Preface: It is impossible to rely on small group of expert to track malicious activities on the Internet. In fact, it needs strong financial support. This is reality, maybe this is a long-running game.

Background: US Homeland Security issue an evaluation article on hostile country malware and phishing attacks motion. Perhaps you may ask? Can it be relies on SIEM do this monitoring. My opinion is that we should say thanks to DNS Sinkhole.A website that hosts malware can either attempt to trick users into downloading a malicious program, or execute a drive-by download: a download of a malicious piece of software that is automatically triggered when the webpage loads. But it require DNS lookup service. By using the DNS sinkhole technique it is also possible to deny access to any of malicious C&C websites. Besides, the queries will be written down to DNS Sinkhole record.

Security focus of specifics malware:
COPPERHEDGE, is described as a Remote Access Tool (RAT).
TAINTEDSCRIBE is a trojan that acts as a full-featured beaconing implant with command modules and designed to disguise as Microsoft’s Narrator.
PEBBLEDASH is yet another trojan acting like a full-featured beaconing implant and used by hacking groups “to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”

For more information about the report, please click this link – https://www.us-cert.gov/northkorea