Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

North Korean Software Supply Chain Attack Targets Stock Investors

North Korean Software Supply Chain Attack Targets Stock Investors

North Korean hacking group Thallium aka APT37 has targeted users of a private stock investment messenger service in a software supply chain attack, according to a report published this week.

Up until now, the group mainly relied on phishing attacks, such as via Microsoft Office documents, to target its victims.

Thallium is now leveraging multiple ways, such as shipping tainted Windows installers and macro-laden Office documents to prey on investors.

Attackers alter the installer of a stock investment app

This week, ESTsecurity Security Response Center (ESRC) reported on North Korean hacking group altering a private stock investment messaging application to ship malicious code.

The group known as Thallium produced a Windows executable using Nullsoft Scriptable Install System (NSIS), a popular script-driven installer authoring tool for Microsoft Windows.

The executable contained malicious code in addition to the legitimate files from a legitimate stock investment application program.

ESTsecurity researchers have demonstrated at least two ways in which the attackers leverage the “XSL Script Processing” technique.

Also Read: PDPA For Companies: Compliance Guide For Singapore Business

Within the legitimate installer of the stock investment platform, attackers injected specific commands that fetched a malicious XSL script from a rogue FTP server, and executed it on Windows systems via the in-built wmic.exe utility.

Commands pull malicious XSL script over FTP
Source: ESTsecurity

The resultant installer, repackaged with Nullsoft’s NSIS, would give off the impression as if the user was installing the real stock investment application while silently spinning up the malicious scripts in the background.

The next stage of attack executes a VBScript to create files and folders titled ‘OracleCache’, ‘PackageUninstall’, and ‘USODrive’ among others in the %ProgramData% directory.

The payload then connects to the command-and-control (C2) server hosted on frog.smtper[.]co to receive additional commands.

VBScript that retrieves commands from C2 server
Source: ESTsecurity

By creating a rogue scheduled task called activate under a misleading directory ‘Office 365__\Windows\Office’, the malware achieves persistence by instructing Windows Scheduler to run the dropped code every 15 minutes.

The threat actors perform reconnaissance of the infected system and after an initial screening, deploy a Remote Access Trojan (RAT) on the machine to further conduct their sinister activities.

Excel macros also used to deliver the payload

ESTsecurity researchers also observed Microsoft Office documents, such as Excel spreadsheets which contained macros were distributing the aforementioned XSL script payload.

“ESRC is paying attention to the fact that the Thallium organization is using the ‘XSL Script Processing’ technique not only in spear phishing attacks based on malicious documents, but also for niche attacks including supply chain attacks,” stated ESTsecurity researchers in their translated report.

According to the researchers, the threat actors’ reasons for targeting users investing in stock remain unclear.

Whether the goal behind this attack was monetary gain or espionage on traders, supply chain attacks have become a common nuisance of these times.

Also Read: Data Protection Authority GDPR: Everything You Need To Know

The recent large-scale SolarWinds attack impacted over 18,000 entities including reputable government and private organizations.

Last month, attackers targeted the open-source ecosystem RubyGems in a software supply chain attack to mine cryptocurrency on infected machines.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us