Unmasking the Kimsuky Hackers

2024-03-30 haidragon Unmasking the Kimsuky Hackers

https://mp.weixin.qq.com/s?__biz=MzkwOTE5MDY5NA==&mid=2247494713&idx=1&sn=da10e98545daabe66e8bdee567d67c69&chksm=c0ccb694e87071043daa2db3e09fc5178cfe4088d002a9c16cdcf95ac8273f21ce9cb36fae49&scene=126&sessionid=1711758738&key=adc69fa84030ff254b0f19fde373ab5bb04f27e9d750fe8857d7978d95775d6291fd690199ed930ca2d3aac5f2f87563406e4056172d2bb718e266b018e579696ac07a98c4ab854379e8491e2833f2288186eb2fbd4cc9469b3ab8f69203a67da7bc1af816f02bd3dc6b6900aed7ad4a583fd5bd7230c778361dce2d1333123c

The Chinese-language analysis attributes activity to Kimsuky and describes exploitation of ConnectWise ScreenConnect CVE-2024-1708 and CVE-2024-1709 to deploy ToddlerShark, a newer variant related to BabyShark and ReconShark. After gaining access to ScreenConnect endpoints, the operators use Microsoft binaries such as mshta.exe to run obfuscated VBScript, modify Office macro settings, and create scheduled tasks for persistence. ToddlerShark collects host information, encodes it in PEM certificate data, and exfiltrates it to C2 infrastructure. The report also reviews BabyShark behavior, HTA-based staging, macro persistence, HTTP C2 traffic, registry changes, and representative hashes and URLs for hunting.

Indicators of Compromise

Type    Value                               First Seen  Last Seen
HASH    53d5d5890514cd89fb4fd773da22badf    2024-03-30  2024-03-30
HASH    94a09aff59c0c27d1049509032d5ba0…    2019-02-22  2024-03-30
HASH    1334c087390fb946c894c1863dfc9f0…    2019-02-22  2024-03-30
HASH    9d842c9c269345cd3b2a9ce7d338a03…    2019-02-22  2024-03-30
HASH    6f76a8e16908ba2d576cf0e8cdb7011…    2019-02-22  2024-03-30
HASH    dc425e93e83fe02da9c76b56f6fd286…    2019-02-22  2024-03-30
HASH    52b898adaaf2da71c5ad6b3dfd3ecf6…    2019-02-22  2024-03-30
HASH    66439f0e377bbe8cda3e516e801a86c…    2019-02-22  2024-03-30
HASH    331d17dbe4ee61d8f2c91d7e4af17fb…    2019-02-22  2024-03-30
HASH    2b6dc1a826a4d5d5de5a30b458e6ed9…    2019-02-22  2024-03-30
HASH    7b77112ac7cbb7193bcd891ce48ab2a…    2019-02-22  2024-03-30
HASH    8ef4bc09a9534910617834457114b92…    2019-02-22  2024-03-30
URL     https://tdalpacafarm.com/files/…    2019-02-22  2024-03-30
DOMAIN  tdalpacafarm.com                    2019-02-22  2024-03-30
