win.kimsuky

Kimsuky

Actor(s): Kimsuki


There is no description at this point.

References
2020-06-12ThreatConnectThreatConnect Research Team
@online{team:20200612:probable:89a5bed, author = {ThreatConnect Research Team}, title = {{Probable Sandworm Infrastructure}}, date = {2020-06-12}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure}, language = {English}, urldate = {2020-06-16} } Probable Sandworm Infrastructure
Avaddon Ransomware Emotet Kimsuky
2020-03-10Virus BulletinJaeki Kim, Kyoung-Ju Kwak (郭炅周), Min-Chang Jang
@online{kim:20200310:kimsuky:f634a21, author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear phishing}}, date = {2020-03-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear phishing
Kimsuky MyDogs
2020-03-04MetaSwan's LabMetaSwan
@online{metaswan:20200304:kimsuky:86badd0, author = {MetaSwan}, title = {{Kimsuky group's resume impersonation malware}}, date = {2020-03-04}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware}, language = {English}, urldate = {2020-03-06} } Kimsuky group's resume impersonation malware
Kimsuky
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18PWC UKKris McConkey, Sveva Vittoria Scenarelli
@online{mcconkey:20200218:tracking:b1acf1a, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}}, date = {2020-02-18}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html}, language = {English}, urldate = {2020-02-26} } Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
Kimsuky
2019-10-04Virus BulletinJaeki Kim, Kyoung-ju Kwak, Min-Chang Jang
@techreport{kim:20191004:kimsuky:5780914, author = {Jaeki Kim and Kyoung-ju Kwak and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear-phishing}}, date = {2019-10-04}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear-phishing
Kimsuky
2019-09-11PrevailionDanny Adamitis, Elizabeth Wharton
@online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } Autumn Aperture
Kimsuky
2019-06-10ESTsecurityAlyac
@online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } [Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common
Kimsuky
Yara Rules
[TLP:WHITE] win_kimsuky_auto (20201014 | autogenerated rule brought to you by yara-signator)
// Malpedia-distributed detection rule for the win.kimsuky family. The rule is
// auto-generated (see the DISCLAIMER block below): its patterns are opcode
// sequences lifted from the family's samples, not hand-picked indicators, and
// the generator only had a single documented sample for some families. Treat a
// hit as a triage lead to be confirmed against the page named in
// malpedia_reference, not as a final attribution on its own.
rule win_kimsuky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky"
        malpedia_rule_date = "20201014"
        // NOTE(review): malpedia_hash sits next to the dataset date/version
        // fields and looks like a dataset identifier rather than a sample
        // hash; confirm before treating it as an IoC.
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of raw instruction bytes; the "n = ..."
        // comment gives the instruction count and "score" the generator's
        // ranking. The disassembly listed under each string is informational
        // only (YARA matches the hex, not the mnemonics); the registers it
        // shows (ebp, esp, eax, xmm0 ...) are consistent with 32-bit x86 code.
        // "??" bytes are wildcards that match any value. They appear exactly
        // where the generator left the disassembly column blank -- the
        // operands of call/jmp/mov-to-absolute encodings (e8, e9, ff15, a3,
        // c705 ...) -- so presumably they mask addresses and relocations that
        // differ between builds; verify against the yara-signator docs.
        $sequence_0 = { ffd7 a3???????? 8d85d4f5ffff 50 }
            // n = 4, score = 200
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   8d85d4f5ffff         | lea                 eax, [ebp - 0xa2c]
            //   50                   | push                eax

        $sequence_1 = { 807c01ff2f 7505 c644242000 33ff }
            // n = 4, score = 200
            //   807c01ff2f           | cmp                 byte ptr [ecx + eax - 1], 0x2f
            //   7505                 | jne                 7
            //   c644242000           | mov                 byte ptr [esp + 0x20], 0
            //   33ff                 | xor                 edi, edi

        $sequence_2 = { 750a bffeffffff e9???????? 3dfafe0000 0f8217010000 83bbc0af060000 0f840a010000 }
            // n = 7, score = 200
            //   750a                 | jne                 0xc
            //   bffeffffff           | mov                 edi, 0xfffffffe
            //   e9????????           |                     
            //   3dfafe0000           | cmp                 eax, 0xfefa
            //   0f8217010000         | jb                  0x11d
            //   83bbc0af060000       | cmp                 dword ptr [ebx + 0x6afc0], 0
            //   0f840a010000         | je                  0x110

