Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Kimsuky

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
ID: G0094
Associated Groups: Black Banshee, THALLIUM, APT43, Emerald Sleet, TA427, Velvet Chollima
Version: 5.0
Created: 26 Aug 2019
Last Modified: 10 Oct 2024

Associated Group Descriptions

Name Description
Black Banshee (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)
THALLIUM (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)
APT43 (Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)
Emerald Sleet (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Proofpoint TA427 April 2024)
TA427 (Citation: Proofpoint TA427 April 2024)
Velvet Chollima (Citation: Zdnet Kimsuky Dec 2018)(Citation: ThreatConnect Kimsuky September 2020)(Citation: Malwarebytes Kimsuky June 2021)

Techniques Used

Domain ID Name Use
Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

Kimsuky has added accounts to specific groups with net localgroup.(Citation: KISA Operation Muzabi)

Enterprise T1583 .001 Acquire Infrastructure: Domains

Kimsuky has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges.(Citation: ThreatConnect Kimsuky September 2020)(Citation: Zdnet Kimsuky Group September 2020)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)

.004 Acquire Infrastructure: Server

Kimsuky has purchased hosting servers with virtual currency and prepaid cards.(Citation: KISA Operation Muzabi)

.006 Acquire Infrastructure: Web Services

Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Kimsuky has used HTTP GET and POST requests for C2.(Citation: Talos Kimsuky Nov 2021)

.002 Application Layer Protocol: File Transfer Protocols

Kimsuky has used FTP to download additional malware to the target machine.(Citation: VirusBulletin Kimsuky October 2019)

.003 Application Layer Protocol: Mail Protocols

Kimsuky has used e-mail to send exfiltrated data to C2 servers.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Kimsuky has used QuickZip to archive stolen files before exfiltration.(Citation: Talos Kimsuky Nov 2021)

.003 Archive Collected Data: Archive via Custom Method

Kimsuky has used RC4 encryption before exfil.(Citation: Securelist Kimsuky Sept 2013)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence and modified the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` Registry key.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)

.003 Command and Scripting Interpreter: Windows Command Shell

Kimsuky has executed Windows commands by using `cmd` and running batch scripts.(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

.005 Command and Scripting Interpreter: Visual Basic

Kimsuky has used Visual Basic to download malicious payloads.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021) Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.(Citation: Talos Kimsuky Nov 2021)

.006 Command and Scripting Interpreter: Python

Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.(Citation: CISA AA20-301A Kimsuky)(Citation: KISA Operation Muzabi)

.007 Command and Scripting Interpreter: JavaScript

Kimsuky has used JScript for logging and downloading additional tools.(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Kimsuky has compromised email accounts to send spearphishing e-mails.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)

Enterprise T1584 .001 Compromise Infrastructure: Domains

Kimsuky has compromised legitimate sites and used them to distribute malware.(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)

Enterprise T1136 .001 Create Account: Local Account

Kimsuky has created accounts with net user.(Citation: KISA Operation Muzabi)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Kimsuky has created new services for persistence.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.(Citation: Zdnet Kimsuky Dec 2018)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)

Enterprise T1587 .001 Develop Capabilities: Malware

Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.(Citation: KISA Operation Muzabi)(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024)

Enterprise T1114 .002 Email Collection: Remote Email Collection

Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.(Citation: KISA Operation Muzabi)

.003 Email Collection: Email Forwarding Rule

Kimsuky has set auto-forward rules on victim's e-mail accounts.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.(Citation: KISA Operation Muzabi)

.002 Establish Accounts: Email Accounts

Kimsuky has created email accounts for phishing operations.(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.(Citation: Securelist Kimsuky Sept 2013)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Kimsuky has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering.(Citation: Malwarebytes Kimsuky June 2021)(Citation: Proofpoint TA427 April 2024)

.003 Gather Victim Identity Information: Employee Names

Kimsuky has collected victim employee name information.(Citation: KISA Operation Muzabi)

Enterprise T1564 .002 Hide Artifacts: Hidden Users

Kimsuky has run reg add ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’ /v to hide a newly created user.(Citation: KISA Operation Muzabi)

.003 Hide Artifacts: Hidden Window

Kimsuky has used an information gathering module that will hide an AV software window from the victim.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)

.004 Impair Defenses: Disable or Modify System Firewall

Kimsuky has been observed disabling the system firewall.(Citation: Securelist Kimsuky Sept 2013)

Enterprise T1070 .004 Indicator Removal: File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

.006 Indicator Removal: Timestomp

Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1056 .001 Input Capture: Keylogging

Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.(Citation: EST Kimsuky April 2019)(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Kimsuky has disguised services to appear as benign software or related to operating system functions.(Citation: CISA AA20-301A Kimsuky)

.005 Masquerading: Match Legitimate Name or Location

Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.(Citation: Kimsuky Malwarebytes)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Kimsuky has gathered credentials using Mimikatz and ProcDump.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Kimsuky has packed malware with UPX.(Citation: Malwarebytes Kimsuky June 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew, Mimikatz, and PsExec.(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024)

.005 Obtain Capabilities: Exploits

Kimsuky has obtained exploit code for various CVEs.(Citation: KISA Operation Muzabi)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Securelist Kimsuky Sept 2013)(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

.002 Phishing: Spearphishing Link

Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.(Citation: EST Kimsuky April 2019)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Kimsuky has used links in e-mail to steal account information including web beacons for target profiling.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)(Citation: Proofpoint TA427 April 2024)

Enterprise T1055 .012 Process Injection: Process Hollowing

Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Kimsuky has used RDP for direct remote point-and-click access.(Citation: Netscout Stolen Pencil Dec 2018)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Kimsuky has downloaded additional malware with scheduled tasks.(Citation: KISA Operation Muzabi)

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.(Citation: Malwarebytes Kimsuky June 2021)

.002 Search Open Websites/Domains: Search Engines

Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.(Citation: KISA Operation Muzabi)

Enterprise T1505 .003 Server Software Component: Web Shell

Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Kimsuky has checked for the presence of antivirus software with powershell Get-CimInstance -Namespace root/securityCenter2 – classname antivirusproduct.(Citation: KISA Operation Muzabi)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Kimsuky has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons, file exfiltrators, and implants.(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Kimsuky has signed files with the name EGIS CO,. Ltd..(Citation: ThreatConnect Kimsuky September 2020)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Kimsuky has used mshta.exe to run malicious scripts on the system.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: KISA Operation Muzabi)

.010 System Binary Proxy Execution: Regsvr32

Kimsuky has executed malware with regsvr32s.(Citation: KISA Operation Muzabi)

.011 System Binary Proxy Execution: Rundll32

Kimsuky has used `rundll32.exe` to execute malicious scripts and malware on a victim's network.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Kimsuky has used tools that are capable of obtaining credentials from saved mail.(Citation: Netscout Stolen Pencil Dec 2018)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Kimsuky has used pass the hash for authentication to remote access software used in C2.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1204 .001 User Execution: Malicious Link

Kimsuky has lured victims into clicking malicious links.(Citation: KISA Operation Muzabi)

.002 User Execution: Malicious File

Kimsuky has used attempted to lure victims into opening malicious e-mail attachments.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)

Enterprise T1078 .003 Valid Accounts: Local Accounts

Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018)

Enterprise T1102 .002 Web Service: Bidirectional Communication

Kimsuky has used Blogspot pages for C2.(Citation: Talos Kimsuky Nov 2021)

