win.kimsuky

Kimsuky

Actor(s): Kimsuki, Kimsuky


There is no description at this point.

References
2021-10-07 — S2W Inc. — Jaeki Kim, Sojun Ryu, Kyoung-ju Kwak
@online{kim:20211007:operation:6b8234f, author = {Jaeki Kim and Sojun Ryu and Kyoung-ju Kwak}, title = {{Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?}}, date = {2021-10-07}, organization = {S2W Inc.}, url = {https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/}, language = {English}, urldate = {2021-10-14} } Operation Newton: Hi Kimsuky? Did an Apple(seed) really fall on Newton’s head?
Appleseed Kimsuky
2021-08-23 — InQuest — Dmitry Melikov
@online{melikov:20210823:kimsuky:e899bfa, author = {Dmitry Melikov}, title = {{Kimsuky Espionage Campaign}}, date = {2021-08-23}, organization = {InQuest}, url = {https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign}, language = {English}, urldate = {2021-08-30} } Kimsuky Espionage Campaign
Kimsuky
2020-12-15 — KISA — KISA
@techreport{kisa:20201215:operation:3972195, author = {KISA}, title = {{Operation MUZABI}}, date = {2020-12-15}, institution = {KISA}, url = {https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf}, language = {Korean}, urldate = {2020-12-16} } Operation MUZABI
Kimsuky
2020-06-12 — ThreatConnect — ThreatConnect Research Team
@online{team:20200612:probable:89a5bed, author = {ThreatConnect Research Team}, title = {{Probable Sandworm Infrastructure}}, date = {2020-06-12}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure}, language = {English}, urldate = {2020-06-16} } Probable Sandworm Infrastructure
Avaddon Emotet Kimsuky
2020-03-10 — Virus Bulletin — Jaeki Kim, Kyoung-Ju Kwak (郭炅周), Min-Chang Jang
@online{kim:20200310:kimsuky:f634a21, author = {Jaeki Kim and Kyoung-Ju Kwak (郭炅周) and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear phishing}}, date = {2020-03-10}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear phishing
Kimsuky MyDogs
2020-03-04 — MetaSwan's Lab — MetaSwan
@online{metaswan:20200304:kimsuky:86badd0, author = {MetaSwan}, title = {{Kimsuky group's resume impersonation malware}}, date = {2020-03-04}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware}, language = {English}, urldate = {2020-03-06} } Kimsuky group's resume impersonation malware
Kimsuky
2020-02-19 — Lexfo — Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-18 — PWC UK — Kris McConkey, Sveva Vittoria Scenarelli
@online{mcconkey:20200218:tracking:b1acf1a, author = {Kris McConkey and Sveva Vittoria Scenarelli}, title = {{Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1}}, date = {2020-02-18}, organization = {PWC UK}, url = {https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html}, language = {English}, urldate = {2020-02-26} } Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1
Kimsuky
2019-10-04 — Virus Bulletin — Jaeki Kim, Kyoung-ju Kwak, Min-Chang Jang
@techreport{kim:20191004:kimsuky:5780914, author = {Jaeki Kim and Kyoung-ju Kwak and Min-Chang Jang}, title = {{Kimsuky group: tracking the king of the spear-phishing}}, date = {2019-10-04}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf}, language = {English}, urldate = {2020-09-23} } Kimsuky group: tracking the king of the spear-phishing
Kimsuky
2019-09-11 — Prevailion — Danny Adamitis, Elizabeth Wharton
@online{adamitis:20190911:autumn:8bec4cb, author = {Danny Adamitis and Elizabeth Wharton}, title = {{Autumn Aperture}}, date = {2019-09-11}, organization = {Prevailion}, url = {https://blog.prevailion.com/2019/09/autumn-aperture-report.html}, language = {English}, urldate = {2020-06-08} } Autumn Aperture
Kimsuky
2019-06-10 — ESTsecurity — Alyac
@online{alyac:20190610:special:f4e2a26, author = {Alyac}, title = {{[Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common}}, date = {2019-06-10}, organization = {ESTsecurity}, url = {https://blog.alyac.co.kr/2347}, language = {Korean}, urldate = {2020-03-17} } [Special Report] APT Campaign 'Konni' & 'Kimsuky' Organizations Found in Common
Kimsuky
Yara Rules
[TLP:WHITE] win_kimsuky_auto (20211008 | Detects win.kimsuky.)
rule win_kimsuky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.kimsuky."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * How the rule matches: it fires when at least 7 of the 31 $sequence_*
     * byte patterns below are present and the scanned file is smaller than
     * 1021952 bytes (998 KiB). "??" bytes are wildcards standing in for
     * call/jump displacements and absolute addresses that change per build.
     * The "n = k, score = s" lines come from the generator; n is the number of
     * instructions in the pattern, and the score is presumably a coverage
     * weight over the reference samples (400 on the 32-bit sequences, 100-300
     * on the x64 ones) - confirm against the yara-signator documentation.
     * The per-instruction annotations originally attached to $sequence_9 ..
     * $sequence_30 did not correspond to their byte patterns (for example
     * 4c896c2420 was labelled "mov eax, 0x5a4d", which is actually the
     * encoding b84d5a0000 found in $sequence_10). They have been re-derived
     * from the bytes. Sequences containing a REX prefix (4x) are decoded as
     * x64; prefix-free sequences keep 32-bit register names as in the original
     * output, since the operating mode is not recoverable from the bytes
     * alone. Byte patterns and the condition are unchanged.
     */


