Analysis of the Kimsuky APT Group's Storm Operation and Its Connection to the BabyShark Family
2023-10-30 • Genians • Analysis of the Kimsuky APT group Storm operation and its connection to the BabyShark family
Genians links Kimsuky's Storm operation to BabyShark-family tooling used in South Korean espionage activity from June through September 2023. The campaign impersonated officials from South Korea's Ministry of Foreign Affairs and Ministry of Unification, sent initial trust-building emails to North Korea specialists and diplomacy or unification targets, and then directed responsive victims to phishing pages disguised as secure mail or Gmail login screens. The operators registered lookalike domains such as mofa.go[.]ci and unikorea.go[.]ci, used Cloud DNS and Zoho Mail, and hosted phishing content on compromised Korean web servers. Genians also observed BabyShark-related CHM and LNK files, decoy HWP documents, repeated author metadata such as Leopard and Storm, and C2 paths on abused Korean websites that overlap earlier Kimsuky tradecraft.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | ba-reum.co.kr | 2023-10-30 | 2024-03-15 |
| DOMAIN | bipaf.org | 2021-10-29 | 2023-11-01 |
| HASH | 00ff9f067c3adffe04e89b0a654865d2 | 2023-10-30 | 2023-10-30 |
| HASH | 119e6b7626e99b3569019f0c70885658 | 2023-10-30 | 2023-10-30 |
| HASH | 1287f69b59f67aab247487cdd12dfef7 | 2023-10-30 | 2023-10-30 |
| HASH | 1fd0abcccbc7d4bfdc1a11d4afa97e6d | 2023-10-30 | 2023-10-30 |
| HASH | f8d8650a8501533075126977f8404005 | 2023-10-30 | 2023-10-30 |
| HASH | 12ea0df10c1c0d23dc4141806dcdbb72 | 2023-10-30 | 2023-10-30 |
| DOMAIN | comr.scienceontheweb.net | 2023-10-30 | 2023-10-30 |
| DOMAIN | complletely.mywebcommunity.org | 2023-10-30 | 2023-10-30 |
| DOMAIN | gooogie.mygamesonline.org | 2023-10-30 | 2023-10-30 |
| DOMAIN | cainnick002.000webhostapp.com | 2023-10-30 | 2023-10-30 |
| DOMAIN | carbontc.co.kr | 2023-10-30 | 2023-10-30 |
| DOMAIN | oxusgreen.co.kr | 2023-10-30 | 2023-10-30 |
| DOMAIN | kessol.co.kr | 2023-10-30 | 2023-10-30 |
| DOMAIN | complletely.mypressonline.com | 2023-10-30 | 2023-10-30 |
| DOMAIN | infotechkorea.com | 2023-10-30 | 2023-10-30 |
| DOMAIN | dropped.atwebpages.com | 2023-10-30 | 2023-10-30 |
| DOMAIN | stommy.mywebcommunity.org | 2023-10-30 | 2023-10-30 |
| DOMAIN | up.co.kr | 2023-10-30 | 2023-10-30 |
| DOMAIN | isujeil.co.kr | 2023-09-26 | 2023-10-30 |
| HASH | 55a46a2415d18093abcd59a0bf33d0a9 | 2023-02-03 | 2023-10-30 |
| DOMAIN | jooshineng.com | 2023-02-03 | 2023-10-30 |
| DOMAIN | koreawus.com | 2023-01-03 | 2023-10-30 |
| DOMAIN | uppgrede.scienceontheweb.net | 2022-09-14 | 2023-10-30 |
| HASH | 04a0505cc45d2dac4be9387768efcb7c | 2021-07-26 | 2023-10-30 |
| DOMAIN | yanggucam.designsoup.co.kr | 2021-07-26 | 2023-10-30 |
| DOMAIN | samsoding.homm7.gethompy.com | 2021-07-26 | 2023-10-30 |
| DOMAIN | heritage2020.cafe24.com | 2021-07-26 | 2023-10-30 |
| DOMAIN | mechapia.com | 2021-07-26 | 2023-10-30 |
| DOMAIN | beilksa.scienceontheweb.net | 2021-04-02 | 2023-10-30 |
| DOMAIN | inonix.co.kr | 2021-03-22 | 2023-10-30 |
| DOMAIN | orblog.mireene.com | 2020-07-29 | 2023-10-30 |
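The summary above names two lookalike domains (mofa.go[.]ci and unikorea.go[.]ci) and the table lists the domains and hashes Genians associates with the campaign. The following is an added example, not code from Genians or the report, showing how a defender can parse an IoC table in this markdown layout, refang the defanged entries, and sweep DNS, proxy and AV log lines for both the listed indicators and TLD-swapped lookalikes of government hosts. The legitimate hosts it treats as impersonated (mofa.go.kr, unikorea.go.kr) are an assumption, and the log lines are constructed for the example.

```python
"""Added example (not from the Genians report): match the report's IoCs and
TLD-swapped government lookalikes against constructed log lines."""
import re
from typing import Dict, List, Optional, Set, Tuple

# A few rows copied from the report's IoC table, in its own markdown layout.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | bipaf.org | 2021-10-29 | 2023-11-01 |
| HASH | 00ff9f067c3adffe04e89b0a654865d2 | 2023-10-30 | 2023-10-30 |
| DOMAIN | complletely.mywebcommunity.org | 2023-10-30 | 2023-10-30 |
| DOMAIN | gooogie.mygamesonline.org | 2023-10-30 | 2023-10-30 |
"""

# Lookalike domains named in the report, written defanged as the report writes them.
LOOKALIKE_DOMAINS = ["mofa.go[.]ci", "unikorea.go[.]ci"]

# Assumption: the legitimate ministry hosts being impersonated.
LEGIT_GOV_HOSTS = ["mofa.go.kr", "unikorea.go.kr"]

# Constructed log lines (not from the report): DNS, proxy and AV events.
SAMPLE_LOG = [
    "2023-09-12T09:14:03Z dns client=10.0.0.5 qname=mofa.go.ci type=A",
    "2023-09-12T09:15:21Z dns client=10.0.0.7 qname=mail.example.org type=A",
    "2023-09-12T09:16:40Z http client=10.0.0.5 host=complletely.mywebcommunity.org uri=/",
    "2023-09-12T09:20:02Z av file=decoy.hwp md5=00ff9f067c3adffe04e89b0a654865d2 verdict=unknown",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('mofa.go[.]ci', 'hxxp://') back into matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def parse_ioc_table(markdown: str) -> Dict[str, Set[str]]:
    """Parse a markdown IoC table into {'DOMAIN': {...}, 'HASH': {...}}."""
    iocs: Dict[str, Set[str]] = {}
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row, the separator row and anything that is not a table row.
        if len(cells) < 2 or not cells[0] or cells[0] in ("Type", "---"):
            continue
        iocs.setdefault(cells[0].upper(), set()).add(refang(cells[1]))
    return iocs


def lookalike_of(domain: str, legit_hosts: List[str]) -> Optional[str]:
    """Return the legitimate host that `domain` mimics by swapping only the TLD
    (mofa.go.ci -> mofa.go.kr), or None when it is not such a lookalike."""
    labels = refang(domain).rstrip(".").split(".")
    for host in legit_hosts:
        legit = host.lower().split(".")
        if (len(labels) == len(legit)
                and labels[:-1] == legit[:-1]
                and labels[-1] != legit[-1]):
            return host
    return None


def scan_log(lines: List[str], iocs: Dict[str, Set[str]],
             legit_hosts: List[str] = LEGIT_GOV_HOSTS) -> List[Tuple[int, str, str]]:
    """Flag log lines referencing a known IoC or a TLD-swapped government lookalike.
    Returns [(line_number, reason, indicator), ...] in log order."""
    # Tokens are runs of hostname/hash characters; '=' and ':' act as separators.
    token_re = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")
    known = {value: ioc_type for ioc_type, values in iocs.items() for value in values}
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        for tok in token_re.findall(line):
            tok = tok.lower().rstrip(".")
            if tok in known:
                hits.append((n, known[tok], tok))
            else:
                target = lookalike_of(tok, legit_hosts)
                if target:
                    hits.append((n, "LOOKALIKE:" + target, tok))
    return hits


if __name__ == "__main__":
    for n, reason, indicator in scan_log(SAMPLE_LOG, parse_ioc_table(IOC_TABLE)):
        print(f"line {n}: {reason} {indicator}")
```

The lookalike check deliberately requires every label except the TLD to match a known host, so ordinary `.go.jp` or `.go.id` government names are not flagged; widening it to any `*.go.<tld>` would produce false positives on those.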