SYMBOLCOMMON_NAMEaka. SYNONYMS
win.kimsuky (Back to overview)

Kimsuky

Actor(s): Kimsuki, Kimsuky

There is no description at this point.

References
2022-08-26cocomelonc
@online{cocomelonc:20220826:malware:c330f1e, author = {cocomelonc}, title = {{Malware development: persistence - part 9. Default file extension hijacking. Simple C++ example.}}, date = {2022-08-26}, url = {https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 9. Default file extension hijacking. Simple C++ example.
Kimsuky
2022-08-02ASECASEC Analysis Team
@online{team:20220802:word:dbe2c7e, author = {ASEC Analysis Team}, title = {{Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)}}, date = {2022-08-02}, organization = {ASEC}, url = {https://asec.ahnlab.com/en/37396/}, language = {English}, urldate = {2022-08-02} } Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)
Kimsuky
2022-04-20cocomelonccocomelonc
@online{cocomelonc:20220420:malware:b20963e, author = {cocomelonc}, title = {{Malware development: persistence - part 1. Registry run keys. C++ example.}}, date = {2022-04-20}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky
2022-01-05AhnLabASEC Analysis Team
@online{team:20220105:analysis:6eadabd, author = {ASEC Analysis Team}, title = {{Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)}}, date = {2022-01-05}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30532/}, language = {English}, urldate = {2022-04-15} } Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
Appleseed Kimsuky PEBBLEDASH
2021-10-07S2W Inc.Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak
@online{kim:20211007:operation:6b8234f, author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak}, title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}}, date = {2021-10-07}, organization = {S2W Inc.}, url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/}, language = {English}, urldate = {2021-10-14} } Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?
Appleseed Kimsuky
2021-08-23InQuestDmitry Melikov
@online{melikov:20210823:kimsuky:e899bfa, author = {Dmitry Melikov}, title = {{Kimsuky Espionage Campaign}}, date = {2021-08-23}, organization = {InQuest}, url = {https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign}, language = {English}, urldate = {2021-08-30} } Kimsuky Espionage Campaign
Kimsuky
2020-12-15KISAKISA
@techreport{kisa:20201215:operation:3972195, author = {KISA}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2020-12-16} } Operation MUZABI
Kimsuky
2020-06-12ThreatConnectThreatConnect Research Team
@online{team:20200612:probable:89a5bed, author = {ThreatConnect Research Team}, title = {{Probable Sandworm Infrastructure}}, date = {2020-06-12}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure}, language = {English}, urldate = {2020-06-16} } Probable Sandworm Infrastructure
Avaddon Emotet Kimsuky
2020-03-10Virus BulletinJaeki Kim, Kyoung-Ju Kwak (郭炅周), Min-Chang Jang
@online{kim:20200310:kimsuky:f634a21, author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear phishing}}, date = {2020-03-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear phishing
Kimsuky MyDogs
2020-03-04MetaSwan's LabMetaSwan
@online{metaswan:20200304:kimsuky:86badd0, author = {MetaSwan}, title = {{Kimsuky group's resume impersonation malware}}, date = {2020-03-04}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware}, language = {English}, urldate = {2020-03-06} } Kimsuky group's resume impersonation malware
Kimsuky
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18PWC UKKris McConkey, Sveva Vittoria Scenarelli
@online{mcconkey:20200218:tracking:b1acf1a, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}}, date = {2020-02-18}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html}, language = {English}, urldate = {2020-02-26} } Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
Kimsuky
2019-10-04Virus BulletinJaeki Kim, Kyoung-ju Kwak, Min-Chang Jang
@techreport{kim:20191004:kimsuky:5780914, author = {Jaeki Kim and Kyoung-ju Kwak and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear-phishing}}, date = {2019-10-04}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear-phishing
Kimsuky
2019-09-11PrevailionDanny Adamitis, Elizabeth Wharton
@online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } Autumn Aperture
Kimsuky
2019-06-10ESTsecurityAlyac
@online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } [Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common
Kimsuky
Yara Rules
[TLP:WHITE] win_kimsuky_auto (20221125 | Detects win.kimsuky.)
rule win_kimsuky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.kimsuky."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd7 a3???????? 8d85ccf3ffff 50 56 ffd7 a3???????? }
            // n = 7, score = 400
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   8d85ccf3ffff         | lea                 eax, [ebp - 0xc34]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   a3????????           |                     

        $sequence_1 = { 6800f70484 6a00 6a00 68???????? 8d85e4fbffff 50 8d45e4 }
            // n = 7, score = 400
            //   6800f70484           | push                0x8404f700
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     
            //   8d85e4fbffff         | lea                 eax, [ebp - 0x41c]
            //   50                   | push                eax
            //   8d45e4               | lea                 eax, [ebp - 0x1c]

        $sequence_2 = { 8d85f0feffff 50 68???????? ff15???????? 6a04 6a00 }
            // n = 6, score = 400
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   50                   | push                eax
            //   68????????           |                     
            //   ff15????????         |                     
            //   6a04                 | push                4
            //   6a00                 | push                0

