March 2023 Threat Trend Report on Kimsuky Group

2023-05-24 Ahnlab

https://asec.ahnlab.com/wp-content/uploads/2023/05/ATIP_2023_Mar_Threat-Trend-Report-on-Kimsuky_20230407.pdf

AhnLab observed reduced Kimsuky activity in March 2023 compared with February, with RandomQuery becoming the most active type ahead of AppleSeed and FlowerPower. FlowerPower began using Punycode-encoded Korean-language domains and free Korean hosting domains such as r-e.kr, p-e.kr, o-r.kr, n-e.kr, and kro.kr to appear more trustworthy to Korean victims, including in attacks against professors. RandomQuery activity used several initial delivery methods, including LNK archives that launched embedded PowerShell, displayed an HWP password as a decoy, and downloaded additional scripts from command-and-control infrastructure. Kimsuky also adopted OneNote delivery, placing malicious scripts over document names, while xRAT was distributed through Google Drive using a macro-enabled Word lure that loaded scripts, performed process hollowing, and used three C2 IP-and-port pairs.

Indicators of Compromise

Type Value First Seen Last Seen
DOMAIN o-r.kr 2023-05-24 2026-06-01
DOMAIN r-e.kr 2023-03-23 2026-06-01
DOMAIN n-e.kr 2022-08-26 2026-06-01
DOMAIN p-e.kr 2021-12-21 2026-06-01
DOMAIN smart.com 2023-05-24 2025-11-29
DOMAIN partybbq.co.kr 2023-05-24 2024-11-13
DOMAIN thrhtsgdsfg.medianewsonline.com 2023-05-24 2023-11-01
DOMAIN ibsq.co.kr 2023-03-14 2023-06-09
HASH 9d8c438b710b314b2dc2e003b2f177b7 2023-05-24 2023-06-05
HASH 3cb38651abffd4624e3a2983b886d869 2023-05-24 2023-05-24
HASH 8a8ab44759d17b9058168e69274389c1 2023-05-24 2023-05-24
HASH 3e167be30e343c723fcc42b6f763de69 2023-05-24 2023-05-24
HASH 923e117de7b4c115c97410babc104240 2023-05-24 2023-05-24
HASH 86028bbad6c09f8697d2f5da87d5fd06 2023-05-24 2023-05-24
HASH 610dea8394f486102fc51a2f0560b28a 2023-05-24 2023-05-24
HASH 3332170ee3c8df42df9ad656d0d0038c 2023-05-24 2023-05-24
HASH da33f76de05aa4a97bda5a91d7272f28 2023-05-24 2023-05-24
HASH 313d77caaa199188530b15d5bf59a51f 2023-05-24 2023-05-24
HASH 3ce601bf7fefdd325e596ccb4aacaf93 2023-05-24 2023-05-24
HASH 9e3d8f0b174f717f0291daab6fd090aa 2023-05-24 2023-05-24
HASH 67fc30944a5db08defa3a5d09f731746 2023-05-24 2023-05-24
HASH 804371c4a0dd4fd8aba732d202f140ab 2023-05-24 2023-05-24
HASH 0f7cc24438e0ad3815b19c0c031d87f9 2023-05-24 2023-05-24
HASH 02b6fa59f889cabf36a7ca2a69a7be86 2023-05-24 2023-05-24
HASH 7903d922e89d872c9f2c00c7a10fef3d 2023-05-24 2023-05-24
HASH 6fe432e9d8c70391e9b6cd3e074b0760 2023-05-24 2023-05-24
HASH 6c67341b2873ef27bdbfe3e2ad0a8b56 2023-05-24 2023-05-24
HASH 954b021e7cc0ff404bdbd57a26509a61 2023-05-24 2023-05-24
HASH 05e9f932bf0bba8ed0c12194e89ec899 2023-05-24 2023-05-24
HASH 5939bb4cb87344eb0bdbf0ebbc998d8a 2023-05-24 2023-05-24
HASH ace6ca3fbc585c4ebb67dadccb79980e 2023-05-24 2023-05-24
HASH b0d7ff7323a0a2ccd0424fac906f0be0 2023-05-24 2023-05-24
HASH 283d238d309667734d0e5dc33ee7e647 2023-05-24 2023-05-24
HASH 071f39b1884d2214204aa3d61a170c3e 2023-05-24 2023-05-24
HASH c623dbe17f278fd3a72c5681102a74d8 2023-05-24 2023-05-24
HASH 864d6e847d3034c01901d378c59dff93 2023-05-24 2023-05-24
HASH 4103d0b42dd6230dc1062156356f1d9b 2023-05-24 2023-05-24
HASH e17b91341ea079d23e9703e55d37dd44 2023-05-24 2023-05-24
HASH 93476273ce03da710d25de7da1924603 2023-05-24 2023-05-24
HASH 46c7c3d128be033d92a7ae75464ade79 2023-05-24 2023-05-24
HASH ef3211c7567fa7a5b8944d7beeef2869 2023-05-24 2023-05-24
HASH 249e111ad3aa659b89e14147f708812c 2023-05-24 2023-05-24
HASH d68d3782a74e471f27d6ad18bfb8eaaa 2023-05-24 2023-05-24
HASH d8c1abfb0a0b34e4338ad8dfbd6d95fa 2023-05-24 2023-05-24
HASH 93bc23b9e082c97edd8f78d76672bb0d 2023-05-24 2023-05-24
HASH 976f6bb98e116da2bfd8f283058bcd14 2023-05-24 2023-05-24
HASH 858907d12008a093e40c501d892a5e90 2023-05-24 2023-05-24
HASH 63b3b94cd606b5c3be5f5b40a9781ca5 2023-05-24 2023-05-24
HASH 66a249025ab5e39debcb1c141ef1fd25 2023-05-24 2023-05-24
HASH ac999462b9a7b1a81307b5386adb9128 2023-05-24 2023-05-24
HASH b7c2a9774bd25b36f89417a7bb4bb3d2 2023-05-24 2023-05-24
HASH 7d40fd8e68a5b0f0125d9711fb26b6a3 2023-05-24 2023-05-24
HASH 0a6f0d8a277d93303b1d2d8afb2d3323 2023-05-24 2023-05-24
HASH 56e9f5ccebd7252e695b74a9ada18c6f 2023-05-24 2023-05-24
HASH 4a977d0c8b3d9eaa644a3ae93f3d224f 2023-05-24 2023-05-24
HASH d382cc7f10fdaec150184941b68cf39e 2023-05-24 2023-05-24
HASH 2c69d81ca8d01f082ae2489e3975a0a2 2023-05-24 2023-05-24
EMAIL [email protected] 2023-05-24 2023-05-24
URL http://okas.kr/gnuboard4/adm/aa… 2023-05-24 2023-05-24
URL http://haebyeong.com/modules/tr… 2023-05-24 2023-05-24
DOMAIN febro.myartsonline.com 2023-05-24 2023-05-24
DOMAIN nideso.mywebcommunity.org 2023-05-24 2023-05-24
DOMAIN haebyeong.com 2023-05-24 2023-05-24
DOMAIN publiccreation.getenjoyment.net 2023-05-24 2023-05-24
DOMAIN realtime.mypressonline.com 2023-05-24 2023-05-24
DOMAIN uljincablecar.com 2023-05-24 2023-05-24
DOMAIN kakacorpnet.myartsonline.com 2023-05-24 2023-05-24
DOMAIN dhct.co.kr 2023-05-24 2023-05-24
DOMAIN peosljeos.scienceontheweb.net 2023-05-24 2023-05-24
DOMAIN thissiteerverarg.medianewsonlin… 2023-05-24 2023-05-24
DOMAIN xortes.000webhostapp.com 2023-05-24 2023-05-24
DOMAIN eum-it.co.kr 2023-05-24 2023-05-24
DOMAIN pcloud.myartsonline.com 2023-05-24 2023-05-24
DOMAIN okas.kr 2023-05-24 2023-05-24
IPv4 115.21.139.222 2023-05-24 2023-05-24
IPv4 211.115.73.132 2023-05-24 2023-05-24
IPv4 121.160.252.1 2023-05-24 2023-05-24
IPv4 47.103.206.233 2023-05-24 2023-05-24
IPv4 1.234.41.14 2023-05-24 2023-05-24
HASH aca61a168d95c5f72b8e02650f727000 2023-03-24 2023-05-24
HASH aa756b20170aa0869d6f5d5b5f1b7c37 2023-03-17 2023-05-24
HASH f2a0e92b80928830704a00c91df87644 2023-03-17 2023-05-24
HASH 3c687fb0a1921a53f9c607938f25fdd1 2023-03-15 2023-05-24
HASH d4bb07f5a9462612cd0e8a9290e27fc8 2023-03-15 2023-05-24
HASH 8f411a46490016ac5d126b83cee65022 2023-03-15 2023-05-24
HASH e0cf0881de0fe35732bb02c1f4df02a3 2023-03-15 2023-05-24
HASH ded83a6bd7438b34b058f2fe5ee54c7e 2023-03-14 2023-05-24
URL http://ibsq.co.kr/config/demo.t… 2023-03-14 2023-05-24
HASH 726af41024d06df195784ae88f2849e4 2023-03-08 2023-05-24
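A practical use of the table above is to parse it in the report's own "Type Value First Seen Last Seen" layout and run it over local telemetry. The script below is an added example, not code from AhnLab or the report: it parses a copied subset of the IOC lines, treats the report's truncated URLs (those ending in an ellipsis) as prefixes, and scans a few constructed key=value log lines. The `SAMPLE_LOGS`, the `host=`/`url=`/`md5=`/`dst=` field names and the `SHARED_HOSTING` set are assumptions for the example; the IOC values are taken from the table. The one design point worth noting is that the free hosting domains (r-e.kr and friends) are shared infrastructure, so a hit on them alone is reported as low confidence rather than as a verdict.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Subset of IOC lines copied from the table above, in the report's own layout
# (Type Value FirstSeen LastSeen). The report truncates long URLs with an
# ellipsis; the parser keeps such values as prefixes.
IOC_TABLE = """\
Type Value First Seen Last Seen
DOMAIN r-e.kr 2023-03-23 2026-06-01
DOMAIN ibsq.co.kr 2023-03-14 2023-06-09
DOMAIN xortes.000webhostapp.com 2023-05-24 2023-05-24
HASH 726af41024d06df195784ae88f2849e4 2023-03-08 2023-05-24
URL http://okas.kr/gnuboard4/adm/aa… 2023-05-24 2023-05-24
IPv4 115.21.139.222 2023-05-24 2023-05-24
"""

# Free Korean hosting domains listed in the table (assumption: the set of
# parent domains to treat as shared infrastructure). A hit on one of these
# alone says little about intent, so it is reported as low confidence.
SHARED_HOSTING = {"r-e.kr", "p-e.kr", "o-r.kr", "n-e.kr"}

# Constructed sample log lines (not from the report) in a simple key=value form.
SAMPLE_LOGS = [
    "2023-03-20T09:12:01Z dns client=10.0.0.5 host=lecture-notes.r-e.kr",
    "2023-03-20T09:12:02Z dns client=10.0.0.5 host=www.example.com",
    "2023-03-21T10:00:00Z proxy client=10.0.0.7 url=http://okas.kr/gnuboard4/adm/aa-placeholder.php",
    "2023-03-21T10:00:05Z file client=10.0.0.7 md5=726AF41024D06DF195784AE88F2849E4",
    "2023-03-21T10:00:09Z conn client=10.0.0.7 dst=115.21.139.222",
    "2023-03-21T10:01:00Z dns client=10.0.0.9 host=xortes.000webhostapp.com",
]

# Log fields the scanner understands (assumed field names for the example).
FIELD = re.compile(r"\b(host|url|md5|dst)=(\S+)")
DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


@dataclass(frozen=True)
class Ioc:
    kind: str        # DOMAIN, HASH, URL, IPV4, ...
    value: str       # normalised (lower-cased, ellipsis stripped)
    truncated: bool  # True when the report cut the value short


def parse_iocs(text):
    """Parse 'Type Value FirstSeen LastSeen' lines; the header and junk are skipped."""
    iocs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (DATE.fullmatch(parts[2]) and DATE.fullmatch(parts[3])):
            continue
        kind, value = parts[0].upper(), parts[1]
        truncated = value.endswith("…") or value.endswith("...")
        # Lower-case everything: hashes, hostnames and IPs are case-insensitive,
        # and case-insensitive URL prefixes trade a little precision for recall.
        value = value.rstrip("….").lower()
        iocs.append(Ioc(kind, value, truncated))
    return iocs


def match_domain(host, ioc):
    """Exact or subdomain match against a DOMAIN IOC, with a confidence label."""
    if host == ioc.value:
        return "low" if ioc.value in SHARED_HOSTING else "high"
    if host.endswith("." + ioc.value):
        return "low" if ioc.value in SHARED_HOSTING else "medium"
    return None


def scan(iocs, log_lines):
    """Return (line_no, ioc_kind, ioc_value, confidence) for every IOC hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for field, raw in FIELD.findall(line):
            val = raw.lower()
            for ioc in iocs:
                conf = None
                if ioc.kind == "DOMAIN" and field in ("host", "url"):
                    host = urlparse(val).hostname if field == "url" else val
                    conf = match_domain(host, ioc) if host else None
                elif ioc.kind == "URL" and field == "url":
                    matched = val.startswith(ioc.value) if ioc.truncated else val == ioc.value
                    conf = "high" if matched else None
                elif ioc.kind == "HASH" and field == "md5" and val == ioc.value:
                    conf = "high"
                elif ioc.kind == "IPV4" and field == "dst" and val == ioc.value:
                    conf = "high"
                if conf:
                    hits.append((n, ioc.kind, ioc.value, conf))
    return hits


if __name__ == "__main__":
    for hit in scan(parse_iocs(IOC_TABLE), SAMPLE_LOGS):
        print(hit)
```

Run as-is it prints five hits: the r-e.kr subdomain lookup (low confidence), the truncated-URL prefix match, the MD5, the IPv4 destination and the exact 000webhostapp.com host; the www.example.com line produces nothing. The first/last-seen dates are parsed only to validate the row; a production version would use them to age out stale entries.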
