Rewterz Threat Alert – Kimsuky APT Group – Active IOCs

Severity

High

Analysis Summary

Kimsuky is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and also conducts espionage against targets in the United States and Japan. Kimsuky has deployed a custom backdoor it calls Gold Dragon: a second-stage backdoor installed after a file-less, PowerShell-based first stage has run.

This group is capable of standing up phishing infrastructure that convincingly imitates well-known websites and tricks users into entering their passwords. Kimsuky APT is also tracked under the names Thallium, Black Banshee, and Velvet Chollima. In December 2020, KISA (Korea Internet & Security Agency) published a full investigation of Kimsuky's phishing infrastructure and the TTPs used in its attacks on South Korea. To gain initial access to victim networks, Kimsuky's operators use a variety of spear-phishing and social engineering techniques. The group is responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise and for other major campaigns such as Operation Kabar Cobra (2019).

Impact

  • Information theft and espionage
  • Exposure of sensitive data

Indicators of Compromise

Filename

  • contract[.]chm
  • wages[.]chm
  • Nodejs for Game Server Development[.]chm
  • User Guide[.]chm

MD5

  • 997165ed836b8a2a6af5cf2d43af5803
  • 5f1091df4c74412ef59426c1bb65f4d0
  • ae43f4d4c6123294b2f3ede294032944
  • acc6263bd54de778c1e22373d73887ab

SHA-256

  • 3f2c43b3d4a00d20dfbc0d29b5e2348028e95be6cc0bef1e7f6823cdd6667280
  • a72a9ce14d2f914a86aeaf7d963164413be158dfdd339182146a522eceb4552e
  • 7f14b789453a0e94b5afa63f8e5319e80cef78d81d60471caa0805ddfe01c6a6
  • e62a7d9184a841e2b53e41f2d85aa278b427e2e427dbfd8f4be072108e3089c1

SHA-1

  • 08502f51d1913a9ea56898d29be52916d4b6ec7c
  • 97f41634e2be787c822bc19da100ed7698b5dc88
  • 88305a923c85cd33ca5b052305de1cea9a39fcd0
  • bf7922ef1627ce916683f84f741c84b9935eebf4

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious of emails sent by unknown senders.
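As an added example of the "search for IOCs in your environment" step (this is not Rewterz's own tooling), the Python scan below hashes every regular file under a directory and flags any file whose MD5, SHA-1, SHA-256 or filename matches the indicators listed above. It assumes the de-fanged `name[.]chm` entries stand for real `.chm` filenames; the `demo()` function uses a constructed harmless file, not the actual samples.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators copied from the alert above (the page de-fangs names as "name[.]chm").
IOC_MD5 = {"997165ed836b8a2a6af5cf2d43af5803", "5f1091df4c74412ef59426c1bb65f4d0",
           "ae43f4d4c6123294b2f3ede294032944", "acc6263bd54de778c1e22373d73887ab"}
IOC_SHA1 = {"08502f51d1913a9ea56898d29be52916d4b6ec7c", "97f41634e2be787c822bc19da100ed7698b5dc88",
            "88305a923c85cd33ca5b052305de1cea9a39fcd0", "bf7922ef1627ce916683f84f741c84b9935eebf4"}
IOC_SHA256 = {"3f2c43b3d4a00d20dfbc0d29b5e2348028e95be6cc0bef1e7f6823cdd6667280",
              "a72a9ce14d2f914a86aeaf7d963164413be158dfdd339182146a522eceb4552e",
              "7f14b789453a0e94b5afa63f8e5319e80cef78d81d60471caa0805ddfe01c6a6",
              "e62a7d9184a841e2b53e41f2d85aa278b427e2e427dbfd8f4be072108e3089c1"}
IOC_FILENAMES = {"contract.chm", "wages.chm", "Nodejs for Game Server Development.chm", "User Guide.chm"}

def hash_file(path):
    """Return (md5, sha1, sha256) hex digests, streaming the file in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()

def scan_directory(root, md5s=IOC_MD5, sha1s=IOC_SHA1, sha256s=IOC_SHA256,
                   names=IOC_FILENAMES):
    """Return [(path, reason)] for every file matching a filename or hash indicator."""
    wanted = {n.lower() for n in names}  # Windows filenames are case-insensitive
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        if path.name.lower() in wanted:
            hits.append((str(path), "filename"))
        try:
            md5, sha1, sha256 = hash_file(path)
        except OSError:  # unreadable or vanished file: skip it, keep scanning
            continue
        if md5 in md5s or sha1 in sha1s or sha256 in sha256s:
            hits.append((str(path), "hash"))
    return hits

def demo():
    """Constructed sample: a harmless file carrying one IOC filename; the second run
    extends the SHA-256 set with that file's own digest to exercise hash matching."""
    root = Path(tempfile.mkdtemp())
    (root / "contract.chm").write_bytes(b"constructed sample, not the real document")
    by_name = scan_directory(root)
    by_hash = scan_directory(root, sha256s=IOC_SHA256 | {hash_file(root / "contract.chm")[2]}, names=set())
    return by_name, by_hash
```

Run `scan_directory` against user profile and download directories on suspected hosts; a "filename" hit alone warrants a closer look at the file, while a "hash" hit is a confirmed match.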