Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

KGH_SPY

KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing "KGH".(Citation: Cybereason Kimsuky November 2020)
ID: S0526
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 06 Nov 2020
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

KGH_SPY can send data to C2 with HTTP POST requests.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

KGH_SPY has the ability to set the HKCU\Environment\UserInitMprLogonScript Registry key to execute logon scripts.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

KGH_SPY can execute PowerShell commands on the victim's machine.(Citation: Cybereason Kimsuky November 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

KGH_SPY has the ability to set a Registry key to run a cmd.exe command.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.(Citation: Cybereason Kimsuky November 2020)

.004 Credentials from Password Stores: Windows Credential Manager

KGH_SPY can collect credentials from the Windows Credential Manager.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1074 .001 Data Staged: Local Data Staging

KGH_SPY can save collected system information to a file named "info" before exfiltration.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1114 .001 Email Collection: Local Email Collection

KGH_SPY can harvest data from mail clients.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1056 .001 Input Capture: Keylogging

KGH_SPY can perform keylogging by polling the GetAsyncKeyState() function.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

KGH_SPY has masqueraded as a legitimate Windows tool.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

KGH_SPY has used encrypted strings in its installer.(Citation: Cybereason Kimsuky November 2020)

Enterprise T1204 .002 User Execution: Malicious File

KGH_SPY has been spread through Word documents containing malicious macros.(Citation: Cybereason Kimsuky November 2020)

Groups That Use This Software

ID Name References
G0094 Kimsuky

(Citation: Cybereason Kimsuky November 2020)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.