Commonalities Discovered Between the APT Campaigns of the 'Konni' and 'Kimsuky' Groups
2019-06-10 • ESTSecurity • Discovering commonalities between APT campaign 'Konni' & 'Kimsuky' organizations
ESRC links Konni activity to Thallium/Kimsuky and describes spear-phishing campaigns that used North Korea-themed lures before expanding into cryptocurrency-related targeting. One malicious document masqueraded as a Huobi Research Weekly file, prompted macro execution, downloaded a DAT payload, and fetched a decoy document to reduce suspicion. The payload installed itself under a Chrome-like Roaming directory, executed through rundll32 with the insrchmdl argument, and established persistence through the Run registry key. The excerpt identifies C2 infrastructure including fighiting1013[.]org and naoei3-tosma.96[.]lt, and notes FTP-based command activity, attacker-staged variants, and overlap with Kimsuky-linked WSF tradecraft from Operation Cobra Venom.
Indicators of Compromise