Appearance of Kimsuky group's new backdoor (HappyDoor)

July 1, 2024, 11:15 a.m.

Description

AhnLab ASEC analyzes HappyDoor, a backdoor used by the North Korean threat group Kimsuky in recent spear-phishing email attacks. The malware has been revised over several versions and combines information theft with remote-access functionality. It communicates with its command-and-control (C2) servers over HTTP, with packet contents encrypted. The report covers the backdoor's registry-based configuration, its C2 packet structure, and its main capabilities, including screenshot capture, keylogging, and command execution.

Date

Published: July 1, 2024, 10:37 a.m.
Created: July 1, 2024, 10:37 a.m.
Modified: July 1, 2024, 11:15 a.m.

Indicators

http://ai.hyyeo.pe.kr/index.php

http://jp.hyyeo.pe.kr/index.php

http://uo.zosua.or.kr/index.php

http://aa.olixa.pe.kr/index.php

http://on.ktspace.pe.kr/index.php

http://go.ktspace.pe.kr/index.php

http://users.nya.pub/index.php

http://app.seoul.minia.ml/kinsa.php
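The URLs above are the C2 endpoints listed on this page. The following is an added example (not code from the AhnLab ASEC report) showing how to sweep HTTP proxy logs for them: it normalizes host case, default ports and query strings before matching, so a beacon to `HOST:80/index.php?x=1` is still caught, and it flags other paths on a known C2 host separately. The log format and log lines are constructed for illustration.

```python
"""Match HTTP proxy log entries against the HappyDoor C2 URL indicators.

Added example, not from the AhnLab ASEC report. The indicator list is copied
from this page; the log format and the sample log lines are constructed here
for illustration.
"""
from urllib.parse import urlsplit

# C2 URLs listed as indicators on this page.
HAPPYDOOR_C2_URLS = [
    "http://ai.hyyeo.pe.kr/index.php",
    "http://jp.hyyeo.pe.kr/index.php",
    "http://uo.zosua.or.kr/index.php",
    "http://aa.olixa.pe.kr/index.php",
    "http://on.ktspace.pe.kr/index.php",
    "http://go.ktspace.pe.kr/index.php",
    "http://users.nya.pub/index.php",
    "http://app.seoul.minia.ml/kinsa.php",
]


def normalize(url):
    """Return (host, path) with the host lowercased, any port dropped and the
    query string and fragment removed, so that
    'http://AI.HYYEO.PE.KR:80/index.php?x=1' matches the listed indicator."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()   # .hostname already strips the port
    path = parts.path or "/"
    return host, path


C2_KEYS = {normalize(u) for u in HAPPYDOOR_C2_URLS}
C2_HOSTS = {host for host, _ in C2_KEYS}


def classify(url):
    """Return 'c2_url' for an exact host+path match, 'c2_host' when only the
    host matches a known C2 domain (different path), otherwise None."""
    host, path = normalize(url)
    if (host, path) in C2_KEYS:
        return "c2_url"
    if host in C2_HOSTS:
        return "c2_host"
    return None


def scan_proxy_log(lines):
    """Scan constructed proxy lines of the form
    '<timestamp> <client_ip> <method> <url> <status>' (a hypothetical format,
    not a real proxy's native log layout) and return (client_ip, url, verdict)
    for every line whose URL matches an indicator. Malformed lines are skipped."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        _timestamp, client_ip, _method, url, _status = fields[:5]
        verdict = classify(url)
        if verdict is not None:
            hits.append((client_ip, url, verdict))
    return hits


# Constructed sample log: one benign request, three exact indicator hits
# (one with uppercase host, explicit port and query string), one request to a
# different path on a listed C2 host, and one malformed line.
SAMPLE_LOG = [
    "2024-07-01T10:00:01Z 10.0.0.5 GET http://example.com/index.php 200",
    "2024-07-01T10:00:07Z 10.0.0.5 POST http://ai.hyyeo.pe.kr/index.php 200",
    "2024-07-01T10:00:12Z 10.0.0.9 POST http://UO.ZOSUA.OR.KR:80/index.php?id=1 200",
    "2024-07-01T10:00:20Z 10.0.0.9 GET http://app.seoul.minia.ml/kinsa.php 200",
    "2024-07-01T10:00:25Z 10.0.0.7 GET http://users.nya.pub/other.php 404",
    "malformed line",
]

if __name__ == "__main__":
    for client_ip, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:8} {client_ip:10} {url}")
```

Matching on host as well as full URL matters here: the page lists `index.php` on most hosts, but a later sample or a different module may use another path on the same domain, and the domain is the more durable indicator of the two.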

Attack Patterns

AppleSeed - S0622 (malware)

HappyDoor (malware)

Kimsuky (threat actor)

T1064 - Scripting (deprecated technique ID; now covered by T1059 Command and Scripting Interpreter)

T1113 - Screen Capture

T1071 - Application Layer Protocol

T1036 - Masquerading

T1056 - Input Capture

T1041 - Exfiltration Over C2 Channel

T1003 - OS Credential Dumping

Additional Information

Military

Government