    strings:
        $sequence_0 = { b9???????? e8???????? 8d85f8feffff 50 6a00 6a00 6a1a }
            // n = 7, score = 400
            //   b9????????           | mov                 ecx, <imm32 wildcard>
            //   e8????????           | call                <rel32 wildcard>
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a1a                 | push                0x1a

        $sequence_1 = { 50 e8???????? 83c418 8d85f8feffff 6a00 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   e8????????           | call                <rel32 wildcard>
            //   83c418               | add                 esp, 0x18
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   6a00                 | push                0

        $sequence_2 = { 7516 ff15???????? 8bd8 e8???????? 0fafd8 }
            // n = 5, score = 400
            //   7516                 | jne                 0x18
            //   ff15????????         | call                dword ptr [<abs32 wildcard>]
            //   8bd8                 | mov                 ebx, eax
            //   e8????????           | call                <rel32 wildcard>
            //   0fafd8               | imul                ebx, eax

        $sequence_3 = { 6a00 50 ff15???????? 8d85ecfbffff 50 8d85f8feffff 50 }
            // n = 7, score = 400
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [<abs32 wildcard>]
            //   8d85ecfbffff         | lea                 eax, dword ptr [ebp - 0x414]
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   50                   | push                eax

        $sequence_4 = { 83c430 8d95f0fcffff b9???????? e8???????? 8d95ecfbffff b9???????? e8???????? }
            // n = 7, score = 400
            //   83c430               | add                 esp, 0x30
            //   8d95f0fcffff         | lea                 edx, dword ptr [ebp - 0x310]
            //   b9????????           | mov                 ecx, <imm32 wildcard>
            //   e8????????           | call                <rel32 wildcard>
            //   8d95ecfbffff         | lea                 edx, dword ptr [ebp - 0x414]
            //   b9????????           | mov                 ecx, <imm32 wildcard>
            //   e8????????           | call                <rel32 wildcard>

        $sequence_5 = { ffd7 a3???????? 8d85ecfbffff 50 }
            // n = 4, score = 400
            //   ffd7                 | call                edi
            //   a3????????           | mov                 dword ptr [<abs32 wildcard>], eax
            //   8d85ecfbffff         | lea                 eax, dword ptr [ebp - 0x414]
            //   50                   | push                eax

