Espionage Operation Disguised as Software Installers by Kimsuky (APT-Q-2)
Group Background
Kimsuky, also known as Mystery Baby, Baby Coin, Smoke Screen, Black Banshee and other names, is tracked internally by QiAnXin as APT-Q-2. The group was publicly disclosed in 2013, its earliest known attack activity dates back to 2012, and it is suspected to originate from Northeast Asia. Kimsuky primarily targets South Korea, in sectors including defense, education, energy, government, healthcare, and think tanks, with the goal of stealing confidential information. The group typically delivers its malware through social engineering, spear-phishing emails, watering-hole attacks, and similar methods, and maintains a range of attack techniques and tooling for both Windows and Android platforms.
Incident Overview
Recently, the QiAnXin Threat Intelligence Center discovered a batch of espionage samples disguised as installers for software products of SGA, a South Korean software company. When executed, the samples drop a legitimate installation package to deceive the victim while covertly executing a malicious DLL that has been processed with VMProtect. The malicious DLLs, implemented in …
IoC