Thailand Seizes Server Linked To North Korea Cobra APT Group

ThaiCERT has seized a server hidden in a Thai university that was allegedly used as part of a North Korean hacking operation. Thailand Infosec Organization announced last Wednesday that the box was operated by North Korea's Hidden Cobra APT group and was part of the command and control server for a campaign called GhostSecret.

McAfee reported IP addresses associated with GhostSecret last Tuesday, as part of malware targeting infrastructure. The McAfee report warned that GhostSecret was part of a global reconnaissance campaign scanning servers in various industries to find targets for an attack, as well as identifying command and control servers.

McAfee said it discovered a new Destover malware implant variant and another implant, called Proxysvc, that has operated undetected since mid-2017. The new variant resembles parts of the Destover malware that was used in the 2014 Sony Pictures attack.

McAfee said the IP Address associated with Thai Activity  were,, and belonging to Thammasat University.

That last IP address hosted the control server for the Sony Pictures implant and hosted the SSL certificate used in Hidden Cobra operations since the Sony Pictures attack.

The server is now with ThaiCERT, which said it is working with authorities and McAfee to analyze its contents and see what remediation it can offer to Thai victims of the campaign.

Image Credits: Bill Hinton via Getty Images
