lazarusholic

SmallTiger Malware Used Against South Korean Businesses (Kimsuky and Andariel)

2024-06-11, Ahnlab
https://asec.ahnlab.com/en/66546/
#Kimsuky #SmallTiger #DurianBeacon #Andariel

Contents

AhnLab SEcurity intelligence Center (ASEC) is responding to recently discovered cases that are using the SmallTiger malware to attack South Korean businesses. The method of initial access has not yet been identified, but the threat actor distributed SmallTiger into the companies’ systems during the lateral movement phase. South Korean defense contractors, automobile part manufacturers, and semiconductor manufacturers are some of the confirmed targets.
The attacks were first found in November 2023, and the malware strains found inside the affected systems seemed to indicate that the Kimsuky group was utilizing their typical method. However, instead of taking an orthodox Kimsuky group approach, the threat actor exploited the software updater programs of the companies during the internal propagation phase. Furthermore, it is noteworthy that the backdoor malware installed at the end is DurianBeacon, a malware strain found in Andariel’s past attack cases.
The same threat actor resumed attacks in February 2024, and the malware …

IoC

File hashes (MD5)

0859f9666e0428447451c036a38057f6
0be7d0975d3d81403d16ba4c4c9c7bf8
1210ff921922f2e27db4feae9fe63394
188f289206c3a945d670f29400d9f77f
232046aff635f1a5d81e415ef64649b7
2766fcf5fa81a2877864a07ef306cde4
2a60348bd0fb2b5fadeb2a691c921370
2a66a7ada05eb52f1776838b3dce5d06
2ab94919a1201f5fb4d2173405f3cfac
2b8fabd12a20fd4a6b5b426dca916f68
383e179513166b4869992072829f0ffb
461024c289d60c40093b82eed59afff9
48d53985cefb9029feb349bcd514c444
49070c554161628b85157423611fb764
57445041f7a1e57da92e858fc3efeabe
5e287812438655b76132a904e340c023
5e7acd7bf25dd7ef69bd76cbf7e96819
7327039d79843587b76af435e7ac27cd
751229f1aed80d2a5097010118d11152
88f7dd7c62cd5d24c2b837e006c01919
9283c404ec0e6f6e13780722f17e8acb
9c184826f3204461ae0a08dbc825473b
9e1203bbd0b90461022b66d9e9197cc9
afe4a8291fb1d6a050a657b1d6d0f650
c08e276205ed88e7fecf8c0914453702
d6a38ffdbac241d69674fb142a420740
e582bd909800e87952eb1f206a279e47
e930b05efe23891d19bc354a4209be3e
ee1db63be5d5ee0938d98e6a3d8094db
f873e1ffac39818f4dd86b17843f9351
fc8eb59d39dc5a3ee7cf231c76f2e606
ffb29b1cd4e0ffa1f96df9514711fefc

IP addresses

38.110.1.69
91.228.218.7
104.36.229.179
104.168.145.83

URLs

http://104.168.145.83:993
http://104.36.229.179/
http://104.36.229.179/am.dll
http://38.110.1.69/
http://38.110.1.69:993
http://91.228.218.7/
http://kevinblog.ddns.net/
http://my.shoping.kro.kr/m.dat
http://my.shoping.kro.kr/ng.db
http://my.shoping.kro.kr/setting.dat
http://w3.navver.o-r.kr/
http://w3.navver.o-r.kr/bbs.html
http://w3.navver.o-r.kr:53
http://www.aslark.kro.kr:1433
http://www.aslark1.kro.kr:1433
http://www.devf.n-e.kr:443
http://www.kepir.p-e.kr/
http://www.kepir.p-e.kr:1521
http://www.kepir.p-e.kr:53
http://www.lazor.kro.kr:3306
http://www.lazor.kro.kr:443
http://www.lazor.kro.kr:53
http://www.lfgu.n-e.kr:53
http://www.luvb.n-b.kr:3306
http://www.navver.o-r.kr/
http://www.navver.o-r.kr/nav.html
http://www.navver.o-r.kr:53
http://www.yah00.o-r.kr/
http://www.yah00.o-r.kr:53
https://raw.githubusercontent.com/phantom5201314/google/main/kiss
https://raw.githubusercontent.com/phantom5201314/google/main/nav.html
https://raw.githubusercontent.com/phantom5201314/google/main/top.png