Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed
Known to be supported by North Korea, the Kimsuky threat group has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014. Since 2017, attacks targeting countries other than South Korea have also been observed. [1] The group usually launches spear phishing attacks against national defense, defense industries, media, diplomacy, national organizations, and academic sectors. Their attacks aim to steal internal information and technology from organizations. [2]
While the Kimsuky group typically uses spear phishing for initial access, most of their recent attacks deliver shortcut-type malware in the LNK file format. Although LNK malware makes up a large share of recent attacks, cases using JavaScript or malicious documents continue to be detected.
Such attack cases that use JavaScript-type malware usually involve the distribution of AppleSeed, which was covered in a past report titled “Analysis Report …
IoC