Kimsuky Organization Network Attack Activity Retrospective Analysis Report
2021-03-26 • Qihoo360 • Original Chinese title: Kimsuky组织网络攻击活动追溯分析报告
360’s retrospective report attributes a cluster of spear-phishing and server-compromise activity to Kimsuky, also tracked as BabyShark, Thallium and Black Banshee. The initial-access and execution chain used macro-enabled documents, DLL-hijacking payloads dropped under the names version.dll and wtsapi32.dll, malicious Normal.dotm templates (the default Word template, loaded on every Word start), VBS payloads hosted on OneDrive, compromised websites, and hardcoded commands that stage follow-on scripts and report victim status back to the operators. On compromised servers the researchers also found detect.vbs backdoors, RDP scanning tools, AnyDesk remote-control tests, keylogging scripts and archives of security tools, showing that the group uses third-party cloud storage and already-breached servers as its operational infrastructure.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | okbus.or.kr | 2021-03-26 | 2023-08-01 |
| HASH | c2be3221ba6b7722d1e0941995c0ab3a | 2021-03-26 | 2021-03-26 |
| HASH | 2d9b478d3161eaea8060d38d0a2dc8f5 | 2021-03-26 | 2021-03-26 |
| URL | https://newwebsearcher.com/winm… | 2021-03-26 | 2021-03-26 |
| URL | http://okbus.or.kr/libs/phpmail… | 2021-03-26 | 2021-03-26 |
| URL | https://assuredshippings.com/wp… | 2021-03-26 | 2021-03-26 |
| URL | https://onedrive.live.com/authk… | 2021-03-26 | 2021-03-26 |
| URL | https://onedrive.live.com/?auth… | 2021-03-26 | 2021-03-26 |
| URL | https://assuredshippings.com/wp… | 2021-03-26 | 2021-03-26 |
| URL | https://assuredshippings.com/wp… | 2021-03-26 | 2021-03-26 |
| URL | https://newspeers.com/000/wjb/e… | 2021-03-26 | 2021-03-26 |
| URL | https://assuredshippings.com/wp… | 2021-03-26 | 2021-03-26 |
| URL | https://onedrive.live.com/authk… | 2021-03-26 | 2021-03-26 |
| DOMAIN | assuredshippings.com | 2021-03-26 | 2021-03-26 |
| DOMAIN | rapid2019.com | 2021-03-26 | 2021-03-26 |
| DOMAIN | newspeers.com | 2021-03-26 | 2021-03-26 |
| DOMAIN | newwebsearcher.com | 2021-03-26 | 2021-03-26 |
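The URL values in the table above are truncated on this page ("…"), and one of the hosts (onedrive.live.com) is a shared cloud service that cannot be blocked on hostname alone. The following is an added example (not code from the 360 report) showing how a practitioner would match these IOCs against proxy and EDR log lines while handling both problems: truncated URLs are treated as prefixes, domain IOCs match subdomains but not look-alike hosts, and a prefix hit on a host that is not itself a listed domain is reported as low confidence. The log lines are constructed for the example; the IOC values are transcribed from the table.

```python
"""Match the Kimsuky IOCs from the table above against proxy/EDR log lines.

Added example, not part of the original report. IOC values are transcribed
from the table; URL entries keep the page's trailing "…" and are matched as
prefixes. SAMPLE_LOGS below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

IOCS = [
    ("DOMAIN", "okbus.or.kr"),
    ("DOMAIN", "assuredshippings.com"),
    ("DOMAIN", "rapid2019.com"),
    ("DOMAIN", "newspeers.com"),
    ("DOMAIN", "newwebsearcher.com"),
    ("URL", "https://newwebsearcher.com/winm…"),
    ("URL", "http://okbus.or.kr/libs/phpmail…"),
    ("URL", "https://assuredshippings.com/wp…"),
    ("URL", "https://newspeers.com/000/wjb/e…"),
    ("URL", "https://onedrive.live.com/authk…"),
    ("HASH", "c2be3221ba6b7722d1e0941995c0ab3a"),
    ("HASH", "2d9b478d3161eaea8060d38d0a2dc8f5"),
]

# Constructed log lines: a proxy log and one EDR-style file event.
SAMPLE_LOGS = [
    "2021-03-27T08:14:02Z 10.1.4.23 GET https://assuredshippings.com/wp-content/uploads/2021/03/update.vbs 200",
    "2021-03-27T08:14:09Z 10.1.4.23 GET https://onedrive.live.com/authkey?x=1 200",
    "2021-03-27T08:15:30Z 10.1.4.23 GET https://mail.rapid2019.com/ 302",
    "2021-03-27T08:20:00Z 10.1.4.23 GET https://www.microsoft.com/ 200",
    "2021-03-27T09:00:11Z host=WS-23 event=file_create path=C:\\Users\\a\\AppData\\Roaming\\version.dll md5=C2BE3221BA6B7722D1E0941995C0AB3A",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def compile_iocs(iocs):
    """Split the IOC list into lookup structures; truncated URLs become prefixes."""
    domains = {v.lower() for t, v in iocs if t == "DOMAIN"}
    hashes = {v.lower() for t, v in iocs if t == "HASH"}
    exact_urls, url_prefixes = set(), []
    for t, v in iocs:
        if t != "URL":
            continue
        if v.endswith("…"):
            url_prefixes.append(v[:-1].lower())
        else:
            exact_urls.add(v.lower())
    return {"domains": domains, "hashes": hashes,
            "exact_urls": exact_urls, "url_prefixes": url_prefixes}


def host_matches(host, domains):
    """True for the domain itself or any subdomain; 'evilokbus.or.kr' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_line(line, c):
    """Return (type, matched value, confidence) tuples for one log line."""
    hits = []
    for url in URL_RE.findall(line):
        u = url.lower().rstrip(".,;)")
        host = urlsplit(u).hostname or ""
        host_hit = host_matches(host, c["domains"])
        if host_hit:
            hits.append(("DOMAIN", host, "high"))
        if u in c["exact_urls"]:
            hits.append(("URL", u, "high"))
        for p in c["url_prefixes"]:
            if u.startswith(p):
                # A truncated-URL prefix on a shared host such as onedrive.live.com
                # also matches legitimate traffic, so it is only low confidence
                # unless the host itself is a listed domain IOC.
                hits.append(("URL", p + "…", "high" if host_hit else "low"))
                break
    for h in MD5_RE.findall(line):
        if h.lower() in c["hashes"]:
            hits.append(("HASH", h.lower(), "high"))
    return hits


def scan(lines, iocs=IOCS):
    """Return [(line, hits)] for every line with at least one IOC hit."""
    c = compile_iocs(iocs)
    out = []
    for line in lines:
        hits = match_line(line, c)
        if hits:
            out.append((line, hits))
    return out


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print(line)
        for t, v, conf in hits:
            print(f"    {t:<6} {conf:<4} {v}")
```

Low-confidence hits (the OneDrive prefix) are worth pivoting on only together with another signal from the same host, such as a Word process spawning wscript.exe or a new version.dll appearing in a user-writable directory; blocking onedrive.live.com outright would break legitimate use.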