JustJoin Landing Page Linked to Suspected DPRK Activity Resurfaces

This report discusses the identification of a server linked to TA444/BlueNoroff, which employs deceptive domains related to virtual meeting platforms like Zoom for phishing and malware delivery. The analysis reveals a network of domains and shared SSH keys, indicating coordinated infrastructure. Affected: IP address, domain

Key points:

  • Hunt researchers identified a server with HTTP response headers linked to DPRK-related activity.
  • The server hosts a landing page for ‘JustJoin,’ a macOS app for monitoring Zoom meetings.
  • TA444/BlueNoroff is known for registering domains that mimic legitimate businesses, particularly in cryptocurrency and fintech.
  • The group often uses virtual private servers (VPS) for hosting, with Hostwinds being the most observed provider.
  • Operational security lapses have revealed infrastructure reuse and shared domains across multiple IPs.
  • Four domains were found resolving to a specific IP address, with two confidently linked to previous reports.
  • The structure of one domain obfuscates its IP address, potentially reducing visibility during inspection.
  • Further analysis revealed two additional servers sharing the same SSH fingerprint as the initial server.
  • Defenders should monitor for suspicious domains that mimic legitimate services to mitigate risks.

MITRE Techniques:

  • Phishing (T1566) – TA444/BlueNoroff uses deceptive domains to support phishing campaigns.
  • Domain Generation Algorithms (T1483) – The group registers domains that mimic legitimate businesses.
  • Infrastructure Discovery (T1016) – The analysis of shared SSH keys indicates coordination within their infrastructure.
  • Obfuscated Files or Information (T1027) – The domain structure uses hexadecimal sequences to obfuscate the IP address.

Indicators of Compromise:

  • [IP Address] 23.254.167[.]216
  • [Domain] make-hex-32332e3235342e3136372e323136-rr.1u.ms
  • [Domain] a0info.v6[.]army
  • [Domain] cryptorgram[.]com
  • [Domain] www.cryptorgram[.]com
  • Check the article for all found IoCs.
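The hex-obfuscated domain listed above carries the server's own IPv4 address as ASCII hex inside a DNS label (32332e3235342e3136372e323136 decodes to 23.254.167.216). The following Python is an added example, not code from the Hunt report, showing how a defender can decode such labels from DNS query logs and match the recovered address against a watchlist. It generalises beyond the exact 'make-hex-<hex>-rr' form by testing every long hex run in every label; the log lines, the qname= field format and the watchlist are constructed for the example, and the 1u.ms label grammar beyond this single observed sample is an assumption.

```python
import ipaddress
import re
from typing import Optional

# Constructed DNS query log lines for this example (hypothetical client IPs and
# timestamps; only the first qname is the domain from the report's IoC list).
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.12 qname=make-hex-32332e3235342e3136372e323136-rr.1u.ms qtype=A
2024-05-01T10:00:05Z client=10.0.0.12 qname=www.example.com qtype=A
2024-05-01T10:00:09Z client=10.0.0.31 qname=make-hex-6465616462656566-rr.1u.ms qtype=A
"""

# A dotted-quad IPv4 address is at least 7 characters, i.e. 14 hex digits; an
# 8-digit minimum keeps short incidental hex runs (e.g. "deadbeef") cheap to reject.
HEX_RUN = re.compile(r"[0-9a-fA-F]{8,}")
QNAME_FIELD = re.compile(r"qname=(\S+)")
CLIENT_FIELD = re.compile(r"client=(\S+)")


def decode_hex_ip_label(domain: str) -> Optional[str]:
    """Return the IPv4 address hidden as ASCII hex in any label of `domain`, else None.

    Every DNS label is scanned for runs of hex digits. A run is decoded as ASCII
    and accepted only if the text parses as an IPv4 address, so unrelated hex
    (hashes, "deadbeef", etc.) is ignored rather than flagged.
    """
    for label in domain.rstrip(".").split("."):
        for run in HEX_RUN.findall(label):
            try:
                text = bytes.fromhex(run).decode("ascii")
                return str(ipaddress.IPv4Address(text))
            except (ValueError, UnicodeDecodeError):
                # odd-length run, non-ASCII bytes, or not a dotted quad
                continue
    return None


def find_hex_ip_queries(log_text: str, watchlist: set) -> list:
    """Scan DNS log lines; return (client, qname, decoded_ip, on_watchlist) for each hit.

    Only queries whose name hides a decodable IPv4 address are returned; the
    boolean marks whether that address is on the analyst-supplied watchlist.
    """
    hits = []
    for line in log_text.splitlines():
        qname_match = QNAME_FIELD.search(line)
        if not qname_match:
            continue
        qname = qname_match.group(1)
        decoded = decode_hex_ip_label(qname)
        if decoded is None:
            continue
        client_match = CLIENT_FIELD.search(line)
        client = client_match.group(1) if client_match else "?"
        hits.append((client, qname, decoded, decoded in watchlist))
    return hits


if __name__ == "__main__":
    # Watchlist seeded with the IP from the report's IoC list.
    watchlist = {"23.254.167.216"}
    for client, qname, ip, flagged in find_hex_ip_queries(SAMPLE_DNS_LOG, watchlist):
        status = "WATCHLIST MATCH" if flagged else "hex-encoded IP"
        print(f"{status}: client {client} queried {qname} -> {ip}")
```

Decoding the label and matching on the recovered address, rather than on the literal domain string, means a retooled label (a new hex run or a different wildcard-DNS provider) still trips the same rule as long as the destination IP is already on the watchlist.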


Full Research: https://hunt.io/blog/justjoin-landing-page-linked-to-suspected-dprk-activity-resurfaces