Kimsuky Group's Attack Using HWP Malware
2019-10-20 • kino
The source analyzes a Kimsuky-style malicious HWP document disguised as a KINU expert consultation request on Korea-related policy issues. Embedded exploit and shellcode content decrypted a payload, injected code into HimTrayIcon.exe and userinit.exe, and then used svchost.exe for follow-on activity. The malware collected system information, supported file upload and download through Daum mail, and referenced C2 paths under clouds.scienceontheweb.net. The archive includes hashes, mutex values, RC4 key material, and related URLs for defenders investigating the intrusion chain.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 42ae424f27d83fa132b2967b64f6ba21 | 2019-10-20 | 2021-05-01 |
| HASH | 702074bb1b644e1207633154ebf08eb9 | 2019-10-20 | 2021-05-01 |
| URL | http://clouds.scienceontheweb.n… | 2019-10-20 | 2021-05-01 |
| URL | http://clouds.scienceontheweb.n… | 2019-10-20 | 2021-05-01 |
| DOMAIN | clouds.scienceontheweb.net | 2019-10-20 | 2021-05-01 |
| HASH | 0aa978d3ec302c57370201906148280… | 2019-10-20 | 2019-10-20 |
| HASH | ddbca65cf7246eb3c970c00165c2245… | 2019-10-20 | 2019-10-20 |
| HASH | ed4c809ec7fb8aec56e4280b3f2867a… | 2019-10-20 | 2019-10-20 |
| HASH | 9e52e4295ba389d3912c7305aee6aba… | 2019-10-20 | 2019-10-20 |
| HASH | fb6eabdefca6d447e72147f8054a28a… | 2019-10-20 | 2019-10-20 |
| HASH | d94f26158dc3fd9fd93aa7f38afe63f… | 2019-10-20 | 2019-10-20 |
| HASH | 683dd86af996b9e7e10c54f99e64753c | 2019-10-20 | 2019-10-20 |
| EMAIL | [email protected] | 2019-10-20 | 2019-10-20 |
| URL | http://clouds.scienceontheweb.n… | 2019-10-20 | 2019-10-20 |