Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа Kimsuky
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Kimsuky
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Kimsuky

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups. In 2023, Kimsuky has used commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)
ID: G0094
Associated Groups: Velvet Chollima, Black Banshee, THALLIUM, APT43, Emerald Sleet, TA427, Springtail
Version: 5.1
Created: 26 Aug 2019
Last Modified: 29 Jan 2025

Associated Group Descriptions
Name Description
Velvet Chollima (Citation: Zdnet Kimsuky Dec 2018)(Citation: ThreatConnect Kimsuky September 2020)(Citation: Malwarebytes Kimsuky June 2021)
Black Banshee (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)
THALLIUM (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)
APT43 (Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)
Emerald Sleet (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Proofpoint TA427 April 2024)
TA427 (Citation: Proofpoint TA427 April 2024)
Springtail (Citation: Symantec Troll Stealer 2024)

Techniques Used
Domain ID Name Use
Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

Kimsuky has added accounts to specific groups with net localgroup.(Citation: KISA Operation Muzabi)
Enterprise T1583 .001 Acquire Infrastructure: Domains

Kimsuky has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges.(Citation: ThreatConnect Kimsuky September 2020)(Citation: Zdnet Kimsuky Group September 2020)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)(Citation: Mandiant APT43 Full PDF Report)
.004 Acquire Infrastructure: Server

Kimsuky has purchased hosting servers with virtual currency and prepaid cards.(Citation: KISA Operation Muzabi)

.006 Acquire Infrastructure: Web Services

Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Kimsuky has used HTTP GET and POST requests for C2.(Citation: Talos Kimsuky Nov 2021)
.002 Application Layer Protocol: File Transfer Protocols

Kimsuky has used FTP to download additional malware to the target machine.(Citation: VirusBulletin Kimsuky October 2019)

.003 Application Layer Protocol: Mail Protocols

Kimsuky has used e-mail to send exfiltrated data to C2 servers.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Kimsuky has used QuickZip to archive stolen files before exfiltration.(Citation: Talos Kimsuky Nov 2021)
.003 Archive Collected Data: Archive via Custom Method

Kimsuky has used RC4 encryption before exfil.(Citation: Securelist Kimsuky Sept 2013)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence and modified the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` Registry key.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)
.003 Command and Scripting Interpreter: Windows Command Shell

Kimsuky has executed Windows commands by using `cmd` and running batch scripts.(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

.005 Command and Scripting Interpreter: Visual Basic

Kimsuky has used Visual Basic to download malicious payloads.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021) Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.(Citation: Talos Kimsuky Nov 2021)

.006 Command and Scripting Interpreter: Python

Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.(Citation: CISA AA20-301A Kimsuky)(Citation: KISA Operation Muzabi)

.007 Command and Scripting Interpreter: JavaScript

Kimsuky has used JScript for logging and downloading additional tools.(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky) Kimsuky has used TRANSLATEXT, which contained four Javascript files for bypassing defenses, collecting sensitive information and screenshots, and exfiltrating data.(Citation: Zscaler Kimsuky TRANSLATEXT)

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Kimsuky has compromised email accounts to send spearphishing e-mails.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)
Enterprise T1584 .001 Compromise Infrastructure: Domains

Kimsuky has compromised legitimate sites and used them to distribute malware.(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)(Citation: Mandiant APT43 Full PDF Report)
Enterprise T1136 .001 Create Account: Local Account

Kimsuky has created accounts with net user.(Citation: KISA Operation Muzabi)
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Kimsuky has created new services for persistence.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.(Citation: Zdnet Kimsuky Dec 2018)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)
Enterprise T1074 .001 Data Staged: Local Data Staging

Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)
Enterprise T1587 .001 Develop Capabilities: Malware

Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.(Citation: KISA Operation Muzabi)(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024)
Enterprise T1114 .002 Email Collection: Remote Email Collection

Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.(Citation: KISA Operation Muzabi)
.003 Email Collection: Email Forwarding Rule

Kimsuky has set auto-forward rules on victim's e-mail accounts.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.(Citation: KISA Operation Muzabi)
.002 Establish Accounts: Email Accounts

