Rewterz Threat Alert
March 21, 2022
Severity
High
Analysis Summary
Kimsuky is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and also conducts espionage against targets in the United States and Japan. Kimsuky has been observed dropping a custom backdoor tracked as Gold Dragon. Gold Dragon is a second-stage implant: it is deployed only after a fileless first stage, delivered through PowerShell, has run on the victim host.
The group is able to stand up phishing infrastructure that convincingly imitates well-known websites and tricks users into entering their credentials. Kimsuky is also tracked under the names Thallium, Black Banshee, and Velvet Chollima. In December 2020, KISA (Korea Internet & Security Agency) published a detailed investigation of the phishing infrastructure and TTPs Kimsuky used against South Korean targets. For initial access, Kimsuky relies on a variety of spear-phishing and social-engineering techniques. The group is held responsible for the 2014 compromise of Korea Hydro & Nuclear Power Co. and for other major campaigns such as Operation Kabar Cobra (2019).
Impact
- Information theft and espionage
- Exposure of sensitive data
Indicators of Compromise
Domain Name
- you[.]ilove[.]n-e[.]kr
- www[.]onedriver[.]kro[.]kr
- washer[.]cleaninter[.]online
- vpn[.]atooi[.]ga
- upload[.]myfilestore[.]cf
- upload[.]mydrives[.]ml
MD5
- 0a2c4f2a862b20ed99eeed2321080645
SHA-256
- 0b2db410c50d9e4eb7e88177c463be3da5fff5527d9dc2ae10fa26ebe2721ef1
SHA-1
- 979f8fca2aa055a19b71e01bc0f16e80889bc220
URL
- http[:]//update[.]nhuyj[.]r-e[.]kr/
- http[:]//update[.]netsvc[.]n-e[.]kr/
- http[:]//update[.]hdac-tech[.]com/
- http[:]//texts[.]letterpaper[.]press/
- http[:]//term[.]invertion[.]press/
- http[:]//smile[.]happysunday[.]space/
Remediation
- Block the listed domains, URLs and file hashes at your perimeter, DNS, proxy and endpoint controls.
- Search DNS, proxy and endpoint telemetry for the listed indicators; treat any hit as a likely first-stage infection and review the affected host for suspicious PowerShell activity.
- Treat emails from unknown senders with suspicion, and do not open attachments or follow links in unsolicited messages.
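The indicators above are published defanged (`[.]`, `[:]`), so they will never match raw telemetry until they are refanged, and a naive substring search either misses subdomains of a listed host or fires on look-alike domains that merely contain one. The following is an added example, not part of the Rewterz alert: it refangs the alert's own indicators, hunts them in a few constructed DNS and proxy log lines, and checks a file's digests against the listed hashes. The log lines, field names (`query=`, `host=`) and the benign sample bytes are constructed for illustration only.

```python
"""Hunt the alert's IOCs in local telemetry.

Added example, not part of the original alert. Indicator values are the ones
listed in the alert; log lines and sample bytes below are constructed.
"""
import hashlib
import re
from typing import Iterable
from urllib.parse import urlparse

# Indicators copied from the alert, still in defanged form.
DEFANGED_DOMAINS = [
    "you[.]ilove[.]n-e[.]kr",
    "www[.]onedriver[.]kro[.]kr",
    "washer[.]cleaninter[.]online",
    "vpn[.]atooi[.]ga",
    "upload[.]myfilestore[.]cf",
    "upload[.]mydrives[.]ml",
]
DEFANGED_URLS = [
    "http[:]//update[.]nhuyj[.]r-e[.]kr/",
    "http[:]//update[.]netsvc[.]n-e[.]kr/",
    "http[:]//update[.]hdac-tech[.]com/",
    "http[:]//texts[.]letterpaper[.]press/",
    "http[:]//term[.]invertion[.]press/",
    "http[:]//smile[.]happysunday[.]space/",
]
HASHES = {
    "md5": "0a2c4f2a862b20ed99eeed2321080645",
    "sha1": "979f8fca2aa055a19b71e01bc0f16e80889bc220",
    "sha256": "0b2db410c50d9e4eb7e88177c463be3da5fff5527d9dc2ae10fa26ebe2721ef1",
}


def refang(ioc: str) -> str:
    """Undo the [.] / [:] / hxxp defanging so the value matches real logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def watchlist_domains() -> set:
    """Hosts to match: the listed domains plus the host part of each listed URL."""
    hosts = {refang(d).lower() for d in DEFANGED_DOMAINS}
    for url in DEFANGED_URLS:
        hosts.add(urlparse(refang(url)).hostname.lower())
    return hosts


def is_watched_host(host: str, watch: set) -> bool:
    """Exact match or a subdomain of a watched host; never a bare substring match,
    so 'upload.mydrives.ml.example.net' does not fire."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watch)


# Constructed log format: key=value pairs; DNS uses query=, the proxy uses host=.
HOST_FIELD = re.compile(r"\b(?:query|host)=(?P<host>[A-Za-z0-9.-]+)")


def scan_log(lines: Iterable[str], watch: set) -> list:
    """Return (line_no, matched_host, raw_line) for every line touching a watched host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_FIELD.search(line)
        if m and is_watched_host(m.group("host"), watch):
            hits.append((n, m.group("host"), line.strip()))
    return hits


def file_digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a file's contents, keyed like HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_algorithms(digests: dict) -> list:
    """Which of the alert's hashes the given digests match (empty list = clean)."""
    return [alg for alg, h in HASHES.items() if digests.get(alg, "").lower() == h]


# Constructed sample telemetry: two DNS resolvers and one proxy, one morning.
SAMPLE_LOG = """\
2022-03-21T09:12:01Z dns client=10.0.4.17 query=www.onedriver.kro.kr type=A
2022-03-21T09:12:02Z dns client=10.0.4.17 query=login.microsoftonline.com type=A
2022-03-21T09:13:44Z proxy src=10.0.4.17 method=GET host=update.hdac-tech.com path=/ status=200
2022-03-21T09:15:10Z dns client=10.0.4.22 query=files.upload.mydrives.ml type=A
2022-03-21T09:15:11Z dns client=10.0.4.22 query=upload.mydrives.ml.example.net type=A
2022-03-21T09:16:30Z proxy src=10.0.4.22 method=GET host=smile.happysunday.space path=/x.php status=404
"""

if __name__ == "__main__":
    watch = watchlist_domains()
    for line_no, host, raw in scan_log(SAMPLE_LOG.splitlines(), watch):
        print(f"HIT line {line_no}: {host} :: {raw}")
    # A constructed benign file matches none of the listed hashes.
    print("hash matches:", matching_algorithms(file_digests(b"benign constructed sample")))
```

Lines 1, 3, 4 and 6 of the constructed log are reported: the exact listed hosts, the URL host `update.hdac-tech.com`, and the subdomain `files.upload.mydrives.ml`. Line 5 is not, because the watched name appears only as a prefix of an unrelated domain. Point `scan_log` at real DNS, proxy or EDR exports by adapting `HOST_FIELD` to their field names, and feed `file_digests` the bytes of any suspicious dropped file.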