SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kimsuky (Back to overview)

Kimsuky

Actor(s): Kimsuki, Kimsuky

There is no description at this point.

References
2022-01-05AhnLabASEC Analysis Team
@online{team:20220105:analysis:6eadabd, author = {ASEC Analysis Team}, title = {{Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)}}, date = {2022-01-05}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30532/}, language = {English}, urldate = {2022-04-15} } Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
Appleseed Kimsuky PEBBLEDASH
2021-10-07S2W Inc.Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak
@online{kim:20211007:operation:6b8234f, author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak}, title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}}, date = {2021-10-07}, organization = {S2W Inc.}, url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/}, language = {English}, urldate = {2021-10-14} } Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?
Appleseed Kimsuky
2021-08-23InQuestDmitry Melikov
@online{melikov:20210823:kimsuky:e899bfa, author = {Dmitry Melikov}, title = {{Kimsuky Espionage Campaign}}, date = {2021-08-23}, organization = {InQuest}, url = {https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign}, language = {English}, urldate = {2021-08-30} } Kimsuky Espionage Campaign
Kimsuky
2020-12-15KISAKISA
@techreport{kisa:20201215:operation:3972195, author = {KISA}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2020-12-16} } Operation MUZABI
Kimsuky
2020-06-12ThreatConnectThreatConnect Research Team
@online{team:20200612:probable:89a5bed, author = {ThreatConnect Research Team}, title = {{Probable Sandworm Infrastructure}}, date = {2020-06-12}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure}, language = {English}, urldate = {2020-06-16} } Probable Sandworm Infrastructure
Avaddon Emotet Kimsuky
2020-03-10Virus BulletinJaeki Kim, Kyoung-Ju Kwak (郭炅周), Min-Chang Jang
@online{kim:20200310:kimsuky:f634a21, author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear phishing}}, date = {2020-03-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear phishing
Kimsuky MyDogs
2020-03-04MetaSwan's LabMetaSwan
@online{metaswan:20200304:kimsuky:86badd0, author = {MetaSwan}, title = {{Kimsuky group's resume impersonation malware}}, date = {2020-03-04}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware}, language = {English}, urldate = {2020-03-06} } Kimsuky group's resume impersonation malware
Kimsuky
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18PWC UKKris McConkey, Sveva Vittoria Scenarelli
@online{mcconkey:20200218:tracking:b1acf1a, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}}, date = {2020-02-18}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html}, language = {English}, urldate = {2020-02-26} } Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
Kimsuky
2019-10-04Virus BulletinJaeki Kim, Kyoung-ju Kwak, Min-Chang Jang
@techreport{kim:20191004:kimsuky:5780914, author = {Jaeki Kim and Kyoung-ju Kwak and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear-phishing}}, date = {2019-10-04}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear-phishing
Kimsuky
2019-09-11PrevailionDanny Adamitis, Elizabeth Wharton
@online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } Autumn Aperture
Kimsuky
2019-06-10ESTsecurityAlyac
@online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } [Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common
Kimsuky
Yara Rules
[TLP:WHITE] win_kimsuky_auto (20220516 | Detects win.kimsuky.)
rule win_kimsuky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.kimsuky."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 8d85e4fbffff 50 8d45e4 50 56 ff15???????? }
            // n = 7, score = 400
            //   68????????           |                     
            //   8d85e4fbffff         | lea                 eax, [ebp - 0x41c]
            //   50                   | push                eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_1 = { 7503 56 eb18 6a00 6a00 6a00 68???????? }
            // n = 7, score = 400
            //   7503                 | jne                 5
            //   56                   | push                esi
            //   eb18                 | jmp                 0x1a
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_2 = { 8d85f8feffff 6a00 50 ff15???????? 8d85ecfbffff 50 }
            // n = 6, score = 400
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   50                   | push                eax

        $sequence_3 = { 6804010000 50 e8???????? 8d85f0fcffff 50 8d85f8feffff }
            // n = 6, score = 400
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d85f0fcffff         | lea                 eax, [ebp - 0x310]
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]

        $sequence_4 = { 84c0 75f9 2bca 51 8d85e4f5ffff 50 6a00 }
            // n = 7, score = 400
            //   84c0                 | test                al, al
            //   75f9                 | jne                 0xfffffffb
            //   2bca                 | sub                 ecx, edx
            //   51                   | push                ecx
            //   8d85e4f5ffff         | lea                 eax, [ebp - 0xa1c]
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_5 = { 50 8d85f8feffff 50 8d85f4fdffff 68???????? }
            // n = 5, score = 400
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]
            //   68????????           |                     

        $sequence_6 = { 85c0 7516 ff15???????? 8bd8 e8???????? 0fafd8 }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   0fafd8               | imul                ebx, eax

