lazarusholic

Everyday is lazarus.dayβ

"Million OK!!!!" and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure

2024-12-10, Hunt.io
https://hunt.io/blog/million-ok-naver-facade-kimsuky-tracking
#Kimsuky #Phishing

Contents

Published on Dec 10, 2024
In March 2024, a security researcher on Twitter/X observed a series of IP addresses and domains that answered HTTP requests with an unusual response body: 'Million OK!!!!'. Subsequent analysis of the hosting infrastructure and domains linked this activity to the North Korean threat group Kimsuky.
Hunt researchers have since observed newly registered domains returning the same response. The web pages behind them use the favicon of Naver, a South Korean technology corporation, although they have no association with the company. Domain registration data suggests the group is actively maintaining and expanding this infrastructure.
Key observations:
- The reappearance of the 'Million OK!!!!' HTTP response body.
- Continued use of the free Korean subdomain services p-e.kr, o-r.kr and n-e.kr (second-level domains under .kr, not top-level domains), previously associated with Kimsuky.
- Use of Naver branding elements to make malicious pages look credible.
This post provides an overview of the newly …
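The observations above translate directly into a pivoting fingerprint: a fixed response body, a small set of free .kr subdomain services, Naver-ID style host labels (nidcheck, nidauth, nidcorp) and a borrowed favicon. The script below is an added example, not code from Hunt.io or lazarusholic. It normalises an IoC list like the one below into a host set, fingerprints HTTP observations against those traits, and reports which hits are already known and which are new. The observations, the favicon bytes and the reference favicon hash are constructed placeholders; the real Naver favicon hash is not given on this page and has to be supplied by the operator.

```python
"""Hunt for 'Million OK!!!!' hosts and Naver-themed lures.

Added example (not Hunt.io or lazarusholic code). All inputs are constructed
so the script runs offline; feed it live responses from your own scanner.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

BANNER = b"Million OK!!!!"
# Free Korean subdomain services the post ties to this activity.
FREE_KR_SUFFIXES = ("p-e.kr", "o-r.kr", "n-e.kr", "r-e.kr", "kro.kr")
# Naver-ID style labels seen in the IoC list: nidcheck, nidauth, nidcorp ...
NAVER_LURE_RE = re.compile(r"(?:^|[.-])nid\w*", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class HttpObservation:
    host: str
    status_line: str
    body: bytes
    favicon: Optional[bytes] = None


def iocs_to_hosts(ioc_text: str) -> set[str]:
    """Collapse URL and bare-IP indicators into one lowercase host set.
    Hashes, e-mail addresses and other line types are ignored."""
    hosts: set[str] = set()
    for raw in ioc_text.splitlines():
        line = raw.strip()
        if "://" in line:
            host = urlsplit(line).hostname
            if host:
                hosts.add(host.lower())
        elif IPV4_RE.fullmatch(line):
            hosts.add(line)
    return hosts


def favicon_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint(obs: HttpObservation, naver_favicon_sha256: Optional[str] = None) -> list[str]:
    """Return the list of traits from the post that this observation exhibits."""
    reasons: list[str] = []
    if obs.body.strip() == BANNER:
        reasons.append("million-ok-banner")
    host = obs.host.lower()
    if any(host == s or host.endswith("." + s) for s in FREE_KR_SUFFIXES):
        reasons.append("free-kr-subdomain")
    if NAVER_LURE_RE.search(host):
        reasons.append("naver-id-lure-label")
    if obs.favicon is not None and naver_favicon_sha256 and favicon_sha256(obs.favicon) == naver_favicon_sha256:
        reasons.append("naver-favicon")
    return reasons


def hunt(observations, known_hosts: set[str], naver_favicon_sha256: Optional[str] = None):
    """Map host -> (already_known, reasons) for known IoCs and new fingerprint hits."""
    results = {}
    for obs in observations:
        reasons = fingerprint(obs, naver_favicon_sha256)
        known = obs.host.lower() in known_hosts
        if known or reasons:
            results[obs.host] = (known, reasons)
    return results


# Constructed sample data. The IoC excerpt reuses entries from the list on this
# page; the favicon bytes and the hash derived from them are placeholders.
SAMPLE_IOCS = """http://nidcheck.o-r.kr
http://123.58.200.50
123.58.200.50
[email protected]
974E386F8FACFF325EC2F3EBB7439A9A1E4E4C88944D5BEB5C341923DC993556
"""
FAKE_NAVER_FAVICON = b"constructed-favicon-bytes-not-the-real-naver-icon"
FAKE_NAVER_FAVICON_SHA256 = favicon_sha256(FAKE_NAVER_FAVICON)

SAMPLE_OBSERVATIONS = [
    HttpObservation("nidcheck.o-r.kr", "HTTP/1.1 200 OK", b"Million OK!!!!\n", FAKE_NAVER_FAVICON),
    HttpObservation("123.58.200.50", "HTTP/1.1 200 OK", b"Million OK!!!!"),
    HttpObservation("newlure.p-e.kr", "HTTP/1.1 200 OK", b"Million OK!!!!"),   # not yet in the IoC list
    HttpObservation("www.example.com", "HTTP/1.1 200 OK", b"<html>hello</html>"),
]


def run_demo():
    return hunt(SAMPLE_OBSERVATIONS, iocs_to_hosts(SAMPLE_IOCS), FAKE_NAVER_FAVICON_SHA256)


if __name__ == "__main__":
    for host, (known, reasons) in run_demo().items():
        print(f"{host:20} known={known!s:5} traits={','.join(reasons)}")
```

A single trait such as the free-subdomain suffix is weak on its own, since these services host plenty of legitimate sites; the banner body and the favicon match are the strong signals, and the host label is corroboration. Treat the reference favicon hash as operator-supplied input rather than a constant from this page.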

IoC

http://againcheck.site
http://123.58.200.50
http://118.194.248.148
http://123.58.200.13
http://nidcheck.o-r.kr
http://152.32.243.184
http://mail.ozszg.top
http://152.32.243.153
http://nidauth.r-e.kr
http://152.32.138.191
http://edoc-send.n-e.kr
http://checkagain.store
http://nld.blog-view.o-r.kr
http://118.193.69.248
http://101.36.114.153
http://ozszg.top
http://118.193.68.146
http://152.32.138.63
http://nidcorp.store
http://checkmail.kro.kr
118.194.248.148
123.58.200.50
118.193.69.248
152.32.243.153
152.32.243.184
101.36.114.153
152.32.138.191
152.32.138.63
123.58.200.13
118.193.68.146
[email protected]
[email protected]
974E386F8FACFF325EC2F3EBB7439A9A1E4E4C88944D5BEB5C341923DC993556
98C85EF91E05593CD470FFE8698AA6D97B36E8B885200BE87080B8C2A135FB9C
5F2C65E695D85395634E7AB561242425E6EF281CE2E14A0D5C1704ED593CFA5F
D8A8DDDA6CC12C5533268B20E48E1B636CE9173E9F9B5BB4C832FE00F1B26841
393CBD41F14B1C55BDE92A32E10B5D65384E33A97C77F352BD90FDB8FD5D73AE