win.kimsuky

Kimsuky

Actor(s): Kimsuki, Kimsuky


There is no curated description for this family yet. For background, see the references below — e.g. PwC's "Tracking ‘Kimsuky’, the North Korea-based cyber espionage group", Virus Bulletin's "Kimsuky group: tracking the king of the spear phishing", and AhnLab's analysis of the group's AppleSeed and PebbleDash tooling.

References
2023-05-22 | AhnLab | ASEC
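@online{asec:20230522:kimsuky:6007eeb,
  author       = {{ASEC}},
  title        = {{Kimsuky} Group Using {Meterpreter} to Attack Web Servers},
  date         = {2023-05-22},
  organization = {AhnLab},
  url          = {https://asec.ahnlab.com/en/53046/},
  urldate      = {2023-08-07},
  language     = {English},
}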
Kimsuky Meterpreter
2022-08-26 | cocomelonc
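@online{cocomelonc:20220826:malware:c330f1e,
  author   = {cocomelonc},
  title    = {Malware development: persistence - part 9. Default file extension hijacking. Simple {C++} example.},
  date     = {2022-08-26},
  url      = {https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html},
  urldate  = {2022-12-01},
  language = {English},
}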
Kimsuky
2022-08-09 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
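@online{reaves:20220809:pivoting:7afbaea,
  author        = {Reaves, Jason and Platt, Joshua},
  title         = {Pivoting on a {SharpExt} to profile {Kimusky} panels for great good},
  date          = {2022-08-09},
  organization  = {Medium walmartglobaltech},
  url           = {https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9},
  urldate       = {2023-02-06},
  language      = {English},
  internal-note = {"Kimusky" is the spelling used in the source title (sic); the actor is Kimsuky},
}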
Kimsuky
2022-08-02 | ASEC | ASEC Analysis Team
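@online{team:20220802:word:dbe2c7e,
  author       = {{ASEC Analysis Team}},
  title        = {{Word} File Provided as External Link When Replying to Attacker’s Email ({Kimsuky})},
  date         = {2022-08-02},
  organization = {ASEC},
  url          = {https://asec.ahnlab.com/en/37396/},
  urldate      = {2022-08-02},
  language     = {English},
}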
Kimsuky
2022-04-20 | cocomelonc | cocomelonc
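@online{cocomelonc:20220420:malware:b20963e,
  author       = {cocomelonc},
  title        = {Malware development: persistence - part 1. Registry run keys. {C++} example.},
  date         = {2022-04-20},
  organization = {cocomelonc},
  url          = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html},
  urldate      = {2022-12-01},
  language     = {English},
}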
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-01-05 | AhnLab | ASEC Analysis Team
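@online{team:20220105:analysis:6eadabd,
  author       = {{ASEC Analysis Team}},
  title        = {Analysis Report on {Kimsuky} Group’s {APT} Attacks ({AppleSeed}, {PebbleDash})},
  date         = {2022-01-05},
  organization = {AhnLab},
  url          = {https://asec.ahnlab.com/en/30532/},
  urldate      = {2022-04-15},
  language     = {English},
}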
Appleseed Kimsuky PEBBLEDASH
2021-10-07 | S2W Inc. | Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak
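@online{kim:20211007:operation:6b8234f,
  author       = {Kim, Jaeki and Ryu, Sojun and Kwak, Kyoung-ju},
  title        = {Operation {Newton}: Hi {Kimsuky}? Did an {Apple(seed)} really fall on {Newton}’s head?},
  date         = {2021-10-07},
  organization = {S2W Inc.},
  url          = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/},
  urldate      = {2021-10-14},
  language     = {English},
}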
Appleseed Kimsuky
2021-08-23 | InQuest | Dmitry Melikov
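@online{melikov:20210823:kimsuky:e899bfa,
  author       = {Melikov, Dmitry},
  title        = {{Kimsuky} Espionage Campaign},
  date         = {2021-08-23},
  organization = {InQuest},
  url          = {https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign},
  urldate      = {2021-08-30},
  language     = {English},
}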
Kimsuky
2020-12-15 | KISA | KISA
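@techreport{kisa:20201215:operation:3972195,
  author      = {{KISA}},
  title       = {Operation {MUZABI}},
  date        = {2020-12-15},
  institution = {KISA},
  url         = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf},
  urldate     = {2020-12-16},
  language    = {Korean},
}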
Kimsuky
2020-06-12 | ThreatConnect | ThreatConnect Research Team
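@online{team:20200612:probable:89a5bed,
  author       = {{ThreatConnect Research Team}},
  title        = {Probable {Sandworm} Infrastructure},
  date         = {2020-06-12},
  organization = {ThreatConnect},
  url          = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure},
  urldate      = {2020-06-16},
  language     = {English},
}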
Avaddon Emotet Kimsuky
2020-03-10 | Virus Bulletin | Jaeki Kim, Kyoung-Ju Kwak (郭炅周), Min-Chang Jang
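@online{kim:20200310:kimsuky:f634a21,
  author       = {Kim, Jaeki and Kwak, Kyoung-Ju (郭炅周) and Jang, Min-Chang},
  title        = {{Kimsuky} group: tracking the king of the spear phishing},
  date         = {2020-03-10},
  organization = {Virus Bulletin},
  url          = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/},
  urldate      = {2020-09-23},
  language     = {English},
}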
Kimsuky MyDogs
2020-03-04 | MetaSwan's Lab | MetaSwan
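@online{metaswan:20200304:kimsuky:86badd0,
  author       = {MetaSwan},
  title        = {{Kimsuky} group's resume impersonation malware},
  date         = {2020-03-04},
  organization = {MetaSwan's Lab},
  url          = {https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware},
  urldate      = {2020-03-06},
  language     = {English},
}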
Kimsuky
2020-02-19 | Lexfo | Lexfo
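@techreport{lexfo:20200219:lazarus:f293c37,
  author      = {{Lexfo}},
  title       = {The {Lazarus} Constellation},
  subtitle    = {A study on {North Korean} malware},
  date        = {2020-02-19},
  institution = {Lexfo},
  url         = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf},
  urldate     = {2020-03-11},
  language    = {English},
}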
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18 | PWC UK | Kris McConkey, Sveva Vittoria Scenarelli
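@online{mcconkey:20200218:tracking:b1acf1a,
  author       = {McConkey, Kris and Scenarelli, Sveva Vittoria},
  title        = {Tracking ‘{Kimsuky}’, the {North Korea}-based cyber espionage group: Part 1},
  date         = {2020-02-18},
  organization = {PWC UK},
  url          = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html},
  urldate      = {2020-02-26},
  language     = {English},
}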
Kimsuky
2019-10-04 | Virus Bulletin | Jaeki Kim, Kyoung-ju Kwak, Min-Chang Jang
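@techreport{kim:20191004:kimsuky:5780914,
  author      = {Kim, Jaeki and Kwak, Kyoung-ju and Jang, Min-Chang},
  title       = {{Kimsuky} group: tracking the king of the spear-phishing},
  type        = {Conference slides},
  date        = {2019-10-04},
  institution = {Virus Bulletin},
  url         = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf},
  urldate     = {2020-09-23},
  language    = {English},
}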
Kimsuky
2019-09-11 | Prevailion | Danny Adamitis, Elizabeth Wharton
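@online{adamitis:20190911:autumn:8bec4cb,
  author       = {Adamitis, Danny and Wharton, Elizabeth},
  title        = {{Autumn Aperture}},
  date         = {2019-09-11},
  organization = {Prevailion},
  url          = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html},
  urldate      = {2020-06-08},
  language     = {English},
}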
Kimsuky
2019-06-10 | ESTsecurity | Alyac
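@online{alyac:20190610:special:f4e2a26,
  author       = {Alyac},
  title        = {[Special Report] {APT} Campaign '{Konni}' \& '{Kimsuky}' Organizations Found in Common},
  date         = {2019-06-10},
  organization = {ESTsecurity},
  url          = {https://blog.alyac.co.kr/2347},
  urldate      = {2020-03-17},
  language     = {Korean},
}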
Kimsuky
Yara Rules
[TLP:WHITE] win_kimsuky_auto (20230715 | Detects win.kimsuky.)
rule win_kimsuky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.kimsuky."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; the byte patterns and condition are unchanged)
     * - Every $sequence_N is a run of raw x86 machine-code bytes. The "????????"
     *   wildcards stand in for 4-byte call/jump displacements and absolute data
     *   addresses (cf. signator_config = "callsandjumps;datarefs"), so the rule
     *   survives relocation/rebasing of those operands.
     * - "n" is the instruction count of the sequence and "score" is the value
     *   reported by yara-signator for it (presumably its weighting); neither is
     *   evaluated by YARA, only the condition below is.
     * - $sequence_0..$sequence_8 are 32-bit code and their generated comments
     *   match the bytes. $sequence_9..$sequence_16, $sequence_19, $sequence_20,
     *   $sequence_26, $sequence_28 and $sequence_29 carry REX prefixes
     *   (0x40-0x4f) and are therefore x86-64 code; the generated comments on
     *   those had been decoded as 32-bit code and were also shifted relative to
     *   their own bytes, so they have been re-derived from the bytes here.
     *   Sequences without a REX prefix ($sequence_17, 18, 21-25, 27, 30) could
     *   be either width; they are shown with 32-bit register names.
     * - Several patterns are generic compiler idioms (stack-cookie checks,
     *   register zeroing, multi-byte NOP padding, Win32 call set-up) that would
     *   match unrelated binaries on their own; the "7 of them" threshold is what
     *   provides specificity. Treat a hit as a lead to confirm against the
     *   sample, not as proof of family.
     * - $sequence_26/$sequence_28 (global at rbx+0x6afd8) and
     *   $sequence_27/$sequence_30 (table at +0x59648) reference the same fixed
     *   offsets and are likely taken from the same build, so they should not be
     *   counted as independent evidence when assessing a partial match.
     */

    strings:
        $sequence_0 = { 56 85ff 740a 33ff }
            // n = 4, score = 400
            //   56                   | push                esi
            //   85ff                 | test                edi, edi
            //   740a                 | je                  0xc
            //   33ff                 | xor                 edi, edi

        $sequence_1 = { 8d95f0fcffff b9???????? e8???????? 8d95ecfbffff b9???????? e8???????? }
            // n = 6, score = 400
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]
            //   b9????????           | mov                 ecx, imm32 (wildcarded)
            //   e8????????           | call                rel32 (wildcarded)
            //   8d95ecfbffff         | lea                 edx, [ebp - 0x414]
            //   b9????????           | mov                 ecx, imm32 (wildcarded)
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_2 = { ff15???????? 85c0 7516 ff15???????? 8bd8 e8???????? }
            // n = 6, score = 400
            //   ff15????????         | call                dword ptr [imm32] (wildcarded)
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   ff15????????         | call                dword ptr [imm32] (wildcarded)
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_3 = { 50 ffd6 8bd8 85db 7510 5e }
            // n = 6, score = 400
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7510                 | jne                 0x12
            //   5e                   | pop                 esi

        $sequence_4 = { 833d????????00 7413 b801000000 8b4dfc 33cd e8???????? 8be5 }
            // n = 7, score = 400
            //   833d????????00       | cmp                 dword ptr [imm32], 0 (wildcarded)
            //   7413                 | je                  0x15
            //   b801000000           | mov                 eax, 1
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   33cd                 | xor                 ecx, ebp
            //   e8????????           | call                rel32 (wildcarded)
            //   8be5                 | mov                 esp, ebp
            // NOTE(review): "mov ecx,[ebp-4]; xor ecx,ebp; call" is the MSVC /GS
            // stack-cookie epilogue, present in most MSVC builds -- weak on its own.

        $sequence_5 = { 53 ffd7 a3???????? 8d85d4f5ffff }
            // n = 4, score = 400
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   a3????????           | mov                 dword ptr [imm32], eax (wildcarded)
            //   8d85d4f5ffff         | lea                 eax, [ebp - 0xa2c]

        $sequence_6 = { 7503 56 eb18 6a00 6a00 6a00 68???????? }
            // n = 7, score = 400
            //   7503                 | jne                 5
            //   56                   | push                esi
            //   eb18                 | jmp                 0x1a
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           | push                imm32 (wildcarded)

        $sequence_7 = { 2bca 51 8d85e4f5ffff 50 6a00 6a00 }
            // n = 6, score = 400
            //   2bca                 | sub                 ecx, edx
            //   51                   | push                ecx
            //   8d85e4f5ffff         | lea                 eax, [ebp - 0xa1c]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_8 = { 6a00 50 ff15???????? 8d85ecfbffff 50 8d85f8feffff }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [imm32] (wildcarded)
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]

        $sequence_9 = { 75af 4c897c2468 41bb01000000 418d5b02 4d85ed 740f 4d85e4 }
            // n = 7, score = 300
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   75af                 | jne                 0xffffffb1
            //   4c897c2468           | mov                 qword ptr [rsp + 0x68], r15
            //   41bb01000000         | mov                 r11d, 1
            //   418d5b02             | lea                 ebx, [r11 + 2]
            //   4d85ed               | test                r13, r13
            //   740f                 | je                  0x11
            //   4d85e4               | test                r12, r12

        $sequence_10 = { 4c03fd 448d4940 418b5750 4c897c2460 ffd6 458b4754 488bd5 }
            // n = 7, score = 300
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   4c03fd               | add                 r15, rbp
            //   448d4940             | lea                 r9d, [rcx + 0x40]
            //   418b5750             | mov                 edx, dword ptr [r15 + 0x50]
            //   4c897c2460           | mov                 qword ptr [rsp + 0x60], r15
            //   ffd6                 | call                rsi
            //   458b4754             | mov                 r8d, dword ptr [r15 + 0x54]
            //   488bd5               | mov                 rdx, rbp

        $sequence_11 = { ebdb 65488b042560000000 48897c2430 48896c2460 488b4818 41bb01000000 4c8b7120 }
            // n = 7, score = 300
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   ebdb                 | jmp                 0xffffffdd
            //   65488b042560000000   | mov                 rax, qword ptr gs:[0x60]
            //   48897c2430           | mov                 qword ptr [rsp + 0x30], rdi
            //   48896c2460           | mov                 qword ptr [rsp + 0x60], rbp
            //   488b4818             | mov                 rcx, qword ptr [rax + 0x18]
            //   41bb01000000         | mov                 r11d, 1
            //   4c8b7120             | mov                 r14, qword ptr [rcx + 0x20]
            // NOTE(review): gs:[0x60] -> [+0x18] -> [+0x20] is the usual x64 Windows
            // TEB->PEB->Ldr->InMemoryOrderModuleList walk seen in manual API
            // resolution; confirm against the sample before relying on that reading.

        $sequence_12 = { 4533ff 4c89642428 4c896c2420 33f6 4533ed 4533e4 4c897c2468 }
            // n = 7, score = 300
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   4533ff               | xor                 r15d, r15d
            //   4c89642428           | mov                 qword ptr [rsp + 0x28], r12
            //   4c896c2420           | mov                 qword ptr [rsp + 0x20], r13
            //   33f6                 | xor                 esi, esi
            //   4533ed               | xor                 r13d, r13d
            //   4533e4               | xor                 r12d, r12d
            //   4c897c2468           | mov                 qword ptr [rsp + 0x68], r15
            // NOTE(review): pure register/argument zeroing -- generic prologue code.

        $sequence_13 = { 666666660f1f840000000000 418b0a 4903c9 4533c0 0fb601 0f1f4000 }
            // n = 6, score = 300
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   666666660f1f840000000000 | nop             word ptr [rax + rax]
            //   418b0a               | mov                 ecx, dword ptr [r10]
            //   4903c9               | add                 rcx, r9
            //   4533c0               | xor                 r8d, r8d
            //   0fb601               | movzx               eax, byte ptr [rcx]
            //   0f1f4000             | nop                 dword ptr [rax]
            // NOTE(review): the 0f1f forms are compiler-emitted alignment NOPs.

        $sequence_14 = { 4533c0 33d2 4883c9ff 4903de ff542468 4533c0 }
            // n = 6, score = 300
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   4533c0               | xor                 r8d, r8d
            //   33d2                 | xor                 edx, edx
            //   4883c9ff             | or                  rcx, 0xffffffffffffffff
            //   4903de               | add                 rbx, r14
            //   ff542468             | call                qword ptr [rsp + 0x68]
            //   4533c0               | xor                 r8d, r8d

        $sequence_15 = { 428bbc0888000000 468b540f20 468b5c0f24 4d03d1 4d03d9 666666660f1f840000000000 }
            // n = 6, score = 300
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   428bbc0888000000     | mov                 edi, dword ptr [rax + r9 + 0x88]
            //   468b540f20           | mov                 r10d, dword ptr [rdi + r9 + 0x20]
            //   468b5c0f24           | mov                 r11d, dword ptr [rdi + r9 + 0x24]
            //   4d03d1               | add                 r10, r9
            //   4d03d9               | add                 r11, r9
            //   666666660f1f840000000000 | nop             word ptr [rax + rax]
            // NOTE(review): offsets are consistent with PE export-table parsing
            // (0x88 = export data directory RVA in a PE32+ NT header, +0x20/+0x24 =
            // AddressOfNames/AddressOfNameOrdinals, r9 = image base) -- unconfirmed.

        $sequence_16 = { 488d8a38000000 e9???????? 488d8a28010000 e9???????? }
            // n = 4, score = 200
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   488d8a38000000       | lea                 rcx, [rdx + 0x38]
            //   e9????????           | jmp                 rel32 (wildcarded)
            //   488d8a28010000       | lea                 rcx, [rdx + 0x128]
            //   e9????????           | jmp                 rel32 (wildcarded)

        $sequence_17 = { 8b9590000000 0395d8000000 0395b8000000 8bbda0010000 }
            // n = 4, score = 200
            // no REX prefix: 32- or 64-bit code (shown as 32-bit)
            //   8b9590000000         | mov                 edx, dword ptr [ebp + 0x90]
            //   0395d8000000         | add                 edx, dword ptr [ebp + 0xd8]
            //   0395b8000000         | add                 edx, dword ptr [ebp + 0xb8]
            //   8bbda0010000         | mov                 edi, dword ptr [ebp + 0x1a0]

        $sequence_18 = { 8bc2 c1e81f 03d0 69d290010000 3bca 7409 8b84afd0450300 }
            // n = 7, score = 200
            // no REX prefix: 32- or 64-bit code (shown as 32-bit)
            //   8bc2                 | mov                 eax, edx
            //   c1e81f               | shr                 eax, 0x1f
            //   03d0                 | add                 edx, eax
            //   69d290010000         | imul                edx, edx, 0x190
            //   3bca                 | cmp                 ecx, edx
            //   7409                 | je                  0xb
            //   8b84afd0450300       | mov                 eax, dword ptr [edi + ebp*4 + 0x345d0]
            // NOTE(review): shr 31 / add / imul 400 / cmp is the compiler's signed
            // "x % 400 == 0" idiom; that would fit a leap-year/date routine, but
            // this is inferred from the constant only.

        $sequence_19 = { ff15???????? 498bc6 488b4d20 4833cc }
            // n = 4, score = 200
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   ff15????????         | call                qword ptr [rip + rel32] (wildcarded)
            //   498bc6               | mov                 rax, r14
            //   488b4d20             | mov                 rcx, qword ptr [rbp + 0x20]
            //   4833cc               | xor                 rcx, rsp
            // NOTE(review): "xor rcx, rsp" on a saved value is the MSVC /GS x64
            // stack-cookie epilogue -- generic, weak on its own.

        $sequence_20 = { 4c89642430 c744242880000000 c744242002000000 4533c9 4533c0 ba00000040 }
            // n = 6, score = 200
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   4c89642430           | mov                 qword ptr [rsp + 0x30], r12
            //   c744242880000000     | mov                 dword ptr [rsp + 0x28], 0x80
            //   c744242002000000     | mov                 dword ptr [rsp + 0x20], 2
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   ba00000040           | mov                 edx, 0x40000000
            // NOTE(review): argument layout matches a CreateFile* call in the x64
            // convention (edx = GENERIC_WRITE, r8/r9 = 0, [rsp+0x20] = CREATE_ALWAYS,
            // [rsp+0x28] = FILE_ATTRIBUTE_NORMAL, [rsp+0x30] = hTemplateFile) -- confirm.

        $sequence_21 = { 8d4702 03c2 89442450 8bf0 }
            // n = 4, score = 200
            // no REX prefix: 32- or 64-bit code (shown as 32-bit)
            //   8d4702               | lea                 eax, [edi + 2]
            //   03c2                 | add                 eax, edx
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   8bf0                 | mov                 esi, eax

        $sequence_22 = { 8b4c2468 c6043900 803f00 740d }
            // n = 4, score = 200
            // no REX prefix: 32- or 64-bit code (shown as 32-bit)
            //   8b4c2468             | mov                 ecx, dword ptr [esp + 0x68]
            //   c6043900             | mov                 byte ptr [ecx + edi], 0
            //   803f00               | cmp                 byte ptr [edi], 0
            //   740d                 | je                  0xf

        $sequence_23 = { 85c0 7471 895c2468 8d4801 }
            // n = 4, score = 200
            // no REX prefix: 32- or 64-bit code (shown as 32-bit)
            //   85c0                 | test                eax, eax
            //   7471                 | je                  0x73
            //   895c2468             | mov                 dword ptr [esp + 0x68], ebx
            //   8d4801               | lea                 ecx, [eax + 1]

        $sequence_24 = { 83f809 8d7340 7405 be20000000 c68424a000000000 33d2 }
            // n = 6, score = 200
            // no REX prefix: 32- or 64-bit code (shown as 32-bit)
            //   83f809               | cmp                 eax, 9
            //   8d7340               | lea                 esi, [ebx + 0x40]
            //   7405                 | je                  7
            //   be20000000           | mov                 esi, 0x20
            //   c68424a000000000     | mov                 byte ptr [esp + 0xa0], 0
            //   33d2                 | xor                 edx, edx

        $sequence_25 = { 85c0 0f94c1 85c9 0f8494020000 }
            // n = 4, score = 200
            // no REX prefix: 32- or 64-bit code (shown as 32-bit)
            //   85c0                 | test                eax, eax
            //   0f94c1               | sete                cl
            //   85c9                 | test                ecx, ecx
            //   0f8494020000         | je                  0x29a

        $sequence_26 = { 8b83d8af0600 eb13 418d41ff 41be01000000 8983d8af0600 }
            // n = 5, score = 100
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   8b83d8af0600         | mov                 eax, dword ptr [rbx + 0x6afd8]
            //   eb13                 | jmp                 0x15
            //   418d41ff             | lea                 eax, [r9 - 1]
            //   41be01000000         | mov                 r14d, 1
            //   8983d8af0600         | mov                 dword ptr [rbx + 0x6afd8], eax

        $sequence_27 = { 8b848248960500 85c0 0f84cf000000 83f801 }
            // n = 4, score = 100
            // no REX prefix: 32- or 64-bit code (shown as 32-bit)
            //   8b848248960500       | mov                 eax, dword ptr [edx + eax*4 + 0x59648]
            //   85c0                 | test                eax, eax
            //   0f84cf000000         | je                  0xd5
            //   83f801               | cmp                 eax, 1

        $sequence_28 = { 8b83d8af0600 eb2b 448b83ccaf0600 41ffc0 }
            // n = 4, score = 100
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   8b83d8af0600         | mov                 eax, dword ptr [rbx + 0x6afd8]
            //   eb2b                 | jmp                 0x2d
            //   448b83ccaf0600       | mov                 r8d, dword ptr [rbx + 0x6afcc]
            //   41ffc0               | inc                 r8d

        $sequence_29 = { 8b8424a0020000 488d542440 4c8bc3 89442420 }
            // n = 4, score = 100
            // x86-64 (REX prefixes); disassembly re-derived from the bytes
            //   8b8424a0020000       | mov                 eax, dword ptr [rsp + 0x2a0]
            //   488d542440           | lea                 rdx, [rsp + 0x40]
            //   4c8bc3               | mov                 r8, rbx
            //   89442420             | mov                 dword ptr [rsp + 0x20], eax

        $sequence_30 = { 8b848248960500 85c0 746a 83f801 }
            // n = 4, score = 100
            // no REX prefix: 32- or 64-bit code (shown as 32-bit)
            //   8b848248960500       | mov                 eax, dword ptr [edx + eax*4 + 0x59648]
            //   85c0                 | test                eax, eax
            //   746a                 | je                  0x6c
            //   83f801               | cmp                 eax, 1

    condition:
        // At least 7 of the 31 sequences must be present (any mix of the 32-bit
        // and 64-bit ones), and the scanned object must be under 1021952 bytes
        // (0xF9800); larger files are not evaluated against the strings at all.
        7 of them and filesize < 1021952
}