lazarusholic

Kimsuky 3

2024-03-12, somedieyoungZZ
https://somedieyoungzz.github.io/posts/kimsuky-3/
#Kimsuky #YARA

Introduction
In my previous blog post, I covered the analysis of a North Korea-based APT group called Kimsuky. We examined a malicious PowerShell script that acted as a backdoor for the adversary. Let’s revisit some key points about Kimsuky:
- Kimsuky was first publicly disclosed and named by Kaspersky in 2013, although its attack activity can be traced back to 2012. It is an APT organization suspected to have a background in East Asian countries.
- The name Kimsuky comes from the email account to which the stolen information was sent in the attack first reported by the Russian security company Kaspersky: "Kimsukyang".
- It has used numerous malware families such as Gold Dragon, BabyShark and AppleSeed. It is also known as Thallium, Velvet Chollima and Black Banshee.
Looking through my daily bazaar feed, I found this sample, named “SW보안점검표(개발자 사전점검용)_v2.0_beta.xlsm .vbs”. Translated, the name means “SW security …

IoC

rule kimsuky_VBS_script
{
    meta:
        author = "somedieyoungZZ"
        date = "2024-03-13"

    strings:
        $header = { 45 53 }                                     // VBScript header bytes expected at offset 0
        $programShell_func = "WScript.Shell" wide ascii         // shell object used to run commands
        $createTextFile_func = "CreateTextFile" wide ascii      // writes the dropped payload to disk
        $filename_pattern = /malicious_[^.]+\.b64/ wide ascii   // name of the dropped base64 file
        $certutil_cmd = "certutil -decode" wide ascii           // LOLBin used to decode the base64 file
        $xor_key = { 8d }                                       // single-byte XOR key used by the script
        $base64_regex = /[A-Za-z0-9+\/]+={0,2}/                 // embedded base64 blob

    condition:
        ($header at 0 or uint16(0) == 0x4553) and
        ($programShell_func or $createTextFile_func) and
        $filename_pattern and
        $certutil_cmd and
        $xor_key and
        $base64_regex
}