
Kimsuky

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky) Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
ID: G0094
Associated Groups: Thallium, Black Banshee, STOLEN PENCIL, Velvet Chollima
Version: 3.1
Created: 26 Aug 2019
Last Modified: 24 May 2022

Associated Group Descriptions

Name Description
Thallium (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)
Black Banshee (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)
STOLEN PENCIL (Citation: Netscout Stolen Pencil Dec 2018)
Velvet Chollima (Citation: Zdnet Kimsuky Dec 2018)(Citation: ThreatConnect Kimsuky September 2020)(Citation: Malwarebytes Kimsuky June 2021)

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Kimsuky has registered domains to spoof targeted organizations and trusted third parties.(Citation: ThreatConnect Kimsuky September 2020)(Citation: Zdnet Kimsuky Group September 2020)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)

.004 Acquire Infrastructure: Server

Kimsuky has purchased hosting servers with virtual currency and prepaid cards.(Citation: KISA Operation Muzabi)

.006 Acquire Infrastructure: Web Services

Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Kimsuky has used HTTP GET and POST requests for C2.(Citation: Talos Kimsuky Nov 2021)

.002 Application Layer Protocol: File Transfer Protocols

Kimsuky has used FTP to download additional malware to the target machine.(Citation: VirusBulletin Kimsuky October 2019)

.003 Application Layer Protocol: Mail Protocols

Kimsuky has used e-mail to send exfiltrated data to C2 servers.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Kimsuky has used QuickZip to archive stolen files before exfiltration.(Citation: Talos Kimsuky Nov 2021)

.003 Archive Collected Data: Archive via Custom Method

Kimsuky has RC4-encrypted collected data before exfiltration.(Citation: Securelist Kimsuky Sept 2013)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence and modified the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` Registry key.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Kimsuky has executed a variety of PowerShell scripts.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

.003 Command and Scripting Interpreter: Windows Command Shell

Kimsuky has executed Windows commands by using `cmd` and running batch scripts.(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

.005 Command and Scripting Interpreter: Visual Basic

Kimsuky has used Visual Basic to download malicious payloads.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021) Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.(Citation: Talos Kimsuky Nov 2021)

.006 Command and Scripting Interpreter: Python

Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.(Citation: CISA AA20-301A Kimsuky)(Citation: KISA Operation Muzabi)

.007 Command and Scripting Interpreter: JavaScript

Kimsuky has used JScript for logging and downloading additional tools.(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Kimsuky has compromised email accounts to send spearphishing e-mails.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)

Enterprise T1584 .001 Compromise Infrastructure: Domains

Kimsuky has compromised legitimate sites and used them to distribute malware.(Citation: KISA Operation Muzabi)

Enterprise T1136 .001 Create Account: Local Account

Kimsuky has created accounts with net user.(Citation: KISA Operation Muzabi)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Kimsuky has created new services for persistence.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Kimsuky has used browser extensions for Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump passwords stored in victims' browsers.(Citation: Zdnet Kimsuky Dec 2018)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)

Enterprise T1587 .001 Develop Capabilities: Malware

Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.(Citation: KISA Operation Muzabi)(Citation: Talos Kimsuky Nov 2021)

Enterprise T1114 .002 Email Collection: Remote Email Collection

Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.(Citation: KISA Operation Muzabi)

.003 Email Collection: Email Forwarding Rule

Kimsuky has set auto-forward rules on victim's e-mail accounts.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.(Citation: KISA Operation Muzabi)

.002 Establish Accounts: Email Accounts

Kimsuky has created email accounts for phishing operations.(Citation: KISA Operation Muzabi)

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.(Citation: Securelist Kimsuky Sept 2013)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

Kimsuky has collected valid email addresses that were subsequently used in spearphishing campaigns.(Citation: Malwarebytes Kimsuky June 2021)

.003 Gather Victim Identity Information: Employee Names

Kimsuky has collected victim employee name information.(Citation: KISA Operation Muzabi)

Enterprise T1564 .002 Hide Artifacts: Hidden Users

Kimsuky has run reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' /v to hide a newly created user.(Citation: KISA Operation Muzabi)

.003 Hide Artifacts: Hidden Window

Kimsuky has used an information gathering module that will hide an AV software window from the victim.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)

.004 Impair Defenses: Disable or Modify System Firewall

Kimsuky has been observed disabling the system firewall.(Citation: Securelist Kimsuky Sept 2013)

Enterprise T1070 .004 Indicator Removal: File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

.006 Indicator Removal: Timestomp

Kimsuky has manipulated file creation and compilation timestamps as an anti-forensic measure.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1056 .001 Input Capture: Keylogging

Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.(Citation: EST Kimsuky April 2019)(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Kimsuky has disguised services to appear as benign software or related to operating system functions.(Citation: CISA AA20-301A Kimsuky)

.005 Masquerading: Match Legitimate Name or Location

Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.(Citation: KISA Operation Muzabi)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Kimsuky has gathered credentials using Mimikatz and ProcDump.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Kimsuky has packed malware with UPX.(Citation: Malwarebytes Kimsuky June 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassView, Mimikatz, and PsExec.(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)

.005 Obtain Capabilities: Exploits

Kimsuky has obtained exploit code for various CVEs.(Citation: KISA Operation Muzabi)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Securelist Kimsuky Sept 2013)(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

.002 Phishing: Spearphishing Link

Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.(Citation: EST Kimsuky April 2019)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Kimsuky has used links in e-mail to steal account information.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)

Enterprise T1055 .012 Process Injection: Process Hollowing

Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Kimsuky has used RDP for direct remote point-and-click access.(Citation: Netscout Stolen Pencil Dec 2018)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Kimsuky has downloaded additional malware with scheduled tasks.(Citation: KISA Operation Muzabi)

Enterprise T1593 .001 Search Open Websites/Domains: Social Media

Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.(Citation: Malwarebytes Kimsuky June 2021)

.002 Search Open Websites/Domains: Search Engines

Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.(Citation: KISA Operation Muzabi)

Enterprise T1505 .003 Server Software Component: Web Shell

Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Kimsuky has checked for the presence of antivirus software with powershell Get-CimInstance -Namespace root/securityCenter2 -ClassName antivirusproduct.(Citation: KISA Operation Muzabi)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Kimsuky has used Blogspot to host malicious content such as beacons, file exfiltrators, and implants.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Kimsuky has signed files with the name EGIS CO,. Ltd..(Citation: ThreatConnect Kimsuky September 2020)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Kimsuky has used mshta.exe to run malicious scripts on the system.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: KISA Operation Muzabi)

.010 System Binary Proxy Execution: Regsvr32

Kimsuky has executed malware with regsvr32.(Citation: KISA Operation Muzabi)

.011 System Binary Proxy Execution: Rundll32

Kimsuky has used `rundll32.exe` to execute malicious scripts and malware on a victim's network.(Citation: Talos Kimsuky Nov 2021)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Kimsuky has used tools that are capable of obtaining credentials from saved mail.(Citation: Netscout Stolen Pencil Dec 2018)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Kimsuky has used pass the hash for authentication to remote access software used in C2.(Citation: CISA AA20-301A Kimsuky)

Enterprise T1204 .001 User Execution: Malicious Link

Kimsuky has lured victims into clicking malicious links.(Citation: KISA Operation Muzabi)

.002 User Execution: Malicious File

Kimsuky has attempted to lure victims into opening malicious e-mail attachments.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)

Enterprise T1078 .003 Valid Accounts: Local Accounts

Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018)

Enterprise T1102 .002 Web Service: Bidirectional Communication

Kimsuky has used Blogspot pages for C2.(Citation: Talos Kimsuky Nov 2021)
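As an added defender-side example (not from the original page or from any of the cited reports), the following Python detection logic runs over constructed Sysmon-style events and flags two registry behaviours listed in the table above: RunOnce persistence pointing at a script in a user-writable path (T1547.001) and a local account hidden through the Winlogon SpecialAccounts\UserList key, correlated with a preceding `net user /add` (T1564.002 with T1136.001). The event shape, field names, paths and account names are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample events in a Sysmon-like shape (EventID 1 = process creation,
# EventID 13 = registry value set). Made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup Passw0rd! /add"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
                    r'\SpecialAccounts\UserList" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\patch.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\upd",
     "Details": r"wscript.exe C:\Users\victim\AppData\Roaming\upd.vbs"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",  # benign installer cleanup
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\!Cleanup",
     "Details": r"C:\Windows\Installer\MSI1234.tmp /cleanup"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\helpdesk",
     "Details": "DWORD (0x00000000)"},
]

RUNONCE_RE = re.compile(r"\\CurrentVersion\\RunOnce\\", re.I)
USERLIST_RE = re.compile(r"Winlogon\\SpecialAccounts\\UserList\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b", re.I)
NET_USER_ADD_RE = re.compile(r"\bnet1?(\.exe)?\s+user\s+(\S+)\s+.*?/add\b", re.I)
# A REG_DWORD of 0 named after an account under UserList hides that account from
# the logon UI; this pattern matches the reg.exe form of such a write.
REG_HIDE_RE = re.compile(r"SpecialAccounts\\UserList.*?/v\s+(\S+).*?/d\s+0\b", re.I)


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert dict per suspicious event, in event order."""
    alerts, created = [], set()
    for ev in events:
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            m = NET_USER_ADD_RE.search(cmd)
            if m:  # remember accounts created locally in this log set
                created.add(m.group(2).lower())
            m = REG_HIDE_RE.search(cmd)
            if m:
                alerts.append(_hidden_user(m.group(1), created, ev))
        elif ev.get("EventID") == 13:
            target, data = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUNONCE_RE.search(target) and (USER_WRITABLE_RE.search(data) or SCRIPT_EXT_RE.search(data)):
                alerts.append({"rule": "T1547.001 RunOnce -> script or user-writable path",
                               "severity": "medium", "image": ev.get("Image"),
                               "target": target, "data": data})
            else:
                m = USERLIST_RE.search(target)
                if m and data.strip().upper() in ("DWORD (0X00000000)", "0"):
                    alerts.append(_hidden_user(m.group(1), created, ev))
    return alerts


def _hidden_user(user: str, created: set, ev: Dict) -> Dict:
    user = user.lower()
    # Hiding an account that this same log set shows being created is the
    # strongest signal; hiding a pre-existing account still deserves review.
    return {"rule": "T1564.002 hidden local user via UserList", "user": user,
            "severity": "high" if user in created else "medium",
            "image": ev.get("Image")}


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The msiexec RunOnce write is deliberately included as a benign control: it targets an installer path without a script extension and produces no alert.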

Software

ID Name References Techniques
S0353 NOKKI (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: Unit 42 Nokki Oct 2018) (Citation: Unit 42 NOKKI Sept 2018) System Time Discovery, Registry Run Keys / Startup Folder, Ingress Tool Transfer, Match Legitimate Name or Location, Obfuscated Files or Information, File Deletion, System Owner/User Discovery, Rundll32, Deobfuscate/Decode Files or Information, Web Protocols, Local Data Staging, System Network Configuration Discovery, Credential API Hooking, File Transfer Protocols, System Information Discovery
S0252 Brave Prince (Citation: McAfee Gold Dragon) (Citation: Talos Kimsuky Nov 2021) System Information Discovery, Exfiltration Over Unencrypted Non-C2 Protocol, Process Discovery, File and Directory Discovery, Query Registry, System Network Configuration Discovery, Disable or Modify Tools
S0622 AppleSeed (Citation: KISA Operation Muzabi) (Citation: Malwarebytes Kimsuky June 2021) JavaScript, PowerShell, Software Packing, System Network Configuration Discovery, Masquerading, Spearphishing Attachment, Deobfuscate/Decode Files or Information, Process Discovery, Access Token Manipulation, Keylogging, Data from Local System, Match Legitimate Name or Location, System Information Discovery, Automated Collection, Exfiltration Over Web Service, Data Transfer Size Limits, Native API, Archive Collected Data, Fallback Channels, Exfiltration Over C2 Channel, File and Directory Discovery, Obfuscated Files or Information, Web Protocols, File Deletion, Screen Capture, Malicious File, Local Data Staging, Archive via Utility, Registry Run Keys / Startup Folder, Data from Removable Media, System Time Discovery, Regsvr32
S0527 CSPY Downloader (Citation: Cybereason Kimsuky November 2020) File Deletion, Modify Registry, Scheduled Task, Indicator Removal, Code Signing, Ingress Tool Transfer, Masquerade Task or Service, Web Protocols, Malicious File, Bypass User Account Control, System Checks, Software Packing, Indicator Removal
S0526 KGH_SPY (Citation: Cybereason Kimsuky November 2020) Match Legitimate Name or Location, Credentials from Web Browsers, Windows Command Shell, Malicious File, Logon Script (Windows), Ingress Tool Transfer, Web Protocols, Local Email Collection, File and Directory Discovery, Exfiltration Over C2 Channel, Obfuscated Files or Information, PowerShell, Windows Credential Manager, Local Data Staging, Software Discovery, System Information Discovery, Data from Local System, Keylogging, Deobfuscate/Decode Files or Information, Credentials from Password Stores
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: KISA Operation Muzabi) (Citation: Netscout Stolen Pencil Dec 2018) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0249 Gold Dragon (Citation: McAfee Gold Dragon) (Citation: Talos Kimsuky Nov 2021) File Deletion, System Owner/User Discovery, Ingress Tool Transfer, Local Data Staging, Registry Run Keys / Startup Folder, Archive Collected Data, Process Discovery, Disable or Modify Tools, File and Directory Discovery, Windows Command Shell, System Information Discovery, Web Protocols, Security Software Discovery, Query Registry
S0111 schtasks (Citation: Cybereason Kimsuky November 2020) (Citation: KISA Operation Muzabi) (Citation: TechNet Schtasks) Scheduled Task
S0414 BabyShark (Citation: CISA AA20-301A Kimsuky) (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: Cybereason Kimsuky November 2020) (Citation: Unit42 BabyShark Apr 2019) (Citation: Unit42 BabyShark Feb 2019) Scheduled Task, System Owner/User Discovery, Ingress Tool Transfer, Query Registry, Mshta, Keylogging, Process Discovery, File and Directory Discovery, Deobfuscate/Decode Files or Information, System Information Discovery, Standard Encoding, File Deletion, Registry Run Keys / Startup Folder, System Network Configuration Discovery, Windows Command Shell
S0029 PsExec (Citation: Netscout Stolen Pencil Dec 2018) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  2. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  3. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  4. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  5. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  6. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  7. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  8. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  9. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  10. Cimpanu, C. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
  11. Tarakanov, D. (2013, September 11). The "Kimsuky" Operation: A North Korean APT?. Retrieved August 13, 2019.
  12. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  13. AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.
  14. BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.
  15. ESTSecurity. (2019, April 17). Analysis of the APT Campaign 'Smoke Screen' targeting Korea and the US. Source: https://blog.alyac.co.kr/2243 [ESTsecurity Alyac blog]. Retrieved September 29, 2021.