Software

ID Name References Techniques
S1025 Amadey (Citation: BlackBerry Amadey 2020) (Citation: Korean FSI TA505 2020) (Citation: Mandiant APT43 March 2024) File and Directory Discovery, Obfuscated Files or Information, Fast Flux DNS, Security Software Discovery, Native API, Data from Local System, Exfiltration Over C2 Channel, Mark-of-the-Web Bypass, Ingress Tool Transfer, System Information Discovery, Modify Registry, Registry Run Keys / Startup Folder, Deobfuscate/Decode Files or Information, System Owner/User Discovery, System Location Discovery, Web Protocols, System Network Configuration Discovery
S0353 NOKKI (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: Unit 42 Nokki Oct 2018) (Citation: Unit 42 NOKKI Sept 2018) System Time Discovery, Registry Run Keys / Startup Folder, Ingress Tool Transfer, Match Legitimate Name or Location, Obfuscated Files or Information, File Deletion, System Owner/User Discovery, Rundll32, Deobfuscate/Decode Files or Information, Web Protocols, Local Data Staging, System Network Configuration Discovery, Credential API Hooking, File Transfer Protocols, System Information Discovery
S0252 Brave Prince (Citation: Mandiant APT43 March 2024) (Citation: McAfee Gold Dragon) (Citation: Talos Kimsuky Nov 2021) System Information Discovery, Exfiltration Over Unencrypted Non-C2 Protocol, Process Discovery, File and Directory Discovery, Query Registry, System Network Configuration Discovery, Disable or Modify Tools
S0622 AppleSeed (Citation: KISA Operation Muzabi) (Citation: Malwarebytes Kimsuky June 2021) JavaScript, PowerShell, Software Packing, System Network Configuration Discovery, Masquerading, Spearphishing Attachment, Deobfuscate/Decode Files or Information, Process Discovery, Access Token Manipulation, Keylogging, Data from Local System, Match Legitimate Name or Location, System Information Discovery, Automated Collection, Exfiltration Over Web Service, Data Transfer Size Limits, Native API, Archive Collected Data, Fallback Channels, Exfiltration Over C2 Channel, File and Directory Discovery, Obfuscated Files or Information, Web Protocols, File Deletion, Screen Capture, Malicious File, Local Data Staging, Archive via Utility, Registry Run Keys / Startup Folder, Data from Removable Media, System Time Discovery, Regsvr32
S0527 CSPY Downloader (Citation: Cybereason Kimsuky November 2020) File Deletion, Modify Registry, Scheduled Task, Indicator Removal, Code Signing, Ingress Tool Transfer, Masquerade Task or Service, Web Protocols, Malicious File, Bypass User Account Control, System Checks, Software Packing, Indicator Removal
S0032 gh0st RAT (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye Hacking Team) (Citation: Mandiant APT43 March 2024) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) Shared Modules, Modify Registry, Ingress Tool Transfer, Process Injection, Rundll32, Service Execution, DLL Side-Loading, Command and Scripting Interpreter, Query Registry, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Non-Application Layer Protocol, Native API, Process Discovery, Windows Service, Registry Run Keys / Startup Folder, Clear Windows Event Logs, System Information Discovery, File Deletion, Screen Capture, Fast Flux DNS, Keylogging, Standard Encoding, Encrypted Channel
S0526 KGH_SPY (Citation: Cybereason Kimsuky November 2020) Match Legitimate Name or Location, Credentials from Web Browsers, Windows Command Shell, Malicious File, Logon Script (Windows), Ingress Tool Transfer, Web Protocols, Local Email Collection, File and Directory Discovery, Exfiltration Over C2 Channel, Encrypted/Encoded File, PowerShell, Windows Credential Manager, Local Data Staging, Software Discovery, System Information Discovery, Data from Local System, Keylogging, Deobfuscate/Decode Files or Information, Credentials from Password Stores
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: KISA Operation Muzabi) (Citation: Mandiant APT43 March 2024) (Citation: Netscout Stolen Pencil Dec 2018) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0249 Gold Dragon (Citation: Mandiant APT43 March 2024) (Citation: McAfee Gold Dragon) (Citation: Talos Kimsuky Nov 2021) File Deletion, System Owner/User Discovery, Ingress Tool Transfer, Local Data Staging, Registry Run Keys / Startup Folder, Archive Collected Data, Process Discovery, Disable or Modify Tools, File and Directory Discovery, Windows Command Shell, System Information Discovery, Web Protocols, Security Software Discovery, Query Registry
S0111 schtasks (Citation: Cybereason Kimsuky November 2020) (Citation: KISA Operation Muzabi) (Citation: TechNet Schtasks) Scheduled Task
S0414 BabyShark (Citation: CISA AA20-301A Kimsuky) (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: Cybereason Kimsuky November 2020) (Citation: LATEOP) (Citation: Mandiant APT43 March 2024) (Citation: Unit42 BabyShark Apr 2019) (Citation: Unit42 BabyShark Feb 2019) Scheduled Task, System Owner/User Discovery, Ingress Tool Transfer, Query Registry, Mshta, Keylogging, Process Discovery, File and Directory Discovery, Deobfuscate/Decode Files or Information, System Information Discovery, Standard Encoding, File Deletion, Registry Run Keys / Startup Folder, System Network Configuration Discovery, Windows Command Shell
S0262 QuasarRAT (Citation: GitHub QuasarRAT) (Citation: Mandiant APT43 March 2024) (Citation: Securelist APT10 March 2021) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) (Citation: xRAT) Remote Desktop Protocol, Keylogging, Symmetric Cryptography, Credentials from Web Browsers, Registry Run Keys / Startup Folder, Hidden Window, System Information Discovery, Ingress Tool Transfer, System Location Discovery, Modify Registry, Hidden Files and Directories, System Owner/User Discovery, Bypass User Account Control, Data from Local System, Non-Application Layer Protocol, System Network Configuration Discovery, Credentials from Password Stores, Credentials In Files, Windows Command Shell, Proxy, Non-Standard Port, Code Signing, Scheduled Task, Video Capture
S0029 PsExec (Citation: Netscout Stolen Pencil Dec 2018) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  2. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  3. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  4. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
  5. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  6. Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
  7. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  8. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  9. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  10. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  11. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  12. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  13. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  14. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
  15. AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.
  16. ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021.
  17. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.