
North Korean-based backdoor packs a punch

June 21, 2024, 7:13 a.m.

Description

This report analyzes a new threat campaign discovered in late May, featuring multiple layers and ultimately delivering a previously undocumented backdoor. The campaign specifically targets Aerospace and Defense companies, sectors of particular interest to North Korean threat groups. The backdoors analyzed are simple yet powerful tools with various obfuscation techniques and capabilities like reconnaissance, data collection, and remote control. While attribution is made with low confidence to the Kimsuky threat group, there are indications of multiple developers potentially involved, including the possible outsourcing of some malware creation capabilities.

Date

Published: June 21, 2024, 6:47 a.m.

Created: June 21, 2024, 6:47 a.m.

Modified: June 21, 2024, 7:13 a.m.

Indicators

Attack Patterns

NikiGo

NikiHTTP

Kimsuky

T1113

T1547

T1082

T1071

T1204

T1027

T1041

T1566

Additional Information

Aerospace

Defense