Kimsuky has created email accounts for phishing operations.(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.(Citation: Securelist Kimsuky Sept 2013)
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.(Citation: Talos Kimsuky Nov 2021)
Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Kimsuky has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering.(Citation: Malwarebytes Kimsuky June 2021)(Citation: Proofpoint TA427 April 2024)(Citation: Mandiant APT43 Full PDF Report)
.003 Gather Victim Identity Information: Employee Names

Kimsuky has collected victim employee name information.(Citation: KISA Operation Muzabi)

Enterprise T1564 .002 Hide Artifacts: Hidden Users

Kimsuky has run reg add ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’ /v to hide a newly created user.(Citation: KISA Operation Muzabi)
.003 Hide Artifacts: Hidden Window

Kimsuky has used an information gathering module that will hide an AV software window from the victim.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)
.004 Impair Defenses: Disable or Modify System Firewall

Kimsuky has been observed disabling the system firewall.(Citation: Securelist Kimsuky Sept 2013)

Enterprise T1070 .004 Indicator Removal: File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)
.006 Indicator Removal: Timestomp

Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1056 .001 Input Capture: Keylogging

Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.(Citation: EST Kimsuky April 2019)(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Kimsuky has disguised services to appear as benign software or related to operating system functions.(Citation: CISA AA20-301A Kimsuky)
.005 Masquerading: Match Legitimate Resource Name or Location

Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.(Citation: Kimsuky Malwarebytes)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Kimsuky has gathered credentials using Mimikatz and ProcDump.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Kimsuky has packed malware with UPX.(Citation: Malwarebytes Kimsuky June 2021)
Enterprise T1588 .002 Obtain Capabilities: Tool

Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew, Mimikatz, and PsExec.(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024)
.003 Obtain Capabilities: Code Signing Certificates

Kimsuky has stolen a valid certificate that is used to sign the malware and the dropper.(Citation: S2W Troll Stealer 2024)

.005 Obtain Capabilities: Exploits

Kimsuky has obtained exploit code for various CVEs.(Citation: KISA Operation Muzabi)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Securelist Kimsuky Sept 2013)(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)
.002 Phishing: Spearphishing Link

Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.(Citation: EST Kimsuky April 2019)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Kimsuky has used links in e-mail to steal account information including web beacons for target profiling.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)(Citation: Proofpoint TA427 April 2024)
Enterprise T1055 .012 Process Injection: Process Hollowing

Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.(Citation: Talos Kimsuky Nov 2021)
Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

Kimsuky has used a modified TeamViewer client as a command and control channel.(Citation: Securelist Kimsuky Sept 2013)(Citation: Crowdstrike GTR2020 Mar 2020)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Kimsuky has used RDP for direct remote point-and-click access.(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Kimsuky has downloaded additional malware with scheduled tasks.(Citation: KISA Operation Muzabi)
Enterprise T1593 .001 Search Open Websites/Domains: Social Media

Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.(Citation: Malwarebytes Kimsuky June 2021)
.002 Search Open Websites/Domains: Search Engines

Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.(Citation: KISA Operation Muzabi)

Enterprise T1505 .003 Server Software Component: Web Shell

Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.(Citation: CISA AA20-301A Kimsuky)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Kimsuky has checked for the presence of antivirus software with powershell Get-CimInstance -Namespace root/securityCenter2 – classname antivirusproduct.(Citation: KISA Operation Muzabi)
Enterprise T1176 .001 Software Extensions: Browser Extensions

Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1608 .001 Stage Capabilities: Upload Malware

Kimsuky has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons, file exfiltrators, and implants.(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024)(Citation: Mandiant APT43 Full PDF Report)
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Kimsuky has signed files with the name EGIS CO,. Ltd. and has stolen a valid certificate that is used to sign the malware and the dropper.(Citation: ThreatConnect Kimsuky September 2020)(Citation: S2W Troll Stealer 2024)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Kimsuky has used mshta.exe to run malicious scripts on the system.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: KISA Operation Muzabi)
.010 System Binary Proxy Execution: Regsvr32

Kimsuky has executed malware with regsvr32s.(Citation: KISA Operation Muzabi)

.011 System Binary Proxy Execution: Rundll32

Kimsuky has used `rundll32.exe` to execute malicious scripts and malware on a victim's network.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Kimsuky has used tools that are capable of obtaining credentials from saved mail.(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Kimsuky has used pass the hash for authentication to remote access software used in C2.(Citation: CISA AA20-301A Kimsuky)
Enterprise T1204 .001 User Execution: Malicious Link