        $sequence_7 = { ffd7 a3???????? 8d85dcf7ffff 50 53 }
            // n = 5, score = 400
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   8d85dcf7ffff         | lea                 eax, [ebp - 0x824]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_8 = { b9???????? e8???????? 8d95ecfbffff b9???????? e8???????? }
            // n = 5, score = 400
            //   b9????????           |                     
            //   e8????????           |                     
            //   8d95ecfbffff         | lea                 edx, [ebp - 0x414]
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_9 = { 4d8b36 4d85f6 0f8540feffff 488b6c2460 4c637d3c 33c9 41b800300000 }
            // n = 7, score = 300
            //   4d8b36               | dec                 eax
            //   4d85f6               | mov                 dword ptr [esp + 0x30], edi
            //   0f8540feffff         | inc                 ebp
            //   488b6c2460           | xor                 ebp, ebp
            //   4c637d3c             | inc                 ebp
            //   33c9                 | xor                 esp, esp
            //   41b800300000         | dec                 esp

        $sequence_10 = { 4533ed 4533e4 4c897c2468 e8???????? 488be8 b84d5a0000 0f1f440000 }
            // n = 7, score = 300
            //   4533ed               | je                  0xe
            //   4533e4               | dec                 eax
            //   4c897c2468           | dec                 ebp
            //   e8????????           |                     
            //   488be8               | jmp                 0xffffffe9
            //   b84d5a0000           | dec                 eax
            //   0f1f440000           | mov                 eax, dword ptr [0x60]

        $sequence_11 = { 7709 813c2a50450000 7405 48ffcd ebdb 65488b042560000000 48897c2430 }
            // n = 7, score = 300
            //   7709                 | dec                 esp
            //   813c2a50450000       | mov                 esi, dword ptr [ecx + 0x20]
            //   7405                 | dec                 ebp
            //   48ffcd               | test                esi, esi
            //   ebdb                 | je                  0x1dc
            //   65488b042560000000     | ja    0xb
            //   48897c2430           | cmp                 dword ptr [edx + ebp], 0x4550

        $sequence_12 = { 48896c2460 488b4818 41bb01000000 4c8b7120 4d85f6 0f84d6010000 }
            // n = 6, score = 300
            //   48896c2460           | dec                 eax
            //   488b4818             | mov                 dword ptr [esp + 0x60], ebp
            //   41bb01000000         | dec                 eax
            //   4c8b7120             | mov                 ecx, dword ptr [eax + 0x18]
            //   4d85f6               | inc                 ecx
            //   0f84d6010000         | mov                 ebx, 1

        $sequence_13 = { 33c9 41b800300000 4c03fd 448d4940 418b5750 4c897c2460 }
            // n = 6, score = 300
            //   33c9                 | mov                 ebp, dword ptr [esp + 0x60]
            //   41b800300000         | dec                 esp
            //   4c03fd               | arpl                word ptr [ebp + 0x3c], di
            //   448d4940             | xor                 ecx, ecx
            //   418b5750             | inc                 ecx
            //   4c897c2460           | mov                 eax, 0x3000

        $sequence_14 = { 4c897c2460 ffd6 458b4754 488bd5 4c8bf0 4d85c0 741e }
            // n = 7, score = 300
            //   4c897c2460           | nop                 dword ptr [eax + eax]
            //   ffd6                 | dec                 ebp
            //   458b4754             | mov                 esi, dword ptr [esi]
            //   488bd5               | dec                 ebp
            //   4c8bf0               | test                esi, esi
            //   4d85c0               | jne                 0xfffffe49
            //   741e                 | dec                 eax

        $sequence_15 = { ffd3 488bc3 4883c440 415f }
            // n = 4, score = 300
            //   ffd3                 | mov                 dword ptr [esp + 0x68], edi
            //   488bc3               | dec                 eax
            //   4883c440             | mov                 ebp, eax
            //   415f                 | mov                 eax, 0x5a4d

        $sequence_16 = { 895c2458 eb04 8b5c2458 c685700d000000 }
            // n = 4, score = 200
            //   895c2458             | mov                 eax, 0x3000
            //   eb04                 | dec                 esp
            //   8b5c2458             | add                 edi, ebp
            //   c685700d000000       | inc                 esp

        $sequence_17 = { 85c0 7464 c7453038000000 33c0 }
            // n = 4, score = 200
            //   85c0                 | dec                 eax
            //   7464                 | add                 esp, 0x40
            //   c7453038000000       | inc                 ecx
            //   33c0                 | pop                 edi