        $sequence_6 = { 50 e8???????? 8d85f0fcffff 50 8d85f8feffff 6804010000 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   e8????????           | call                <rel32 wildcard>
            //   8d85f0fcffff         | lea                 eax, dword ptr [ebp - 0x310]
            //   50                   | push                eax
            //   8d85f8feffff         | lea                 eax, dword ptr [ebp - 0x108]
            //   6804010000           | push                0x104

        $sequence_7 = { 50 ff15???????? 85c0 7516 ff15???????? 33c0 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [<abs32 wildcard>]
            //   85c0                 | test                eax, eax
            //   7516                 | jne                 0x18
            //   ff15????????         | call                dword ptr [<abs32 wildcard>]
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { 7423 6a00 8d85f0feffff 50 68???????? ff15???????? }
            // n = 6, score = 400
            //   7423                 | je                  0x25
            //   6a00                 | push                0
            //   8d85f0feffff         | lea                 eax, dword ptr [ebp - 0x110]
            //   50                   | push                eax
            //   68????????           | push                <imm32 wildcard>
            //   ff15????????         | call                dword ptr [<abs32 wildcard>]

        $sequence_9 = { 4c896c2420 33f6 4533ed 4533e4 }
            // n = 4, score = 300   (x64: REX prefixes present)
            //   4c896c2420           | mov                 qword ptr [rsp + 0x20], r13
            //   33f6                 | xor                 esi, esi
            //   4533ed               | xor                 r13d, r13d
            //   4533e4               | xor                 r12d, r12d

        $sequence_10 = { 4533e4 4c897c2468 e8???????? 488be8 b84d5a0000 0f1f440000 }
            // n = 6, score = 300   (x64)
            //   4533e4               | xor                 r12d, r12d
            //   4c897c2468           | mov                 qword ptr [rsp + 0x68], r15
            //   e8????????           | call                <rel32 wildcard>
            //   488be8               | mov                 rbp, rax
            //   b84d5a0000           | mov                 eax, 0x5a4d        ; 'MZ' - looks like a PE header check
            //   0f1f440000           | nop                 dword ptr [rax + rax]

        $sequence_11 = { cc 4883ec28 833d????????00 7529 b906000000 }
            // n = 5, score = 300   (x64)
            //   cc                   | int3                
            //   4883ec28             | sub                 rsp, 0x28
            //   833d????????00       | cmp                 dword ptr [rip + <disp32 wildcard>], 0
            //   7529                 | jne                 0x2b
            //   b906000000           | mov                 ecx, 6

        $sequence_12 = { 48833b00 75a9 8b4520 4883c514 85c0 0f857affffff 4c8b7c2460 }
            // n = 7, score = 300   (x64)
            //   48833b00             | cmp                 qword ptr [rbx], 0
            //   75a9                 | jne                 0xffffffab
            //   8b4520               | mov                 eax, dword ptr [rbp + 0x20]
            //   4883c514             | add                 rbp, 0x14
            //   85c0                 | test                eax, eax
            //   0f857affffff         | jne                 0xffffff80
            //   4c8b7c2460           | mov                 r15, qword ptr [rsp + 0x60]

        $sequence_13 = { 4983c004 4983c102 664585db 75af 4c897c2468 41bb01000000 }
            // n = 6, score = 300   (x64)
            //   4983c004             | add                 r8, 4
            //   4983c102             | add                 r9, 2
            //   664585db             | test                r11w, r11w
            //   75af                 | jne                 0xffffffb1
            //   4c897c2468           | mov                 qword ptr [rsp + 0x68], r15
            //   41bb01000000         | mov                 r11d, 1

        $sequence_14 = { 468b5c0f24 4d03d1 4d03d9 666666660f1f840000000000 418b0a }
            // n = 5, score = 300   (x64)
            //   468b5c0f24           | mov                 r11d, dword ptr [rdi + r9 + 0x24]
            //   4d03d1               | add                 r10, r9
            //   4d03d9               | add                 r11, r9
            //   666666660f1f840000000000     | nop    word ptr [rax + rax]   ; 12-byte alignment nop
            //   418b0a               | mov                 ecx, dword ptr [r10]

