Illicit Brand Impersonation | A Threat Hunting Approach
2023-08-01 • SentinelOne
https://www.sentinelone.com/blog/illicit-brand-impersonation-a-threat-hunting-approach/
SentinelOne described threat-hunting methods for illicit brand impersonation, using VirusTotal Netloc rules and repeated infrastructure traits such as favicons, outgoing links, trackers, hostnames, and URL patterns. The DPRK-relevant portion notes that APT campaigns can be tracked through the same kind of infrastructure reuse, citing SentinelOne's earlier work on Kimsuky's ReconShark-related reconnaissance activity. Rather than attributing the whole article to Kimsuky, the usable finding is that defenders can monitor brand-impersonation infrastructure patterns and organization-themed hostnames to surface Kimsuky and other actor activity. The source also contrasts this APT hunting approach with commodity phishing examples such as AWS and USPS impersonation.
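The pivoting described above, as an added example that is not code from the SentinelOne article: a known-bad seed page is compared against candidate pages on the traits the article names (favicon, outgoing links, trackers, organization-themed hostnames), and only candidates reusing two or more traits are surfaced. All hostnames, hashes and tracker IDs are constructed placeholders, and the theme keywords are a hypothetical list in the style of the article's examples.

```python
"""Cluster suspected brand-impersonation hosts by reused infrastructure traits.

Added example, not the article's code: models the favicon / link / tracker /
hostname pivots over constructed page records so it runs offline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PageRecord:
    host: str
    favicon_hash: str          # perceptual hash of the favicon (constructed value)
    outgoing_links: frozenset  # external hosts the page links to
    trackers: frozenset        # analytics / tracker IDs embedded in the page


# Hypothetical organization-themed keywords (not the article's own list).
ORG_THEMED = re.compile(r"(usps|tracking|trackng|aws|adobe|flash)", re.IGNORECASE)


def shared_traits(seed: PageRecord, cand: PageRecord) -> list[str]:
    """Return the names of infrastructure traits the candidate reuses from the seed."""
    traits = []
    if cand.favicon_hash == seed.favicon_hash:
        traits.append("favicon")
    if seed.outgoing_links & cand.outgoing_links:
        traits.append("outgoing_link")
    if seed.trackers & cand.trackers:
        traits.append("tracker")
    if ORG_THEMED.search(cand.host):
        traits.append("themed_hostname")
    return traits


def pivot(seed: PageRecord, candidates: list[PageRecord], min_traits: int = 2) -> dict[str, list[str]]:
    """Keep candidates sharing at least `min_traits` traits with the known-bad seed.

    Requiring two traits filters out coincidental matches such as a shared stock favicon.
    """
    hits = {}
    for c in candidates:
        if c.host == seed.host:
            continue
        t = shared_traits(seed, c)
        if len(t) >= min_traits:
            hits[c.host] = t
    return hits


# Constructed sample data: one seed plus three candidates, all placeholder hostnames.
SEED = PageRecord("usps-tracking.example", "f0e1d2c3", frozenset({"cdn.example"}), frozenset({"UA-1111"}))
CANDIDATES = [
    PageRecord("parcel-status.example", "f0e1d2c3", frozenset({"cdn.example"}), frozenset()),  # favicon + link
    PageRecord("usps-onlines.example", "aaaa0000", frozenset(), frozenset({"UA-1111"})),       # tracker + theme
    PageRecord("news.example", "f0e1d2c3", frozenset(), frozenset()),                          # favicon only: noise
]

if __name__ == "__main__":
    for host, traits in pivot(SEED, CANDIDATES).items():
        print(host, traits)
```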
Indicators of Compromise