Malicious link file made by Konni impersonating Kakao security mail: phishing 카카오 뱅크 보안메일 비밀번호.lnk (Kakao Bank security mail password.lnk) (2023.9.26)
2023-10-16 • Sakai • Malicious link file made by Konni impersonating Kakao security mail: phishing Kakao Bank security mail password.lnk (2023.9.26)
A Korean malware analysis links a Kakao Bank security mail themed LNK file to Konni, a cluster associated with Thallium/APT37 and possibly Kimsuky. The shortcut drops a fake security-mail HTML file into the user temp directory, extracts a ZIP into C:\Users\Public, and launches an embedded mfc100.dll through rundll32 via a generated batch file. The PowerShell routine searches for the specific LNK by size, carves embedded content from it, and runs the payload while presenting a Korean password prompt. The sample contacts naver-file.com over HTTPS and uses additional network endpoints including 5.8.71.81:443 and 8.247.211.254:80.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | e72c90aedd2ef27226d891f464caec1… | 2023-10-16 | 2023-10-16 |
| URL | http://sfsn.yettiesoft.com/vest… | 2023-10-16 | 2023-10-16 |
| DOMAIN | sfsn.yettiesoft.com | 2023-10-16 | 2023-10-16 |
| DOMAIN | mynumber.card.jp | 2023-10-16 | 2023-10-16 |
| HASH | 7336068f2c5ed3ed154b6c8b1d72726a | 2023-09-26 | 2023-10-16 |
| HASH | cb675bbebcc4a77cf5a3b341734b84de | 2023-06-09 | 2023-10-16 |
| HASH | 39663e144dc00e3eff004895347a91c… | 2023-06-09 | 2023-10-16 |
| URL | https://naver-file.com:443/down… | 2023-06-09 | 2023-10-16 |
| IPv4 | 5.8.71.81 | 2023-06-09 | 2023-10-16 |
| IPv4 | 8.247.211.254 | 2023-06-09 | 2023-10-16 |
| HASH | 0e926d8b6fbf6f14a2a19d4d4af8432… | 2023-05-01 | 2023-10-16 |
| HASH | 5a3f1d14b9cc4890db64fbc41818d70… | 2023-05-01 | 2023-10-16 |
| DOMAIN | naver-file.com | 2023-05-01 | 2023-10-16 |