Disclosing new PebbleDash-based tools by Kimsuky
Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky (aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail), a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout multiple phases of the group’s latest campaigns.
Kimsuky has continuously introduced new malware variants based on the PebbleDash platform, a tool historically leveraged by the Lazarus Group but appropriated by Kimsuky since at least 2021. Our monitoring indicates various strategic updates to the group’s arsenal, including the use of VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, large language models (LLMs), and the Rust programming language. This expanding set of tools underscores the group’s ongoing adaptation and evolution.
Specifically, Kimsuky leveraged legitimate VSCode tunneling mechanisms to establish persistence and distributed the open-source DWAgent remote monitoring and management tool for post-exploitation activities. These activities affected various sectors in South Korea, impacting both public and …
IoC
http://naedomain.hankook
http://load.supershop.o-r.kr
http://load.erasecloud.n-e.kr
https://vscode.dev/tunnel
http://erp.spaceme.p-e.kr
https://www.dwservice.net/
http://load.ssangyongcne.o-r.kr
https://www.yespp.co.kr/common/include/code/out.php
http://node896147.dwservice.net
http://node484265.dwservice.net
https://www.pyrotech.co.kr/common/include/tech/default.php
http://newjo-imd.com/common/include/library/default.php
https://vscode.download.prss.microsoft.com/dbazure/download/stable/1e3c50d64110be466c0b4a45222e81d2c9352888/vscode_cli_win32_x64_cli.zip
http://file.bigcloud.n-e.kr
http://female-disorder-beta-metropolitan.trycloudflare.com
http://female-disorder-beta-metropolitan.trycloudflare.com/index.php
http://attach.docucloud.o-r.kr
http://load.yju.o-r.kr
https://file.bigcloud.n-e.kr/index.php
http://morames.r-e.kr
https://vscode.download.prss.microsoft.com/dbazure/download/stable/bf9252a2fb45be6893dd8870c0bf37e2e1766d61/vscode_cli_win32_x64_cli.zip
https://github.com/login/device
http://node828765.dwservice.net
http://내도메인.
http://opedromos1.r-e.kr
http://cms.spaceyou.o-r.kr
https://vscode.dev/tunnel/
http://load.auraria.org
c42ae004badddd3017adadbdd1421e00
8e15c4d4f71bdd9dbc48cd2cabc87806
f73ba062116ea9f37d072aa41c7f5108
08160acf08fccecde7b34090db18b321
8983ffa6da23e0b99ccc58c17b9788c7
9fe43e08c8f446554340f972dac8a68c
bf9252a2fb45be6893dd8870c0bf37e2e1766d61
65fc9f06de5603e2c1af9b4f288bb22c
7e0825019d0de0c1c4a1673f94043ddb
5c373c2116ab4a615e622f577e22e9be
f4465403f9693939fe9c439f0ab33610
94faed9af49c98a89c8acc55e97276c9
678fb1a87af525c33ba2492552d5c0e2
58ac2f65e335922be3f60e57099dc8a3
1e3c50d64110be466c0b4a45222e81d2c9352888
a7f0a18ac87e982d6f32f7a715e12532
995a0a49ae4b244928b3f67e2bfd7a6e
c19aeaedbbfc4e029f7e9bdface495b9
d1ec20144c83bba921243e72c517da5e
52f1ff082e981cbdfd1f045c6021c63f
9ca5f93a732f404bbb2cee848f5bbda0
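The IoC list above mixes three indicator types (URLs, 32-hex MD5 digests and 40-hex SHA-1 values) and, as the summary notes, several of the URLs belong to legitimate services the actor abuses (VSCode tunnels, DWService, GitHub device login, Cloudflare Quick Tunnels) rather than to actor-owned hosts. The following Python script is an added example, not code from the report, showing how a defender can load such a dump, classify each indicator, and sweep proxy logs and file-hash exports for matches while keeping the two host classes apart. The IoC subset is copied from the list above; the proxy log lines, hash list, the `ABUSED_LEGIT_SUFFIXES` grouping and the severity labels are constructed assumptions for the example.

```python
"""IoC triage and log sweep for the indicators listed above (added example)."""
import re
from urllib.parse import urlparse

# Subset of the indicators from the IoC list above, copied verbatim.
REPORT_IOCS = """
http://load.supershop.o-r.kr
https://vscode.dev/tunnel
https://www.dwservice.net/
http://node896147.dwservice.net
https://www.yespp.co.kr/common/include/code/out.php
http://female-disorder-beta-metropolitan.trycloudflare.com/index.php
https://github.com/login/device
c42ae004badddd3017adadbdd1421e00
8e15c4d4f71bdd9dbc48cd2cabc87806
bf9252a2fb45be6893dd8870c0bf37e2e1766d61
1e3c50d64110be466c0b4a45222e81d2c9352888
"""

# Legitimate services the actor abuses rather than infrastructure it owns.
# A hit here is a lead for analyst review, not an automatic block. This grouping
# is our assumption for the example, not a classification made by the report.
ABUSED_LEGIT_SUFFIXES = ("vscode.dev", "dwservice.net", "github.com",
                         "vscode.download.prss.microsoft.com", "trycloudflare.com")

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify(ioc: str) -> str:
    """Return the indicator type: 'url', 'md5', 'sha1' or 'unknown'."""
    if ioc.startswith(("http://", "https://")):
        return "url"
    if HEX_RE.match(ioc):
        return {32: "md5", 40: "sha1"}.get(len(ioc), "unknown")
    return "unknown"


def load_iocs(text: str) -> dict:
    """Parse an IoC dump into host names, normalised URLs and lower-cased hashes."""
    iocs = {"hosts": set(), "urls": set(), "md5": set(), "sha1": set()}
    for raw in text.splitlines():
        ioc = raw.strip()
        if not ioc:
            continue
        kind = classify(ioc)
        if kind == "url":
            host = urlparse(ioc).hostname
            if host:
                iocs["hosts"].add(host.lower())
            iocs["urls"].add(ioc.lower().rstrip("/"))
        elif kind in ("md5", "sha1"):
            iocs[kind].add(ioc.lower())
    return iocs


def is_abused_legit(host: str) -> bool:
    """True when the host is a legitimate service from ABUSED_LEGIT_SUFFIXES."""
    return any(host == s or host.endswith("." + s) for s in ABUSED_LEGIT_SUFFIXES)


def scan_proxy_log(lines, iocs):
    """Match the URL field of proxy log lines (ts src method url status) against IoC hosts.

    Returns (line_no, host, severity); severity separates actor-owned hosts from
    abused legitimate services so the latter get context before any blocking.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlparse(parts[3]).hostname
        if not host:
            continue
        host = host.lower()
        if host in iocs["hosts"]:
            severity = "legit_service_abuse" if is_abused_legit(host) else "actor_infra"
            hits.append((n, host, severity))
    return hits


def scan_hashes(hashes, iocs):
    """Return (hash, kind) for file hashes found in the MD5 or SHA-1 IoC sets."""
    found = []
    for h in hashes:
        kind = classify(h)
        if kind in ("md5", "sha1") and h.lower() in iocs[kind]:
            found.append((h.lower(), kind))
    return found


# Constructed sample proxy log lines and an EDR hash export; not real data.
SAMPLE_PROXY_LOG = [
    "2025-05-12T09:14:02Z 10.1.2.30 GET https://vscode.dev/tunnel 200",
    "2025-05-12T09:14:05Z 10.1.2.30 GET http://node896147.dwservice.net/ 200",
    "2025-05-12T09:15:11Z 10.1.2.31 GET https://www.example.com/ 200",
    "2025-05-12T09:16:40Z 10.1.2.30 GET http://load.supershop.o-r.kr/update 200",
]
SAMPLE_HASHES = ["C42AE004BADDDD3017ADADBDD1421E00",
                 "ffffffffffffffffffffffffffffffff",
                 "bf9252a2fb45be6893dd8870c0bf37e2e1766d61"]

if __name__ == "__main__":
    iocs = load_iocs(REPORT_IOCS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(hit)
    for hit in scan_hashes(SAMPLE_HASHES, iocs):
        print(hit)
```

Matching on host rather than full URL catches the tunnel and DWAgent traffic even when the path differs from the listed one, which is why the two severities matter: a host in the actor's own `*.o-r.kr` / `*.n-e.kr` style infrastructure is a clean alert, whereas `vscode.dev` or `dwservice.net` traffic also occurs in benign use and needs the surrounding process and user context before it is treated as an incident.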