lazarusholic


Kimsuky’s GoldDragon cluster and its C2 operations

2022-08-25, Kaspersky
https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/
#Kimsuky #GoldDragon

Contents

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor that primarily targets Korea-related entities. Like other sophisticated adversaries, the group updates its tooling very quickly. In early 2022, we observed it attacking media outlets and a think-tank in South Korea and reported the technical details to our threat intelligence customers.
Kimsuky’s GoldDragon cluster infection procedure
In this new attack, the actor initiated the infection chain by sending a spear-phishing email carrying a macro-embedded Word document. We uncovered several different Word documents, each with a different decoy related to geopolitical issues on the Korean Peninsula.
Contents of decoy
The actor took advantage of the HTML Application (HTA) file format to infect the victim and occasionally used a Hangul (HWP) decoy document instead. After the initial infection, a Visual Basic Script was delivered to the victim. In this process, the actor abused a legitimate blog service to host a …

IoC

238e6952a990fd3f6b75569feceb26a2
25eed4e06f9ed309331aaa6418ebd90d
3265b2d5e61971c43a076347fb405c4b
3fa45dcacf2193759086319c0d264341
40de99fb06e52e3364f2cd70f100ff71
490b2496434e6a20dae758d0b6fc6e00
56b5fec59e118ba324ccee8a336f7f12
56df55ef50e9b9c891437c7148a0764a
596251e844abdaa77eeca905f0cb7677
5b5247ee7b43f51092ab07a1d1a31936
5f38c57f83ee5d682ddf692442204fba
75ae786fe89491dc57509801c212fa8b
7a3e966d30fe5d52cfe97d998e8c49cb
7fb868e6baf93a86d7a6a17ac00f4827
809f60589ee8be7daf075446c2180eaa
8289771e7eeffd28fb8a9e1bdeb3e86c
85f24b0f10b77b033e6e66ae8b7d55fc
8735788b2422c7ab910953178af57376
96f5ef3d58a750a6db60f2e0566dc6e6
a871511ef8abae9f103a3dfe77b12b6d
b237b484c5c0fb020952e99b1134a527
b6ba7e07b4867e4bd36dc9713744aedc
b80d15cbb729e6ca86e3b41924407c30
c0097cfa2e05ab1d18cf3dad93d98050
c4a69dab3f8369d2f823c538590de345
c5ad15506ab05f054d547587111d6393
d9f2acfed7ede76f110334e2c572b74e
dfb8d00ce89172bfc7ee7b73b37129a9
edde6a385c86f60342831f24c3651925
http://0knw2300.mypressonline.com/d.php
http://21nari.getenjoyment.net/info.php?ki87ujhy=
http://21nari.mypressonline.com/s.php
http://21nari.scienceontheweb.net/r.php
http://attach.42web.io
http://attachment.a0001.net
http://bigfile.totalh.net
http://chmguide.atwebpages.com/?key=cWFLQ2hCU3ZTaUNha3hVaGdZSXRyQT09
http://chunyg21.sportsontheweb.net/info.php?ki87ujhy=
http://chunyg21.sportsontheweb.net/s.php
http://clouds.rf.gd
http://dmengineer.co.kr/images/s_title16.gif
http://dmengineer.co.kr/images/s_title17.gif
http://dmengineer.co.kr/images/s_title18.gif
http://faust22.mypressonline.com/1.txt
http://faust22.mypressonline.com/info.php
http://glib-warnings.000webhostapp.com/hta.php
http://glib-warnings.000webhostapp.com/info.php?ki87ujhy=
http://glib-warnings.000webhostapp.com/s.php
http://global.onedriver.epizy.com
http://global.web1337.net
http://hochdlincheon.mypressonline.com/f.txt
http://hochuliasdfasfdncheon.mypressonline.com/report.php?filename=
http://hochulidncheon.mypressonline.com/c.txt
http://hochulidncheon.mypressonline.com/k.txt
http://hochulincddheon.mypressonline.com/post.php
http://hochulincheon.mypressonline.com/c.txt
http://hochulincheon.mypressonline.com/down.php
http://hochulincheon.mypressonline.com/f.txt
http://hochulincheon.mypressonline.com/h.php
http://hochulincheon.mypressonline.com/k.txt
http://hochulincheon.mypressonline.com/post.php
http://hochulincheon.mypressonline.com/report.php?filename=
http://hochulincheon.mypressonline.com/w.txt
http://hochulindcheon.mypressonline.com/w.txt
http://hochulindddcheon.mypressonline.com/post.php
http://hochulinsfdgasdfcheon.mypressonline.com/post.php
http://koreajjjjj.atwebpages.com/1.hta
http://koreajjjjj.sportsontheweb.net/k.php
http://kpsa20201.getenjoyment.net/d.php
http://leehr24.mywebcommunity.org/h.php
http://leehr36.mypressonline.com/h.php
http://o61666ch.getenjoyment.net/post.php
http://o61666ch.getenjoyment.net/report.php?filename=
http://weworld59.myartsonline.com/h.php
http://weworld78.atwebpages.com/hta.php
http://weworld78.atwebpages.com/info.php?ki87ujhy=
http://weworld78.atwebpages.com/s.php
http://weworld79.mygamesonline.org/hta.php
http://yulsohnyonsei.atwebpages.com/1.hwp
http://yulsohnyonsei.atwewbpages.com/d.php
http://yulsohnyonsei.medianewsonline.com/1.hwp
http://yulsohnyonsei.medianewsonline.com/1.txt
http://yulsohnyonsei.medianewsonline.com/info.php?ki87ujhy=
http://yulsohnyonsei.medianewsonline.com/ksskdh/d.php
http://yulsohnyonsei.medianewsonline.com/post.php
http://yulsohnyonsei.medianewsonline.com/report.php?filename=
https://225b4d3c305f43e1a590.blogspot.com/2022/01/1.html
https://225b4d3c305f43e1a590.blogspot.com/2022/02/1.html
https://3a8f846675194d779198.blogspot.com/2021/10/1.html
https://c52ac2f8ac0693d8790c.blogspot.com/2021/10/1.html
https://leejong-sejong.blogspot.com/2022/01/blog-post.html
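The indicator list above mixes file hashes with C2 URLs, several of which end in an open query string (`?ki87ujhy=`, `?filename=`) that the implant completes at runtime, so an exact-URL match will miss real beacons. The script below is an added example, not code from the Kaspersky report or from lazarusholic: it splits a subset of the page's IoCs into hashes, URLs and hostnames, then sweeps constructed proxy-log lines (the timestamp/client/method/URL format and the client addresses are invented for the example) and reports whether each hit is a URL-prefix match or only a hostname match.

```python
"""Classify the IoCs on this page and sweep proxy-log lines against them.
Added example; not part of the original report. Log lines are constructed."""
import re
from urllib.parse import urlsplit

# Subset of the indicators listed on this page (MD5 hashes and C2 URLs).
IOC_TEXT = """
238e6952a990fd3f6b75569feceb26a2
25eed4e06f9ed309331aaa6418ebd90d
http://0knw2300.mypressonline.com/d.php
http://21nari.getenjoyment.net/info.php?ki87ujhy=
http://hochulincheon.mypressonline.com/report.php?filename=
http://koreajjjjj.atwebpages.com/1.hta
https://225b4d3c305f43e1a590.blogspot.com/2022/01/1.html
"""

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# Addresses and timestamps are invented; only the hostnames/paths come
# from the IoC list on this page.
LOG_LINES = """\
2022-02-14T09:12:03Z 10.1.2.33 GET http://21nari.getenjoyment.net/info.php?ki87ujhy=SGVsbG8= 200
2022-02-14T09:12:07Z 10.1.2.33 GET https://225b4d3c305f43e1a590.blogspot.com/2022/01/1.html 200
2022-02-14T09:15:41Z 10.1.2.57 GET https://www.blogspot.com/ 200
2022-02-14T09:16:02Z 10.1.2.33 POST http://hochulincheon.mypressonline.com/post.php 200
2022-02-14T09:20:10Z 10.1.2.90 GET http://www.example.com/index.html 200
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_iocs(text):
    """Split an IoC dump into MD5 hashes, full URLs and the hostnames the
    URLs use. Hostnames are what a proxy or DNS log usually exposes."""
    hashes, urls, hosts = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if MD5_RE.match(line.lower()):
            hashes.add(line.lower())
        elif line.startswith(("http://", "https://")):
            urls.add(line)
            host = urlsplit(line).hostname
            if host:
                hosts.add(host.lower())
    return hashes, urls, hosts


def scan_log(log_text, urls, hosts):
    """Return (timestamp, client, url, hit_type) for every request that
    touches an indicator. 'url' means the request starts with a listed
    URL (the open query strings on this page are prefixes of real
    beacons); 'host' means only the hostname is listed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the sweep
        ts, client, url = parts[0], parts[1], parts[3]
        host = (urlsplit(url).hostname or "").lower()
        if any(url.startswith(u) for u in urls):
            hits.append((ts, client, url, "url"))
        elif host in hosts:
            hits.append((ts, client, url, "host"))
    return hits


def clients_to_triage(hits):
    """Count hits per client so the most active host is looked at first."""
    counts = {}
    for _, client, _, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    hashes, urls, hosts = parse_iocs(IOC_TEXT)
    for hit in scan_log(LOG_LINES, urls, hosts):
        print(hit)
    print(clients_to_triage(scan_log(LOG_LINES, urls, hosts)))
```

Matching is on the exact hostname, not the registrable domain: the actor hosts on free providers (mypressonline.com, atwebpages.com, blogspot.com) whose parent domains are shared with benign traffic, which is why `https://www.blogspot.com/` produces no hit while the specific blogspot subdomain does. A hostname-only hit, such as `post.php` on a listed host, still deserves triage because the page lists several different scripts per host.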