SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kimsuky (Back to overview)

Kimsuky

Actor(s): Kimsuki

There is no description at this point.

References
2020-06-12ThreatConnectThreatConnect Research Team
@online{team:20200612:probable:89a5bed, author = {ThreatConnect Research Team}, title = {{Probable Sandworm Infrastructure}}, date = {2020-06-12}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure}, language = {English}, urldate = {2020-06-16} } Probable Sandworm Infrastructure
Avaddon Ransomware Emotet Kimsuky
2020-03-04MetaSwan's LabMetaSwan
@online{metaswan:20200304:kimsuky:86badd0, author = {MetaSwan}, title = {{Kimsuky group's resume impersonation malware}}, date = {2020-03-04}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware}, language = {English}, urldate = {2020-03-06} } Kimsuky group's resume impersonation malware
Kimsuky
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18PWC UKKris McConkey, Sveva Vittoria Scenarelli
@online{mcconkey:20200218:tracking:b1acf1a, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}}, date = {2020-02-18}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html}, language = {English}, urldate = {2020-02-26} } Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
Kimsuky
2019-09-11PrevailionDanny Adamitis, Elizabeth Wharton
@online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } Autumn Aperture
Kimsuky
2019-06-10ESTsecurityAlyac
@online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } [Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common
Kimsuky
Yara Rules
[TLP:WHITE] win_kimsuky_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_kimsuky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 394c2440 8b4370 894c2440 8944243c }
            // n = 4, score = 400
            //   394c2440             | cmp                 dword ptr [esp + 0x40], ecx
            //   8b4370               | mov                 eax, dword ptr [ebx + 0x70]
            //   894c2440             | mov                 dword ptr [esp + 0x40], ecx
            //   8944243c             | mov                 dword ptr [esp + 0x3c], eax

        $sequence_1 = { 3bc8 7379 0fb68394af0100 8bd1 }
            // n = 4, score = 400
            //   3bc8                 | cmp                 ecx, eax
            //   7379                 | jae                 0x7b
            //   0fb68394af0100       | movzx               eax, byte ptr [ebx + 0x1af94]
            //   8bd1                 | mov                 edx, ecx

        $sequence_2 = { 2bca 51 8d85e4f5ffff 50 6a00 }
            // n = 5, score = 400
            //   2bca                 | sub                 ecx, edx
            //   51                   | push                ecx
            //   8d85e4f5ffff         | lea                 eax, [ebp - 0xa1c]
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_3 = { ffd7 a3???????? 8d85dcf7ffff 50 53 ffd7 }
            // n = 6, score = 400
            // 
            //   a3????????           |                     
            //   8d85dcf7ffff         | lea                 eax, [ebp - 0x824]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ffd7                 | call                edi

        $sequence_4 = { c70009000000 e9???????? e8???????? 33db }
            // n = 4, score = 400
            //   c70009000000         | mov                 dword ptr [eax], 9
            //   e9????????           |                     
            //   e8????????           |                     
            //   33db                 | xor                 ebx, ebx

        $sequence_5 = { 0f8712020000 8b4910 83f90b 7643 }
            // n = 4, score = 400
            //   0f8712020000         | ja                  0x218
            //   8b4910               | mov                 ecx, dword ptr [ecx + 0x10]
            //   83f90b               | cmp                 ecx, 0xb
            //   7643                 | jbe                 0x45

        $sequence_6 = { 8b83acaf0100 8b0e ffc8 3bc8 }
            // n = 4, score = 400
            //   8b83acaf0100         | mov                 eax, dword ptr [ebx + 0x1afac]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   ffc8                 | dec                 eax
            //   3bc8                 | cmp                 ecx, eax

        $sequence_7 = { 7503 56 eb18 6a00 6a00 6a00 68???????? }
            // n = 7, score = 400
            //   7503                 | jne                 5
            //   56                   | push                esi
            //   eb18                 | jmp                 0x1a
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_8 = { c70016000000 e8???????? b8ffffff7f eb75 }
            // n = 4, score = 400
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           |                     
            //   b8ffffff7f           | mov                 eax, 0x7fffffff
            //   eb75                 | jmp                 0x77

        $sequence_9 = { 6a00 50 ff15???????? 8d85ecfbffff }
            // n = 4, score = 400
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]

        $sequence_10 = { ffd6 8bd8 85db 7510 5e }
            // n = 5, score = 400
            //   ffd6                 | call                esi
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   7510                 | jne                 0x12
            //   5e                   | pop                 esi

        $sequence_11 = { 3bf0 0f82b5000000 03c0 3bc6 }
            // n = 4, score = 400
            //   3bf0                 | cmp                 esi, eax
            //   0f82b5000000         | jb                  0xbb
            //   03c0                 | add                 eax, eax
            //   3bc6                 | cmp                 eax, esi

        $sequence_12 = { ff15???????? 8d85ecfbffff 50 8d85f8feffff 50 8d85f4fdffff }
            // n = 6, score = 400
            //   ff15????????         |                     
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]

        $sequence_13 = { e8???????? 8d95d4f5ffff b9???????? e8???????? }
            // n = 4, score = 400
            //   e8????????           |                     
            //   8d95d4f5ffff         | lea                 edx, [ebp - 0xa2c]
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_14 = { 83c430 8d95f0fcffff b9???????? e8???????? }
            // n = 4, score = 400
            //   83c430               | add                 esp, 0x30
            //   8d95f0fcffff         | lea                 edx, [ebp - 0x310]
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_15 = { 66c1e908 880c02 ff07 8b83acaf0100 ffc8 3907 7210 }
            // n = 7, score = 400
            //   66c1e908             | shr                 cx, 8
            //   880c02               | mov                 byte ptr [edx + eax], cl
            //   ff07                 | inc                 dword ptr [edi]
            //   8b83acaf0100         | mov                 eax, dword ptr [ebx + 0x1afac]
            //   ffc8                 | dec                 eax
            //   3907                 | cmp                 dword ptr [edi], eax
            //   7210                 | jb                  0x12

    condition:
        7 of them and filesize < 499712
}
Download all Yara Rules