lazarusholic


The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs

2020-03-03, Yoroi
https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/
#Kimsuky

Introduction
Recently we have observed a significant increase in state-sponsored operations carried out by threat actors worldwide. APT34, Gamaredon, and Transparent Tribe are a few examples of recently uncovered campaigns; the latter was spotted after four years of apparent inactivity. Cybaze-Yoroi ZLab decided to study in depth a recent threat attributed to a North Korean APT dubbed Kimsuky.
The Kimsuky APT group has been analyzed by several security teams. It was first spotted by Kaspersky researchers in 2013, and its activity was recently detailed by ESTsecurity.
We decided to analyse the activity of the group after noticing a tweet by the user “@spider_girl22” on February 28th, 2020.
Technical Analysis
Unlike other APT groups that use long and complex infection chains, the Kimsuky group leverages a shorter attack chain; at the same time, we believe it is very effective at achieving a low detection rate.
The …

IoC

757dfeacabf4c2f771147159d26117818354af14050e6ba42cc00f4a3d58e51f
817ef0d9d3584977d1114b7e92012b653d339434a90967cbe8016899801f3751
bbad65136d73cbd5262bc88571677b5434ceb54fc1103f2133757dae2ec4b47b
caa24c46089c8953b2a5465457a6c202ecfa83abbce7a9d3299ade52ec8382c2
d21523b7b8f6584305a0a6a83cd65c8ce0777a42ab781c35aa06c46c91f504b4
// The "pe" module import is required by the pe.number_of_sections checks in the conditions below
import "pe"

rule AutoUpdate_dll {
    meta:
        description = "Yara rule for the AutoUpdate_dll"
        author = "Yoroi - ZLab"
        last_updated = "2020-03-02"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = {48 8B 3F 48 83 78 18 10 72}
        $a2 = {36 42 35 45 35 41 42 33 42 41 39}
        $a3 = { DD E7 FE DA C6 F7 F9 8D 7D F9 }
        $a4 = "1#SNAN"
        $a5 = "d$4D9L$t"
        $a6 = "DllRegisterServer"
        $a7 = "DllUnregisterServer"
    condition:
        // MZ header, exactly six PE sections, and at least four of the patterns above
        uint16(0) == 0x5A4D and pe.number_of_sections == 6 and (4 of ($a*))
}

rule injectedDLL {
    meta:
        description = "Yara rule for the injected DLL"
        author = "Yoroi - ZLab"
        last_updated = "2020-03-02"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = {41 80 3E 5E 89 45 A4 75 08 49}
        $a2 = {60 03 50 02 30 58 68 01 00 70}
        $a3 = {98 F7 02 00 7B 44 00 00 91 44}
        $a4 = "/?m=b&p1="
        $a5 = "&p2=b"
        $a6 = "/?m=a&p1="
        $a7 = "AUAVAWH"
    condition:
        // MZ header, exactly six PE sections, and at least four of the patterns above
        uint16(0) == 0x5A4D and pe.number_of_sections == 6 and (4 of ($a*))
}

rule loader {
    meta:
        description = "Yara rule for the initial loader SRC"
        author = "Yoroi - ZLab"
        last_updated = "2020-03-02"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = " goto Repeat1"
        $a2 = {84 58 43 F4 39 1B 96 32 E4 2D 63}
        $a3 = {89 04 4D 30 7A 05 10 41 EB E8 8B}
        $a4 = {80 A1 B2 F7 15 DE F0 7E 35 75}
        $a5 = {9C 0E 57 4C 77 B1 0E 06 08 5E}
    condition:
        // MZ header, exactly five PE sections, and at least three of the patterns above
        uint16(0) == 0x5A4D and pe.number_of_sections == 5 and 3 of ($a*)
}