        $sequence_15 = { 4c897c2460 ffd6 458b4754 488bd5 4c8bf0 4d85c0 }
            // n = 6, score = 300   (x64)
            //   4c897c2460           | mov                 qword ptr [rsp + 0x60], r15
            //   ffd6                 | call                rsi
            //   458b4754             | mov                 r8d, dword ptr [r15 + 0x54]
            //   488bd5               | mov                 rdx, rbp
            //   4c8bf0               | mov                 r14, rax
            //   4d85c0               | test                r8, r8

        $sequence_16 = { 8d4702 03c2 89442450 8bf0 8bc8 }
            // n = 5, score = 200   (no REX prefix; mode ambiguous, shown as 32-bit)
            //   8d4702               | lea                 eax, dword ptr [edi + 2]
            //   03c2                 | add                 eax, edx
            //   89442450             | mov                 dword ptr [esp + 0x50], eax
            //   8bf0                 | mov                 esi, eax
            //   8bc8                 | mov                 ecx, eax

        $sequence_17 = { 488d4c2450 e8???????? 90 488b5008 }
            // n = 4, score = 200   (x64)
            //   488d4c2450           | lea                 rcx, qword ptr [rsp + 0x50]
            //   e8????????           | call                <rel32 wildcard>
            //   90                   | nop                 
            //   488b5008             | mov                 rdx, qword ptr [rax + 8]

        $sequence_18 = { 8bcf 85c0 0f94c1 85c9 0f8494020000 89bda0000000 897d30 }
            // n = 7, score = 200   (no REX prefix; shown as 32-bit)
            //   8bcf                 | mov                 ecx, edi
            //   85c0                 | test                eax, eax
            //   0f94c1               | sete                cl
            //   85c9                 | test                ecx, ecx
            //   0f8494020000         | je                  0x29a
            //   89bda0000000         | mov                 dword ptr [ebp + 0xa0], edi
            //   897d30               | mov                 dword ptr [ebp + 0x30], edi

        $sequence_19 = { 8b442468 6683f809 7508 83f809 8d7340 7405 be20000000 }
            // n = 7, score = 200   (no REX prefix; shown as 32-bit)
            //   8b442468             | mov                 eax, dword ptr [esp + 0x68]
            //   6683f809             | cmp                 ax, 9
            //   7508                 | jne                 0xa
            //   83f809               | cmp                 eax, 9
            //   8d7340               | lea                 esi, dword ptr [ebx + 0x40]
            //   7405                 | je                  7
            //   be20000000           | mov                 esi, 0x20

        $sequence_20 = { 8b7590 660f1f440000 837df000 0f841b020000 }
            // n = 4, score = 200   (no REX prefix; shown as 32-bit)
            //   8b7590               | mov                 esi, dword ptr [ebp - 0x70]
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   837df000             | cmp                 dword ptr [ebp - 0x10], 0
            //   0f841b020000         | je                  0x221

        $sequence_21 = { 498bc6 488b4d20 4833cc e8???????? }
            // n = 4, score = 200   (x64; rcx ^= rsp is the shape of a stack-cookie check)
            //   498bc6               | mov                 rax, r14
            //   488b4d20             | mov                 rcx, qword ptr [rbp + 0x20]
            //   4833cc               | xor                 rcx, rsp
            //   e8????????           | call                <rel32 wildcard>

        $sequence_22 = { 488d8a38000000 e9???????? 488d8a28010000 e9???????? }
            // n = 4, score = 200   (x64)
            //   488d8a38000000       | lea                 rcx, qword ptr [rdx + 0x38]
            //   e9????????           | jmp                 <rel32 wildcard>
            //   488d8a28010000       | lea                 rcx, qword ptr [rdx + 0x128]
            //   e9????????           | jmp                 <rel32 wildcard>

