{"id":2980,"date":"2023-05-24T17:59:28","date_gmt":"2023-05-24T17:59:28","guid":{"rendered":"https:\/\/krsp.co\/agency\/?p=2980"},"modified":"2023-05-24T18:34:24","modified_gmt":"2023-05-24T18:34:24","slug":"sentinellabs-identifies-ongoing-campaign-by-north-korean-apt-group-kimsuky","status":"publish","type":"post","link":"https:\/\/krsp.co\/agency\/2023\/05\/sentinellabs-identifies-ongoing-campaign-by-north-korean-apt-group-kimsuky\/","title":{"rendered":"SentinelLabs Identifies Ongoing Campaign by North Korean APT Group Kimsuky"},"content":{"rendered":"\n<p>SentinelLabs recently detected an ongoing operation conducted by <a href=\"https:\/\/attack.mitre.org\/groups\/G0094\/\">Kimsuky<\/a>, a North Korean Advanced Persistent Threat (APT) group, which aims to infiltrate North Korea-centric information services, human rights activists, and organizations that support defectors from the Democratic People&#8217;s Republic of Korea (DPRK).<\/p>\n\n\n\n<p>This campaign primarily revolves around gathering intelligence and extracting information by utilizing a modified version of the RandomQuery malware. By employing this variant, Kimsuky can execute precise attacks following the initial reconnaissance phase.<\/p>\n\n\n\n<p>To distribute the <a href=\"https:\/\/download.ahnlab.com\/global\/brochure\/ATIP_2023_Jan_Threat-Trend-Report-on-Kimsuky-Group.pdf\">RandomQuery<\/a> malware, Kimsuky continues to rely on <a href=\"https:\/\/en.wikipedia.org\/wiki\/Microsoft_Compiled_HTML_Help\">Microsoft Compiled HTML Help (CHM) files<\/a>, a tactic they have employed consistently over an extended period. This approach allows them to deliver a variety of malware to their targets effectively.<\/p>\n\n\n\n<p>To deceive their unsuspecting victims and network defenders, Kimsuky strategically employs new top-level domains (TLDs) and domain names for their malicious infrastructure. By imitating standard .com TLDs, they attempt to create a false sense of legitimacy, increasing the likelihood of their targets falling for their tricks.<\/p>\n\n\n\n<p>Indicators of Compromise<br>SHA1 Hashes<br>96d29a2d554b36d6fb7373ae52765850c17b68df<\/p>\n\n\n\n<p>84398dcd52348eec37738b27af9682a3a1a08492<\/p>\n\n\n\n<p>912f875899dd989fbfd64b515060f271546ef94c<\/p>\n\n\n\n<p>49c70c292a634e822300c57305698b56c6275b1c<\/p>\n\n\n\n<p>8f2e6719ce0f29c2c6dbabe5a7bda5906a99481c<\/p>\n\n\n\n<p>0288140be88bc3156b692db2516e38f1f2e3f494<\/p>\n\n\n\n<p>Domains<br>com-port[.]space<\/p>\n\n\n\n<p>com-pow[.]click<\/p>\n\n\n\n<p>com-def[.]asia<\/p>\n\n\n\n<p>com-www[.]click<\/p>\n\n\n\n<p>com-otp[.]click<\/p>\n\n\n\n<p>com-price[.]space<\/p>\n\n\n\n<p>de-file[.]online<\/p>\n\n\n\n<p>com-people[.]click<\/p>\n\n\n\n<p>kr-angry[.]click<\/p>\n\n\n\n<p>kr-me[.]click<\/p>\n\n\n\n<p>cf-health[.]click<\/p>\n\n\n\n<p>com-hwp[.]space<\/p>\n\n\n\n<p>com-view[.]online<\/p>\n\n\n\n<p>com-in[.]asia<\/p>\n\n\n\n<p>ko-asia[.]click<\/p>\n\n\n\n<p>db-online[.]space<\/p>\n\n\n\n<p>Source: <a href=\"https:\/\/www.sentinelone.com\/labs\/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit\/\">https:\/\/www.sentinelone.com\/labs\/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SentinelLabs recently detected an ongoing operation conducted by Kimsuky, a North Korean Advanced Persistent Threat (APT) group, which aims to infiltrate North Korea-centric information services, human rights activists, and organizations that support defectors from the Democratic People&#8217;s Republic of Korea (DPRK).<\/p>\n","protected":false},"author":2,"featured_media":2983,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[27],"class_list":["post-2980","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-security"],"_links":{"self":[{"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/posts\/2980","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/comments?post=2980"}],"version-history":[{"count":4,"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/posts\/2980\/revisions"}],"predecessor-version":[{"id":2989,"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/posts\/2980\/revisions\/2989"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/media\/2983"}],"wp:attachment":[{"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/media?parent=2980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/categories?post=2980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/krsp.co\/agency\/wp-json\/wp\/v2\/tags?post=2980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}