APT attack discovered using Facebook and MS management console (Attack signs detected targeting Korea and Japan)

May 21, 2024, 11:37 a.m.

Description

A threat actor impersonated a North Korean human rights official on Facebook and approached targets through that persona. The actor shared malicious URLs disguised as document links. The Microsoft OneDrive cloud service was used to host a malicious MSC (Microsoft Management Console) file, which communicated with C2 servers and deployed the ReconShark malware associated with the Kimsuky group. Signs of similar attacks targeting Japan were also observed.

Date

Published: May 21, 2024, 11:15 a.m.
Created: May 21, 2024, 11:15 a.m.
Modified: May 21, 2024, 11:37 a.m.

Indicators

2f7f3a86a868f6c5a85fb12fe028fd254cd9622075b179923187461c72d6aea0

2209f27b08fc10118ef03ca983f1bbdff3ca2371a02382f9f34f64fdcae07ffe

9c6f6db86b5ccdda884369c9c52dd8568733e126e6fe9c2350707bb6d59744a1

52.177.14.24

5.9.123.217

199.59.243.225

162.0.209.91

162.0.209.27

http://worldinfocontact.club/111/kfrie/cow.php

http://worldinfocontact.club/111/d.php

http://rfa.ink/bio/d.php?na=vbtmp

http://rfa.ink/bio/d.php?na=battmp

http://rapportdown.lol/rapport/com/ca.php?na=video.gif

http://rapportdown.lol/rapport/com/

http://nuclearpolicy101.org/wp-admin/includes/lee/leeplug/cow.php

http://nuclearpolicy101.org/wp-admin/includes/0603/d.php?na=

http://nuclearpolicy101.org/wp-admin/includes/0421/d.php?na=vbtmp

http://mitmail.tech/gorgon/ca.php?na=video.gif

http://mitmail.tech/gorgon/ca.php

http://joongang.site/pprb/sec/d.php

http://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx

http://ielsems.com/romeo/d.php?na=vbtmp

http://dusieme.com/panda/d.php?na=vbtmp

http://ielsems.com/panda

http://dusieme.com/panda/TBS

http://dusieme.com/hwp/d.php?na=sched

http://dusieme.com/js/cic0117/ca.php?na=dot_emsi.gif

http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-marker/ayaka

http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-maker/kohei/r.php

http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-maker/essay/d.php?na=battmp

http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-

http://beastmodser.club/sil/0304/d.php?na

http://brandwizer.co.in/green_pad/wp-

http://beastmodser.club/sil/0304/VOA_Korea.docx

Attack Patterns

ReconShark

Kimsuky

T1064 (Scripting)

T1567 (Exfiltration Over Web Service)

T1497 (Virtualization/Sandbox Evasion)

T1057 (Process Discovery)

T1083 (File and Directory Discovery)

T1071 (Application Layer Protocol)

T1543 (Create or Modify System Process)

T1055 (Process Injection)

T1219 (Remote Access Software)

T1053 (Scheduled Task/Job)

T1112 (Modify Registry)

T1041 (Exfiltration Over C2 Channel)

T1059 (Command and Scripting Interpreter)

Additional Information

Japan