        $sequence_3 = { 56 eb18 6a00 6a00 6a00 68???????? }
            // n = 6, score = 400
            //   56                   | push                esi
            //   eb18                 | jmp                 0x1a
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_4 = { 85c0 7516 ff15???????? 8bd8 e8???????? }
            // n = 5, score = 400
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           |                     

        $sequence_5 = { ffd7 a3???????? 8d85dcf7ffff 50 53 }
            // n = 5, score = 400
            //   ffd7                 | call                edi
            //   a3????????           |                     
            //   8d85dcf7ffff         | lea                 eax, [ebp - 0x824]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_6 = { 33c0 eb05 1bc0 83c801 85c0 7423 6a00 }
            // n = 7, score = 400
            //   33c0                 | xor                 eax, eax
            //   eb05                 | jmp                 7
            //   1bc0                 | sbb                 eax, eax
            //   83c801               | or                  eax, 1
            //   85c0                 | test                eax, eax
            //   7423                 | je                  0x25
            //   6a00                 | push                0

        $sequence_7 = { a1???????? 33c5 8945fc 833d????????00 7413 b801000000 }
            // n = 6, score = 400
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   833d????????00       |                     
            //   7413                 | je                  0x15
            //   b801000000           | mov                 eax, 1

        $sequence_8 = { b9???????? e8???????? 8d95c8f2ffff b9???????? e8???????? }
            // n = 5, score = 400
            //   b9????????           |                     
            //   e8????????           |                     
            //   8d95c8f2ffff         | lea                 edx, [ebp - 0xd38]
            //   b9????????           |                     
            //   e8????????           |                     

        $sequence_9 = { 428bbc0888000000 468b540f20 468b5c0f24 4d03d1 4d03d9 666666660f1f840000000000 }
            // n = 6, score = 300
            //   428bbc0888000000     | mov                 dword ptr [esp + 0x60], ebp
            //   468b540f20           | dec                 eax
            //   468b5c0f24           | mov                 ecx, dword ptr [eax + 0x18]
            //   4d03d1               | dec                 eax
            //   4d03d9               | mov                 edi, dword ptr [esp + 0x30]
            //   666666660f1f840000000000     | dec    eax

        $sequence_10 = { 8b4520 4883c514 85c0 0f857affffff 4c8b7c2460 4c8b6c2420 4c8b642428 }
            // n = 7, score = 300
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   4883c514             | dec                 eax
            //   85c0                 | add                 ebp, 0x14
            //   0f857affffff         | test                eax, eax
            //   4c8b7c2460           | jne                 0xffffff82
            //   4c8b6c2420           | dec                 esp
            //   4c8b642428           | mov                 edi, dword ptr [esp + 0x60]

        $sequence_11 = { 488b7c2430 488b742438 488b6c2470 4d8bc6 4d2b4730 4183bfb400000000 }
            // n = 6, score = 300
            //   488b7c2430           | jmp                 0xffffffe0
            //   488b742438           | dec                 eax
            //   488b6c2470           | mov                 eax, dword ptr [0x60]
            //   4d8bc6               | dec                 eax
            //   4d2b4730             | mov                 dword ptr [esp + 0x30], edi
            //   4183bfb400000000     | dec                 eax

        $sequence_12 = { 4889742438 4533ff 4c89642428 4c896c2420 33f6 }
            // n = 5, score = 300
            //   4889742438           | mov                 eax, esi
            //   4533ff               | dec                 ebp
            //   4c89642428           | sub                 eax, dword ptr [edi + 0x30]
            //   4c896c2420           | inc                 ecx
            //   33f6                 | cmp                 dword ptr [edi + 0xb4], 0

        $sequence_13 = { 33f6 4533ed 4533e4 4c897c2468 }
            // n = 4, score = 300
            //   33f6                 | mov                 esi, dword ptr [esp + 0x38]
            //   4533ed               | dec                 eax
            //   4533e4               | mov                 ebp, dword ptr [esp + 0x70]
            //   4c897c2468           | dec                 ebp

        $sequence_14 = { 33d2 4883c9ff 4903de ff542468 }
            // n = 4, score = 300
            //   33d2                 | xor                 ebp, ebp
            //   4883c9ff             | inc                 ebp
            //   4903de               | xor                 esp, esp
            //   ff542468             | dec                 esp

        $sequence_15 = { 7405 48ffcd ebdb 65488b042560000000 48897c2430 48896c2460 488b4818 }
            // n = 7, score = 300
            //   7405                 | dec                 esp
            //   48ffcd               | mov                 ebp, dword ptr [esp + 0x20]
            //   ebdb                 | dec                 esp
            //   65488b042560000000     | mov    esp, dword ptr [esp + 0x28]
            //   48897c2430           | je                  7
            //   48896c2460           | dec                 eax
            //   488b4818             | dec                 ebp

        $sequence_16 = { 85c9 0f8494020000 89bda0000000 897d30 }
            // n = 4, score = 200
            //   85c9                 | imul                ebx, eax
            //   0f8494020000         | jne                 0x18
            //   89bda0000000         | mov                 ebx, eax
            //   897d30               | mov                 ebx, eax

