Kimsuky is targeting an arms manufacturer in Europe
Date of the report (05/24/2024)
Summary
On May 16, 2024, we discovered attempted intrusions targeting organizations that produce weapons components in western Europe. We assess with high confidence that the state-sponsored group known as Kimsuky is behind these attacks. This report details the attacker's methods and tools and provides indicators to detect future activity.
Key Findings:
1) The threat actor used new espionage tools.
2) The primary target appears to be a western European weapons manufacturer.
3) The threat actor used the "General Dynamics" brand, a prominent military contractor, as a visual lure.
Context
North Korean state-sponsored threat actors have long targeted weapons-producing organizations. At various times, different threat clusters have targeted defense industry professionals and companies that develop weapons components or act as military contractors. This campaign is a new round of escalation in which arms manufacturers themselves are being targeted.
Attack Vector
The attack vector is a spear-phishing email sent to the organization's employees. The email contains a malicious JavaScript file attachment …
IoC
rule Kimsuky_Spy_Tool {
    meta:
        description = "Kimsuky Spy tool"
        author = "The BlackBerry Research and Intelligence Team"
        date = "2024-05-23"
        hash = "3314b6ea393e180c20db52448ab6980343bc3ed623f7af91df60189fec637744"
        version = "1.0"
    strings:
        $a1 = {42 4B 62 68 54 62 7E 58 42 4B 21 3B BA 28 C3 14}
        $a2 = {31 40 4E 57 67 79 78 65 48 5C 5F 62 70 64 67 63}
        $a3 = {44 24 50 53 71 80 60 0F 11 45 E8 C7 44 24 54 71}
        $a4 = {44 24 64 54 57 55 57 49 8B CE C7 44 24 68 47 57}
        $b1 = {AE 1B C8 96 70 3F B1 5C 40 32 E2 95 32 48 7C C9
               65 07 71 A3 B9 98 FC 3F 71 28 3F 1A 24 63 BD C5
               6B C2 70 17 29 1D 06 1A B9 74 B2 12 CE 06 28 6A
               5C 36 CB 2B 98 68 0D 1A 50 D6 F1 67 51 B8 BC 24
               AE 2B}
    condition:
        // 'and' binds tighter than 'or' in YARA; parentheses make the grouping explicit
        uint16(0) == 0x5a4d and ((filesize < 2000KB and all of ($a*)) or any of ($b*))
}
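To show how the rule's condition is evaluated, and in particular that YARA's "and" binds tighter than "or" so a $b hit matches regardless of the filesize check, here is an added Python re-implementation of the condition over an in-memory buffer. It is not code from the original report or from BlackBerry; the byte patterns are copied from the rule above, and the sample buffers are constructed for the demonstration.

```python
"""Evaluate the Kimsuky_Spy_Tool YARA condition in plain Python.

Added example; the hex patterns are copied from the rule above, and the
sample buffers built by build_sample() are constructed (not real malware).
"""

# Patterns copied verbatim from the rule's strings section
A_PATTERNS = {
    "a1": "42 4B 62 68 54 62 7E 58 42 4B 21 3B BA 28 C3 14",
    "a2": "31 40 4E 57 67 79 78 65 48 5C 5F 62 70 64 67 63",
    "a3": "44 24 50 53 71 80 60 0F 11 45 E8 C7 44 24 54 71",
    "a4": "44 24 64 54 57 55 57 49 8B CE C7 44 24 68 47 57",
}
B_PATTERNS = {
    "b1": (
        "AE 1B C8 96 70 3F B1 5C 40 32 E2 95 32 48 7C C9 "
        "65 07 71 A3 B9 98 FC 3F 71 28 3F 1A 24 63 BD C5 "
        "6B C2 70 17 29 1D 06 1A B9 74 B2 12 CE 06 28 6A "
        "5C 36 CB 2B 98 68 0D 1A 50 D6 F1 67 51 B8 BC 24 "
        "AE 2B"
    ),
}
MAX_SIZE = 2000 * 1024  # YARA's "2000KB"


def hex_pattern(text: str) -> bytes:
    """Turn a YARA-style hex string into raw bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def matches_rule(data: bytes) -> bool:
    """Mirror the rule's condition with YARA precedence made explicit:
    MZ header and ((filesize < 2000KB and all of $a) or any of $b).
    A $b hit therefore matches even when the file exceeds 2000KB.
    """
    # uint16(0) is read little-endian, so "MZ" (4D 5A) compares as 0x5A4D
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    all_a = all(hex_pattern(p) in data for p in A_PATTERNS.values())
    any_b = any(hex_pattern(p) in data for p in B_PATTERNS.values())
    return is_mz and ((len(data) < MAX_SIZE and all_a) or any_b)


def build_sample(patterns, pad: int = 0x200) -> bytes:
    """Constructed buffer: MZ stub, zero padding, then the given patterns."""
    body = b"".join(hex_pattern(p) for p in patterns)
    return b"MZ" + b"\x00" * pad + body
```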