New North-Korean based backdoor packs a punch

2024-06-19 • Cyberarmor •

https://cyberarmor.tech/wp-content/uploads/2024/06/New-North-Korean-based-backdoor-packs-a-punch.pdf

#Kimsuky #Niki #Nexaweb #T1082 #T1041 #T1113 #T1027 #T1071 #T1204 #T1566 #T1547

Attachments

New-North-Korean-based-backdoor-packs-a-punch.pdf (6 MB)

CyberArmor analyzes a newly observed North Korean campaign named Niki that targets aerospace and defense companies with job-description lures. The intrusion begins with a RAR archive masquerading as a ZIP file for a General Dynamics safety manager role, which drops a decoy PDF and executes a Windows DLL backdoor through PowerShell, certutil, and regsvr32. The backdoor, internally named httpSpy.dll, persists as a Windows service called CacheDB, decrypts its command-and-control configuration, and supports reconnaissance and follow-on payload delivery. The report highlights extensive string and API obfuscation, Korean-language document metadata, and indicators including the lure archive, JSE dropper, DLL hashes, file paths, and HTTP POST-based C2 behavior. The activity matters because it shows continued North Korea-linked interest in aerospace and defense targets using tailored recruitment-themed delivery and a previously undocumented lightweight backdoor.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	8346d90508b5d41d151b7098c7a3e868	2024-06-07	2025-06-09
HASH	537806c02659a12c5b21efa51b2322c1	2024-06-07	2025-06-09
DOMAIN	download.uberlingen.com	2024-06-07	2025-06-09
HASH	aa8936431f7bc0fabb0b9efb6ea153f9	2024-06-19	2025-05-30
HASH	73d2899aade924476e58addf26254c2e	2024-06-19	2025-05-24
HASH	27d4ff7439694041ef86233c2b804e1f	2024-06-19	2024-06-20
HASH	8d948bb863ea38ecb46b7e78d1b1abfa	2024-06-19	2024-06-20
URL	http://imagedownload.ignorelist…	2024-06-19	2024-06-20
URL	http://en.uberlingen.com/index.…	2024-06-19	2024-06-20
URL	http://playboys.chickenkiller.c…	2024-06-19	2024-06-20
DOMAIN	imagedownload.ignorelist.com	2024-06-19	2024-06-20
DOMAIN	download-attachments.mooo.com	2024-06-19	2024-06-20
DOMAIN	en.uberlingen.com	2024-06-19	2024-06-20
DOMAIN	playboys.chickenkiller.com	2024-06-19	2024-06-20
IPv4	67.217.62.219	2024-06-19	2024-06-20
URL	http://download.uberlingen.com/…	2024-06-07	2024-06-20
YARA	NikiCert	2024-06-19	2024-06-19
YARA	NikiGo	2024-06-19	2024-06-19
YARA	NikiHTTP	2024-06-19	2024-06-19
HASH	e86ed825887efef54feff4dec45855f9	2024-06-19	2024-06-19
HASH	a637d9836285254831c80fdd407f4da…	2024-06-19	2024-06-19
HASH	3671eaf95ce83f769ee2bd73f5c1c9e…	2024-06-19	2024-06-19
HASH	162b24784dd0dd19c2ce08961a9b836…	2024-06-19	2024-06-19
HASH	5d40a3422b4d5fa9c77eb5c6fd7605c…	2024-06-19	2024-06-19
HASH	596880007009d7bc21bed99022b02fd…	2024-06-19	2024-06-19
HASH	df3dd9685d47b0b79d81fb049df3e5a…	2024-06-19	2024-06-19
HASH	b75816a259098d39e5b666a867edf708	2024-06-19	2024-06-19
HASH	d2b7e3c736a38c56ec3d7d3779fb463…	2024-06-19	2024-06-19
HASH	fd578bbc1a967a345d09ef09209612b…	2024-06-19	2024-06-19
HASH	c90a00b80670da65da968e0503f41b4…	2024-06-19	2024-06-19
HASH	5b3cc9cced1ef0cb0bba5549cc2ac09…	2024-06-19	2024-06-19
HASH	3775bf222c77eea4683941bd7c51e80…	2024-06-19	2024-06-19
HASH	5dd9f817d184115d17da659f59641d0…	2024-06-19	2024-06-19
HASH	faca8b6f046dad8f0e27a75fa2dc547…	2024-06-19	2024-06-19
HASH	6951bdbd78deb691b9a12de360f31628	2024-06-19	2024-06-19
HASH	3de6024e95b875885b42d19fce2baa18	2024-06-19	2024-06-19
HASH	cca1705d7a85fe45dce9faec5790d49…	2024-06-19	2024-06-19
HASH	c94a5817fcd6a4ea93d47d70b9f2b17…	2024-06-19	2024-06-19
HASH	4f463f3fe541288d16ffd89f81d83d7…	2024-06-19	2024-06-19
HASH	0e42f20eb0aab1a4570b0e96b36ceb8…	2024-06-19	2024-06-19
HASH	000e2926f6e094d01c64ff972e958cd…	2024-06-19	2024-06-19
HASH	e9f134a3f4bc5bec1f71906c37f3258…	2024-06-19	2024-06-19
HASH	20ea6517f4490dc504756299263a06b…	2024-06-19	2024-06-19
HASH	a8ed2e894dd32e31dc7a19b5c27686c5	2024-06-19	2024-06-19
HASH	62840447d4d17f14047d7aa0b0916ed…	2024-06-19	2024-06-19
URL	http://download-attachments.moo…	2024-06-19	2024-06-19
URL	http://download-attachments.moo…	2024-06-19	2024-06-19
DOMAIN	afraid.org	2024-06-19	2024-06-19
DOMAIN	attachments.mooo.com	2024-06-19	2024-06-19
IPv4	100.100.100.2	2024-06-19	2024-06-19
HASH	6e5d5a8d06452852f1ccbc9b6dbab3eb	2024-06-07	2024-06-19
HASH	f58a9905aad4d82a89a787017f1a357…	2024-06-07	2024-06-19
HASH	3314b6ea393e180c20db52448ab6980…	2024-06-07	2024-06-19
HASH	24a42a912c6ad98ab3910cb1e031edb…	2024-06-07	2024-06-19

