Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
Contents
Overview
Initial Access
…. 2.1. Spear Phishing Attack
…. 2.2. LNK Malware
Remote Control Malware
…. 3.1. XRat (Loader)
…. 3.2. Amadey
…. 3.3. Latest Attack Cases
…….. 3.3.1. AutoIt Amadey
…….. 3.3.2. RftRAT
Post-infection
…. 4.1. Keylogger
…. 4.2. Infostealer
…. 4.3. Other Types
Conclusion
1. Overview
The Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014. Cases of attacks against countries other than South Korea have also been identified since 2017. [1] The group usually employs spear phishing attacks against the national defense sector, defense industries, the press, the diplomatic sector, national organizations, and academic fields to steal internal information and technology from organizations. [2] (This link is only available in Korean.)
Until recently, the Kimsuky group still relied mainly on spear phishing attacks to gain initial access. What makes the recent attacks different from the previous cases …
IoC
MD5
068d395c60e32f01b5424e2a8591ba73
0786984ab46482637c2d483ffbaf66dc
093608a2d6eb098eb7ea917cc22e9998
0bf558adde774215bb221465a4edd2fe
0f5762be09db44b2f0ccf05822c8531a
0fc1c99fd0d6f5488ab77e296216c7c6
1003a440c710ddf7faa1a54919dd01d8
119063c82373598d00d17734dd280016
14a7f83d6215a4d4c426ad371e0810a2
187aa9b12c05cd1ff030044786903e7e
1ac0b0da11e413a21bec08713e1e7c59
1f63ce3677253636a273a88c5b26418d
272c29bf65680b1ac8ec7f518780ba92
32696d9e1e72affaf8bc707ab271200d
355817015c8510564c6ac89c976f2416
38182f1f0a1cf598295cfbbabd9c5bf4
39e755c08156123e4cabac6bf8d1fd3a
4b667f7ea5bdc9d872774f733fdf4d6a
4d4d485d3bfd3cbc97ed4b9a671f740f
4eddf54757ae168450882176243d2bd2
4fc726ab835ce559bada42e695b3d341
5c2809177bb95edc68f9a08a96420bb7
6f7cd8c0d9bfb0f97083e4431e4944c1
74d5dac64c0740d3ff5a9e3aca51ccdf
7b6471f4430c2d6907ce4d349f59e69f
7f582f0c5c9a14c736927d4dbb47c5fa
862a855557cc274ab86e226e45338cff
94aef716b23e8fa96808f1096724f77f
a7c9b4d70e4fad86598de37d7bf1fe96
aa2cf925bae24c5cad2b1e1ad745b881
aaa42b1209ed54bfcbd2493fe073d59b
b1337eb53b21594ac5dbd76138054ffb
b67e6e4c16e0309cfc2511414915df15
baa058003bf79ba82ac1b744ed8d58cb
bac7f5eefe6a67e9555e93b0d950db59
c52410ed6787c39db87c4158e73089d4
c55da826e50e2615903607e61968778f
c5a1305aba22c8fedd6624753849905b
c87094e261860e3a1f70b0681e1bc8c5
cf3440fa165e3f78d2a2252a6924f702
d070cf19b66da341f64c01f8195afaed
d541aa6bae0f8c9bd7e7b6193b52e8f2
d820ddb3026a5960b2c6f39780480d28
e22336eaf1980d2be5feed61b2dbc839
e665a985f71567f24a293ea430aad67d
e860dac57933f63be9a374fb78bca209
e96ca2aa7c6951802e4b17649cc5b581
f3caa0f922600b4423ebcb16d7ea2dc6
f5ea621f482f9ac127e8f7b784733514
f76cde928a6eda27793ade673bcd6620
f9c4d236b893c0d72321a9210359f530
IP
152.89.247.57
172.93.201.248
192.236.154.125
209.127.37.40
23.236.181.108
45.76.93.204
91.202.5.80
URL
http://152.89.247.57:52390
http://172.93.201.248:52390
http://172.93.201.248:8083
http://192.236.154.125:50108
http://209.127.37.40:52390
http://23.236.181.108:52390
http://45.76.93.204:56001
http://91.202.5.80:52030
http://brhosting.net/index.php
https://prohomepage.net/index.php
https://splitbusiness.com/index.php
https://techgolfs.com/index.php
https://theservicellc.com/index.php
https://topspace.org/index.php