Analysis of document-type malware attacks by North Korean hacking groups

2021-11-01 Somansa Analysis of document-type malware attacks by North Korean hacking groups

https://www.somansa.com/wp-content/uploads/2022/04/north2021.11.pdf


Somansa's report reviews document-based malware attacks by North Korean hacking groups against South Korean targets. It describes Lazarus, Kimsuky, ScarCruft, and Andariel as groups conducting spear-phishing and APT operations against major companies, the Ministry of National Defense, defense contractors, government-related bodies, and other institutions. The analyzed cases used malicious documents with embedded code and deceptive filenames or themes to persuade victims to open files, allowing attacker-controlled malware to run on the victim's PC.

Indicators of Compromise

