Appearance of Kimsuky group's new backdoor (HappyDoor)
July 1, 2024, 11:15 a.m.
Description
AhnLab's ASEC analyzes HappyDoor, a backdoor used by the North Korean threat group Kimsuky in recent email-borne attacks. The malware has evolved across several versions and combines information theft with remote access. It talks to its command-and-control servers over HTTP, with the packet contents encrypted. The report covers the malware's registry-based configuration, its C2 packet structure, and its main capabilities: screenshot capture, keylogging, and remote command execution.
Date
Published: July 1, 2024, 10:37 a.m.
Created: July 1, 2024, 10:37 a.m.
Modified: July 1, 2024, 11:15 a.m.
Indicators
http://ai.hyyeo.pe.kr/index.php
http://jp.hyyeo.pe.kr/index.php
http://uo.zosua.or.kr/index.php
http://aa.olixa.pe.kr/index.php
http://on.ktspace.pe.kr/index.php
http://go.ktspace.pe.kr/index.php
http://users.nya.pub/index.php
http://app.seoul.minia.ml/kinsa.php
ai.hyyeo.pe.kr
jp.hyyeo.pe.kr
uo.zosua.or.kr
on.ktspace.pe.kr
aa.olixa.pe.kr
go.ktspace.pe.kr
users.nya.pub
app.seoul.minia.ml
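The indicators above are what a defender would most often sweep proxy or DNS logs for. The following Python script is an added example, not code from the ASEC report: it embeds the URL and host indicators listed on this page, parses a few constructed Squid-style proxy log lines (invented for this example), and reports each request that matches a listed C2 URL exactly, a listed C2 host, or a sibling of a listed host (same parent domain, one label stripped). The last tier is a heuristic, not a public-suffix computation, and is reported separately so it can be triaged at lower confidence.

```python
"""Sweep web-proxy log lines for the HappyDoor C2 indicators listed on this page.

Added example; not part of the original report. Log format and sample lines are
constructed for illustration (Squid native access.log layout is assumed).
"""
from urllib.parse import urlsplit

# Indicators copied from the report's indicator list above.
C2_URLS = {
    "http://ai.hyyeo.pe.kr/index.php",
    "http://jp.hyyeo.pe.kr/index.php",
    "http://uo.zosua.or.kr/index.php",
    "http://aa.olixa.pe.kr/index.php",
    "http://on.ktspace.pe.kr/index.php",
    "http://go.ktspace.pe.kr/index.php",
    "http://users.nya.pub/index.php",
    "http://app.seoul.minia.ml/kinsa.php",
}
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

# Heuristic lower-confidence tier: the parent of each listed host (first label
# stripped). This is NOT a registrable-domain computation; it simply flags other
# subdomains of the same parent (e.g. cdn.hyyeo.pe.kr) for triage.
PARENT_DOMAINS = {h.split(".", 1)[1] for h in C2_HOSTS}

# Constructed sample lines in Squid native format:
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1719827400.123 45 10.0.0.12 TCP_MISS/200 512 POST http://ai.hyyeo.pe.kr/index.php - HIER_DIRECT/203.0.113.5 text/html
1719827401.456 30 10.0.0.13 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1719827402.789 40 10.0.0.14 TCP_MISS/200 300 POST http://app.seoul.minia.ml/kinsa.php - HIER_DIRECT/203.0.113.9 text/html
1719827403.000 50 10.0.0.15 TCP_MISS/200 700 GET http://cdn.hyyeo.pe.kr/update.bin - HIER_DIRECT/203.0.113.5 application/octet-stream
"""


def parse_proxy_line(line):
    """Return client, method and URL from one Squid-style line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "method": fields[5], "url": fields[6]}


def classify(url):
    """Return the match tier for a URL, or None if it matches no indicator."""
    host = (urlsplit(url).hostname or "").lower()
    if url in C2_URLS:
        return "exact_url"          # full C2 URL from the report
    if host in C2_HOSTS:
        return "c2_host"            # listed host, different path or scheme
    if host in PARENT_DOMAINS or any(host.endswith("." + p) for p in PARENT_DOMAINS):
        return "sibling_of_c2_host"  # heuristic: same parent domain as a listed host
    return None


def scan(log_text):
    """Scan log text and return (client, method, url, tier) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        tier = classify(rec["url"])
        if tier is not None:
            hits.append((rec["client"], rec["method"], rec["url"], tier))
    return hits


if __name__ == "__main__":
    for client, method, url, tier in scan(SAMPLE_LOG):
        print(f"{tier:<20} {client:<12} {method:<5} {url}")
```

On the sample lines the two POSTs to listed `index.php`/`kinsa.php` URLs match at the `exact_url` tier and the request to `cdn.hyyeo.pe.kr` is reported only as `sibling_of_c2_host`; the request to `www.example.com` is not reported. When running this against real logs, treat the sibling tier as a pivot for further investigation rather than a confirmed infection.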
Attack Patterns
AppleSeed - S0622
HappyDoor
Kimsuky
T1064 - Scripting (deprecated, superseded by T1059)
T1113 - Screen Capture
T1071 - Application Layer Protocol
T1036 - Masquerading
T1056 - Input Capture
T1041 - Exfiltration Over C2 Channel
T1003 - OS Credential Dumping
Additional Information
Military
Government