win.kimsuky

Kimsuky

Actor(s): Kimsuki, Kimsuky


There is no description at this point.

References
2020-12-15 · KISA · KISA
@techreport{kisa:20201215:operation:3972195, author = {KISA}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2020-12-16} } Operation MUZABI
Kimsuky
2020-06-12 · ThreatConnect · ThreatConnect Research Team
@online{team:20200612:probable:89a5bed, author = {ThreatConnect Research Team}, title = {{Probable Sandworm Infrastructure}}, date = {2020-06-12}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure}, language = {English}, urldate = {2020-06-16} } Probable Sandworm Infrastructure
Avaddon Ransomware Emotet Kimsuky
2020-03-10 · Virus Bulletin · Jaeki Kim, Kyoung-Ju Kwak (郭炅周), Min-Chang Jang
@online{kim:20200310:kimsuky:f634a21, author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear phishing}}, date = {2020-03-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear phishing
Kimsuky MyDogs
2020-03-04 · MetaSwan's Lab · MetaSwan
@online{metaswan:20200304:kimsuky:86badd0, author = {MetaSwan}, title = {{Kimsuky group's resume impersonation malware}}, date = {2020-03-04}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware}, language = {English}, urldate = {2020-03-06} } Kimsuky group's resume impersonation malware
Kimsuky
2020-02-19 · Lexfo · Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18 · PWC UK · Kris McConkey, Sveva Vittoria Scenarelli
@online{mcconkey:20200218:tracking:b1acf1a, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}}, date = {2020-02-18}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html}, language = {English}, urldate = {2020-02-26} } Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
Kimsuky
2019-10-04 · Virus Bulletin · Jaeki Kim, Kyoung-ju Kwak, Min-Chang Jang
@techreport{kim:20191004:kimsuky:5780914, author = {Jaeki Kim and Kyoung-ju Kwak and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear-phishing}}, date = {2019-10-04}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear-phishing
Kimsuky
2019-09-11 · Prevailion · Danny Adamitis, Elizabeth Wharton
@online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } Autumn Aperture
Kimsuky
2019-06-10 · ESTsecurity · Alyac
@online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } [Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common
Kimsuky
Yara Rules
[TLP:WHITE] win_kimsuky_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_kimsuky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* READING NOTES (reviewer)
     * - Each $sequence_N is a run of instruction bytes; "??" wildcards stand in
     *   for relocatable operands (call/jmp targets, absolute data references),
     *   so the byte strings are position-independent.
     * - The "n = ..., score = ..." lines are emitted by the generator: n is the
     *   number of instructions in the sequence; the meaning of score is not
     *   documented here and should be taken from the yara-signator docs.
     * - The disassembly column for $sequence_10 .. $sequence_21 in the published
     *   rule did not correspond to the bytes on the same line (e.g. 85c0 was
     *   annotated "dec eax" while $sequence_2 annotates it "test eax, eax").
     *   Those annotations have been re-derived from the bytes below.
     *   $sequence_10 .. $sequence_15 carry REX prefixes (41/48/49/4c/4d) and
     *   are therefore 64-bit code; the remaining sequences decode as 32-bit.
     *   Branch targets follow the generator's convention of decoding each
     *   instruction at address 0 (cf. "7516 | jne 0x18" in $sequence_2).
     * - The condition needs 7 of the 22 sequences plus a file-size bound; it
     *   does not pin the sample to a specific architecture, so hits on both
     *   32-bit and 64-bit builds are expected.
     */


    strings:
        $sequence_0 = { e8???????? 8d95ecfbffff b9???????? e8???????? }
            // n = 4, score = 400
            //   e8????????           |                     
            //   8d95ecfbffff         | lea                 edx, [ebp - 0x414]
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_1 = { 6a00 6a00 68???????? 8d85e4fbffff 50 8d45e4 50 }
            // n = 7, score = 400
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   8d85e4fbffff         | lea                 eax, [ebp - 0x41c]
            //   50                   | push                eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax

        $sequence_2 = { ff15???????? 85c0 7516 ff15???????? 8bd8 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_3 = { 50 56 ffd7 a3???????? 8d85ccf3ffff 50 56 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   8d85ccf3ffff         | lea                 eax, [ebp - 0xc34]
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_4 = { 8d85f8feffff 6804010000 50 e8???????? 8d85f0fcffff 50 }
            // n = 6, score = 400
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d85f0fcffff         | lea                 eax, [ebp - 0x310]
            //   50                   | push                eax

        $sequence_5 = { ff15???????? 8bd8 e8???????? 0fafd8 }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     
            //   0fafd8               | imul                ebx, eax

        $sequence_6 = { 8d85f0feffff 50 68???????? ff15???????? 6a04 6a00 }
            // n = 6, score = 400
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a04                 | push                4
            //   6a00                 | push                0

        $sequence_7 = { 75f9 2bca 51 8d85e4f5ffff }
            // n = 4, score = 400
            //   75f9                 | jne                 0xfffffffb
            //   2bca                 | sub                 ecx, edx
            //   51                   | push                ecx
            //   8d85e4f5ffff         | lea                 eax, [ebp - 0xa1c]

        $sequence_8 = { 8d95f0fcffff b9???????? e8???????? 8d95ecfbffff }
            // n = 4, score = 400
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]
            //   b9????????           |                     
            //   e8????????           |                     
            //   8d95ecfbffff         | lea                 edx, [ebp - 0x414]

