Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)
AhnLab SEcurity intelligence Center (ASEC) recently discovered the Kimsuky group distributing malware disguised as an installer from a Korean public institution. The malware in question is a dropper that creates the Endoor backdoor, which was also used in the attack covered in the previous post, “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”. [1]
While there are no records of the dropper itself being used in actual attacks, an attack involving the backdoor it creates was observed around the same time the dropper was collected. The threat actor used the backdoor to download additional malware and to install screenshot-capturing malware. Endoor is also routinely used in other attacks; in the past it has been deployed alongside Nikidoor, which is distributed via spear-phishing attacks.
1. Dropper Disguised as Installer from Korean Public Institution
The dropper was disguised as an installer for a certain public …
IoC