SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)

June 11, 2024, 10:31 a.m.

Description

This report details a series of attacks targeting South Korean companies, particularly defense contractors, automobile part manufacturers, and semiconductor manufacturers. The threat actor initially deployed malware strains associated with the Kimsuky group, such as MultiRDP and Meterpreter, but later switched to using a downloader named SmallTiger. The final payload in the earlier attacks was DurianBeacon, a backdoor malware previously used by the Andariel group. The SmallTiger downloader was employed to download additional payloads, including information stealers and credential harvesters like Mimikatz and WebBrowserPassView. The attacks began in November 2023 and were ongoing as of May 2024, with the threat actor leveraging various distribution methods such as software updaters, mshta, and even GitHub.

Date

Published: June 11, 2024, 10:04 a.m.
Created: June 11, 2024, 10:04 a.m.
Modified: June 11, 2024, 10:31 a.m.

Indicators

ef7cc214feb1419042d03ee9bb76922d9fa25e9be87002f70a2b3ebad8b7b451

92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50

b556d90b30f217d5ef20ebe3f15cce6382c4199e900b5ad2262a751909da1b34

91.228.218.7

38.110.1.69

104.36.229.179

104.168.145.83

www.yah00.o-r.kr

www.navver.o-r.kr

www.luvb.n-b.kr

www.lfgu.n-e.kr

www.lazor.kro.kr

www.kepir.p-e.kr

www.devf.n-e.kr

www.aslark1.kro.kr

www.aslark.kro.kr

Attack Patterns

WebBrowserPassView

MultiRDP

SmallTiger

DurianBeacon

Mimikatz

Meterpreter

Kimsuky and Andariel

T1175

T1038

T1096

T1211

T1556

T1197

T1136

T1552

T1087

T1573

T1574

T1564

T1057

T1105

T1543

T1219

T1204

T1053

T1133

T1059

Additional Information

Semiconductor

Defense

Manufacturing