        $sequence_9 = { a3???????? 8d85dcf7ffff 50 53 ffd7 }
            // n = 5, score = 400
            //   a3????????           |                     
            //   8d85dcf7ffff         | lea                 eax, [ebp - 0x824]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ffd7                 | call                edi

        $sequence_10 = { 498bce 418d5001 ffd3 488bc3 4883c440 415f 415e }
            // n = 7, score = 300
            // (64-bit) function epilogue: indirect call via rbx, then stack/register restore
            //   498bce               | mov                 rcx, r14
            //   418d5001             | lea                 edx, [r8 + 1]
            //   ffd3                 | call                rbx
            //   488bc3               | mov                 rax, rbx
            //   4883c440             | add                 rsp, 0x40
            //   415f                 | pop                 r15
            //   415e                 | pop                 r14

        $sequence_11 = { 4883c9ff 4903de ff542468 4533c0 498bce 418d5001 ffd3 }
            // n = 7, score = 300
            // (64-bit) overlaps the start of $sequence_10
            //   4883c9ff             | or                  rcx, -1
            //   4903de               | add                 rbx, r14
            //   ff542468             | call                qword ptr [rsp + 0x68]
            //   4533c0               | xor                 r8d, r8d
            //   498bce               | mov                 rcx, r14
            //   418d5001             | lea                 edx, [r8 + 1]
            //   ffd3                 | call                rbx

        $sequence_12 = { 4156 4157 4883ec40 48896c2470 4889742438 }
            // n = 5, score = 300
            // (64-bit) function prologue; 0x40 matches the "add rsp, 0x40" in $sequence_10
            //   4156                 | push                r14
            //   4157                 | push                r15
            //   4883ec40             | sub                 rsp, 0x40
            //   48896c2470           | mov                 qword ptr [rsp + 0x70], rbp
            //   4889742438           | mov                 qword ptr [rsp + 0x38], rsi

        $sequence_13 = { 4d8b36 4d85f6 0f8540feffff 488b6c2460 4c637d3c }
            // n = 5, score = 300
            // (64-bit)
            //   4d8b36               | mov                 r14, qword ptr [r14]
            //   4d85f6               | test                r14, r14
            //   0f8540feffff         | jne                 0xfffffffffffffe46
            //   488b6c2460           | mov                 rbp, qword ptr [rsp + 0x60]
            //   4c637d3c             | movsxd              r15, dword ptr [rbp + 0x3c]

        $sequence_14 = { 48896c2460 488b4818 41bb01000000 4c8b7120 4d85f6 0f84d6010000 }
            // n = 6, score = 300
            // (64-bit)
            //   48896c2460           | mov                 qword ptr [rsp + 0x60], rbp
            //   488b4818             | mov                 rcx, qword ptr [rax + 0x18]
            //   41bb01000000         | mov                 r11d, 1
            //   4c8b7120             | mov                 r14, qword ptr [rcx + 0x20]
            //   4d85f6               | test                r14, r14
            //   0f84d6010000         | je                  0x1dc

        $sequence_15 = { 4c897c2468 41bb01000000 418d5b02 4d85ed 740f 4d85e4 }
            // n = 6, score = 300
            // (64-bit)
            //   4c897c2468           | mov                 qword ptr [rsp + 0x68], r15
            //   41bb01000000         | mov                 r11d, 1
            //   418d5b02             | lea                 ebx, [r11 + 2]
            //   4d85ed               | test                r13, r13
            //   740f                 | je                  0x11
            //   4d85e4               | test                r12, r12

        $sequence_16 = { 85c9 0f8494020000 89bda0000000 897d30 }
            // n = 4, score = 200
            //   85c9                 | test                ecx, ecx
            //   0f8494020000         | je                  0x29a
            //   89bda0000000         | mov                 dword ptr [ebp + 0xa0], edi
            //   897d30               | mov                 dword ptr [ebp + 0x30], edi

        $sequence_17 = { e8???????? 90 83bd8000000000 7443 8b8584000000 85c0 750b }
            // n = 7, score = 200
            //   e8????????           |                     
            //   90                   | nop
            //   83bd8000000000       | cmp                 dword ptr [ebp + 0x80], 0
            //   7443                 | je                  0x45
            //   8b8584000000         | mov                 eax, dword ptr [ebp + 0x84]
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd

        $sequence_18 = { 0f84b3000000 85f6 0f8497000000 8bd6 }
            // n = 4, score = 200
            //   0f84b3000000         | je                  0xb9
            //   85f6                 | test                esi, esi
            //   0f8497000000         | je                  0x9d
            //   8bd6                 | mov                 edx, esi

        $sequence_19 = { ff15???????? 85c0 7464 c7453038000000 33c0 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7464                 | je                  0x66
            //   c7453038000000       | mov                 dword ptr [ebp + 0x30], 0x38
            //   33c0                 | xor                 eax, eax

        $sequence_20 = { e8???????? eb2e 83f801 750b }
            // n = 4, score = 200
            //   e8????????           |                     
            //   eb2e                 | jmp                 0x30
            //   83f801               | cmp                 eax, 1
            //   750b                 | jne                 0xd

        $sequence_21 = { 8d4702 03c2 89442450 8bf0 8bc8 e8???????? }
            // n = 6, score = 200
            //   8d4702               | lea                 eax, [edi + 2]
            //   03c2                 | add                 eax, edx
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   8bf0                 | mov                 esi, eax
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

    condition:
        // at least 7 of the 22 sequences must match, and the scanned object
        // must be smaller than 499712 bytes (0x7a000)
        7 of them and filesize < 499712
}