        $sequence_23 = { 4c89642430 c744242880000000 c744242002000000 4533c9 4533c0 ba00000040 }
            // n = 6, score = 200   (x64; stack-argument setup for a call taking 0x40000000, 0, 0, 2, 0x80)
            //   4c89642430           | mov                 qword ptr [rsp + 0x30], r12
            //   c744242880000000     | mov                 dword ptr [rsp + 0x28], 0x80
            //   c744242002000000     | mov                 dword ptr [rsp + 0x20], 2
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   ba00000040           | mov                 edx, 0x40000000

        $sequence_24 = { 85c0 0f84e6000000 c6850801000000 33c0 }
            // n = 4, score = 200   (no REX prefix; shown as 32-bit)
            //   85c0                 | test                eax, eax
            //   0f84e6000000         | je                  0xec
            //   c6850801000000       | mov                 byte ptr [ebp + 0x108], 0
            //   33c0                 | xor                 eax, eax

        $sequence_25 = { 8bc1 81fb00000001 0f97c0 89442440 }
            // n = 4, score = 200   (no REX prefix; shown as 32-bit)
            //   8bc1                 | mov                 eax, ecx
            //   81fb00000001         | cmp                 ebx, 0x1000000
            //   0f97c0               | seta                al
            //   89442440             | mov                 dword ptr [esp + 0x40], eax

        $sequence_26 = { 8bf0 85c0 7471 895c2468 }
            // n = 4, score = 200   (no REX prefix; shown as 32-bit)
            //   8bf0                 | mov                 esi, eax
            //   85c0                 | test                eax, eax
            //   7471                 | je                  0x73
            //   895c2468             | mov                 dword ptr [esp + 0x68], ebx

        $sequence_27 = { e8???????? 33ed 48896f10 48c7471807000000 }
            // n = 4, score = 100   (x64)
            //   e8????????           | call                <rel32 wildcard>
            //   33ed                 | xor                 ebp, ebp
            //   48896f10             | mov                 qword ptr [rdi + 0x10], rbp
            //   48c7471807000000     | mov                 qword ptr [rdi + 0x18], 7

        $sequence_28 = { e8???????? 33db 8bf8 85c0 0f8453020000 4c8d2d6eb70200 }
            // n = 6, score = 100   (x64)
            //   e8????????           | call                <rel32 wildcard>
            //   33db                 | xor                 ebx, ebx
            //   8bf8                 | mov                 edi, eax
            //   85c0                 | test                eax, eax
            //   0f8453020000         | je                  0x259
            //   4c8d2d6eb70200       | lea                 r13, qword ptr [rip + 0x2b76e]

        $sequence_29 = { e8???????? 33db 488d442454 895c2438 4c8d4c2448 48895c2430 488d55e0 }
            // n = 7, score = 100   (x64)
            //   e8????????           | call                <rel32 wildcard>
            //   33db                 | xor                 ebx, ebx
            //   488d442454           | lea                 rax, qword ptr [rsp + 0x54]
            //   895c2438             | mov                 dword ptr [rsp + 0x38], ebx
            //   4c8d4c2448           | lea                 r9, qword ptr [rsp + 0x48]
            //   48895c2430           | mov                 qword ptr [rsp + 0x30], rbx
            //   488d55e0             | lea                 rdx, qword ptr [rbp - 0x20]

        $sequence_30 = { e8???????? 33db 488dbc2470010000 0f1f00 }
            // n = 4, score = 100   (x64)
            //   e8????????           | call                <rel32 wildcard>
            //   33db                 | xor                 ebx, ebx
            //   488dbc2470010000     | lea                 rdi, qword ptr [rsp + 0x170]
            //   0f1f00               | nop                 dword ptr [rax]

    condition:
        // At least 7 of the 31 sequences above, and only for files under 998 KiB.
        7 of them and filesize < 1021952
}