SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)
June 11, 2024, 10:31 a.m.
Description
This report details a series of attacks targeting South Korean companies, particularly defense contractors, automobile part manufacturers, and semiconductor manufacturers. The threat actor initially deployed malware strains associated with the Kimsuky group, such as MultiRDP and Meterpreter, but later switched to a downloader named SmallTiger. The final payload in the earlier attacks was DurianBeacon, a backdoor previously used by the Andariel group. SmallTiger was then used to fetch additional payloads, including information stealers and credential harvesters such as Mimikatz and WebBrowserPassView. The attacks began in November 2023 and were still ongoing as of May 2024, with the threat actor using various distribution methods such as software updaters, mshta, and even GitHub.
Date
Published: June 11, 2024, 10:04 a.m.
Created: June 11, 2024, 10:04 a.m.
Modified: June 11, 2024, 10:31 a.m.
Indicators
Attack Patterns
Malware and tools: WebBrowserPassView, MultiRDP, SmallTiger, DurianBeacon, Mimikatz, Meterpreter
Intrusion set: Kimsuky and Andariel
MITRE ATT&CK techniques: T1175, T1038, T1096, T1211, T1556, T1197, T1136, T1552, T1087, T1573, T1574, T1564, T1057, T1105, T1543, T1219, T1204, T1053, T1133, T1059
Additional Information
Targeted sectors: Semiconductor, Defense, Manufacturing