August 24, 2022
Severity
High
Analysis Summary
Kimsuky is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and also conducts espionage against targets in the United States and Japan. Kimsuky has dropped a custom backdoor that it calls Gold Dragon. Gold Dragon is a second-stage backdoor, deployed after a fileless first stage that is delivered through PowerShell.
This group is able to stand up phishing infrastructure that convincingly imitates well-known websites and tricks users into entering their passwords. Kimsuky APT is also known as Thallium, Black Banshee, and Velvet Chollima. In December 2020, KISA (Korean Internet & Security Agency) published a full investigation of Kimsuky’s phishing infrastructure and the TTPs it used to attack South Korea. To gain initial access to victim networks, Kimsuky’s operators use a variety of spear-phishing and social-engineering techniques. The group is responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise and for other major campaigns such as Operation Kabar Cobra (2019).
In its recent campaign, a macro-enabled document sample was used with the filename 미국의 외교정책과 우리의 대응방향.doc, which translates as “US foreign policy and our response”.
Impact
- Information theft and espionage
- Exposure of sensitive data
Indicators of Compromise
MD5
- 4de19e2c39b1d193e171dc8d804005a4
SHA-256
- 6a435e2aab6dce39d626eacb39fc964967e35e94abf513da0f6511ab7b1f826e
SHA-1
- c0ee5199cc15ed05fc6edf62a193deb819572cee
URL
- http[:]//uppgrede[.]scienceontheweb[.]net/file/upload/list[.]php?query=1
Remediation
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
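One way to act on the last two remediation items (block the indicators, search for them in your environment) is an offline hunt that hashes files on disk and matches proxy log lines against the refanged URL. This is an added example, not Rewterz tooling; the proxy log lines and the directory being scanned are constructed assumptions, while the indicator values are the ones listed in this alert.

```python
import hashlib
from pathlib import Path

# Indicators exactly as listed in this alert; the URL is kept defanged.
IOC_HASHES = {
    "4de19e2c39b1d193e171dc8d804005a4",                                  # MD5
    "c0ee5199cc15ed05fc6edf62a193deb819572cee",                          # SHA-1
    "6a435e2aab6dce39d626eacb39fc964967e35e94abf513da0f6511ab7b1f826e",  # SHA-256
}
IOC_URLS_DEFANGED = ["http[:]//uppgrede[.]scienceontheweb[.]net/file/upload/list[.]php?query=1"]

# Constructed sample proxy log lines (not real telemetry).
SAMPLE_PROXY_LOG = [
    "2022-08-24T10:01:02Z 10.0.0.5 GET http://uppgrede.scienceontheweb.net/file/upload/list.php?query=1 200",
    "2022-08-24T10:01:05Z 10.0.0.7 GET https://example.com/index.html 200",
]

def refang(indicator: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in published alerts."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def hash_chunks(chunks) -> dict:
    """Compute MD5, SHA-1 and SHA-256 over an iterable of byte chunks in one pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def file_hashes(path: Path) -> dict:
    with path.open("rb") as fh:
        return hash_chunks(iter(lambda: fh.read(1 << 20), b""))

def scan_directory(root: Path) -> list:
    """Return paths under root whose MD5, SHA-1 or SHA-256 matches a listed hash."""
    return [str(p) for p in root.rglob("*")
            if p.is_file() and set(file_hashes(p).values()) & IOC_HASHES]

def scan_proxy_log(lines) -> list:
    """Return log lines that contain the refanged IOC URL or its host name."""
    urls = [refang(u) for u in IOC_URLS_DEFANGED]
    hosts = [u.split("://", 1)[-1].split("/", 1)[0] for u in urls]
    needles = urls + hosts
    return [ln for ln in lines if any(n in ln for n in needles)]

if __name__ == "__main__":
    print("proxy hits:", scan_proxy_log(SAMPLE_PROXY_LOG))
    print("file hits:", scan_directory(Path(".")))  # assumed scan root
```

Matching on the host name as well as the full URL catches requests to other paths on the same host, which the alert does not list but which share the infrastructure.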