Related Actors

Kimsuky

Kaspersky

First seen: Sep 2013

Last seen: Jun 2026

Related Reports

2024-07-19 • 69% Match

APT Quarterly Highlights : Q2 2024

Cyfirma

#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584

Shares tags: Kimsuky, T1082, T1041 • Published within a month

2024-07-15 • 54% Match

Kimsuky APT: The TrollAgent Stealer Analysis

Darkatlas

#Kimsuky #TrollAgent #T1082 #T1059.003 #T1005 #T1070.004 #T1041 #T1113 #T1071.001 #T1083 #T1036 #T1555.003 #T1057 #T1518.001 #T1539 #T1027.002 #T1016 #T1087.001 #T1218.011

Shares tags: Kimsuky, T1082, T1041 • Published within a month

2024-06-27 • 50% Match

Kimsuky deploys TRANSLATEXT to target South Korean academia

Zscaler

#Kimsuky #TRANSLATEXT #T1041 #T1113 #T1071.001 #T1555.003 #T1059.001 #T1102.001 #T1176

Shares tags: Kimsuky, T1041, T1113 • Published within a month

2019-08-26 • 49% Match

Kimsuky

MITRE

#Kimsuky #G0094 #T1082 #T1140 #T1005 #T1041 #T1555 #T1560 #T1112 #T1083 #T1036 #T1027 #T1567 #T1071 #T1204 #T1552 #T1057 #T1053 #T1566 #T1102 #T1059 #T1003 #T1105 #T1219 #T1055 #T1543 #T1078 #T1133 #T1218 #T1190 #T1588 #T1114 #T1098 #T1593 #T1589 #T1016 #T1587 #T1111 #T1591 #T1585 #T1598 #T1583 #T1594 #T1557 #T1547 #T1562 #T1608 #T1546 #T1070 #T1074 #T1056 #T1586 #T1176 #T1553 #T1012 #T1534 #T1007 #T1518 #T1021 #T1040 #T1564 #T1584 #T1136 #T1505 #T1550

Shares tags: Kimsuky, T1082, T1041

2024-06-07 • 48% Match

Kimsuky is targeting an arms manufacturer in Europe

Dimitribest

#Kimsuky #YARA

Shares tag: Kimsuky • Shares 8 IOCs • Published within a month

2024-09-12 • 44% Match

APT PROFILE – KIMSUKY

Cyfirma

#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003

Shares tags: Kimsuky, T1082, T1041

« Back