        $sequence_3 = { b9???????? e8???????? 8d95e4f9ffff b9???????? e8???????? }
            // n = 5, score = 200
            //   b9????????           |                     
            //   e8????????           |                     
            //   8d95e4f9ffff         | lea                 edx, [ebp - 0x61c]
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_4 = { 8bd6 b130 e8???????? 837c245800 8b7c2444 7470 85ff }
            // n = 7, score = 200
            //   8bd6                 | mov                 edx, esi
            //   b130                 | mov                 cl, 0x30
            //   e8????????           |                     
            //   837c245800           | cmp                 dword ptr [esp + 0x58], 0
            //   8b7c2444             | mov                 edi, dword ptr [esp + 0x44]
            //   7470                 | je                  0x72
            //   85ff                 | test                edi, edi

        $sequence_5 = { 6a00 6a00 e8???????? 83c418 50 ff15???????? 8b4dfc }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_6 = { ffc9 0f84fe070000 ffc9 0f84ee070000 ffc9 }
            // n = 5, score = 200
            //   ffc9                 | dec                 ecx
            //   0f84fe070000         | je                  0x804
            //   ffc9                 | dec                 ecx
            //   0f84ee070000         | je                  0x7f4
            //   ffc9                 | dec                 ecx

        $sequence_7 = { 740b 83c820 894718 e9???????? 83c801 894718 }
            // n = 6, score = 200
            //   740b                 | je                  0xd
            //   83c820               | or                  eax, 0x20
            //   894718               | mov                 dword ptr [edi + 0x18], eax
            //   e9????????           |                     
            //   83c801               | or                  eax, 1
            //   894718               | mov                 dword ptr [edi + 0x18], eax

        $sequence_8 = { 0f284890 0f294a90 0f2840a0 0f2942a0 }
            // n = 4, score = 200
            //   0f284890             | movaps              xmm1, xmmword ptr [eax - 0x70]
            //   0f294a90             | movaps              xmmword ptr [edx - 0x70], xmm1
            //   0f2840a0             | movaps              xmm0, xmmword ptr [eax - 0x60]
            //   0f2942a0             | movaps              xmmword ptr [edx - 0x60], xmm0

        $sequence_9 = { 8d4fff 8d53ff 03c8 03d0 3bd9 7704 }
            // n = 6, score = 200
            //   8d4fff               | lea                 ecx, [edi - 1]
            //   8d53ff               | lea                 edx, [ebx - 1]
            //   03c8                 | add                 ecx, eax
            //   03d0                 | add                 edx, eax
            //   3bd9                 | cmp                 ebx, ecx
            //   7704                 | ja                  6

        $sequence_10 = { 50 8d85f8feffff 6804010000 50 e8???????? 83c418 8d85f8feffff }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   6804010000           | push                0x104
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]

        $sequence_11 = { 740a 33ff ff15???????? eb06 }
            // n = 4, score = 200
            //   740a                 | je                  0xc
            //   33ff                 | xor                 edi, edi
            //   ff15????????         |                     
            //   eb06                 | jmp                 8

        $sequence_12 = { 8b442430 e9???????? c7431400000001 33c0 e9???????? }
            // n = 5, score = 200
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   e9????????           |                     
            //   c7431400000001       | mov                 dword ptr [ebx + 0x14], 0x1000000
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_13 = { 8d85dcf7ffff 50 53 ffd7 a3???????? }
            // n = 5, score = 200
            //   8d85dcf7ffff         | lea                 eax, [ebp - 0x824]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   a3????????           |                     

        $sequence_14 = { 6a00 6800f70484 6a00 6a00 68???????? 8d85e4fbffff 50 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   6800f70484           | push                0x8404f700
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   8d85e4fbffff         | lea                 eax, [ebp - 0x41c]
            //   50                   | push                eax

        $sequence_15 = { c705????????00000800 eb2f c705????????00000100 eb23 ff15???????? }
            // n = 5, score = 200
            //   c705????????00000800     |     
            //   eb2f                 | jmp                 0x31
            //   c705????????00000100     |     
            //   eb23                 | jmp                 0x25
            //   ff15????????         |                     

    condition:
        // At least 7 of the 16 sequences above must match, so a single
        // coincidental short byte run (several strings are only 4 bytes of
        // common idioms like push/xor/jmp) does not fire the rule on its own.
        // The filesize cap is 499712 bytes (488 KiB); it is a cheap pre-filter
        // that presumably reflects the sizes of the samples the rule was
        // generated from, so it will not see larger, packed or appended files.
        // Raising it is a deliberate behaviour change -- re-evaluate the false
        // positive rate if you do.
        7 of them and filesize < 499712
}