Rewterz Threat Alert – Kimsuky APT Group – Active IOCs

Severity

High

Analysis Summary

Kimsuky is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and conducts espionage activities against targets in the United States and Japan. Kimsuky has dropped a custom backdoor which they are calling Gold Dragon. Kimsuky deploys Gold Dragon, a second-stage backdoor, after a file-less PowerShell-deploying first-stage attack is dropped. 

This group has the ability to put up phishing infrastructure that can effectively imitate well-known websites and fool users into entering their passwords. Kimsuky APT is also known by the names Thallium, Black Banshee, and Velvet Chollima. KISA (Korean Internet & Security Agency) published a full investigation of Kimsuky’s phishing infrastructure and TTPs used to attack South Korea in December 2020. To get Initial Access to victim networks, Kimsuky’s threat actors use a variety of spear phishing and social engineering techniques. This group is responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise, and other major campaigns like Operation Kabar Cobra(2019).

Impact

• Information theft and espionage
• Exposure of sensitive data

Indicators of Compromise

Domain Name

• asenal[.]medianewsonline[.]com

Filename

• [Klip 고객센터]오전송토큰해결안내[.]doc

MD5

• 52f79913a72c1afe1cd6b22445aab3e5

SHA-256

• 3ca7067d60ee47be7448da74be7dab23699cda64cac7ed0cd7a2d219875cb902

SHA-1

• 88cd07d242a82ed9e5c99b40efdd5bf8b60694ed

URL

• http[:]//asenal[.]medianewsonline[.]com/good/luck/flavor/list[.]php?query=1

Remediation

• Always be suspicious about emails sent by unknown senders.
• Never click on links/attachments sent by unknown senders.
• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.