북한 김수키(Kimsuky)에서 만든 악성코드-DDD.html(2023.03.27)
2023-03-29 • Sakai • Malicious code created by North Korea's Kimsuky - DDD.html (2023.03.27) •
A Korean malware-analysis post attributes DDD.html to Kimsuky and describes it as JavaScript/VBScript malware used in North Korea-linked activity against South Korea-focused targets. The sample hides VBScript logic that creates a WScript.Shell object, attempts to kill mstsc.exe and shut down the system, and sends synchronous POST traffic to zetaros.000webhostapp.com search paths. The source lists multiple hashes for the HTML sample, C2-style URLs under zetaros.000webhostapp.com, IPs 145.14.144.162 and 145.14.145.67 on TCP/80, and antivirus detections such as Downloader/VBS.Kimsuky.S1997 and VBS/TrojanDownloader.Agent.YND. The report is useful for Kimsuky tracking because it ties script behavior, network infrastructure, and representative file indicators to a specific March 2023 sample.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 7a45a529b275cfaa6ebde88bf00413a… | 2023-03-29 | 2023-03-29 |
| HASH | 76f3f377aa66f9beaa8a103a4dd67f4… | 2023-03-29 | 2023-03-29 |
| URL | http://zetaros.000webhostapp.co… | 2023-03-29 | 2023-03-29 |
| URL | http://zetaros.000webhostapp.co… | 2023-03-29 | 2023-03-29 |
| URL | http://zetaros.000webhostapp.co… | 2023-03-29 | 2023-03-29 |
| URL | http://zetaros.000webhostapp.co… | 2023-03-29 | 2023-03-29 |
| IPv4 | 145.14.145.67 | 2023-03-29 | 2023-03-29 |
| IPv4 | 145.14.144.162 | 2023-03-29 | 2023-03-29 |
| HASH | ec3c0d9cbf4e27e0240c5b5d888687ec | 2023-03-24 | 2023-03-29 |
| DOMAIN | zetaros.000webhostapp.com | 2023-03-24 | 2023-03-29 |