        $sequence_18 = { 89442450 8bf0 8bc8 e8???????? }
            // n = 4, score = 200
            //   89442450             | test                esi, esi
            //   8bf0                 | jne                 0xfffffe49
            //   8bc8                 | dec                 eax
            //   e8????????           |                     

        $sequence_19 = { ff15???????? 498bc6 488b4d20 4833cc }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   498bc6               | lea                 ecx, [eax + 1]
            //   488b4d20             | mov                 ebx, eax
            //   4833cc               | imul                ebx, eax

        $sequence_20 = { 85c0 0f84e6000000 c6850801000000 33c0 }
            // n = 4, score = 200
            //   85c0                 | mov                 ebp, dword ptr [esp + 0x60]
            //   0f84e6000000         | dec                 esp
            //   c6850801000000       | arpl                word ptr [ebp + 0x3c], di
            //   33c0                 | xor                 ecx, ecx

        $sequence_21 = { 85c0 0f8432020000 8b7590 660f1f440000 837df000 0f841b020000 }
            // n = 6, score = 200
            //   85c0                 | dec                 esp
            //   0f8432020000         | mov                 dword ptr [esp + 0x60], edi
            //   8b7590               | call                esi
            //   660f1f440000         | inc                 ebp
            //   837df000             | mov                 eax, dword ptr [edi + 0x54]
            //   0f841b020000         | dec                 eax

        $sequence_22 = { 4c89642430 c744242880000000 c744242002000000 4533c9 4533c0 ba00000040 }
            // n = 6, score = 200
            //   4c89642430           | mov                 byte ptr [ecx + edi], 0
            //   c744242880000000     | cmp                 byte ptr [edi], 0
            //   c744242002000000     | je                  0x16
            //   4533c9               | test                eax, eax
            //   4533c0               | je                  0x238
            //   ba00000040           | mov                 esi, dword ptr [ebp - 0x70]

        $sequence_23 = { 8b4c2468 c6043900 803f00 740d }
            // n = 4, score = 200
            //   8b4c2468             | mov                 edx, ebp
            //   c6043900             | dec                 esp
            //   803f00               | mov                 esi, eax
            //   740d                 | dec                 ebp

        $sequence_24 = { 85c0 0f84b3000000 85f6 0f8497000000 8bd6 }
            // n = 5, score = 200
            //   85c0                 | inc                 ecx
            //   0f84b3000000         | mov                 eax, 0x3000
            //   85f6                 | call                ebx
            //   0f8497000000         | dec                 eax
            //   8bd6                 | mov                 eax, ebx

        $sequence_25 = { 488d4c2450 e8???????? 90 488b5008 }
            // n = 4, score = 200
            //   488d4c2450           | mov                 esi, dword ptr [ebp - 0x70]
            //   e8????????           |                     
            //   90                   | nop                 word ptr [eax + eax]
            //   488b5008             | cmp                 dword ptr [ebp - 0x10], 0

        $sequence_26 = { 488d8a38000000 e9???????? 488d8a28010000 e9???????? }
            // n = 4, score = 200
            //   488d8a38000000       | je                  0x234
            //   e9????????           |                     
            //   488d8a28010000       | mov                 ecx, dword ptr [esp + 0x68]
            //   e9????????           |                     

        $sequence_27 = { 88436f 0fb64313 884370 0fb64312 }
            // n = 4, score = 100
            //   88436f               | mov                 ecx, dword ptr [eax + 0x18]
            //   0fb64313             | dec                 esp
            //   884370               | arpl                word ptr [ebp + 0x3c], di
            //   0fb64312             | xor                 ecx, ecx

        $sequence_28 = { 88436c 0fb6430e 88436d 8b430c c1e808 88436e 0fb6430c }
            // n = 7, score = 100
            //   88436c               | mov                 ebx, eax
            //   0fb6430e             | imul                ebx, eax
            //   88436d               | test                eax, eax
            //   8b430c               | jne                 0x18
            //   c1e808               | mov                 ebx, eax
            //   88436e               | imul                ebx, eax
            //   0fb6430c             | jne                 0x18

        $sequence_29 = { 884370 0fb64312 884371 8b4310 }
            // n = 4, score = 100
            //   884370               | dec                 ecx
            //   0fb64312             | mov                 ecx, esi
            //   884371               | inc                 ecx
            //   8b4310               | lea                 edx, [eax + 1]

        $sequence_30 = { 88436e 0fb6430c 88436f 0fb64313 }
            // n = 4, score = 100
            //   88436e               | dec                 esp
            //   0fb6430c             | mov                 dword ptr [esp + 0x20], ebp
            //   88436f               | xor                 esi, esi
            //   0fb64313             | inc                 ebp

    condition:
        7 of them and filesize < 1021952
}
Download all Yara Rules