lazarusholic


The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)

2019-01-30, NSHC
https://redalert.nshc.net/2019/01/30/operation-kitty-phishing/
#SectorA05 #KittyPhishing

Contents

Overview
In early January 2019, an email containing malware was distributed to 77 reporters covering topics related to the Unification Ministry of South Korea. We analysed this malware and identified it as malware used by SectorA05, and we confirmed that the group has continuously used a specific C2 server, a Korean domain name resolving to a Japanese IP address, for at least 27 months.
In addition to these malware-carrying phishing attacks, phishing attacks were also used to steal email account credentials. These attacks mainly targeted South Korean government personnel, such as employees of the central government, the Unification Ministry, and the diplomatic and defense sectors. Recently, the group has also expanded its targets to include cryptocurrency exchanges and individual users.
Their main purpose is to obtain confidential government information and to achieve monetary gain by stealing cryptocurrencies such as Ethereum and Bitcoin. We decided to group this wave of …

IoC

028abdf89dc34088c2935e972a97f2d1249efe100f6282979d1771121c45101c
03cd82887b032ce2968bb739d13e1dd0ce3683df5bc1b87edc6872ddcd1dc625
051BC852ED4D1E4BD44030D6BF3187D0
08ac5048e86d368eea55d55781659dc54070debc9d117ed0a5ca8edd499fe1f8
098dd6d2556fa546132570795a9b901dbf93f306be1a9481b54b85d1f9203c9a
0ba05db51dfb118f82a38afaca2174a9b51ff59f20c90fd634b7298e019eacbf
12ee511259f7f03e8472efa8baf3e250
159b20e19c43ff6a8ba906d23596d5d138efa94aa38b611ee36a3f4da813278c
177c404e7e60e48f303509592ecd0e29
2a25d42130837560fcff1e1e19264f05784bf9e9db6464afb15d7e26f7f4a433
2b8a31c6a2a70ad4b5c593400731b418b91b0d55c48158a8a024420792268328
2c523736994639172ee7375a8e1392081f699ae0cc397015e1cad47ce44cfded
2c7a76c85a182bf4045afe2180d1d845ddbfca6044995f2273c77cbeb1e42f8a
38368ada36a1d98bbc55408e26a2219ec60e0e53c8d34d67fd010af574f84e5a
48ba9d01f1fba5421e8bfbdd384a3849
493aadefcf45642c34b4d84a84a41da9ac173b52c3217f62b3e25ece6379bd94
55e69e1337af0d93b5a3742d999bf805
56C1BE63947D08B00FE0F2E84BC8AB82
56C1D749947D0FE00FE0ABC84BC8A02B
71841a1b5ee1b383a9282bf513723b7f1713a0e1ee501db38d64c2db9ba08ec4
74d6b81565aeb95ee9df37ef7738d10baa9866261fb894d9ee9d67fc7c66badc
7603be6e20fdf1338f5de8660b866a7d
828f828a4c7b098786a0b719c4cecbb1fe3c28aaf25f81fc939b9099097e4c1e
84edc9b828de54d4bd00959fabf583a1392cb4c3eab3498c52818c96dc554b90
8573d9008cca956a8f8b9a46ed7880b4
8573d9008cca956a8f8b9a46ed7880b471435327e8e0ea42b2e143b410a99d7b
860b3a252226dea43cba5ea52f094c4c7c408f20e236f49bc975ff374d2450b8
8719218fc45939cf55e3e2d66d83769d916e736514941ffce3fffc515614ef4a
891c2b7a374063ea4e7f2693906b9c5e916646b827601727e9aeea0fb3e37f4a
8f06cfe7b7fd3cec439dfe975c7ef51859661dd120bb3dd8ae0a530a0b01782e
916bbd3e7930557f7d8f92f27cceb5fe
9481b2f26f6c8a8fa6dc509f925e6da95606a5fb190c3153646357b04464505f
95f1a84103f789d1ae749a3f8a384a29b39d6766e8a13d450b6553c39aba4fd7
97f6f31e3b53d36378033f6ba72ddc29
9898a3669c457aa9ab56bd25d26d0a92605a4a0dccca2b2d8814f684bf2e9334
98a12699bd8f5c886f4b40ddee5a9abb9c130fac292a262c70ed92ee8c762cb0
98e1cc1b96b420ece848a2b43a0c1ae0b5f9356a11227fca181ada95435d2c63
B20A82932F459278D44058ADBF3113FB
b4bd3c50a5d7a7102a7e723f4b742f556a1ab93e3f5d4a36567a651109c4dfd9
b64f8da65fe71212cedfdac887f503f4
bbfc7578f6d18c7d139e2a9b4e8dd74786c7b4bfec824f7ac1049b94e72ee846
c6c332ae1ccb580ac621d3cf667ce9c017be41f8ad04a94c0c0ea37c4789dd14
c87f4aeebd3f518ba30780cb9b8b55416dcdc5a38c3080d71d193428b0c1cc5a
cb87f1468d139930d9afcba7f3acabb4
d62bf83fb5a7b148f326908051b149b77663149d47426ce749e944f7abf5d304
d96f350c206b2d987c7b39daed7c81b7de4a5d1c73497c9971abb3114cc76e2d
d9746224143010adada9989bf6b1014bb10e8165615e1ef6b58fd429cd2aa20a
d992c84902992867a6dfc9caf4d80f211d4d7a7d3e9e043691768bb6d73b4987
e18ea5dcf830c1f7515be7610c34c445a699cd5d8a7aa8221fbe8cfdec25afd6
e7a314ac40b266415da32645f4bdeda7d8a448f0546fef49abc8958084f8ef38
ea1d4ce3f4a9a70670e67d69a36e5e65b314207d4d882a7e4bc26ddfbe6177b9
f070768ba2d0091b66e2a15726e77165
f483d5051f39d1b08613479ccbc81423a15bfe5c5fb5a7792d4307a8af4e4586
f64ec976e9930425009da79c7aa081ac
f66e8851285f15a6af8f25178180ae9685c01198b9afd21fc24cc0fc4bc8744d
fce7a02f4ca7bdab7fdb8168a2478e58
http://acount-qooqle.pe.hu
http://ago2.co.kr
http://ago2.co.kr/bbs/data/F.php
http://ago2.co.kr/bbs/data/R.php
http://ago2.co.kr/bbs/data/dir/F.php
http://ago2.co.kr/bbs/data/dir/note.png
http://ago2.co.kr/bbs/data/dir/svchow.dat
http://ahnniab.esy.es
http://ahnniab.esy.es/w/b.js
http://aiyac-updaite.hol.es
http://aiyac-updaite.hol.es/Est/down/AlyacMonitor64
http://aiyac-updaite.hol.es/Est/down/AppContainer32.a
http://aiyac-updaite.hol.es/Est/down/AppContainer64.a
http://aiyac-updaite.hol.es/Est/down/BuildSteps32
http://aiyac-updaite.hol.es/Est/down/BuildSteps64
http://aiyac-updaite.hol.es/Est/down/Cookie.a
http://aiyac-updaite.hol.es/Est/down/CoreWin32
http://aiyac-updaite.hol.es/Est/down/CoreWin64
http://aiyac-updaite.hol.es/Est/down/MSOfficeUpdate64
http://aiyac-updaite.hol.es/Est/down/f.a
http://aiyac-updaite.hol.es/Est/down/kakao.a
http://aiyac-updaite.hol.es/Est/down/xpad64.exe
http://daum-safety-team.esy.es
http://gyjmc.com
http://jejuseongahn.org
http://jundosase.cafe24.com
http://kuku675.site11.com
http://kuku675.site11.com/data/zero/log.php
http://kuku79.herobo.com
http://kuku79.herobo.com/data/pod/fund.pas
http://mail-service.pe.hu
http://mail-support.esy.es
http://my-homework.890m.com
http://my-homework.890m.com/bbs/data/
http://my-homework.890m.com/bbs/data/board.php
http://my-homework.890m.com/bbs/data/board.php?v=a||Finished
http://my-homework.890m.com/bbs/data/board.php?v=b||The
http://my-homework.890m.com/bbs/data/board.php?v=c||The
http://my-homework.890m.com/bbs/data/board.php?v=e||Decoded
http://my-homework.890m.com/bbs/data/board.php?v=f||Executed
http://my-homework.890m.com/bbs/data/brave.ct
http://my-homework.890m.com/bbs/data/tmp/D.php
http://my-homework.890m.com/bbs/data/tmp/Ping.php
http://my-homework.890m.com/bbs/data/tmp/fileupload.php
http://my-homework.890m.com/gnu/board.php
http://my-homework.890m.com/gnu/board.php?m=MAC_ADDR&v=VERSION|TIMEOUT||Get
http://my-homework.890m.com/gnu/download/3.wsf
http://my-homework.890m.com/gnu/ver
http://myacccounts-goggle.hol.es
http://myaccounnts-goggle.esy.es
http://nav-mail.hol.es
http://nid-mail.esy.es
http://nid-mail.esy.es/bbs/data/tmp/D.php
http://nid-mail.esy.es/bbs/data/tmp/Ping.php
http://nid-mail.esy.es/bbs/data/tmp/alpha.php
http://nid-mail.esy.es/bbs/data/tmp/fileupload.php
http://nid-mail.esy.es/bbs/data/tmp/tie.txt
http://nid-naver.hol.es
http://qqoqle-centering.esy.es
http://safe-naver-mail.pe.hu
http://safe-naver-mail.pe.hu/Est/down/2.a
http://safe-naver-mail.pe.hu/Est/down/AlyacMonitor64
http://safe-naver-mail.pe.hu/Est/down/cookie.a
http://suppcrt-seourity.esy.es
http://suppcrt-seourity.esy.es/update/templates/indox.php
http://www.gyjmc.com/board/data/cheditor/dir1/F.php
http://www.jejuseongahn.org/hboard4/data/cheditor/badu/alpha.php
https://drive.google.com/uc?export=download&id=0B9_jdTGo3-snT3RTMHJMZEk2Szg
https://drive.google.com/uc?export=download&id=0B9_jdTGo3-sndXJESjllMkloOFU
https://drive.google.com/uc?export=download&id=1MVR58_5SlXgDZ5arasQk9AnmihAb3KJ6
https://drive.google.com/uc?export=download&id=1RC5_9WWrfMMZKfu11OfIac5y2d5vRH1c
https://drive.google.com/uc?export=download&id=1ocUSxHf_0jUjVMMbAQzwTJb0blUG0bYh
https://drive.google.com/uc?export=download&id=1olByidca-8vkS-5jRKL9CirKPEP7waHm
https://drive.google.com/uc?export=download&id=1xCePTgAdwNIAN7MWOH_80aN_TZgn8uFv
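Ingesting a flat list like the one above into a blocklist needs two checks before anything is pushed to a sensor: hashes must be typed and case-normalised (the list mixes upper- and lower-case MD5s), and URLs on shared platforms (the Google Drive download links here) must be matched on the full URL, never on the host. The script below is an added example written for this page, not code from the NSHC report or from lazarusholic; the sample indicators are a constructed subset of the list above, and the function names and the shared-host set are assumptions made for illustration. It also flags 64-hex values that are really two MD5s from the same list glued together, an extraction artifact that shows up in dumps of this kind.

```python
"""Normalise a plain-text IoC dump (one indicator per line) into typed sets.

Added example, not code from NSHC or lazarusholic. SAMPLE_IOCS is a
constructed subset of the IoC list on this page; the function names and
SHARED_HOSTS are assumptions made for illustration.
"""
import re
from urllib.parse import urlparse

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")   # MD5-shaped
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")   # SHA-256-shaped

# Hosts where the path, not the host, identifies the attacker resource;
# blocking the host would block a shared platform. Assumed list.
SHARED_HOSTS = {"drive.google.com"}

# Constructed sample: a subset of the indicators listed above.
SAMPLE_IOCS = """
028abdf89dc34088c2935e972a97f2d1249efe100f6282979d1771121c45101c
177c404e7e60e48f303509592ecd0e29
55e69e1337af0d93b5a3742d999bf805
55e69e1337af0d93b5a3742d999bf805177c404e7e60e48f303509592ecd0e29
B20A82932F459278D44058ADBF3113FB
http://ago2.co.kr
http://ago2.co.kr/bbs/data/dir/svchow.dat
http://my-homework.890m.com/gnu/board.php?m=MAC_ADDR&v=VERSION|TIMEOUT||Get
https://drive.google.com/uc?export=download&id=1MVR58_5SlXgDZ5arasQk9AnmihAb3KJ6
"""


def classify(line):
    """Return (kind, normalised value) for one indicator line, or None if blank."""
    line = line.strip()
    if not line:
        return None
    if HEX32.match(line):
        return "md5", line.lower()
    if HEX64.match(line):
        return "sha256", line.lower()
    if line.startswith(("http://", "https://")):
        return "url", line
    return "other", line


def parse_iocs(text):
    """Group indicators by kind; hashes are lower-cased so case variants dedupe."""
    groups = {"md5": set(), "sha256": set(), "url": set(), "other": set()}
    for line in text.splitlines():
        item = classify(line)
        if item:
            groups[item[0]].add(item[1])
    return groups


def find_concatenated_md5s(groups):
    """Flag 64-hex values whose two halves are both MD5s in the same list
    (an extraction artifact, not a real SHA-256). Returns (value, left, right)."""
    hits = []
    for value in sorted(groups["sha256"]):
        left, right = value[:32], value[32:]
        if left in groups["md5"] and right in groups["md5"]:
            hits.append((value, left, right))
    return hits


def blockable_hosts(groups, shared_hosts=SHARED_HOSTS):
    """Hostnames that can be blocked outright; shared platforms are excluded
    and must be matched on the full URL instead (see shared_urls)."""
    hosts = set()
    for url in groups["url"]:
        host = urlparse(url).hostname
        if host and host not in shared_hosts:
            hosts.add(host)
    return hosts


def shared_urls(groups, shared_hosts=SHARED_HOSTS):
    """Full URLs on shared platforms, for URL-level rather than host-level blocking."""
    return {u for u in groups["url"] if urlparse(u).hostname in shared_hosts}


if __name__ == "__main__":
    g = parse_iocs(SAMPLE_IOCS)
    for kind, values in g.items():
        print(f"{kind}: {len(values)}")
    for value, left, right in find_concatenated_md5s(g):
        print(f"artifact: {value} = {left} || {right}")
    print("block hosts:", sorted(blockable_hosts(g)))
    print("block URLs:", sorted(shared_urls(g)))
```

On the sample, the glued value 55e69e…0e29 is reported as an artifact rather than promoted to a SHA-256 rule, ago2.co.kr and my-homework.890m.com become host-level blocks, and the Google Drive link is kept as a full-URL match only.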