Kimsuky has lured victims into clicking malicious links.(Citation: KISA Operation Muzabi)
.002 User Execution: Malicious File

Kimsuky has used attempted to lure victims into opening malicious e-mail attachments.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)

Enterprise T1078 .003 Valid Accounts: Local Accounts

Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018)
Enterprise T1102 .001 Web Service: Dead Drop Resolver

Kimsuky has used TRANSLATEXT and a dead drop resolver to retrieve configurations and commands from a public blog site.(Citation: Zscaler Kimsuky TRANSLATEXT)

.002 Web Service: Bidirectional Communication

Kimsuky has used Blogspot pages and a Github repository for C2.(Citation: Talos Kimsuky Nov 2021)(Citation: Zscaler Kimsuky TRANSLATEXT)

Software
ID Name References Techniques
S1025 Amadey (Citation: BlackBerry Amadey 2020) (Citation: Korean FSI TA505 2020) (Citation: Mandiant APT43 Full PDF Report) (Citation: Mandiant APT43 March 2024) System Owner/User Discovery, Fast Flux DNS, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Modify Registry, System Network Configuration Discovery, File and Directory Discovery, Mark-of-the-Web Bypass, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Obfuscated Files or Information, System Location Discovery, Security Software Discovery, Web Protocols, Ingress Tool Transfer
S0353 NOKKI (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: Unit 42 NOKKI Sept 2018) (Citation: Unit 42 Nokki Oct 2018) System Owner/User Discovery, Rundll32, Local Data Staging, Match Legitimate Resource Name or Location, System Information Discovery, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, File Transfer Protocols, Registry Run Keys / Startup Folder, Obfuscated Files or Information, File Deletion, Web Protocols, Ingress Tool Transfer, System Time Discovery, Credential API Hooking
S0252 Brave Prince (Citation: Mandiant APT43 March 2024) (Citation: McAfee Gold Dragon) (Citation: Talos Kimsuky Nov 2021) System Information Discovery, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Disable or Modify Tools, Query Registry, Exfiltration Over Unencrypted Non-C2 Protocol
S0622 AppleSeed (Citation: KISA Operation Muzabi) (Citation: Malwarebytes Kimsuky June 2021) Archive via Utility, Screen Capture, Keylogging, JavaScript, Data from Removable Media, Local Data Staging, Match Legitimate Resource Name or Location, Malicious File, Spearphishing Attachment, Automated Collection, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service, Masquerading, Archive Collected Data, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Regsvr32, Data Transfer Size Limits, File Deletion, Access Token Manipulation, Software Packing, Web Protocols, Fallback Channels, System Time Discovery
S1198 Gomir (Citation: Symantec Troll Stealer 2024) Standard Encoding, Cron, System Information Discovery, System Network Configuration Discovery, File and Directory Discovery, Local Groups, Unix Shell, Encrypted Channel, Asymmetric Cryptography, File Deletion, Web Protocols, Systemd Service, Remote System Discovery, Internal Proxy
S1201 TRANSLATEXT (Citation: Zscaler Kimsuky TRANSLATEXT) Screen Capture, Steal Web Session Cookie, Email Collection, Match Legitimate Resource Name or Location, Browser Extensions, Traffic Signaling, Browser Session Hijacking, Modify Registry, Credentials from Web Browsers, Exfiltration Over C2 Channel, PowerShell, Bidirectional Communication, Query Registry, Web Protocols, Dead Drop Resolver
S0527 CSPY Downloader (Citation: Cybereason Kimsuky November 2020) Scheduled Task, Bypass User Account Control, Malicious File, System Checks, Code Signing, Modify Registry, Indicator Removal, Masquerade Task or Service, File Deletion, Software Packing, Web Protocols, Ingress Tool Transfer
S0032 gh0st RAT (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye Hacking Team) (Citation: Mandiant APT43 Full PDF Report) (Citation: Mandiant APT43 March 2024) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) Screen Capture, Rundll32, Standard Encoding, Keylogging, Shared Modules, Symmetric Cryptography, Windows Service, Fast Flux DNS, DLL, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, Modify Registry, Clear Windows Event Logs, Command and Scripting Interpreter, Process Discovery, Registry Run Keys / Startup Folder, Encrypted Channel, Non-Application Layer Protocol, Query Registry, File Deletion, Ingress Tool Transfer, Service Execution
S0526 KGH_SPY (Citation: Cybereason Kimsuky November 2020) Keylogging, Encrypted/Encoded File, Local Data Staging, Match Legitimate Resource Name or Location, Local Email Collection, Malicious File, System Information Discovery, Data from Local System, Deobfuscate/Decode Files or Information, Credentials from Password Stores, Credentials from Web Browsers, File and Directory Discovery, Exfiltration Over C2 Channel, PowerShell, Windows Command Shell, Windows Credential Manager, Web Protocols, Software Discovery, Ingress Tool Transfer, Logon Script (Windows)
