Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign

2023-05-04 Sentinel One

https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/


SentinelLabs observed ongoing Kimsuky campaigns using a new BabyShark-related reconnaissance component named ReconShark against carefully selected individuals and organizations. The activity used tailored spear-phishing emails with OneDrive links to password-protected malicious Word documents, including a campaign against Korea Risk Group and broader targeting of think tanks, research universities, government entities, and organizations in the United States, Europe, and Asia. ReconShark collects process, battery, and endpoint-security information through WMI, exfiltrates it via HTTP POST without writing it to disk first, and stages follow-on VBS, HTA, batch, Office template, DLL, LNK, or curl-based payloads depending on detected defenses. Infrastructure included NameCheap-hosted domains such as yonsei[.]lol, rfa[.]ink, mitmail[.]tech, and newshare[.]online, with links to earlier North Korea-associated credential-phishing infrastructure.

Indicators of Compromise

Type Value First Seen Last Seen
HASH c8f54cb73c240a1904030eb36bb2baa… 2023-05-04 2023-05-04
HASH 86a025e282495584eabece67e4e2a43… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/r.p… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=v… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=v… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/d.php?na=vb… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=v… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=s… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=d… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=v… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=r… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/t1.… 2023-05-04 2023-05-04
URL https://newshare.online/lee/ca.… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=s… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL http://rfa.ink/bio/ca.php?na=do… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=s… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=s… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/d.php?na=ba… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=d… 2023-05-04 2023-05-04
URL https://rfa.ink 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=d… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=d… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/t1.hta 2023-05-04 2023-05-04
URL https://rfa.ink/bio/r.php 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=s… 2023-05-04 2023-05-04
URL https://rfa.ink/bio/ca.php?na=s… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
URL https://mitmail.tech/gorgon/ca.… 2023-05-04 2023-05-04
DOMAIN logmes.lives.com-change.info 2023-05-04 2023-05-04
DOMAIN accounts.lives.com-change.info 2023-05-04 2023-05-04
DOMAIN cashsentinel.com-change.info 2023-05-04 2023-05-04
DOMAIN logrns.lives.com-change.info 2023-05-04 2023-05-04
DOMAIN microsoft.loginsaa.gmail.com-ch… 2023-05-04 2023-05-04
DOMAIN cashsentinel.navor.com-change.i… 2023-05-04 2023-05-04
DOMAIN cashsentinel.live.com-change.in… 2023-05-04 2023-05-04
DOMAIN paypal.com-change.info 2023-05-04 2023-05-04
DOMAIN publiccloud.navor.com-change.in… 2023-05-04 2023-05-04
DOMAIN microsoft.loginsaa.grnail.com-c… 2023-05-04 2023-05-04
DOMAIN naver.com-change.info 2023-05-04 2023-05-04
DOMAIN lives.com-change.info 2023-05-04 2023-05-04
DOMAIN downmail.navor.com-change.info 2023-05-04 2023-05-04
DOMAIN mainchksrh.com 2023-05-04 2023-05-04
DOMAIN loginsaa.gmail.com-change.info 2023-05-04 2023-05-04
DOMAIN newshare.online 2023-05-04 2023-05-04
DOMAIN live.com-change.info 2023-05-04 2023-05-04
DOMAIN outlock.com-change.info 2023-05-04 2023-05-04
DOMAIN cloud.navor.com-change.info 2023-05-04 2023-05-04
DOMAIN cashsentinel.naver.com-change.i… 2023-05-04 2023-05-04
DOMAIN rfa.ink 2023-05-04 2023-05-04
DOMAIN accounts.live.com-change.info 2023-05-04 2023-05-04
DOMAIN outlook.com-change.info 2023-05-04 2023-05-04
DOMAIN loges.lives.com-change.info 2023-05-04 2023-05-04
DOMAIN cashsentinel.microsoft.com-chan… 2023-05-04 2023-05-04
DOMAIN grnail.com-change.info 2023-05-04 2023-05-04
DOMAIN hotrnail.com-change.info 2023-05-04 2023-05-04
DOMAIN cashsentinel.lives.com-change.i… 2023-05-04 2023-05-04
DOMAIN navers.com-change.info 2023-05-04 2023-05-04
DOMAIN cashsentinel.outlock.com-change… 2023-05-04 2023-05-04
DOMAIN gmail.com-change.info 2023-05-04 2023-05-04
DOMAIN cashsentinel.outlook.com-change… 2023-05-04 2023-05-04
DOMAIN loginsaa.grnail.com-change.info 2023-05-04 2023-05-04
DOMAIN navor.com-change.info 2023-05-04 2023-05-04
DOMAIN microsoft.com-change.info 2023-05-04 2023-05-04
DOMAIN skjflkjsjflejlkjieiieieiei.live… 2023-05-04 2023-05-04
DOMAIN nlds.navor.com-change.info 2023-05-04 2023-05-04
DOMAIN com-change.info 2023-05-04 2023-05-04
DOMAIN cashsentinel.navers.com-change.… 2023-05-04 2023-05-04
DOMAIN cashsentinel.hotrnail.com-chang… 2023-05-04 2023-05-04
DOMAIN hotmail.com-change.info 2023-05-04 2023-05-04
DOMAIN mitmail.tech 2023-05-04 2023-05-04
DOMAIN naver.loginsaa.gmail.com-change… 2023-05-04 2023-05-04
DOMAIN logws.lives.com-change.info 2023-05-04 2023-05-04
DOMAIN cashsentinel.hotmail.com-change… 2023-05-04 2023-05-04
DOMAIN aaaaawwqwdqkidoemsk.lives.com-c… 2023-05-04 2023-05-04
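A defender's way to put the domain indicators above to work is to match DNS or proxy telemetry against them on label boundaries, so that a lookalike host such as accounts.live.com-change.info is caught by the parent com-change.info entry while an unrelated name that merely ends in the same characters is not. The following is an added example, not code from the SentinelOne report: it uses only the complete (non-truncated) domains from this page, refangs the defanged yonsei[.]lol notation from the summary, and parses a constructed DNS log format of my own (`<timestamp> <client-ip> query <qname> <qtype>`) rather than any real sensor's output.

```python
"""
Added example (not from the SentinelOne report): match DNS log lines
against the domain indicators listed on this page.
"""
import re
from dataclasses import dataclass

# Domains taken from the report's IOC table and summary. Only complete
# (non-truncated) values are used; yonsei[.]lol is defanged in the summary
# and is refanged by refang() below.
REPORT_DOMAINS = [
    "yonsei[.]lol",
    "rfa[.]ink",
    "mitmail[.]tech",
    "newshare[.]online",
    "mainchksrh.com",
    "com-change.info",  # parent of the credential-phishing lookalike hosts
]

def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a plain hostname."""
    return (indicator.replace("[.]", ".").replace("hxxp", "http")
            .strip().lower().rstrip("."))

def domain_matches(hostname: str, ioc_domain: str) -> bool:
    """True if hostname equals the IOC domain or is a subdomain of it.
    Matching on label boundaries avoids false positives like 'notrfa.ink'."""
    h = hostname.lower().rstrip(".")
    return h == ioc_domain or h.endswith("." + ioc_domain)

@dataclass
class Hit:
    line_no: int
    hostname: str
    ioc: str

# Parser for the constructed (assumed) log format:
# "<timestamp> <client-ip> query <qname> <qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)

def scan_dns_log(lines, iocs=REPORT_DOMAINS):
    """Return one Hit per log line whose query name matches an IOC domain."""
    normalized = [refang(i) for i in iocs]
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        qname = m.group("qname")
        for ioc in normalized:
            if domain_matches(qname, ioc):
                hits.append(Hit(n, qname.lower().rstrip("."), ioc))
                break  # one hit per line is enough for triage
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-05-04T10:01:12Z 10.0.0.15 query rfa.ink A",
    "2023-05-04T10:01:13Z 10.0.0.15 query mitmail.tech. A",
    "2023-05-04T10:02:40Z 10.0.0.22 query accounts.live.com-change.info A",
    "2023-05-04T10:03:01Z 10.0.0.22 query notrfa.ink A",
    "2023-05-04T10:03:05Z 10.0.0.31 query update.microsoft.com A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.hostname} matched IOC {hit.ioc}")
```

Against the sample above the scanner reports lines 1, 2 and 3 only: the trailing-dot FQDN on line 2 is normalized before comparison, the lookalike host on line 3 is attributed to the com-change.info parent entry, and notrfa.ink on line 4 is correctly ignored because the match requires a label boundary.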
