Analysis of Martial-Law-Themed APT Attacks and Their Link to the Kimsuky Group
Contents
◈ Executive Summary
- In-depth analysis of APT attacks exploiting the martial law declaration in South Korea and related political and social issues
- Malicious file download URL delivered through spear-phishing e-mails
- Benign or malicious file served depending on whether the target runs macOS or Windows
- Control Panel item (.cpl) file and a fake Google updater used in an attempt to evade initial detection
- Growing need to adopt EDR as increasingly sophisticated APT attacks continue to rise
1. Overview
○ On Wednesday, 11 December 2024 at 1:45 p.m., a spear-phishing e-mail titled 「FW: 방첩사 작성한 "계엄 문건" 공개」 ("FW: Release of the 'martial law document' drafted by the Defense Counterintelligence Command") was sent indiscriminately to people working in North Korea-related fields. Separately, the Comprehensive Analysis Team of the Threat Analysis Division at the Korea Internet & Security Agency (KISA) posted a security notice titled 'Advisory on Cyber Attacks Exploiting the Martial Law Issue'. The main points of that advisory are as follows.
○ This case combined social engineering around the martial law issue with a Windows Control Panel file carrying the CPL extension. The purpose of this tactic is to raise the chance that the target opens the threat by exploiting curiosity, and to evade the known-pattern detection of the anti-virus product installed on the endpoint.
○ If even a single module built for state-sponsored APT attacks reaches an internal endpoint, the potential risk keeps growing. Therefore, to identify previously unknown threats more proactively, …
IoC (Indicators of Compromise)
URLs and domains:
http://104.21.48.88
http://accounts.kakao-login.com
http://172.67.182.18
http://accounts.intorpark.com
http://googlauth.com
http://104.21.59.136
http://112.175.185.59
http://accountsmt.certuser.info
http://172.67.219.166
http://medicert.com-silver.site
http://124.5.163.170
http://104.21.86.123
http://172.67.128.127
http://com-info.store
http://104.21.62.150
http://172.67.179.222
http://104.21.43.94
http://104.21.34.210
http://yecchong.com
http://172.67.193.25
http://104.21.68.29
http://accounts-google.com-info.store
http://accounts.kakao-check.com
http://certuser.info
http://119.204.168.143
http://172.67.173.157
http://209.99.40.222
http://104.21.13.241
http://172.67.137.64
http://104.21.32.94
http://172.67.136.182
http://104.21.96.63
http://samsunghospitol.com
http://accounts.kakao-auth.com
http://goodemail.info
http://104.21.13.127
http://124.5.163.111
http://event.stibee.navers.store
http://172.67.132.211
http://104.21.43.135
http://172.67.200.125
http://nid.auth-require.com
http://206.206.123.55
http://172.67.177.152
http://kyf-dream.com
http://104.21.54.128
http://172.67.181.81
http://lotto-rich.com
http://medis.navers.store
http://104.21.36.135
http://navers.com-active.store
http://104.21.61.63
http://yes24.vip
http://accounts.kakao-verify.com
http://104.21.36.117
http://172.67.208.102
http://nid.naverify.com
http://104.21.56.41
http://112.214.237.131
http://navers.store
http://172.67.133.130
http://104.21.69.121
http://172.67.185.123
http://27.102.130.92
http://112.175.185.19
http://104.21.51.149
http://nid.naver-check.com
http://accounts.login-require.com
http://210.92.18.185
http://161.97.100.171
http://172.67.187.104
http://puac.net
http://172.67.162.231
http://review.accountprotection.info
http://172.67.205.159
http://172.67.176.240
http://104.21.77.81
http://accountprotection.info
http://104.21.2.11
http://jongnno.com
http://49.1.238.247
http://mid.naveos.website
http://104.21.60.195
http://unniedu.com
http://172.67.183.9
http://216.74.123.97
http://navauth.com
http://nid.naver-auth.com
http://104.21.14.107
http://112.214.236.86
http://104.21.42.163
http://ads.mailattachmentimageurlxyz.site
http://104.21.65.82
http://172.67.139.63
http://stibee.navers.store
http://172.67.168.65
http://unusual.navers.store
http://104.21.51.95
http://104.21.86.221
http://panmuntour.com
http://accounts.goodemail.info
http://118.36.192.211
http://104.21.62.206
http://github.com/adrhpbrn29
http://172.67.138.180
http://104.21.74.209
http://kcar-service.com
http://vida.ns.cloudflare.com
http://100000recipe.com
http://172.67.189.105
http://sarkcc.com
http://104.21.26.97
http://222.122.195.67
http://seouul.com
http://104.21.48.172
http://campaign2-nid.com
http://172.67.177.237
https://github.com/
http://knovvhow.com
http://navers.com-silver.site
http://172.67.208.4
http://glaed-hotel.com
http://104.21.75.198
http://118.33.224.29
http://172.67.178.31
http://troy.ns.cloudflare.com
http://172.67.163.138
http://172.67.185.83
http://172.67.158.166
http://172.67.194.212
http://210.92.18.161
http://172.67.206.189
http://77.247.126.189
http://merryear.com
http://ms-work.com-info.store
http://49.1.234.75
http://kakauth.com
https://review.accountprotection.info/upload
IP addresses:
172.67.205.159
172.67.185.123
77.247.126.189
104.21.48.88
209.99.40.222
172.67.189.105
104.21.14.107
104.21.34.210
104.21.36.117
104.21.2.11
104.21.65.82
104.21.69.121
172.67.133.130
172.67.162.231
172.67.183.9
49.1.234.75
172.67.137.64
172.67.178.31
216.74.123.97
172.67.173.157
172.67.177.237
172.67.208.102
104.21.62.150
172.67.177.152
112.214.237.131
104.21.42.163
172.67.138.180
172.67.194.212
172.67.219.166
172.67.185.83
222.122.195.67
119.204.168.143
172.67.181.81
104.21.77.81
118.33.224.29
104.21.54.128
104.21.51.149
104.21.60.195
104.21.96.63
104.21.13.127
104.21.61.63
161.97.100.171
172.67.128.127
172.67.136.182
112.175.185.59
104.21.51.95
104.21.48.172
172.67.206.189
104.21.43.94
104.21.13.241
27.102.130.92
172.67.163.138
172.67.179.222
124.5.163.111
210.92.18.161
104.21.59.136
124.5.163.170
104.21.32.94
104.21.75.198
104.21.26.97
172.67.139.63
104.21.86.123
49.1.238.247
104.21.56.41
172.67.176.240
172.67.193.25
206.206.123.55
104.21.68.29
104.21.36.135
104.21.86.221
172.67.132.211
118.36.192.211
172.67.200.125
172.67.158.166
104.21.74.209
104.21.62.206
172.67.182.18
112.214.236.86
172.67.168.65
210.92.18.185
172.67.187.104
104.21.43.135
112.175.185.19
172.67.208.4
File hashes (MD5):
8fb97b701da7e49e6a78717f0179dd68
71d5270d1a165bb6dec144e16089450d
F8DDE3DE3410D7A444FCFEABFBB963E4
fc7315b6b74aa43ab24965f3648f01a6
c3bbdd7142b1b86e638e8585a4b16c7b
9e94126e8a26efd10b2a5b179d64be90
35b4f28dd2d50dbf48e5c63c3ef5efb7
66e8096b9b061550314a82654ce0fabd
5108C225B68C5D229B83BF62E0E357B0
929a87be39ed3ad28e7285340f64414f
72fc2de8e9339969b9be2bb4363e2741
456d05566fc3391e195a5f9cb346c92c
ca93591a9441a2ade70821f67292d982
25156a29ad636eb708104ec69b05e54b
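The following is an added example, not code from the original report or from KISA or the report's author. It turns the mixed IoC list above (URLs, bare IPs and MD5 digests in one column) into matching logic and runs it over constructed proxy and mail-gateway log lines, and it also flags .cpl attachments, the lure file type described in the overview. The IoC excerpt embedded in the script is copied from the list above; the log formats, the sample log lines and the attachment names are assumptions made for the example.

```python
# Added example (not from the original report): turn the report's IoC list into
# matching logic that can be run over proxy and mail-gateway logs.
import hashlib
import re
from urllib.parse import urlsplit

# Excerpt of the report's IoC block, pasted verbatim. URLs, bare IPs and MD5
# digests arrive mixed in one list, so the parser has to classify each line.
IOC_TEXT = """
http://accounts.kakao-login.com
http://172.67.182.18
http://nid.naver-check.com
http://certuser.info
https://review.accountprotection.info/upload
104.21.48.88
8fb97b701da7e49e6a78717f0179dd68
F8DDE3DE3410D7A444FCFEABFBB963E4
"""

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
ATTACH_RE = re.compile(r'attachment="([^"]*)"')  # assumed mail-gateway log field


def parse_iocs(text):
    """Split a mixed IoC list into (hostnames, IPv4 addresses, MD5 digests).

    URL entries are reduced to their host part; a URL whose host is an IP is
    filed under the IP set. Everything is lower-cased so lookups are
    case-insensitive (the report mixes upper- and lower-case hashes).
    """
    hosts, ips, md5s = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if MD5_RE.match(line):
            md5s.add(line.lower())
            continue
        host = urlsplit(line).hostname if "://" in line else line
        if not host:
            continue
        host = host.lower()
        (ips if IPV4_RE.match(host) else hosts).add(host)
    return hosts, ips, md5s


def host_hits(host, hosts, ips):
    """Return the matching indicator, or None.

    A hostname matches when it equals an IoC domain or is a subdomain of one
    (so 'accountsmt.certuser.info' is caught by 'certuser.info'); IPs match exactly.
    """
    host = host.lower()
    if host in ips:
        return host
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def scan_proxy_log(lines, hosts, ips):
    """Return [(line_no, requested_host, indicator)] for proxy log lines whose
    URL points at an IoC host or IP. Assumed format: whitespace-separated
    fields with the full URL in one of them."""
    findings = []
    for n, line in enumerate(lines, 1):
        for field in line.split():
            if "://" not in field:
                continue
            host = urlsplit(field).hostname
            hit = host_hits(host, hosts, ips) if host else None
            if hit:
                findings.append((n, host.lower(), hit))
    return findings


def flag_cpl_attachments(mail_lines):
    """Return [(line_no, filename)] for mail-gateway lines carrying a .cpl
    attachment, the Control Panel file type the report names as the lure."""
    return [(n, name) for n, line in enumerate(mail_lines, 1)
            for name in ATTACH_RE.findall(line) if name.lower().endswith(".cpl")]


def is_known_hash(hex_digest, md5s):
    """Case-insensitive lookup of an MD5 digest against the IoC set."""
    return hex_digest.lower() in md5s


def md5_hex(data):
    """MD5 of raw file bytes, in the same lower-case hex form as the IoC set."""
    return hashlib.md5(data).hexdigest()


# Constructed sample logs (not real telemetry) so the script runs stand-alone.
PROXY_LOG = [
    "2024-12-11T13:47:02 10.0.0.5 GET https://accounts.kakao-login.com/login 200",
    "2024-12-11T13:47:09 10.0.0.5 GET https://www.example.org/ 200",
    "2024-12-11T13:48:31 10.0.0.7 GET http://accountsmt.certuser.info/verify 302",
    "2024-12-11T13:49:10 10.0.0.9 GET http://104.21.48.88/ 200",
]
MAIL_LOG = [
    '2024-12-11T13:45:00 from=<sender@example.net> attachment="document.cpl"',
    '2024-12-11T13:50:12 from=<colleague@example.net> attachment="agenda.pdf"',
]

if __name__ == "__main__":
    hosts, ips, md5s = parse_iocs(IOC_TEXT)
    for finding in scan_proxy_log(PROXY_LOG, hosts, ips):
        print("proxy hit:", finding)
    for flagged in flag_cpl_attachments(MAIL_LOG):
        print("cpl attachment:", flagged)
    print("hash known:", is_known_hash("F8DDE3DE3410D7A444FCFEABFBB963E4", md5s))
```

Two caveats before running this over the full list: several entries are shared infrastructure rather than attacker-owned (github.com, the *.ns.cloudflare.com nameservers, and the 104.21.x.x / 172.67.x.x addresses, which are Cloudflare reverse-proxy ranges fronting many unrelated sites), so a bare IP or nameserver match should be treated as a weak signal and a lookalike-domain match (navers.store, kakao-login.com, naver-check.com and the like) as the strong one. The domain suffix matching also means a parent domain such as certuser.info catches every subdomain, which is what you want for attacker-registered domains but would be far too noisy for a shared host.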