S1197 GoBear (Citation: S2W Troll Stealer 2024) (Citation: Symantec Troll Stealer 2024) Match Legitimate Resource Name or Location, Code Signing, Proxy
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: KISA Operation Muzabi) (Citation: Mandiant APT43 March 2024) (Citation: Netscout Stolen Pencil Dec 2018) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0249 Gold Dragon (Citation: Mandiant APT43 March 2024) (Citation: McAfee Gold Dragon) (Citation: Talos Kimsuky Nov 2021) System Owner/User Discovery, Local Data Staging, System Information Discovery, Archive Collected Data, File and Directory Discovery, Process Discovery, Registry Run Keys / Startup Folder, Disable or Modify Tools, Query Registry, Security Software Discovery, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer
S0111 schtasks (Citation: Cybereason Kimsuky November 2020) (Citation: KISA Operation Muzabi) (Citation: TechNet Schtasks) Scheduled Task
S0414 BabyShark (Citation: CISA AA20-301A Kimsuky) (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: Cybereason Kimsuky November 2020) (Citation: LATEOP) (Citation: Mandiant APT43 Full PDF Report) (Citation: Mandiant APT43 March 2024) (Citation: Unit42 BabyShark Apr 2019) (Citation: Unit42 BabyShark Feb 2019) Scheduled Task, System Owner/User Discovery, Standard Encoding, Keylogging, System Information Discovery, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, File and Directory Discovery, Mshta, Process Discovery, Registry Run Keys / Startup Folder, Query Registry, Windows Command Shell, File Deletion, Visual Basic, Ingress Tool Transfer
S1196 Troll Stealer (Citation: ASEC Troll Stealer 2024) (Citation: S2W Troll Stealer 2024) (Citation: Symantec Troll Stealer 2024) Screen Capture, Rundll32, Standard Encoding, Local Data Staging, Match Legitimate Resource Name or Location, Symmetric Cryptography, Code Signing, System Information Discovery, Data from Local System, Mutual Exclusion, Archive Collected Data, Browser Information Discovery, Private Keys, System Network Configuration Discovery, File and Directory Discovery, Exfiltration Over C2 Channel, PowerShell, Windows Command Shell, Data from Information Repositories, File Deletion, Software Packing, Web Protocols
S0262 QuasarRAT (Citation: GitHub QuasarRAT) (Citation: Mandiant APT43 Full PDF Report) (Citation: Mandiant APT43 March 2024) (Citation: Securelist APT10 March 2021) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) (Citation: xRAT) Scheduled Task, System Owner/User Discovery, Keylogging, Bypass User Account Control, Symmetric Cryptography, Code Signing, System Information Discovery, Data from Local System, Credentials from Password Stores, Modify Registry, Credentials from Web Browsers, Video Capture, System Network Configuration Discovery, Proxy, Credentials In Files, Registry Run Keys / Startup Folder, Non-Standard Port, Non-Application Layer Protocol, System Location Discovery, Hidden Window, Windows Command Shell, Ingress Tool Transfer, Remote Desktop Protocol, Hidden Files and Directories
S0029 PsExec (Citation: Netscout Stolen Pencil Dec 2018) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

References

  1. AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.
  2. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  3. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  4. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
  5. Cimpanu, C. (2020, September 30). North Korea has tried to hack 11 officials of the UN Security Council. Retrieved November 4, 2020.
  6. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  7. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
  8. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  9. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  10. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  11. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  12. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
  13. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
  14. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  15. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  16. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  17. Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
  18. Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.
  19. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  20. Mandiant. (n.d.). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved October 14, 2024.
  21. OpenAI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. Retrieved September 12, 2024.
  22. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  23. Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024.
  24. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  25. ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.