Threat Trend Report on Kimsuky – June 2023
2023-08-16 • AhnLab
AhnLab’s June 2023 Kimsuky trend report says observed Kimsuky activity rose slightly when measured by fully qualified domain names, with more AppleSeed-type activity than in May. The report highlights FlowerPower samples that briefly removed an information-collection function before reintroducing it, which suggests testing or detection-evasion changes, and notes that RandomQuery’s attempted transition to a new system had not materially changed since March. Kimsuky tooling continued to be delivered through Word, CHM, and OneNote files and, more recently, .NET EXE files that write Base64-encoded data to update.vbs, display a “document corrupted” message written in North Korean grammar, and download additional scripts from C2 infrastructure. The PDF also includes IOC sections for file paths, MD5 hashes, domains, URLs, and IP addresses.
Indicators of Compromise