        $sequence_17 = { 8b442468 6683f809 7508 83f809 }
            // n = 4, score = 200
            //   8b442468             | dec                 eax
            //   6683f809             | mov                 ecx, dword ptr [eax + 0x18]
            //   7508                 | inc                 ecx
            //   83f809               | mov                 ebx, 1

        $sequence_18 = { 8b7590 660f1f440000 837df000 0f841b020000 }
            // n = 4, score = 200
            //   8b7590               | inc                 ecx
            //   660f1f440000         | mov                 eax, 0x3000
            //   837df000             | jne                 0x18
            //   0f841b020000         | mov                 ebx, eax

        $sequence_19 = { 4c89642430 c744242880000000 c744242002000000 4533c9 4533c0 ba00000040 }
            // n = 6, score = 200
            //   4c89642430           | mov                 ebx, eax
            //   c744242880000000     | jne                 0x18
            //   c744242002000000     | mov                 ebx, eax
            //   4533c9               | imul                ebx, eax
            //   4533c0               | test                eax, eax
            //   ba00000040           | jne                 0x1a

        $sequence_20 = { 85c0 0f84b3000000 85f6 0f8497000000 8bd6 }
            // n = 5, score = 200
            //   85c0                 | dec                 eax
            //   0f84b3000000         | mov                 ebp, dword ptr [esp + 0x60]
            //   85f6                 | dec                 esp
            //   0f8497000000         | arpl                word ptr [ebp + 0x3c], di
            //   8bd6                 | xor                 ecx, ecx

        $sequence_21 = { 85c0 7471 895c2468 8d4801 }
            // n = 4, score = 200
            //   85c0                 | imul                ebx, eax
            //   7471                 | test                eax, eax
            //   895c2468             | jne                 0x1a
            //   8d4801               | mov                 ebx, eax

        $sequence_22 = { 8bd7 3bd8 0f94c2 85d2 7419 }
            // n = 5, score = 200
            //   8bd7                 | xor                 ebp, ebp
            //   3bd8                 | inc                 ebp
            //   0f94c2               | xor                 esp, esp
            //   85d2                 | xor                 edx, edx
            //   7419                 | dec                 eax

        $sequence_23 = { 8bcf 85c0 0f94c1 85c9 0f8494020000 }
            // n = 5, score = 200
            //   8bcf                 | mov                 dword ptr [esp + 0x30], edi
            //   85c0                 | dec                 eax
            //   0f94c1               | mov                 dword ptr [esp + 0x60], ebp
            //   85c9                 | inc                 ebp
            //   0f8494020000         | xor                 edi, edi

        $sequence_24 = { ff15???????? 498bc6 488b4d20 4833cc }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   498bc6               | jne                 0x1a
            //   488b4d20             | mov                 ebx, eax
            //   4833cc               | imul                ebx, eax

        $sequence_25 = { 8bc7 458bf1 c1c005 03c2 }
            // n = 4, score = 100
            //   8bc7                 | mov                 esi, dword ptr [ebp - 0x70]
            //   458bf1               | nop                 word ptr [eax + eax]
            //   c1c005               | cmp                 dword ptr [ebp - 0x10], 0
            //   03c2                 | je                  0x22e

        $sequence_26 = { 8bc7 412bc1 4469cb8b000000 4103c2 69c8b5000000 }
            // n = 5, score = 100
            //   8bc7                 | test                ecx, ecx
            //   412bc1               | je                  0x29f
            //   4469cb8b000000       | mov                 ecx, edi
            //   4103c2               | test                eax, eax
            //   69c8b5000000         | sete                cl

        $sequence_27 = { 8bc7 4d8d4004 8bcf d1e9 }
            // n = 4, score = 100
            //   8bc7                 | inc                 ecx
            //   4d8d4004             | sub                 eax, ecx
            //   8bcf                 | inc                 esp
            //   d1e9                 | mov                 dword ptr [ebp + 0x28], eax

        $sequence_28 = { 8bc7 488b4c2468 4833cc e8???????? 4c8d5c2470 498b5b28 }
            // n = 6, score = 100
            //   8bc7                 | inc                 ebp
            //   488b4c2468           | xor                 ecx, ecx
            //   4833cc               | inc                 ebp
            //   e8????????           |                     
            //   4c8d5c2470           | xor                 eax, eax
            //   498b5b28             | mov                 edx, 0x40000000

        $sequence_29 = { 8bc7 483bc1 7504 33c0 }
            // n = 4, score = 100
            //   8bc7                 | cmp                 ax, 9
            //   483bc1               | jne                 0xe
            //   7504                 | cmp                 eax, 9
            //   33c0                 | lea                 esi, [ebx + 0x40]

        $sequence_30 = { 8bc7 412bc1 44894528 4103c2 }
            // n = 4, score = 100
            //   8bc7                 | mov                 dword ptr [ebp + 0xa0], edi
            //   412bc1               | mov                 dword ptr [ebp + 0x30], edi
            //   44894528             | test                eax, eax
            //   4103c2               | je                  0xbb

    condition:
        7 of them and filesize < 1021952
}
Download all Yara Rules