TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)

2024-02-23, Ahnlab
https://asec.ahnlab.com/en/61934/
#D2Innovation #TrollAgent #Kimsuky

Contents

AhnLab SEcurity intelligence Center (ASEC) recently discovered that malware strains are downloaded onto systems when users try to download security programs from a Korean construction-related association's website. Login is required to use the website's services, and various security programs must be installed in order to log in.
Among the programs that must be installed for login, one of the installers contained malware strains. When the user downloads and runs the installer, the malware strains are installed along with the security program.
The two types of malware installed through this process are a backdoor that receives the threat actor's commands from an external server and carries them out, and an Infostealer that collects information from the infected system. As a result, users can have their credentials stolen simply by installing security programs from the official website.
1. Distribution Method
Upon accessing and attempting to log in to the organization’s website, the website prompts …

IoC
