Microsoft has announced that it has taken control of 50 domains previously owned by the North Korean Thallium group (APT37) and used for its operations. Microsoft says that, in preparation for this step, its Digital Crimes Unit (DCU) and Microsoft Threat Intelligence Center (MSTIC) monitored Thallium for several months and mapped out its infrastructure.
Having collected enough data, Microsoft filed a lawsuit against Thallium in a Virginia court on December 18 this year. Last week, US authorities officially allowed Microsoft to seize control of more than 50 domains belonging to the North Korean hacking group. These domains are known to have been used to send phishing emails and host phishing pages that fraudulently used Microsoft brands and trademarks. The hackers lured victims to these sites, stole their credentials, and then used them to gain access to the victims' internal networks, from which they extended their attacks further.
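The attack chain described above starts with a domain that borrows a Microsoft brand name. As an added example (not Microsoft's code and not from the original article), the following Python triage routine flags hostnames seen in mail headers or web logs that carry a Microsoft brand token without belonging to a Microsoft-registered domain, including lookalike spellings and brand names hidden in a subdomain. The allowlist, brand tokens, confusable map, two-level suffix set and sample hostnames are all assumptions constructed for illustration.

```python
"""
Brand-impersonation check for hostnames (added example, not from the article).
Flags hosts that contain a Microsoft brand token but whose registered domain
is not one of the legitimate Microsoft domains in the allowlist.
"""
import unicodedata

# Assumption: legitimate registered domains an organisation expects to see.
LEGIT_DOMAINS = {
    "microsoft.com", "office.com", "live.com", "outlook.com",
    "microsoftonline.com", "onedrive.com", "sharepoint.com",
}

# Brand tokens whose presence in a non-allowlisted host is suspicious.
# Longer tokens first so "office365" is reported before "office".
BRAND_TOKENS = ("microsoft", "office365", "office", "outlook", "onedrive", "sharepoint")

# Common lookalike substitutions; multi-character pairs are undone first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]

# Naive public-suffix handling: only these two-level suffixes are recognised
# (assumption; a real deployment would use the Public Suffix List).
TWO_LEVEL_SUFFIXES = {"co.uk", "co.kr", "co.jp", "com.au"}


def normalize(host: str) -> str:
    """Lower-case, strip accents/combining marks and undo lookalike
    substitutions so that 'rnicr0soft' compares equal to 'microsoft'.
    Punycode ("xn--") labels are not decoded here."""
    host = host.lower().rstrip(".")
    decomposed = unicodedata.normalize("NFKD", host)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    for fake, real in CONFUSABLES:
        plain = plain.replace(fake, real)
    return plain


def registered_domain(host: str) -> str:
    """Return the registrable part of a host (e.g. 'example.co.kr')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(host: str):
    """Return (verdict, detail) for one hostname.

    verdict is one of 'legitimate', 'brand_impersonation' or 'unknown'.
    For impersonation, detail says which token matched and whether it sits
    in the registered domain itself or only in a subdomain label."""
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return ("legitimate", reg)
    norm_host = normalize(host)
    norm_reg = normalize(reg)
    for token in BRAND_TOKENS:
        if token in norm_host:
            where = "registered-domain" if token in norm_reg else "subdomain"
            return ("brand_impersonation", f"{token} in {where} of {host}")
    return ("unknown", reg)


def triage(hosts):
    """Classify a batch of hosts; returns a list of (host, verdict, detail)."""
    return [(h, *classify(h)) for h in hosts]


if __name__ == "__main__":
    # Constructed sample hostnames, not real indicators from the article.
    SAMPLE_HOSTS = [
        "login.microsoftonline.com",            # legitimate
        "rnicrosoft-login.example",             # 'rn' lookalike for 'm'
        "microsoft.com.secure-update.example",  # brand hidden in subdomain
        "0utlook-mail.example",                 # digit zero for 'o'
        "micrösoft.example",                    # accented lookalike
        "news.example",                         # no brand token
    ]
    for host, verdict, detail in triage(SAMPLE_HOSTS):
        print(f"{verdict:20} {host:40} {detail}")
```

The check deliberately errs toward flagging: a brand token anywhere in the host, after normalisation, is enough. Short or generic tokens (for example "live") are left out of `BRAND_TOKENS` because they would match unrelated names; tune the lists to the brands your users actually log in to, and treat a `brand_impersonation` verdict as a reason to inspect the message or session, not as proof of compromise.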
Microsoft also reports that, in addition to tracking Thallium's attacks, company experts monitor and examine infected hosts. Most of the attackers' targets were located in the USA, Japan and South Korea.
“Judging by the data of the victims, they included government officials, think tanks, university staff, members of human rights organizations, as well as people involved in the proliferation of nuclear weapons,” experts said.
According to Microsoft, the ultimate goal of the group's attacks was often to infect victims with malware such as the remote access trojans KimJongRAT and BabyShark. Once installed on a victim's computer, the malware stole information, established persistence in the system, and then awaited further instructions from its operators.
It is worth noting that this is not the first time Microsoft has fought hackers through the courts. For example, in 2018, Microsoft experts used the same tactic to take control of 84 domains belonging to the hacker group APT28, also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.