lazarusholic

Kimsuky APT continues to target South Korean government using AppleSeed backdoor

2021-06-01, Malwarebytes
https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
#Kimsuky #AppleSeed

Contents

This blog post was authored by Hossein Jazi.
The Kimsuky APT, also known as Thallium, Black Banshee, and Velvet Chollima, is a North Korean threat actor that has been active since 2012. The group conducts cyber-espionage operations against government entities, mainly in South Korea. In December 2020, KISA (Korea Internet & Security Agency) published a detailed analysis of the phishing infrastructure and TTPs Kimsuky uses against South Korean targets.
The Malwarebytes Threat Intelligence team is actively monitoring this actor and has identified phishing websites, malicious documents, and scripts used to target high-profile people within the government of South Korea. The infrastructure and TTPs seen in these recent activities align with what KISA reported.
Targets
One of the lures used by Kimsuky, named "외교부 가판 2021-05-07" in Korean, translates to "Ministry of Foreign Affairs Edition 2021-05-07", which indicates that it has been …

IoC

210.16.120.34
210.16.121.137
216.189.157.89
27.102.107.63
27.102.114.89
45.13.135.103
45.58.55.73
58.229.208.146
http://210.16.120.34
http://210.16.121.137
http://216.189.157.89
http://27.102.107.63
http://27.102.114.89
http://45.13.135.103
http://45.58.55.73
http://58.229.208.146
http://accounts.goggle.hol.es/MyAccount
http://alps.travelmountain.ml
http://download.riseknite.life
http://gmail.com
http://myaccount.cgmail.pe.hu/signin
http://myaccount.google.newkda.com/signin
http://myaccount.google.nkaac.net/signin
http://myaccounts-gmail.kr-infos.com/signin
http://ns1.microsoft-office.us
http://ns2.microsoft-office.us
http://onedrive-upload.ikpoo.cf
http://texts.letterpaper.press
https://account.googgle.kro.kr
https://account.grnail-signin.ga/v2
https://accounts.google-manager.ga/signin
https://accounts.google-signin.ga/v2
https://accounts.grnail-signin.ga/v2
https://accounts.grnail-signing.work/v2
https://login.gmail-account.gq
https://login.gmeil.kro.kr
https://myaccount.google-signin.ga/signin
https://myaccount.google.newkda.com/signin
https://myaccount.grnail-security.work/v2
https://myaccount.grnail-signin.ga/v2
https://myaccount.grnail-signing.work/v2
https://myaccounts-gmail.autho.co/signin
https://myaccounts.grnail-signin.ga/v2
https://protect.grnail-signin.ga/v2
https://signin.gmrail.ml
https://signin.grnail-login.ml
[email protected]
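The list above is dominated by Google and Gmail lookalike login hosts (goggle, googgle, gmeil, gmrail, and grnail, which uses "rn" to imitate "m") hosted on free or disposable TLDs, plus a handful of bare IPs. The following Python is an added example, not code from the original post or from Malwarebytes: it loads a subset of the published IoCs, drops the http://gmail.com entry that the list as published contains (an exact-match rule built from it would fire on ordinary Gmail traffic), and runs both exact IoC matching and a brand-lookalike heuristic over constructed proxy-log lines. The log format, the confusable table, the edit-distance threshold and the heuristic itself are assumptions of this example, not part of the report.

```python
import ipaddress
from urllib.parse import urlsplit

# A subset of the IoCs published above, embedded inline so the example runs offline.
IOC_TEXT = """
210.16.120.34
45.13.135.103
http://27.102.107.63
http://accounts.goggle.hol.es/MyAccount
http://myaccount.google.newkda.com/signin
https://account.grnail-signin.ga/v2
https://login.gmeil.kro.kr
http://ns1.microsoft-office.us
http://gmail.com
"""

# Brands the actor imitates; hosts under these suffixes are treated as legitimate (assumption).
BRAND_WORDS = ("google", "gmail")
LEGIT_SUFFIXES = ("google.com", "gmail.com")

# Character sequences that render like another letter in many fonts
# ("rn" for "m" is the trick behind the grnail-* domains above). Assumed table.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def is_legit(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def parse_iocs(text):
    """Split the published list into a set of hostnames and a set of IPs.
    URLs are reduced to their hostname; legitimate brand domains (the published
    list contains http://gmail.com) are dropped so an exact-match rule does not
    fire on ordinary Gmail traffic. Obfuscated e-mail entries are skipped."""
    hosts, ips = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" in line:
            continue
        host = urlsplit(line).hostname if "://" in line else line
        if host is None or is_legit(host):
            continue
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            hosts.add(host.lower())
    return hosts, ips


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_google_lookalike(host):
    """True for hosts that carry a Google/Gmail brand word, or a one-edit variant
    of it after confusable folding, but are not under google.com or gmail.com.
    Catches goggle, googgle, gmeil, gmrail, grnail, cgmail, google-signin and
    myaccounts-gmail from the list above. Heuristic assumed for this example."""
    if is_legit(host):
        return False
    for label in host.lower().replace("-", ".").split("."):
        for src, dst in CONFUSABLES:
            label = label.replace(src, dst)
        for word in BRAND_WORDS:
            # Exact brand word embedded in the label, or a one-edit variant that keeps
            # the length and initial letter; the initial-letter check stops "mail" and
            # "email" from matching "gmail".
            if word in label or (
                len(label) >= len(word) and label[0] == word[0] and levenshtein(label, word) <= 1
            ):
                return True
    return False


# Constructed proxy-log lines: "<time> <client> <method> <url>" (format is an assumption).
SAMPLE_LOG = """
2021-05-10T09:12:03Z 10.0.0.15 GET https://account.grnail-signin.ga/v2
2021-05-10T09:12:09Z 10.0.0.15 GET https://accounts.google.com/signin/v2
2021-05-10T09:13:41Z 10.0.0.22 GET http://45.13.135.103/update.php
2021-05-10T09:14:02Z 10.0.0.22 GET https://signin.gmrail.ml/
2021-05-10T09:15:17Z 10.0.0.31 GET https://mail.example.com/owa/
2021-05-10T09:16:05Z 10.0.0.31 GET https://login.gmeil.kro.kr/
""".strip().splitlines()


def scan_logs(lines, hosts, ips):
    """Return (line_no, host, reason) for every line whose destination is a listed
    host, a listed IP, or an unlisted Google/Gmail lookalike."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if host is None:
            continue
        if host in hosts:
            hits.append((n, host, "ioc-host"))
        elif host in ips:
            hits.append((n, host, "ioc-ip"))
        elif is_google_lookalike(host):
            hits.append((n, host, "lookalike"))
    return hits


if __name__ == "__main__":
    known_hosts, known_ips = parse_iocs(IOC_TEXT)
    for hit in scan_logs(SAMPLE_LOG, known_hosts, known_ips):
        print(hit)
```

The lookalike pass is what catches line 4 (signin.gmrail.ml), which is in the published list but deliberately left out of the embedded subset: exact IoC matching only covers infrastructure already reported, while the same registrant pattern (brand word plus one edit, under a free TLD) keeps reappearing with new hostnames. Tune the initial-letter and length guards before running this against real traffic; they are the difference between flagging gmrail and flagging every mail.* host.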