Severity
High
Analysis Summary
Kimsuky is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and also conducts espionage against targets in the United States and Japan. Kimsuky has dropped a custom backdoor that has been named Gold Dragon. Gold Dragon is a second-stage backdoor; Kimsuky deploys it after a file-less, PowerShell-based first stage has been dropped.
The group is capable of standing up phishing infrastructure that convincingly imitates well-known websites and tricks users into entering their passwords. Kimsuky APT is also known by the names Thallium, Black Banshee, and Velvet Chollima. In December 2020, KISA (Korea Internet & Security Agency) published a full investigation of Kimsuky's phishing infrastructure and the TTPs it used to attack South Korea. To gain initial access to victim networks, Kimsuky's operators use a variety of spear-phishing and social-engineering techniques. The group is held responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise and for other major campaigns such as Operation Kabar Cobra (2019).
In its recent campaign, new samples were used with the filenames 20220915log.zip, 20220915log.tgz.scr, and AutoUpdate.dll.
Impact
- Information theft and espionage
- Exposure of sensitive data
Indicators of Compromise
MD5
- 77b7856144515bb3905df8b3fb210a2e
- 12539ac37a81cc2e19338a67d237f833
- aed88aac9dafd46c7c33617c77cc808f
SHA-256
- 7903bdf0976d5c6f3c28abf40c41414380f4494a8bf72af9e27ff810599faaf2
- db18e23bebb8581ba5670201cea98ccf71ecea70d64856b96c56c63c61b91bbe
- f63ff642e7025db96d6ebbd6da26aa9cece4f132891ce2a8385d7c034a7ead25
SHA-1
- c9d4eb66b4a150dc27f881b7a7b935f4253d1cfb
- 39a61c4d9d25c8ed1b38b1a51a8ef0b5cf51ce10
- 07b9c06bef6fb7f2f91c495ba84fdd8d5cd85b22
URL
- http[:]//office[.]pushitlive[.]net/index[.]php
- http[:]//qwert[.]mine[.]bz/index[.]php
Remediation
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
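An added example for the last two remediation steps (it is not part of the advisory): a Python sweep that hashes every file under a directory and reports any file whose MD5, SHA-1 or SHA-256 matches a hash listed above, or whose name matches one of the sample filenames. The directory root and the sample files used to exercise it are assumptions; note that the `.tgz.scr` name is a Windows screensaver executable disguised as an archive, so the filename check is worth keeping even when hashes have changed.

```python
import hashlib
import os

# Hash indicators quoted from the advisory above (MD5, SHA-1 and SHA-256 share one set;
# their hex lengths differ, so there is no collision between hash types).
ADVISORY_HASHES = {
    "77b7856144515bb3905df8b3fb210a2e",
    "12539ac37a81cc2e19338a67d237f833",
    "aed88aac9dafd46c7c33617c77cc808f",
    "c9d4eb66b4a150dc27f881b7a7b935f4253d1cfb",
    "39a61c4d9d25c8ed1b38b1a51a8ef0b5cf51ce10",
    "07b9c06bef6fb7f2f91c495ba84fdd8d5cd85b22",
    "7903bdf0976d5c6f3c28abf40c41414380f4494a8bf72af9e27ff810599faaf2",
    "db18e23bebb8581ba5670201cea98ccf71ecea70d64856b96c56c63c61b91bbe",
    "f63ff642e7025db96d6ebbd6da26aa9cece4f132891ce2a8385d7c034a7ead25",
}
# Sample filenames from the advisory, lower-cased for a case-insensitive match
# (Windows filesystems are case-insensitive; ".scr" is a screensaver executable).
ADVISORY_FILENAMES = {"20220915log.zip", "20220915log.tgz.scr", "autoupdate.dll"}


def file_digests(path):
    """Return the MD5, SHA-1 and SHA-256 hex digests of one file, read in 1 MiB chunks."""
    hashes = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes:
                h.update(chunk)
    return {h.hexdigest() for h in hashes}


def hunt(root, hashes=ADVISORY_HASHES, filenames=ADVISORY_FILENAMES):
    """Walk `root` (an assumed directory) and return (path, reason) pairs for every
    file that matches an indicator; `reason` is "filename" or "hash"."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):    # skip sockets, devices, dangling symlinks
                continue
            if name.lower() in filenames:
                hits.append((path, "filename"))
            try:
                if file_digests(path) & hashes:
                    hits.append((path, "hash"))
            except OSError:                 # unreadable file: log-worthy, but keep sweeping
                continue
    return hits


if __name__ == "__main__":
    import sys
    for path, reason in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:8} {path}")
```

Run it as `python hunt.py <directory>`; a "hash" hit is a confirmed indicator match, while a "filename" hit is a lead that still needs the file examined.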