Summary of Kimsuky's Secret Theft Activities in the First Half of 2021

2021-07-26 Qihoo360 Summary of Kimsuky's secret theft activities in the first half of 2021

https://mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ

360 Threat Intelligence Center profiles Kimsuky activity in the first half of 2021, describing a North Korea-linked espionage cluster focused on South Korean government, diplomatic, defense, academic, and think-tank targets. The campaigns relied heavily on spear-phishing with HWP or macro-enabled lure documents tied to meetings, questionnaires, and topical events, then used PowerShell, VBS, BAT scripts, desktop.ini persistence, and cloud or compromised-web infrastructure to collect host information. The report highlights repeated abuse of Google Blogspot, OneDrive, compromised Korean websites, and Hanmail/Daum accounts, including Gold Dragon-style samples that injected into svchost.exe and iexplorer.exe and exfiltrated encrypted data by email. Representative indicators include numerous MD5 hashes and defanged URLs such as connectter.atwebpages.com, quarez.atwebpages.com, worldinfocontact.club, and nuclearpolicy101.org paths.

Indicators of Compromise

