Delaware, USA – January 2, 2020 – Microsoft got a court order allowing them to take down the domains used by the cyberespionage group Thallium. The group is active since 2012 and linked with the North Korean government, its operations are closely related to the activities of the Lazarus group. Thallium primarily attacks organizations in Asia and the Middle East, but in an interrupted campaign, adversaries targeted “government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues.” Most targets were located in the United States, Japan, and South Korea.
According to Microsoft, 50 of the uncovered domains were used by the group to carry out phishing attacks in order to collect credentials and further infiltrate internal networks. For several months, experts monitored the activities of the group, as well as infected devices. The ultimate goal of hackers was to infect victims’ systems with malware, in particular, KimJongRAT and BabyShark remote access trojans. On December 18, 2019, Microsoft filed a lawsuit against Thallium in the U.S. District Court for the Eastern District of Virginia and a short time later the court allowed the company to take control of the domains used by the group in cyber attacks. In August 2018, the tech giant took control of six domains of the APT28 group (aka Fancy Bear and Strontium), and in March of the last year, the company took down 99 domains belonging to APT35 that were used by the group for phishing attacks on organizations in the United States.
Rules to detect activity that could be related to BabyShark RAT: https://tdm.socprime.com/tdm/info/m304xpLFxpgu/