republic of Korea (DPRK). Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor\u2019s campaigns remained low in volume until the beginning of January 2021. From January through June 2021, Proofpoint observed almost weekly campaigns targeting foreign policy experts, journalists and nongovernmental organizations (NGOs).", "modified": "2022-08-08T06:41:58.851000", "created": "2021-11-19T11:24:37.334000", "tags": [ "TA406", "kimsuky", "thallium", "konni", "fatboy", "yorekey" ], "references": [ "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf" ], "public": 1, "adversary": "TA406", "targeted_countries": [], "malware_families": [ { "id": "FatBoy", "display_name": "FatBoy", "target": null }, { "id": "YoreKey", "display_name": "YoreKey", "target": null } ], "attack_ids": [ { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1170", "name": "Mshta", "display_name": "T1170 - Mshta" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1137.001", "name": "Office Template Macros", "display_name": "T1137.001 - Office Template Macros" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 413, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2, "domain": 113, "hostname": 10 }, "indicator_count": 125, "is_author": false, "is_subscribing": null, "subscriber_count": 387039, "modified_text": "1395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5e206c7aef589acc3f96cb79", "name": "Thallium domains sinkholed by Microsoft", "description": "On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.", "modified": "2020-01-17T20:26:26.408000", "created": "2020-01-16T14:00:26.890000", "tags": [ "apt37", "Thallium", "dprk" ], "references": [ "https://twitter.com/kyleehmke/status/1212119523077349378", "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/" ], "public": 1, "adversary": "Thallium", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 15, "domain": 28, "hostname": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 387039, "modified_text": "2328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf", "https://twitter.com/kyleehmke/status/1212119523077349378", "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/" ], "related": { "alienvault": { "adversary": [ "Thallium", "TA406" ], "malware_families": [ "Fatboy", "Yorekey" ], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "61978976fed1a4a1794586e7", "name": "Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies", "description": "Throughout 2021, Proofpoint has tracked ongoing credential theft campaigns from TA406, an actor associated with the Democratic People\u2019s Republic of Korea (DPRK). Our analysts have tracked TA406 campaigns targeting customers since 2018, but the threat actor\u2019s campaigns remained low in volume until the beginning of January 2021. From January through June 2021, Proofpoint observed almost weekly campaigns targeting foreign policy experts, journalists and nongovernmental organizations (NGOs).", "modified": "2022-08-08T06:41:58.851000", "created": "2021-11-19T11:24:37.334000", "tags": [ "TA406", "kimsuky", "thallium", "konni", "fatboy", "yorekey" ], "references": [ "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf" ], "public": 1, "adversary": "TA406", "targeted_countries": [], "malware_families": [ { "id": "FatBoy", "display_name": "FatBoy", "target": null }, { "id": "YoreKey", "display_name": "YoreKey", "target": null } ], "attack_ids": [ { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1170", "name": "Mshta", "display_name": "T1170 - Mshta" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1137.001", "name": "Office Template Macros", "display_name": "T1137.001 - Office Template Macros" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 413, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2, "domain": 113, "hostname": 10 }, "indicator_count": 125, "is_author": false, "is_subscribing": null, "subscriber_count": 387039, "modified_text": "1395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5e206c7aef589acc3f96cb79", "name": "Thallium domains sinkholed by Microsoft", "description": "On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.", "modified": "2020-01-17T20:26:26.408000", "created": "2020-01-16T14:00:26.890000", "tags": [ "apt37", "Thallium", "dprk" ], "references": [ "https://twitter.com/kyleehmke/status/1212119523077349378", "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/" ], "public": 1, "adversary": "Thallium", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 15, "domain": 28, "hostname": 2 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 387039, "modified_text": "2328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "lnfo-master.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "lnfo-master.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780471315.1414518 }