Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)

2023-12-01 AhnLab Kimsuky group (RftRAT, Amadey) uses AutoIt to create malware

https://asec.ahnlab.com/ko/59460/


Kimsuky used spear phishing attachments and download links to deliver archive files containing decoy documents and malicious LNK shortcuts, then unpacked BAT and VBS scripts for collection, persistence, and payload download. ASEC analyzed 2023 activity where the group installed XRat, Amadey, and RftRAT after initial access, including loaders that decrypted payloads from companion configuration files and injected them into normal processes. The report notes newer AutoIt variants of Amadey and RftRAT, with Amadey preserving its HTTP request structure, Korean antivirus checks, DGA-based backup C2 logic, and support for additional exe, DLL, PowerShell, VBS, and JavaScript payloads. RftRAT activity included svchost.exe injection, UAC bypass through ICMLuaUtil, system information collection, and command handling through files under the user profile.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 39e755c08156123e4cabac6bf8d1fd3a 2023-12-01 2023-12-08
HASH 14a7f83d6215a4d4c426ad371e0810a2 2023-12-01 2023-12-08
HASH 7f582f0c5c9a14c736927d4dbb47c5fa 2023-12-01 2023-12-08
HASH f5ea621f482f9ac127e8f7b784733514 2023-12-01 2023-12-08
HASH 94aef716b23e8fa96808f1096724f77f 2023-12-01 2023-12-08
HASH e665a985f71567f24a293ea430aad67d 2023-12-01 2023-12-08
HASH 119063c82373598d00d17734dd280016 2023-12-01 2023-12-08
HASH d070cf19b66da341f64c01f8195afaed 2023-12-01 2023-12-08
HASH 32696d9e1e72affaf8bc707ab271200d 2023-12-01 2023-12-08
HASH 0786984ab46482637c2d483ffbaf66dc 2023-12-01 2023-12-08
HASH b67e6e4c16e0309cfc2511414915df15 2023-12-01 2023-12-08
HASH 74d5dac64c0740d3ff5a9e3aca51ccdf 2023-12-01 2023-12-08
HASH 068d395c60e32f01b5424e2a8591ba73 2023-12-01 2023-12-08
HASH 0f5762be09db44b2f0ccf05822c8531a 2023-12-01 2023-12-08
HASH d820ddb3026a5960b2c6f39780480d28 2023-12-01 2023-12-08
HASH 0fc1c99fd0d6f5488ab77e296216c7c6 2023-12-01 2023-12-08
HASH 4b667f7ea5bdc9d872774f733fdf4d6a 2023-12-01 2023-12-08
HASH 4fc726ab835ce559bada42e695b3d341 2023-12-01 2023-12-08
HASH c55da826e50e2615903607e61968778f 2023-12-01 2023-12-08
HASH 862a855557cc274ab86e226e45338cff 2023-12-01 2023-12-08
HASH cf3440fa165e3f78d2a2252a6924f702 2023-12-01 2023-12-08
HASH 5c2809177bb95edc68f9a08a96420bb7 2023-12-01 2023-12-08
HASH aaa42b1209ed54bfcbd2493fe073d59b 2023-12-01 2023-12-08
HASH e860dac57933f63be9a374fb78bca209 2023-12-01 2023-12-08
HASH bac7f5eefe6a67e9555e93b0d950db59 2023-12-01 2023-12-08
HASH 1f63ce3677253636a273a88c5b26418d 2023-12-01 2023-12-08
HASH baa058003bf79ba82ac1b744ed8d58cb 2023-12-01 2023-12-08
HASH c52410ed6787c39db87c4158e73089d4 2023-12-01 2023-12-08
HASH c87094e261860e3a1f70b0681e1bc8c5 2023-12-01 2023-12-08
HASH f76cde928a6eda27793ade673bcd6620 2023-12-01 2023-12-08
HASH 6f7cd8c0d9bfb0f97083e4431e4944c1 2023-12-01 2023-12-08
HASH 1003a440c710ddf7faa1a54919dd01d8 2023-12-01 2023-12-08
HASH 0bf558adde774215bb221465a4edd2fe 2023-12-01 2023-12-08
HASH d541aa6bae0f8c9bd7e7b6193b52e8f2 2023-12-01 2023-12-08
HASH 355817015c8510564c6ac89c976f2416 2023-12-01 2023-12-08
HASH f9c4d236b893c0d72321a9210359f530 2023-12-01 2023-12-08
HASH 38182f1f0a1cf598295cfbbabd9c5bf4 2023-12-01 2023-12-08
HASH 1ac0b0da11e413a21bec08713e1e7c59 2023-12-01 2023-12-08
HASH 4eddf54757ae168450882176243d2bd2 2023-12-01 2023-12-08
HASH a7c9b4d70e4fad86598de37d7bf1fe96 2023-12-01 2023-12-08
HASH e96ca2aa7c6951802e4b17649cc5b581 2023-12-01 2023-12-08
HASH b1337eb53b21594ac5dbd76138054ffb 2023-12-01 2023-12-08
HASH 187aa9b12c05cd1ff030044786903e7e 2023-12-01 2023-12-08
HASH 4d4d485d3bfd3cbc97ed4b9a671f740f 2023-12-01 2023-12-08
HASH 093608a2d6eb098eb7ea917cc22e9998 2023-12-01 2023-12-08
HASH e22336eaf1980d2be5feed61b2dbc839 2023-12-01 2023-12-08
HASH f3caa0f922600b4423ebcb16d7ea2dc6 2023-12-01 2023-12-08
HASH c5a1305aba22c8fedd6624753849905b 2023-12-01 2023-12-08
HASH 7b6471f4430c2d6907ce4d349f59e69f 2023-12-01 2023-12-08
HASH 272c29bf65680b1ac8ec7f518780ba92 2023-12-01 2023-12-08
HASH aa2cf925bae24c5cad2b1e1ad745b881 2023-12-01 2023-12-08
URL https://topspace.org/index.php 2023-12-01 2023-12-08
URL https://theservicellc.com/index… 2023-12-01 2023-12-08
URL https://techgolfs.com/index.php 2023-12-01 2023-12-08
URL https://splitbusiness.com/index… 2023-12-01 2023-12-08
URL http://brhosting.net/index.php 2023-12-01 2023-12-08
URL https://prohomepage.net/index.p… 2023-12-01 2023-12-08
DOMAIN splitbusiness.com 2023-12-01 2023-12-08
DOMAIN techgolfs.com 2023-12-01 2023-12-08
DOMAIN brhosting.net 2023-12-01 2023-12-08
DOMAIN theservicellc.com 2023-12-01 2023-12-08
DOMAIN topspace.org 2023-12-01 2023-12-08
DOMAIN prohomepage.net 2023-12-01 2023-12-08
IPv4 23.236.181.108 2023-12-01 2023-12-08
IPv4 45.76.93.204 2023-12-01 2023-12-08
IPv4 192.236.154.125 2023-12-01 2023-12-08
IPv4 152.89.247.57 2023-12-01 2023-12-08
IPv4 91.202.5.80 2023-12-01 2023-12-08
IPv4 209.127.37.40 2023-12-01 2023-12-08
IPv4 172.93.201.248 2023-12-01 2023-12-08
