lazarusholic

Everyday is lazarus.dayβ

Operation Covert Stalker

2023-11-01, Ahnlab
https://asec.ahnlab.com/ko/58231/
20231101_Kimsuky_OP.-Covert-Stalker.pdf, 6.1 MB
#Kimsuky #CovertStalker

Contents

AhnLab Cyber Threat Intelligence Report

TLP: WHITE

Operation Covert Stalker
Subtitle: 17 months of tracking and analysis of the Kimsuky group's hacking activity, including phishing and malware distribution

AhnLab Response Team
2023. 11. 01


Operation Covert Stalker Report

Guide to document classification
Publications and provided content may be used only within the scope permitted for each document classification, as set out below.

Classification: TLP: RED
  Distribution: Report provided only to a specific customer (company).
  Restrictions: Only the report recipient or the receiving department may access the document. No copying or distribution beyond the recipient.

Classification: TLP: AMBER
  Distribution: Report provided only to a limited set of customers (companies).
  Restrictions: May be copied and distributed within the receiving organization (company). Use outside the organization, for example as training material, requires AhnLab's permission.

Classification: TLP: GREEN
  Distribution: Report available to anyone within the relevant service.
  Restrictions: Free use within the relevant industry; with attribution, may be used as internal training, peer-industry and security-staff training material. Strictly restricted in presentations aimed at the general public.

Classification: TLP: WHITE
  Distribution: Freely usable report.
  Restrictions: Attribution required. Commercial and non-commercial use permitted; derivative works such as modifications permitted.

[Important] Note
This report contains many analyst opinions based on what has been confirmed to date.
Opinions may differ between analysts, and the contents of this report may change without prior notice if new evidence is found.
The statistics and indicators in the report …

IoC

01E971C39E6F9E199D5E9D5A595DD2CF
01a88355b5f7797c58cff7b886d44daa
03ef869a81599a57a450394aababb396
072e7ff8a61b9462a321a2109d154937
08a3e160fd44794347c3d7c01845efad
0DF3B8F1CC6ACEB0D90B08D3AA4FF0C4
1.243.200.130
112.175.85.198
112d330d907b61bba6d8b6d871ab428b
118.128.149.119
121.78.88.79
136.0.16.80
162.0.209.27
165.154.240.72
17daf3ea7b80ee95792d4b3332a3390d
183.111.100.193
185.176.43.106
185.185.40.112
188.42.129.148
19a0bd7c3e041a4b05df9e04cb6cfa64
1a5124d69544b994a53a2713989a3ee2
1cdb3f1da5c45ac94257dbf306b53157
210.92.18.180
211.168.252.55
211.249.220.24
211.53.197.220
216.189.149.71
216.189.157.76
222.102.7.13
222.122.210.7
22a82437c4c5c18019ac16136e03091f
23.106.122.16
23447a412c08aa05d41fb321bb2a085a
25ab56c2b832eb6205d980acbd0f24ed
27.102.106.48
27.102.107.63
27.102.112.49
27.102.114.89
27.102.128.23
27.255.75.137
27.255.75.146
27.255.80.170
27.255.81.80
2cbb7ab859d3528fba7444ed2b92c0e9
2d8c16c1b00e565f3b99ff808287983e
2ec54216e79120ba9d6ed2640948ce43
388efc272e17d7c3fdcc8feca74fa471
3f1a8b2d2dd84a857e8014af0c54b6ef
438bc603af952dfa6a9bed666e795ff1
45.58.52.49
45.58.52.82
4590554fbe440a17cf9cd0e9788f55cb
49ab5e1905a34122a8e3727b72f080d0
4b334475d340ac631e25ddf7d86e921d
4c93a4669abce6ca9d56848607cf5686
51e82d13b4557ac7656917837327407c
526ed4e59c3931374f59b326e8ec2a25
52bf7726210bbd787457e74b709173af
55ed79ac10838135d59d4d9eed549e75
568864b4f32c27b7bd934500aa1b107c
59.7.91.171
5b32288e93c344ad5509e76967ce2b18
5d56371944dec9da57db95d0199dd920
61.82.110.60
64c97f485939ed66b13df5d7880d0757
68e0a1956aa96427cb9192676ced054e
6b3235a4c55aba4f6ffbf6f86f9c31e6
6b90aa99acc489a1c9c822defee81d5b
6ba1838f1025dad5030c92df826f73ee
6bc126b86d7720dc146c4b710885f347
6dd2425d50a71b3d967b4488ea94ae9b
7175e046767725b2f8d93f8a69a9999f
71f8ac92adf5af2357594446e85db30a
720D527F359BD8515F5CF46648EBFAB4
74.119.239.234
74f1f1ba400ab3a0882927f81e3ea62e
75dd30fd0c5cf23d4275576b43bbab2c
7a0c0a4c550a95809e93ab7e6bdcc290
7bed2eef6e50d04771d743c2f849f416
7e2667daa3680f78b3c257add8ad6284
7f0f4c12000836f90ab1dfccf8ec4bde
8895bc1637530e06e179e02b00a1e294
8bb21b6bd3fc0b5913da94da6b0826b7
8dee170fbbb2b4a311e1c73b2ec9c803
90a56bc6a66bb4e02265389529757460
95026101ff4308ec42576094f3bbc4d7
9DAAF0C89C03FE499265C3642C4A52FA
9b5add63dc12bc6c7028c6abf08c6ffd
9b60ea2ea5b43f8fe17832867de7587f
9cdda333432f403b408b9fe717163861
a1d462bda91906577c0fc06a9ff4d397
a3f0099315ebfb7edef043b0885c1b6e
a602b4320bf412e100640a712a924545
a6428d63479198c36e12e0f3e59ded3d
a72ceeaf7a963891cae01ff76b7760d9
a810373cb3f85e9844cff0933af47dab
a92e757205f090f85f92cf60d989dfc0
aa6256e77efffee2a8bc89c7e45679a3
ace6ca3fbc585c4ebb67dadccb79980e
adcdc64be39551856c806e1c962350ff
af84eb2462e0b47d9595c21cf0e623a5
b01be50d585015af412bffcd3612de9c
b393929b8b9c13083a015fb135887600
b47d295ba8fac929e5428a4bb9bbe9d2
bcb95b956007b883e169ea1b7e03e5f1
beb07a3614a5eb0a55f49a85f6fc7d6d
bf523c36e61627d79b715a4da2dd97ed
c0a8af17a2912a08a20d65fe85191c28
c0cfe70346bd04ce83424a17b0abf82d
c98b4f95241f389d9a30b99577daa7be
ceda3fe64e97c9c66e4934bcd619925d
d55fb1cb2c99e27aeff040a11503f26a
d7765969c796c760a86039596a1249df
d7af4d1ce4b15100cd01fe4e0bee2ebd
d8cc9855cd4efc1067cdb053de538130
daf665832ef08fefa5db0b9e53dd7f52
dd32a316238dbd9f6a80c54adf7d8725
dd6b31c3a9881eb64b719568a53cb2fb
dfe2f5fc4579f5cb56a76702a61e692a
e16cef4e0755480176ce3547ff37989d
e1946194cba9cf2fbd9ab127ee3a6bf2
e2426366a1e1c20282588fa142c57a40
e45b31eab62f6a5d4f268d60532f9b6c
e840bf3477150392720fe8a9b1f8a4d6
ebbd5553d23a8412b58d6a4f2781d63a
ecda8838823680a0dfc9295bdc2e31fa
ecfc2baa10c8de2132a501853b4286ba
f082f689394ac71764bca90558b52c4e
f19ff4e7caae993ec02dcd6dc6522bfc
f2bf557f8e90522d67b773d56a8984bc
f841445c3e90c17653c88dc09ce2a693
fce92ce954bf0400be5c4e2abf923000
ffe567c87e28fb6a123b057a73d635ed
fff43c6690eb87eb194aae01d6d77f1e
http://bipaf.org
http://bipaf.org/bbs/zi
http://cctva001.kr/gnuboard4/bbs/view_tail.php?fpath=/home/hosting_
http://dstent04.co.kr/wp-includes/SimplePie/Cache/
http://dstent04.co.kr/wpincludes/SimplePie/Items.php
http://goodsjobs.eu/ajou/
http://goodsjobs.eu/ajou/kn/login.html
http://goodsjobs.eu/ajou/kn/login1.html
http://goodsjobs.eu/ajou/self.html
http://goodsjobs.eu/se.html
http://koreaglobal.atwebpages.com/file/notouch.php
http://mailms.goodsjobs.eu/mail/login?rtnurl=
http://mc.pzs.kr/themes/mobile/images/about/fjwhe
http://munjungday.net/gnuboard4/bbs/kn/logon.html
http://nave.goqqle.eu/sources/Util/temp/test.php?otp=
http://naver.me/xM8yk6m2
http://www.ammyy.com/files
http://www.bluemotion.co.kr/cheditor
http://www.bluemotion.co.kr/cheditor4/insert_link.php?fpath=/home/bl
http://www.namastte.kr
http://www.namastte.kr/sources/Util/AJAX.php?fpath=/home/nam
http://www.namastte.kr/yahoo/index.php?menu=Y2ltb*****==&q=hxxps://login.yahoo.com/?.src=ym&pspi
http://www.ssktool.co.kr/ssktool/20090401skin/chine
https://a1ive.info/tygygvftsfx8g68Gu8
https://accdaum.login.mail.pl/accounts/signinform.do?url=http%3A
https://accounts.googlernails.com/signin/v2/identifier?hl=ko&passiv
https://accountskakao.login.mail.pl/login?continue=hxxps%3A%2F
https://afgvillage.eu/tygygvftsfx8g68G
https://anydesk.com/ko
https://attach.mail.daum.net/bigfile/v1/urls/d/JClVvbVCUf8Hfp
https://attach.mail.daum.net/bigfile/v1/urls/d/bHFhY43YZ7XxPGgeTjaH5
https://docs.google.com/document/d/1ev92w1nsOlPjmH9imyk
https://docs.google.com/document/d/1xMUMIhx0sPmxJJqwln
https://drive.google.com/file/d/1AQaH7y05bGBNvAbSnYB0y_S
https://drive.google.com/file/d/1AQaH7y05bGBNvAbSnYB0y_SeDmTVF3
https://drive.google.com/file/d/1um69v6yD
https://elated-blackburn.5-252-21-33.plesk.page/fededmd/fdx.php
https://extparts.info/tygygvftsfx8g68G
https://floridas.000webhostapp.com/set.hta
https://generalparts.info/tygygvftsfx8g
https://github.com/ch0sys/DUBrute
https://github.com/chenjj/espoofer
https://github.com/quasar/Quasar
https://github.com/robertdavidgraham/rdpscan
https://github.com/stascorp/rdpwrap
https://goodsjobs.eu/tygygvftsfx8g68Gu8x7s78gsx6.php
https://healope.info/ki.html
https://healope.info/nav.html
https://healope.info/tygygvftsfx8g68Gu8x7s78gsx6.php
https://huitadfsharvard.certuser.info/adfs/ls/?client-request-id=320fdf07-f203-4b04-a73b2f43b929d4ec&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&username=joseph_nye%40hks.h
https://invoice.naver.com/main?from=mail
https://kakaocore.eu/tygygvftsfx8g68
https://kakaoreug.info/tygygvftsfx8g6
https://listmember.info/tygygvftsfx8g6
https://mailms.healope.info/account/login.do?rtnurl=
https://nidlogin.navernnail.com/nidlogin.login?mode=form&url=hx
https://nidus.healope.info/nidlogin.login?mode=form&url=hxx
https://nkinfo.unikorea.go.kr/nkp/term/skNkItTerm.do?pageIndex=32
https://outlook.live.com
https://partner24.kr/
https://usesignal.info/tygygvftsfx8g68
https://walock.info/tygygvftsfx8g68Gu
https://walock.info/tygygvftsfx8g68Gu8x7s78gsx6.php
https://www.ammyy.com/en/
[email protected]
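The IoC list above mixes MD5 hashes in both cases, bare IPv4 addresses, attacker-controlled phishing URLs and URLs on shared platforms (GitHub repositories of tools the actor used, Google Docs/Drive and Daum attachment links, the AnyDesk and Ammyy download pages). Feeding it into a blocklist as-is would block github.com or docs.google.com. The Python below is an added example, not AhnLab's code or tooling from the report: it types each entry, lowercases hashes, defangs URLs for reporting, keeps shared-platform hosts out of the host blocklist, and runs the resulting blocklist over proxy log lines. The SHARED_HOSTS set, the sample subset of indicators and the proxy log lines are constructed assumptions.

```python
"""Type, normalise and defang a mixed IoC list.

Added example for this page; not AhnLab's code and not tooling from the
report. SHARED_HOSTS, SAMPLE_IOCS and SAMPLE_LOG are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Shared platforms that appear in the list as context (tool repositories,
# file-sharing links, vendor download pages). Blocking these hosts outright
# would break normal business, so only their full URL is reported. Assumed set.
SHARED_HOSTS = {
    "github.com", "docs.google.com", "drive.google.com", "attach.mail.daum.net",
    "anydesk.com", "ammyy.com", "outlook.live.com", "naver.me",
}

# Constructed sample: a few entries in the mixed form the page presents them.
SAMPLE_IOCS = """
01E971C39E6F9E199D5E9D5A595DD2CF
01a88355b5f7797c58cff7b886d44daa
1.243.200.130
27.102.106.48
http://goodsjobs.eu/ajou/kn/login.html
https://nidlogin.navernnail.com/nidlogin.login?mode=form&url=hx
https://healope.info/nav.html
https://github.com/quasar/Quasar
https://anydesk.com/ko
"""

# Constructed proxy log lines (not from the report) to run the blocklist over.
SAMPLE_LOG = [
    "2023-10-30T08:12:01 10.0.0.7 GET https://healope.info/nav.html 200",
    "2023-10-30T08:12:09 10.0.0.7 GET https://github.com/quasar/Quasar 200",
    "2023-10-30T08:13:44 10.0.0.9 GET https://intranet.example.com/ 200",
]


def classify(entry):
    """Return (kind, normalised value) for one IoC line, or None if blank."""
    entry = entry.strip()
    if not entry:
        return None
    if MD5_RE.match(entry):
        return ("md5", entry.lower())       # hash lookups are case-insensitive
    try:
        return ("ipv4", str(ipaddress.IPv4Address(entry)))
    except ValueError:
        pass
    if entry.startswith(("http://", "https://")):
        return ("url", entry)
    return ("other", entry)                 # e-mail, bare domain, truncated token


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_shared(host):
    return host in SHARED_HOSTS or any(host.endswith("." + s) for s in SHARED_HOSTS)


def defang(url):
    """hxxp scheme and [.] in the host only; path and query are left intact,
    since query strings in this list already carry defanged redirect targets."""
    parts = urlsplit(url)
    prefix = f"{parts.scheme}://{parts.netloc}"
    return (parts.scheme.replace("http", "hxxp") + "://"
            + parts.netloc.replace(".", "[.]") + url[len(prefix):])


def triage(text):
    """Split raw IoC text into blockable artefacts and context-only URLs."""
    out = {"md5": set(), "ipv4": set(), "block_hosts": set(),
           "context_urls": [], "other": []}
    for line in text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        kind, value = rec
        if kind == "url":
            if is_shared(host_of(value)):
                out["context_urls"].append(defang(value))   # report, do not block
            else:
                out["block_hosts"].add(host_of(value))
        elif kind in ("md5", "ipv4"):
            out[kind].add(value)
        else:
            out["other"].append(value)
    return out


def find_hits(blocklist, log_lines):
    """Return log lines whose first URL token has a host on the block list."""
    hits = []
    for line in log_lines:
        url = next((t for t in line.split() if t.startswith(("http://", "https://"))), None)
        if url and host_of(url) in blocklist["block_hosts"]:
            hits.append(line)
    return hits


if __name__ == "__main__":
    result = triage(SAMPLE_IOCS)
    print(sorted(result["block_hosts"]))
    print(result["context_urls"])
    print(find_hits(result, SAMPLE_LOG))
```

The split between `block_hosts` and `context_urls` is the point: a phishing host such as healope.info or a lookalike such as nidlogin.navernnail.com can go straight to a proxy deny list, while a GitHub repository URL is evidence of tooling, not infrastructure to block. Hashes are lowercased because the list mixes cases and most threat-intel platforms compare hashes case-insensitively but not all normalise on ingest.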