Back to the Future: Inside the Kimsuky KGH Spyware Suite

2020-11-02 Cybereason

https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite


Cybereason Nocturnus documented Kimsuky’s KGH_SPY modular spyware suite and the related CSPY Downloader, used in espionage operations against South Korean institutions, human-rights groups, think tanks, research organizations, journalists, and other entities tied to Korean Peninsula issues. KGH_SPY provides reconnaissance, keylogging, information stealing, and backdoor capabilities; CSPY Downloader runs anti-analysis checks before retrieving additional payloads. The investigation tied the new infrastructure to prior Kimsuky tooling such as BabyShark and AppleSeed through overlapping URI patterns, domains, strings, file naming, a revoked EGIS code-signing certificate, PDB paths, and shared decryption behavior. The report also notes weaponized Word documents as the infection vector and timestamp tampering intended to complicate forensic analysis.

Indicators of Compromise

Type    Value                             First Seen  Last Seen
URL     http://foxonline123.atwebpages.…  2020-11-02  2021-05-01
DOMAIN  foxonline123.atwebpages.com       2020-11-02  2021-05-01
DOMAIN  portable.epizy.com                2020-09-04  2021-05-01
DOMAIN  eastsea.or.kr                     2020-11-02  2020-11-12
HASH    7af3930958f84e0b64f8297d1a556aa…  2020-11-02  2020-11-02
HASH    90d00ecb1e903959a3853e8ee1c8af8…  2020-11-02  2020-11-02
HASH    97d4898c4e70335f0adbbace3459323…  2020-11-02  2020-11-02
HASH    65fe4cd6deed85c3e39b9c1bb7c403d…  2020-11-02  2020-11-02
HASH    f846981567760d40b5a90c8923ca8c2…  2020-11-02  2020-11-02
HASH    d88c5695ccd83dce6729b84c8c43e8a…  2020-11-02  2020-11-02
HASH    e9ea5d4e96211a28fe97ecb21b73723…  2020-11-02  2020-11-02
HASH    e4d28fd7e0fc63429fc199c1b683340…  2020-11-02  2020-11-02
HASH    f989d13f7d0801b32735fee018e816f…  2020-11-02  2020-11-02
HASH    af13b16416760782ec81d587736cb4c…  2020-11-02  2020-11-02
HASH    66fc8b03bc0ab95928673e0ae7f06f3…  2020-11-02  2020-11-02
HASH    bcf4113ec8e888163f1197a1dd9430a…  2020-11-02  2020-11-02
HASH    fa282932f1e65235dc6b7dba2b397a1…  2020-11-02  2020-11-02
HASH    7158099406d99db82b7dc9f6418c118…  2020-11-02  2020-11-02
HASH    87b35e1998bf00a8b7e32ed391c217d…  2020-11-02  2020-11-02
URL     http://wave.posadadesantiago.co…  2020-11-02  2020-11-02
URL     http://hao.aini.pe.hu/init/imag…  2020-11-02  2020-11-02
URL     http://attachchosun.atwebpages.…  2020-11-02  2020-11-02
URL     http://portable.epizy.com/img/p…  2020-11-02  2020-11-02
URL     http://nhpurumy.mireene.com/the…  2020-11-02  2020-11-02
URL     http://mernberinfo.tech/wp-data…  2020-11-02  2020-11-02
URL     http://dongkuiri.atwebpages.com…  2020-11-02  2020-11-02
URL     http://myaccounts.posadadesanti…  2020-11-02  2020-11-02
URL     http://eastsea.or.kr/?m=a&p1=00…  2020-11-02  2020-11-02
URL     http://csv.posadadesantiago.com…  2020-11-02  2020-11-02
URL     http://wave.posadadesantiago.co…  2020-11-02  2020-11-02
URL     http://myaccounts.posadadesanti…  2020-11-02  2020-11-02
DOMAIN  dongkuiri.atwebpages.com          2020-11-02  2020-11-02
DOMAIN  csv.posadadesantiago.com          2020-11-02  2020-11-02
DOMAIN  hao.aini.pe.hu                    2020-11-02  2020-11-02
DOMAIN  attachchosun.atwebpages.com       2020-11-02  2020-11-02
DOMAIN  myaccounts.posadadesantiago.com   2020-11-02  2020-11-02
DOMAIN  mernberinfo.tech                  2020-11-02  2020-11-02
HASH    252d1b7a379f97fddd691880c1cf93e…  2020-09-28  2020-11-02
URL     http://wave.posadadesantiago.co…  2020-09-28  2020-11-02
DOMAIN  wave.posadadesantiago.com         2020-09-28  2020-11-02
IPv4    173.205.125.124                   2020-09-28  2020-11-02
DOMAIN  nhpurumy.mireene.com              2020-03-20  2020-11-02
URL     http://jmable.mireene.com/shop/…  2019-05-10  2020-11-02
DOMAIN  jmable.mireene.com                2019-05-10  2020-11-02
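To turn the table above into something a detection pipeline can use, the script below (an added example, not tooling from the Cybereason report or from this page) matches the indicators against log lines. Two points a practitioner would want handled: the page truncates URL and hash values with "…", so the script keeps those values as prefixes and matches by prefix (an exact-match feed built from this table would miss every truncated indicator), and it matches only the listed hostnames and their subdomains, never a parent zone, because several indicators sit under parent zones that host many unrelated sites (atwebpages.com, epizy.com). The log format, the log lines, every path and query string, and the tail of the sample hash are constructed for the example; only the indicator values come from the table.

```python
"""Scan log lines for the indicators in the IOC table above.

Added example; not tooling from the Cybereason report or this page.
Indicator values are copied from the table. Values the page truncates with
"…" are kept as prefixes and matched by prefix. The log format, the log
lines, all paths and the tail of the sample hash are constructed.
"""
import re
from urllib.parse import urlsplit

# Full hostnames and the IPv4 address from the table (exact or subdomain match).
DOMAINS = {
    "foxonline123.atwebpages.com", "portable.epizy.com", "eastsea.or.kr",
    "dongkuiri.atwebpages.com", "csv.posadadesantiago.com", "hao.aini.pe.hu",
    "attachchosun.atwebpages.com", "myaccounts.posadadesantiago.com",
    "mernberinfo.tech", "wave.posadadesantiago.com", "nhpurumy.mireene.com",
    "jmable.mireene.com",
}
IPS = {"173.205.125.124"}

# URL values exactly as the page shows them, minus the trailing "…".
URL_PREFIXES = {
    "http://foxonline123.atwebpages.", "http://wave.posadadesantiago.co",
    "http://hao.aini.pe.hu/init/imag", "http://attachchosun.atwebpages.",
    "http://portable.epizy.com/img/p", "http://nhpurumy.mireene.com/the",
    "http://mernberinfo.tech/wp-data", "http://dongkuiri.atwebpages.com",
    "http://myaccounts.posadadesanti", "http://eastsea.or.kr/?m=a&p1=00",
    "http://csv.posadadesantiago.com", "http://jmable.mireene.com/shop/",
}

# A subset of the hash values, minus the "…"; the page does not say which
# digest algorithm they are, so only a hex-prefix match is possible.
HASH_PREFIXES = {
    "7af3930958f84e0b64f8297d1a556aa", "90d00ecb1e903959a3853e8ee1c8af8",
    "97d4898c4e70335f0adbbace3459323", "252d1b7a379f97fddd691880c1cf93e",
}


def domain_hit(host):
    """Return the indicator matched by an exact hostname or a subdomain of
    a listed hostname. Parent zones (e.g. atwebpages.com) never match."""
    host = host.lower().rstrip(".")
    if host in IPS:
        return host
    for ioc in DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def url_hit(url):
    """Prefix-match the truncated URLs, then fall back to the host so a
    changed scheme or path still trips the hostname indicators."""
    low = url.strip().lower()
    for prefix in URL_PREFIXES:
        if low.startswith(prefix):
            return prefix
    host = urlsplit(url).hostname
    return domain_hit(host) if host else None


def hash_hit(digest):
    """Prefix-match a hex digest against the truncated hash values."""
    digest = digest.strip().lower()
    for prefix in HASH_PREFIXES:
        if digest.startswith(prefix):
            return prefix
    return None


# Constructed log format: "<ts> <dns|proxy|edr> client=<ip> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|proxy|edr) client=(?P<client>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def scan(log_text):
    """Return (timestamp, client, kind, indicator) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the constructed format
        fields = dict(KV_RE.findall(m["rest"]))
        if m["kind"] == "dns":
            ioc = domain_hit(fields.get("query", ""))
        elif m["kind"] == "proxy":
            ioc = url_hit(fields.get("url", ""))
        else:
            ioc = hash_hit(fields.get("hash", ""))
        if ioc:
            hits.append((m["ts"], m["client"], m["kind"], ioc))
    return hits


# Constructed sample log: paths, query strings and the hash tail are made up.
SAMPLE_LOG = """\
2020-11-03T08:12:01Z dns client=10.0.0.15 query=www.example.com type=A
2020-11-03T08:12:07Z dns client=10.0.0.15 query=WWW.eastsea.or.kr. type=A
2020-11-03T08:12:09Z proxy client=10.0.0.15 url=http://portable.epizy.com/img/p_madeup status=200
2020-11-03T08:13:40Z dns client=10.0.0.22 query=mail.posadadesantiago.com type=A
2020-11-03T08:14:02Z proxy client=10.0.0.22 url=https://WAVE.posadadesantiago.com/madeup status=200
2020-11-03T08:15:11Z dns client=10.0.0.31 query=eastsea.or.kr.example.net type=A
2020-11-03T08:15:40Z proxy client=10.0.0.31 url=http://173.205.125.124/madeup status=200
2020-11-03T08:16:30Z edr client=10.0.0.15 hash=7af3930958f84e0b64f8297d1a556aa000000000000000000000000000000000
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Run directly it prints five hits: the subdomain lookup of eastsea.or.kr, the truncated portable.epizy.com URL, the HTTPS request to wave.posadadesantiago.com (caught through the host fallback, not the http:// prefix), the request to 173.205.125.124, and the hash prefix. The lookups of mail.posadadesantiago.com and eastsea.or.kr.example.net do not match, which is the intended behaviour. To use it on real data, replace SAMPLE_LOG and LINE_RE with the site's log format, and treat prefix hits on URLs and hashes as leads to confirm against the full values in the original Cybereason report, since a 31-character prefix is wider than the real indicator.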
