Threat Trend Report on Kimsuky – April 2023
2023-06-09 • Ahnlab
AhnLab’s April 2023 Kimsuky trend report says observed Kimsuky activity fell to less than half of March’s volume, but the group continued to show changes across its FlowerPower, RandomQuery, and AppleSeed operations. FlowerPower kept using Korean domain services such as kro.kr, n-e.kr, o-r.kr, p-e.kr, and r-e.kr, as well as Punycode domains from 내도메인.한국, while RandomQuery showed no major change beyond newly discovered FQDNs. The most notable AppleSeed finding was that a domain used to distribute AppleSeed also delivered a Google Chrome Remote Desktop setup script, raising the possibility of a shift away from the group’s usual VNC-based remote-control tooling such as TightVNC or TinyNuke. ASEC also observed AppleSeed executions in which the dropper and payload used two different argument values instead of the usual repeated value.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | o-r.kr | 2023-05-24 | 2026-06-01 |
| DOMAIN | r-e.kr | 2023-03-23 | 2026-06-01 |
| DOMAIN | n-e.kr | 2022-08-26 | 2026-06-01 |
| DOMAIN | p-e.kr | 2021-12-21 | 2026-06-01 |
| HASH | 433a2a49a84545f23a038f3584f28b4a | 2023-06-09 | 2023-12-18 |
| HASH | 955170427d0c4f9c23f7b8507a6003aa | 2023-06-09 | 2023-08-28 |
| HASH | 8867e234ed6e619c38198f1576ea9438 | 2023-06-09 | 2023-06-09 |
| HASH | c3026118c6ec57ef62b627b4a3ce0c31 | 2023-06-09 | 2023-06-09 |
| HASH | b29de686362ea0d2d1b768e2e4438a91 | 2023-06-09 | 2023-06-09 |
| HASH | 7fced6cd5c31375fdf4bf3ad9a24e5a8 | 2023-06-09 | 2023-06-09 |
| HASH | b5fa9fc4ce170ae200c6ff9b568cf967 | 2023-06-09 | 2023-06-09 |
| HASH | 6d788bc0be3f8f271de503cfc8bf5928 | 2023-06-09 | 2023-06-09 |
| HASH | 00dbf10c3103ed95f6abe0f98b2384f7 | 2023-06-09 | 2023-06-09 |
| HASH | 6158c202a1005f0ef64b3a9ac85c4950 | 2023-06-09 | 2023-06-09 |
| HASH | 6b017dcaaba40712b74fadaa5cbc94c9 | 2023-06-09 | 2023-06-09 |
| HASH | 1a7098ee5571a5fa928eb517a56740eb | 2023-06-09 | 2023-06-09 |
| HASH | bc1c1013568bf6deed4aa4af00536b47 | 2023-06-09 | 2023-06-09 |
| HASH | 1ff29b06dc80eae0f3583c965bbdfe92 | 2023-06-09 | 2023-06-09 |
| HASH | 84b18f77cf556c31582c96fde60cad34 | 2023-06-09 | 2023-06-09 |
| HASH | 5f88da72abdbd23da4df12385f26eb99 | 2023-06-09 | 2023-06-09 |
| HASH | 7bfba6a51c9193ac142eab8c2c180470 | 2023-06-09 | 2023-06-09 |
| HASH | e3fe5030ffa123fe6bebe6cb73e3949e | 2023-06-09 | 2023-06-09 |
| HASH | 34c58ac8f0f780512b7165697fc693fa | 2023-06-09 | 2023-06-09 |
| URL | http://ibsq.co.kr/m.layouts/dem… | 2023-06-09 | 2023-06-09 |
| DOMAIN | funny.storie2.r-e.kr | 2023-06-09 | 2023-06-09 |
| DOMAIN | coef.getenjoyment.net | 2023-06-09 | 2023-06-09 |
| DOMAIN | greenspace1.com | 2023-06-09 | 2023-06-09 |
| DOMAIN | grghergoij.getenjoyment.net | 2023-06-09 | 2023-06-09 |
| DOMAIN | clear.worksheet.n-e.kr | 2023-06-09 | 2023-06-09 |
| DOMAIN | metasa2.getenjoyment.net | 2023-06-09 | 2023-06-09 |
| DOMAIN | usn.drctech.kr | 2023-06-09 | 2023-06-09 |
| DOMAIN | ibsq.co.kr | 2023-03-14 | 2023-06-09 |
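The table above mixes two kinds of domain indicator: exact FQDNs (high confidence) and the shared Korean domain services the report names (kro.kr, n-e.kr, o-r.kr, p-e.kr, r-e.kr), which host many unrelated users and therefore only yield low-confidence leads. The following is an added triage example, not AhnLab's own tooling: it loads the domains from the table, normalises any Unicode hostname in a log to its Punycode A-label so names registered in either form compare equal, and scans constructed DNS query log lines. The log line format, the sample queries and the two-tier confidence scheme are assumptions for this illustration.

```python
"""Triage DNS query logs against the domain IoCs in the Kimsuky April 2023 report.

Added example. The domain sets below come from the report's IoC table;
the log format and the SAMPLE_LOG lines are constructed for this demo.
"""
import re
from collections import namedtuple

# Exact FQDNs from the IoC table: a hit on one of these is high confidence.
EXACT_FQDNS = {
    "funny.storie2.r-e.kr",
    "coef.getenjoyment.net",
    "greenspace1.com",
    "grghergoij.getenjoyment.net",
    "clear.worksheet.n-e.kr",
    "metasa2.getenjoyment.net",
    "usn.drctech.kr",
    "ibsq.co.kr",
}

# Shared Korean domain services named in the report. Many legitimate users
# sit under these apexes, so a suffix hit alone is only a low-confidence lead.
SHARED_APEX = {"kro.kr", "n-e.kr", "o-r.kr", "p-e.kr", "r-e.kr"}

# Assumed log line shape: "<timestamp> client=<ip> query=<name> type=<rr>"
LOG_RE = re.compile(r"query=(?P<q>\S+)")

Match = namedtuple("Match", "line domain confidence reason")


def to_alabel(name: str) -> str:
    """Normalise a hostname to lowercase Punycode (A-label) form.

    A name logged in Unicode (e.g. a 내도메인.한국-style IDN) and the same name
    logged as xn-- labels must compare equal, so both are reduced to A-labels.
    """
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name  # malformed label: keep as-is so it can still be reported


def _under_apex(name: str, apex: str) -> bool:
    # "fake-r-e.kr" must not match "r-e.kr", hence the leading dot.
    return name == apex or name.endswith("." + apex)


def classify(domain: str):
    """Return (confidence, reason) for a queried name, or None if not an IoC."""
    name = to_alabel(domain)
    if name in {to_alabel(d) for d in EXACT_FQDNS}:
        return "high", "exact IoC FQDN"
    for apex in sorted(SHARED_APEX):
        if _under_apex(name, apex):
            return "low", f"hosted under shared service {apex}"
    return None


def scan(lines):
    """Run every log line through classify() and collect the hits in order."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("q"))
        if verdict:
            hits.append(Match(line, to_alabel(m.group("q")), *verdict))
    return hits


# Constructed DNS query log; only the hostnames from the IoC table are real.
SAMPLE_LOG = [
    "2023-04-12T09:15:02Z client=10.0.0.5 query=funny.storie2.r-e.kr type=A",
    "2023-04-12T09:15:03Z client=10.0.0.5 query=www.example.com type=A",
    "2023-04-12T09:16:10Z client=10.0.0.7 query=테스트.r-e.kr type=A",
    "2023-04-12T09:17:44Z client=10.0.0.9 query=ibsq.co.kr type=A",
    "2023-04-12T09:18:01Z client=10.0.0.9 query=fake-r-e.kr type=A",
    "2023-04-12T09:19:30Z client=10.0.0.3 query=news.kro.kr type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit.confidence}] {hit.domain}: {hit.reason}")
```

The split between exact FQDNs and shared apexes matters operationally: blocking r-e.kr or kro.kr outright would break legitimate sites, so apex hits are better routed to hunting queues (which client, how often, what was resolved) while exact-FQDN hits can go straight to blocking and incident response.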