The Updated APT Playbook: Tales from the Kimsuky threat actor group

2024-03-20 Rapid7

https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/


Rapid7 attributes a recent wave of activity with moderate confidence to Kimsuky, also known as Black Banshee or Thallium, and frames it as an updated espionage playbook. The activity uses CHM help files delivered in containers such as ISO, VHD, ZIP, or RAR to bypass initial defenses and execute hidden JavaScript, ActiveX, and Base64-encoded VBScript on Windows systems. The CHM lure content is Korean and themed around North Korean nuclear issues, while the embedded commands decode a VBS file, establish Run-key persistence, collect system, process, recent document, and directory information, and exfiltrate it to attacker infrastructure. Observed C2 paths include 00701111.000webhostapp.com/wp-extra and gosiweb.gosiclass[.]com/m/gnu/convert/html/com/list.php?query=6, with related samples showing code reuse and continued refinement into 2024.
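As an added defender-side example (not code from the Rapid7 post), the chain summarized above, a CHM opened from a mounted container, the CHM viewer spawning a script host, and a Run-key write by that host, can be expressed as three simple rules over process-creation and registry-set events. The Sysmon-style records below are constructed for illustration and the field names are simplified assumptions.

```python
import re

# Constructed sample events (Sysmon-style, simplified): id 1 = process create,
# id 13 = registry value set. Paths and names are made up for illustration.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\hh.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\hh.exe" E:\lure.chm'},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\hh.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\dropped.vbs"},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe notes.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Drive letter of the .chm argument; [^":]* cannot run past a quote or a second drive colon.
CHM_ARG = re.compile(r'\b([A-Za-z]):\\[^":]*\.chm', re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, severity, evidence) tuples for the CHM -> script host -> Run-key chain."""
    findings = []
    for e in events:
        img = basename(e.get("image", ""))
        par = basename(e.get("parent", ""))
        cmd = e.get("cmdline", "")
        if e["id"] == 1 and img == "hh.exe":
            m = CHM_ARG.search(cmd)
            if m:
                # A CHM on a non-system drive suggests a mounted ISO/VHD container.
                mounted = m.group(1).upper() != "C"
                findings.append(("chm_opened", "high" if mounted else "medium", cmd))
        if e["id"] == 1 and par == "hh.exe" and img in SCRIPT_HOSTS:
            findings.append(("chm_spawned_script_host", "high", cmd))
        if e["id"] == 13 and img in SCRIPT_HOSTS and RUN_KEY.search(e.get("target", "")):
            findings.append(("run_key_by_script_host", "high", e["target"]))
    return findings


if __name__ == "__main__":
    for rule, severity, evidence in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {evidence}")
```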

Indicators of Compromise

Type    Value                                First Seen   Last Seen
DOMAIN  niscarea.com                         2023-11-28   2024-12-27
DOMAIN  00701111.000webhostapp.com           2023-09-23   2024-12-27
HASH    5c7b2705155023e6e438399d895d30b…     2024-03-20   2024-03-20
HASH    e8000ddfddbe120b5f2fb3677abbad9…     2024-03-20   2024-03-20
HASH    71db2ae9c36403cec1fd38864d64f239     2024-03-20   2024-03-20
URL     http://gosiweb.gosiclass.com/m/…     2024-03-20   2024-03-20
HASH    d4fa57f9c9e35222a8cacddc79055c1…     2023-11-28   2024-03-20
HASH    da79eea1198a1a10e2ffd50fd949521…     2023-11-28   2024-03-20
HASH    f35b05779e9538cec363ca37ab38e287     2023-11-28   2024-03-20
HASH    b5224224fdbabdea53a91a96e9f816c…     2023-09-23   2024-03-20
HASH    364d4fdf430477222fe854b3cd5b6d40     2023-09-23   2024-03-20
HASH    c62677543eeb50e0def44fc75009a77…     2023-09-23   2024-03-20
DOMAIN  gosiweb.gosiclass.com                2021-11-01   2024-03-20
