Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)
2024-03-26 • AhnLab
The malware in question is a dropper that creates (drops) the Endoor backdoor, the same backdoor used in the attack covered in the previous post, “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”.

Nikidoor is another backdoor used by the Kimsuky group; it was mentioned in the post “Kimsuky Targets South Korean Research Institutes with Fake Import Declaration” [4]. [2] The AhnLab Smart Defense (ASD) infrastructure holds a record of Endoor being used in an attack, but it is not certain whether that backdoor was installed by the dropper covered above or through a different route. Like AppleSeed and Endoor, Nikidoor can steal information about the infected system and perform malicious actions according to the commands it receives from its operator.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH (MD5) | 7034268d1c52539ea0cd48fd33ae43c4 | 2024-03-19 | 2024-03-26 |
| HASH (MD5) | f03618281092b02589bca833f674e8a0 | 2024-03-19 | 2024-03-26 |
| HASH (MD5) | 7beaf468765b2f1f346d43115c894d4b | 2024-03-19 | 2024-03-26 |
| HASH (MD5) | b74efd8470206a20175d723c14c2e872 | 2024-03-19 | 2024-03-26 |
| HASH (MD5) | b8ffb0b5bc3c66b7f1b0ec5cc4aadafc | 2024-03-19 | 2024-03-26 |
| URL | http://minish.wiki.gd/index.php | 2024-03-19 | 2024-03-26 |
| URL | http://minish.wiki.gd/eng.db | 2024-03-19 | 2024-03-26 |
| URL | http://minish.wiki.gd/upload.php | 2024-03-19 | 2024-03-26 |
| URL | https://real-joey-nicely.ngrok-… | 2024-03-19 | 2024-03-26 |
| URL | http://minish.wiki.gd/c.pdf | 2024-03-19 | 2024-03-26 |
| URL | https://fitting-discrete-lemur.… | 2024-03-19 | 2024-03-26 |
| DOMAIN | minish.wiki.gd | 2024-03-19 | 2024-03-26 |
| IPv4 | 210.16.120.210 | 2024-03-19 | 2024-03-26 |
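The table above is only useful once it is swept against something. The following is an added example, not code from the AhnLab post, that loads the indicators from the table and runs them over a proxy log and over file contents. The log format (`<timestamp> <client IP> <METHOD> <URL> <status>`) and the sample log lines are constructed for the example; the two URLs that the table truncates with “…” are kept truncated and matched as prefixes only, and the ngrok hostname continuation in the sample log is a deliberate `.invalid` placeholder, not the real value.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Indicator values copied from the IoC table above (32 hex digits = MD5).
IOC_MD5: Set[str] = {
    "7034268d1c52539ea0cd48fd33ae43c4",
    "f03618281092b02589bca833f674e8a0",
    "7beaf468765b2f1f346d43115c894d4b",
    "b74efd8470206a20175d723c14c2e872",
    "b8ffb0b5bc3c66b7f1b0ec5cc4aadafc",
}
# Two URLs are truncated ("…") in the source table; those are matched as prefixes.
IOC_URLS: Set[str] = {
    "http://minish.wiki.gd/index.php",
    "http://minish.wiki.gd/eng.db",
    "http://minish.wiki.gd/upload.php",
    "http://minish.wiki.gd/c.pdf",
    "https://real-joey-nicely.ngrok-…",
    "https://fitting-discrete-lemur.…",
}
IOC_DOMAINS: Set[str] = {"minish.wiki.gd"}
IOC_IPS: Set[str] = {"210.16.120.210"}


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lowercase hex (used for indicator lookup only)."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def hash_matches(data: bytes, known: Set[str] = IOC_MD5) -> bool:
    """True if the MD5 of `data` is in the indicator set."""
    return md5_hex(data) in known


def url_matches(url: str) -> Optional[str]:
    """Return the indicator that `url` matches, or None.

    Full URLs are compared whole, indicators truncated in the source table are
    compared as prefixes, then the host is checked against the domain and IP lists.
    """
    for ioc in sorted(IOC_URLS):          # sorted so matches are deterministic
        if ioc.endswith("…"):
            if url.startswith(ioc[:-1]):
                return ioc
        elif url == ioc:
            return ioc
    host = (urlsplit(url).hostname or "").lower()
    if host in IOC_DOMAINS or host in IOC_IPS:
        return host
    return None


# Assumed proxy-log layout (constructed for this example, not a specific product's):
#   <ISO timestamp> <client IP> <METHOD> <URL> <HTTP status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str
    url: str
    ioc: str


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose URL, host, or IP matches an indicator."""
    hits: List[Hit] = []
    for n, raw in enumerate(lines, start=1):
        m = LOG_LINE.match(raw.strip())
        if not m:                          # skip blank/malformed lines, keep sweeping
            continue
        ioc = url_matches(m["url"])
        if ioc is not None:
            hits.append(Hit(n, m["src"], m["url"], ioc))
    return hits


def affected_hosts(hits: Iterable[Hit]) -> List[str]:
    """Distinct client IPs that contacted any indicator, sorted for reporting."""
    return sorted({h.src for h in hits})


# Constructed sample log; the ngrok continuation is a placeholder (".invalid" TLD).
SAMPLE_LOG = """\
2024-03-20T09:12:01Z 10.0.0.5 GET http://minish.wiki.gd/index.php 200
2024-03-20T09:12:03Z 10.0.0.5 POST http://minish.wiki.gd/upload.php 200
2024-03-20T09:15:44Z 10.0.0.7 GET https://real-joey-nicely.ngrok-PLACEHOLDER.invalid/ 200
2024-03-20T09:16:02Z 10.0.0.9 GET https://example.com/ 200
2024-03-20T09:16:40Z 10.0.0.9 GET http://minish.wiki.gd/favicon.ico 200
2024-03-20T09:17:30Z 10.0.0.9 GET http://210.16.120.210/ 200
""".splitlines()

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit.line_no}: {hit.src} -> {hit.url} matched {hit.ioc}")
    print("affected hosts:", affected_hosts(found))
```

Domain-level matching is what catches the `favicon.ico` request, which is not in the URL list but still reaches the C2 host; the reverse caveat is the truncated ngrok indicators, whose prefixes are far weaker than an exact hostname because ngrok subdomains are short-lived, so treat those hits as leads to confirm rather than as conclusive.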