lazarusholic


Back to the Future: Inside the Kimsuky KGH Spyware Suite

2020-11-02, Cybereason
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
#Kimsuky #KGH_SPY

Contents

Research by: Assaf Dahan, Lior Rochberger, Daniel Frank and Tom Fakterman
The Cybereason Nocturnus Team has been tracking various North Korean threat actors, among them the cyber espionage group known as Kimsuky (aka Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012 and is believed to operate on behalf of the North Korean regime. The group has a long and notorious history of offensive cyber operations, historically focused on South Korean think tanks; over the past few years it has expanded its targeting to the United States, Russia and several European countries. Observed targets include:
• Pharmaceutical/Research companies working on COVID-19 vaccines and therapies
• UN Security Council
• South Korean Ministry of Unification
• Various Human Rights Groups
• South Korean Institute for Defense Analysis
• Various Education and Academic Organizations
• Various Think Tanks
• Government Research Institutes
• Journalists covering Korean …

IoC

IP address
173.205.125.124

File hashes (SHA-256)
252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c
65fe4cd6deed85c3e39b9c1bb7c403d0e69565c85f7cd2b612ade6968db3a85c
66fc8b03bc0ab95928673e0ae7f06f34f17537caf159e178a452c2c56ba6dda7
7158099406d99db82b7dc9f6418c1189ee472ce3c25a3612a5ec5672ee282dc0
7af3930958f84e0b64f8297d1a556aab359bb65691208dc88ea4fc9698250c43
97d4898c4e70335f0adbbace34593236cb84e849592e5971a797554d3605d323
af13b16416760782ec81d587736cb4c9b2e7099afc10cb764eeb4c922ee8802f
bcf4113ec8e888163f1197a1dd9430a0df46b07bc21aba9c9a1494d2d07a2ba9
d88c5695ccd83dce6729b84c8c43e8a804938a7ab7cfeccaa0699d6b1f81c95c
e4d28fd7e0fc63429fc199c1b683340f725f0bf9834345174ff0b6a3c0b1f60e
e9ea5d4e96211a28fe97ecb21b7372311a6fa87ce23db4dd118dc204820e011c
f989d13f7d0801b32735fee018e816f3a2783a47cff0b13d70ce2f1cbc754fb9
fa282932f1e65235dc6b7dba2b397a155a6abed9f7bd54afbc9b636d2f698b4b

File hashes (SHA-1)
87b35e1998bf00a8b7e32ed391c217deaec408ad
90d00ecb1e903959a3853e8ee1c8af89fb82a179
f846981567760d40b5a90c8923ca8c2e7c881c5f

URLs and domains
http://attachchosun.atwebpages.com/leess1982/leess1982.ps1
http://csv.posadadesantiago.com
http://csv.posadadesantiago.com/home/up.php?id=[Machine_name
http://csv.posadadesantiago.com/home?id=
http://dongkuiri.atwebpages.com/venus02/venus03/venus03.ps1
http://eastsea.or.kr/?m=a&p1=00000009&p2=Win6.1.7601x64-Spy-v2370390
http://foxonline123.atwebpages.com/home/jpg/download.php?filename=flower03
http://hao.aini.pe.hu/init/image?i=ping&u=8dc1078f1639d34c&p=wait
http://jmable.mireene.com/shop/kcp/js/com/expres.php?op=2
http://mernberinfo.tech/wp-data/?m=dunan&p=de3f6e263724&v=win6.1.0-sp1-x64
http://myaccounts.posadadesantiago.com
http://myaccounts.posadadesantiago.com/test/Update
http://myaccounts.posadadesantiago.com/test/Update.php?wShell=201
http://nhpurumy.mireene.com/theme/basic/skin/member/basic/
http://portable.epizy.com/img/png/download.php?filename=images01
http://wave.posadadesantiago.com
http://wave.posadadesantiago.com/home/dwn.php?van=101
http://wave.posadadesantiago.com/home/dwn.php?van=102
http://wave.posadadesantiago.com/home/dwn.php?van=10860
http://www.eventosatitlan.com
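Raw IoC lists like the one above mix IPs, hashes of two different digest lengths and full URLs, and they arrive in inconsistent letter case. The following Python is an added example, not code from Cybereason or from this page, showing how a practitioner would normalize such a list before loading it into detection tooling: classify each line by indicator type, lowercase hashes so matching is exact, reduce the URL indicators to their hostnames, and sweep constructed proxy-log lines for those hosts. The sample indicators are a subset copied from the list above; the proxy-log lines and the `not-an-indicator` entry are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Subset of the IoC list above, plus one constructed junk line to show
# how unrecognized entries are surfaced rather than silently dropped.
SAMPLE_IOCS = """
173.205.125.124
252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c
87b35e1998bf00a8b7e32ed391c217deaec408ad
Bcf4113ec8e888163f1197a1dd9430a0df46b07bc21aba9c9a1494d2d07a2ba9
http://csv.posadadesantiago.com
http://csv.posadadesantiago.com/home/up.php?id=[Machine_name
http://wave.posadadesantiago.com/home/dwn.php?van=101
http://wave.posadadesantiago.com/home/dwn.php?van=102
http://eastsea.or.kr/?m=a&p1=00000009&p2=Win6.1.7601x64-Spy-v2370390
not-an-indicator
"""

# Constructed proxy-log lines (not from the report) used for the hunt below.
SAMPLE_PROXY_LOG = [
    "2020-11-02T10:01:12Z 10.0.0.5 GET http://wave.posadadesantiago.com/home/dwn.php?van=10860 200",
    "2020-11-02T10:01:40Z 10.0.0.7 GET http://www.example.com/index.html 200",
    "2020-11-02T10:02:03Z 10.0.0.9 GET http://EASTSEA.or.kr/?m=a 200",
]

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm


def classify(token):
    """Return (kind, normalized_value) for one indicator line."""
    token = token.strip()
    if IPV4_RE.match(token) and all(0 <= int(o) <= 255 for o in token.split(".")):
        return "ipv4", token
    if HEX_RE.match(token) and len(token) in HASH_LENGTHS:
        # Hex digests are case-insensitive; lowercase so exact-match lookups work.
        return HASH_LENGTHS[len(token)], token.lower()
    if token.startswith(("http://", "https://")):
        return "url", token
    return "unknown", token


def parse_iocs(text):
    """Classify every non-empty line, dedupe, return {kind: sorted values}."""
    buckets = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, value = classify(line)
        buckets.setdefault(kind, set()).add(value)
    return {kind: sorted(values) for kind, values in buckets.items()}


def _hostname(url):
    """Hostname of a URL, or None if it cannot be parsed (e.g. stray brackets)."""
    try:
        return urlparse(url).hostname  # urlparse lowercases the host for us
    except ValueError:
        return None


def hosts_from_urls(urls):
    """Distinct hostnames behind the URL indicators, for DNS/proxy hunting."""
    return sorted({h for h in (_hostname(u) for u in urls) if h})


def hunt_proxy_log(lines, hosts):
    """Return the log lines whose requested URL points at an indicator host."""
    wanted = set(hosts)
    hits = []
    for line in lines:
        for tok in line.split():
            if tok.startswith(("http://", "https://")) and _hostname(tok) in wanted:
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE_IOCS)
    for kind, values in parsed.items():
        print(f"{kind}: {len(values)}")
    hosts = hosts_from_urls(parsed.get("url", []))
    print("hosts:", hosts)
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG, hosts):
        print("HIT", hit)
```

Hostname extraction is what turns a URL list into something a DNS or proxy log can be matched against: the `van=101`/`van=102` URLs collapse to a single host, and a request to `EASTSEA.or.kr` still matches because hostnames are compared case-insensitively. Anything that does not fit a known shape lands in `unknown` so it can be reviewed rather than lost.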