TeamWork
- Difficulty: Easy
- Status: Active
Scenario
It is Friday afternoon and the SOC at Edny Consulting Ltd has received alerts from the workstation of Jason Longfield, a software engineer on the development team, regarding the execution of some discovery commands. Jason has just gone on holiday and is not available by phone. The workstation appears to have been switched off, so the only evidence we have at the moment is an export of his mailbox containing today's messages. As the company was recently the victim of a supply chain attack, this case is being taken seriously and the Cyber Threat Intelligence team is being called in to determine the severity of the threat.
The Sherlock archive contains a single directory, jasonlongfield@edny.net, with 13 emails backed up as .eml files.
Tasks
Identify the sender of the suspicious email.
The .eml files can be opened in Chromium to render any HTML content properly. Looking through the emails, most of them appear to be marketing or mass mailings, though one stands out:
Dear Jason,
I hope this message finds you well. I am following up on our quick chat on X to discuss an exciting investment opportunity in an NFT game project that is nearing completion. As an investor in the project, I have been impressed by the progress and potential of this venture. However, we are seeking additional investment to take the project to the next level. The DevelopingDreams is currently in the process of developing a new play-to-earn (P2E) game. We finished beta version of this game but need expert game developers because of issues and new version. Would you be interested in learning more about this opportunity? I would be happy to provide you with more details and discuss how you can become a part of this innovative project.
Here you can find the beta version of the game for testing (use password DTWBETA2025).
Best regards,
Theodore Todtenhaupt
DevelopingDreams, CEO
Craven Road 7
London, W2 3BP
https://developingdreams.site
The sender address can be found in the email header:
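Rendering each message in a browser works for 13 files, but a mailbox export is easier to triage by pulling the From, Reply-To, Subject and any links straight out of the headers and body. The following script is an added example for this writeup, not tooling from the Sherlock; the embedded message is a constructed sample (fictional sender address, reply-to and download link), not the real email from the archive, and triage_directory assumes the export is a folder of .eml files like the one described above.

```python
"""Triage .eml exports: pull the sender, Reply-To, subject and any links out of
each message so suspicious mail can be spotted without rendering the HTML.

Added example for this writeup; the sample message below is constructed and
does not reproduce the real email from the Sherlock archive."""
import email
import re
from email import policy
from email.utils import parseaddr
from pathlib import Path

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample: fictional sender, reply-to and link, not the values from the case.
SAMPLE_EML = b"""From: "Theodore Todtenhaupt" <theodore@example-sender.invalid>
Reply-To: theodore@other-domain.invalid
To: jasonlongfield@edny.net
Subject: Investment opportunity - DevelopingDreams
Date: Fri, 31 Jan 2025 14:02:11 +0000
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Jason,</p>
<p>Here you can find the <a href="https://example-download.invalid/beta.zip">beta version</a>
of the game for testing (use password DTWBETA2025).</p></body></html>
"""


def triage_eml(raw: bytes) -> dict:
    """Return the headers and links an analyst wants first from one .eml."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    # Prefer the HTML part so links inside anchors are captured; fall back to plain text.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    urls = sorted(set(URL_RE.findall(body)))
    flags = []
    if reply_to and reply_to.lower() != sender.lower():
        flags.append("reply-to differs from sender")
    if "password" in body.lower():
        # Password-protected archives are a common way to get past gateway scanning.
        flags.append("body mentions a password")
    return {
        "sender": sender,
        "display_name": display_name,
        "reply_to": reply_to,
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "urls": urls,
        "flags": flags,
    }


def triage_directory(mailbox_dir: str) -> list:
    """Run triage over every .eml file in an exported mailbox directory."""
    rows = []
    for path in sorted(Path(mailbox_dir).glob("*.eml")):
        row = triage_eml(path.read_bytes())
        row["file"] = path.name
        rows.append(row)
    return rows


if __name__ == "__main__":
    for key, value in triage_eml(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it against the export with triage_directory("jasonlongfield@edny.net") and sort by the flags column: a message whose Reply-To points somewhere other than the sender, or whose body hands out a password for an archive, is the one to open first.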
The suspicious email came from a custom domain, identify its creation date.
The DNS record has expired, but there are historical DNS records available online, like here.
According to the records, the domain was registered on 2025-01-31.
The domain was registered shortly before the suspicious email was received, which likely corresponds to the time when the threat actor was planning this campaign. Which MITRE ATT&CK sub-technique of the Resource Development tactic corresponds to this activity?
This corresponds to T1583.001, Acquire Infrastructure: Domains.
The previously identified domain appears to belong to a company, what is the full URL of the company's page on X (formerly Twitter)?
The domain is no longer active, but a snapshot has been preserved on the Web Archive. At the bottom of the page is a link to their X profile: https://x.com/Develop_Dreams.
Reading the suspicious email carefully, it appears that the threat actor first contacted the victim using the previously identified social media profile. Which MITRE ATT&CK sub-technique of the Resource Development tactic corresponds to this activity?
This corresponds to T1585.001, Establish Accounts: Social Media Accounts
What is the name of the game the threat actor would like us to collaborate on?
The suspicious email only mentions "a new play-to-earn (P2E) game" with no hints about the name.
The preserved website on the Web Archive does mention a game matching the description named DeTankWar.
What is the SHA-256 hash of the executable shared by the threat actor?
The beta was available on developingdreams.site and has been archived along with the rest of the site. Extracting the .zip archive with the password from the email produces an .exe file:
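Hashing the payload without ever writing it to disk keeps the analyst's workstation clean and gives a digest that can be searched directly. The script below is an added example for this writeup, not tooling from the case: it opens a password-protected zip with Python's zipfile, streams each member through SHA-256 and returns the digests. The password is the one quoted in the email; the archive contents in build_test_archive are constructed for demonstration (the standard library cannot write encrypted zips, so the password is simply ignored for those members). zipfile only handles traditional ZipCrypto encryption, so an AES-encrypted archive would need 7-Zip or a third-party library instead.

```python
"""Compute the SHA-256 of every file inside a (possibly password-protected) zip
without writing the extracted payload to disk.

Added example for this writeup, not tooling from the case. Python's zipfile
only handles traditional ZipCrypto encryption, not AES-encrypted zips."""
import hashlib
import io
import zipfile

EMAIL_PASSWORD = b"DTWBETA2025"  # password quoted in the suspicious email


def sha256_of_member(zf: zipfile.ZipFile, name: str, password: bytes) -> str:
    """Stream one archive member through SHA-256 in 1 MiB chunks."""
    h = hashlib.sha256()
    # pwd is only consulted for encrypted members; unencrypted ones ignore it.
    with zf.open(name, pwd=password or None) as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_archive(archive, password: bytes = b"") -> dict:
    """Return {member name: sha256} for every file in the archive.

    `archive` may be a filesystem path or the raw zip bytes (e.g. the response
    body fetched from a Web Archive snapshot)."""
    src = io.BytesIO(archive) if isinstance(archive, bytes) else archive
    results = {}
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results[info.filename] = sha256_of_member(zf, info.filename, password)
    return results


def build_test_archive(files: dict) -> bytes:
    """Constructed, unencrypted zip used only to demonstrate hash_archive;
    zipfile cannot write encrypted archives, so EMAIL_PASSWORD is ignored here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the real beta archive; the member is not a real binary.
    sample = build_test_archive({"Beta/setup.exe": b"MZ placeholder, not a real executable"})
    for name, digest in hash_archive(sample, EMAIL_PASSWORD).items():
        print(f"{digest}  {name}")
```

For the real archive, call hash_archive("path/to/beta.zip", EMAIL_PASSWORD) and search the printed digest; the member is never extracted to disk, so nothing is left behind for an endpoint agent to trip over.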
As part of the preparation of the tools for the attack, the threat actor hosted this file, presumably malware, on its infrastructure. Which MITRE ATT&CK sub-technique of the Resource Development tactic corresponds to this activity?
This corresponds to T1608.001, Stage Capabilities: Upload Malware
Based on the information you have gathered so far, do some research to identify the name of the threat actor who may have carried out this attack.
Searching for the file hash above links it to a specific North Korean threat actor known as Moonstone Sleet.
The malware has already been thoroughly investigated: https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
What nation is the threat actor believed to be associated with?
North Korea
Another campaign from this threat actor used a trojanized version of a well-known software to infect victims. What is the name of this tool?
The Microsoft blog post above details the use of a trojanized version of PuTTY.
Which MITRE ATT&CK technique corresponds to the activity of deploying trojanized/manipulated software?
This corresponds to T1195.002, Supply Chain Compromise: Compromise Software Supply Chain.
Our company wants to protect itself from other supply chain attacks, so while documenting this threat actor further, the CTI team found that other security researchers were also tracking a group whose techniques closely match those of Moonstone Sleet, and discovered a new supply chain campaign around the end of July 2024. What technology is this campaign targeting?
According to this post, there was a supply chain attack on npm in July 2024 in which a trojanized version of jQuery was bundled into as many as 68 packages published and distributed through the npm registry.
We now need some indicators to be able to rule out that other systems have been compromised. What is the name and version of the latest malicious package published? (Format: package-name vX.X.X)
By narrowing the search for "infected npm packages list" to July–August 2024, a relevant blog post on the topic by Datadog Security Labs can be found.
The blog post attributes the malicious npm packages to the North Korean threat actor Stressed Pungsan. The blog post mentions two packages published on npm on July 7th 2024, one of which is named harthat-hash v1.3.3.
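Ruling out other compromised systems means checking every project's lockfile against the package indicators, not just the one developer's machine. The script below is an added example for this writeup, not Datadog's or npm's tooling: it walks a package-lock.json (both the v2/v3 "packages" map and the older v1 "dependencies" tree, including nested installs and scoped packages) and reports any entry on the indicator list. MALICIOUS_PACKAGES holds only the package and version named above; the remaining packages from the referenced reports would be added in the same shape. The lockfile embedded in the script is a constructed sample.

```python
"""Check an npm lockfile for packages named in a CTI indicator list.

Added example for this writeup, not Datadog's or npm's tooling. The indicator
list holds only the package/version the writeup names; the lockfile below is a
constructed sample."""
import json
from pathlib import Path

# Indicators: package name -> set of known-bad versions.
# An empty set means every version of that package is treated as malicious.
MALICIOUS_PACKAGES = {
    "harthat-hash": {"1.3.3"},
}

# Constructed lockfile (v3 layout) with one clean, one flagged and one
# nested, older (unflagged) copy of the indicator package.
SAMPLE_LOCKFILE = json.dumps({
    "name": "edny-internal-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "edny-internal-app", "version": "0.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/harthat-hash": {"version": "1.3.3"},
        "node_modules/left-pad/node_modules/harthat-hash": {"version": "1.0.0"},
    },
})


def _installed_packages(lock: dict):
    """Yield (name, version) for lockfile v2/v3 'packages' and v1 'dependencies'."""
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry
        # Nested installs look like node_modules/a/node_modules/@scope/b.
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", "")

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_malicious(lockfile_text: str, indicators=MALICIOUS_PACKAGES) -> list:
    """Return (name, version) pairs in the lockfile that match the indicator list."""
    lock = json.loads(lockfile_text)
    hits = []
    for name, version in _installed_packages(lock):
        bad_versions = indicators.get(name)
        if bad_versions is None:
            continue
        if not bad_versions or version in bad_versions:
            hits.append((name, version))
    return hits


def scan_lockfile(path: str) -> list:
    """Convenience wrapper for a lockfile on disk."""
    return find_malicious(Path(path).read_text(encoding="utf-8"))


if __name__ == "__main__":
    for name, version in find_malicious(SAMPLE_LOCKFILE):
        print(f"MATCH: {name} v{version}")
```

Point scan_lockfile at each repository's package-lock.json (or run it from CI); the nested 1.0.0 copy in the sample is deliberately not reported, which is why the indicator list carries versions rather than bare names.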
The malicious packages downloaded an additional payload from a C2 server, what is its IP address?
Also mentioned in the blog post above, the IP address in question is 142.111.77.196.
The payload, after being renamed, is finally executed by a legitimate Windows binary to evade defenses. Which MITRE ATT&CK technique corresponds to this activity?
The technique is mentioned in the blog post above: T1218.011, System Binary Proxy Execution: Rundll32.