September 16, 2022
Severity
High
Analysis Summary
Kimsuky is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and also conducts espionage against targets in the United States and Japan. In the activity covered by this alert, Kimsuky drops a custom second-stage backdoor tracked as Gold Dragon. Gold Dragon is deployed only after a fileless first stage, delivered through PowerShell, has already run on the victim host.
The group is able to stand up phishing infrastructure that convincingly imitates well-known websites and tricks users into entering their credentials. Kimsuky is also tracked as Thallium, Black Banshee, and Velvet Chollima. In December 2020, KISA (Korea Internet & Security Agency) published a full investigation of Kimsuky's phishing infrastructure and the TTPs used against South Korean targets. For initial access, Kimsuky relies on a variety of spear-phishing and social-engineering techniques. The group is held responsible for the 2014 compromise of Korea Hydro & Nuclear Power Co. and for other major campaigns such as Operation Kabar Cobra (2019).
In the recent campaign, new samples were observed under the filenames 20220915log.zip, 20220915log.tgz.scr, and AutoUpdate.dll. Note the stacked extension on 20220915log.tgz.scr: a .scr file is a Windows executable, so the name disguises an executable as a compressed archive.
Impact
- Information theft and espionage
- Exposure of sensitive data
Indicators of Compromise
MD5
- 9180925f4e7111a725890b419d021a5f
- b42aee6c6e174f663769ff8a0426b6af
- 158a8fee1a87324edb596e920e7d474e
SHA-256
- 9d60e80180e64df4dc4a74b1190864f443d23928582df42f9de9ee777e7640d6
- 86ec20d4ea22fc50cf80e3fa9998dd0678ed45039c6cd03d79048b2d9b88e6ee
- d3930b2494f45bb2c169124d4a39308303b9e8e87043afc54327c1e2a378e4e0
SHA-1
- d91d80b27b5c2d51d50300e41e6990d3eecdf2de
- a8093c518f59aa952ddecf4bb050b7bd19f75f8f
- d33a41cf65580e0e455871e63b6562572dc15577
Remediation
- Treat emails from unknown senders with suspicion, especially those carrying archives or attachments with stacked extensions such as .tgz.scr.
- Do not open links or attachments sent by unknown senders.
- Block the indicators above at your respective controls (email gateway, proxy, EDR, firewall).
- Search your environment for the indicators above, both the file hashes and the sample filenames.
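The following script is an added example of how the last two remediation steps can be carried out on a host or file share; it is not Rewterz tooling and not code from the alert. It hashes every file under a directory once with all three algorithms, compares the digests and filenames against the IOC list above, and flags any filename that stacks .scr on top of an archive extension. The sample directory it builds, the placeholder file contents, and the double-extension heuristic are assumptions of this example, not indicators from the alert.

```python
"""Hunt a directory tree for the Kimsuky indicators published in this alert.

Added example, not Rewterz tooling. The hashes and filenames are copied from
the IOC list above; the sample directory built by build_sample_tree() and the
double-extension heuristic are assumptions of this example.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators from the alert, lower-case hex, grouped by algorithm.
IOC_HASHES = {
    "md5": {
        "9180925f4e7111a725890b419d021a5f",
        "b42aee6c6e174f663769ff8a0426b6af",
        "158a8fee1a87324edb596e920e7d474e",
    },
    "sha1": {
        "d91d80b27b5c2d51d50300e41e6990d3eecdf2de",
        "a8093c518f59aa952ddecf4bb050b7bd19f75f8f",
        "d33a41cf65580e0e455871e63b6562572dc15577",
    },
    "sha256": {
        "9d60e80180e64df4dc4a74b1190864f443d23928582df42f9de9ee777e7640d6",
        "86ec20d4ea22fc50cf80e3fa9998dd0678ed45039c6cd03d79048b2d9b88e6ee",
        "d3930b2494f45bb2c169124d4a39308303b9e8e87043afc54327c1e2a378e4e0",
    },
}
# Sample filenames from the alert, compared case-insensitively.
IOC_FILENAMES = {"20220915log.zip", "20220915log.tgz.scr", "autoupdate.dll"}


def hash_file(path):
    """Return MD5, SHA-1 and SHA-256 hex digests, computed in one read pass."""
    hashers = {algo: hashlib.new(algo) for algo in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def classify(path, digests):
    """Return the reasons a file is suspicious (empty list if none)."""
    reasons = []
    name = Path(path).name.lower()
    for algo, digest in digests.items():
        if digest in IOC_HASHES[algo]:
            reasons.append(f"{algo} matches alert IOC")
    if name in IOC_FILENAMES:
        reasons.append("filename matches alert sample")
    # Heuristic (assumption, not from the alert): .scr is a PE executable on
    # Windows, so "archive.tgz.scr" is an executable posing as an archive.
    if name.endswith(".scr") and "." in name[:-4]:
        reasons.append("double extension ending in .scr")
    return reasons


def hunt(root):
    """Walk root and return {path: reasons} for every file that trips a rule."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            reasons = classify(path, digests)
            if reasons:
                hits[path] = reasons
    return hits


def build_sample_tree():
    """Constructed sample directory for demonstration; no real malware is written."""
    root = tempfile.mkdtemp(prefix="kimsuky_hunt_")
    Path(root, "notes.txt").write_bytes(b"quarterly report draft")
    Path(root, "empty.bin").write_bytes(b"")
    downloads = Path(root, "Downloads")
    downloads.mkdir()
    # Alert filename with a stacked extension; content is a placeholder, not the sample.
    (downloads / "20220915log.tgz.scr").write_bytes(b"MZ placeholder")
    # Not in the alert, but the same masquerade pattern.
    (downloads / "photos.zip.scr").write_bytes(b"MZ placeholder")
    return root


if __name__ == "__main__":
    for path, reasons in sorted(hunt(build_sample_tree()).items()):
        print(f"{path}: {'; '.join(reasons)}")
```

Point hunt() at a real root (a user profile, a download share, a mail quarantine) instead of the constructed tree. A hash match is the only hard confirmation; a filename or double-extension hit is a lead to triage, since the attacker can rename the dropper at will. MD5 is included only because the alert lists it; on a FIPS-restricted host hashlib.new("md5") raises and that algorithm has to be dropped from IOC_HASHES.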