Date: 1st July
Severity: High
Summary
A new malicious Google Chrome extension designed to steal sensitive data as part of an ongoing intelligence-collection campaign has been attributed to the North Korea-affiliated threat actor known as Kimsuky. Kimsuky is a well-known North Korean advanced persistent threat (APT) group that has been active since at least 2012 and conducts cyber-espionage and financially motivated attacks against South Korean organizations. Also tracked as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima, it is a sister group of the Lazarus cluster and a component of North Korea's Reconnaissance General Bureau (RGB).
Gurucul TDIR Queries
Query for Domains and URLs
- userdomainname IN ("sdfa.liveblog365.com") or url IN ("http://sdfa.liveblog365.com/ares/hades.txt")
- userdomainname IN ("sdfa.liveblog365.com") or url IN ("http://sdfa.liveblog365.com/ares/babyhades.txt")
- userdomainname IN ("ney.r-e.kr") or url IN ("http://ney.r-e.kr/mar/tys.txt")
- userdomainname IN ("ney.r-e.kr") or url IN ("http://ney.r-e.kr/mar/tys.php")
- userdomainname IN ("webman.w3school.cloudns.nz") or url IN ("https://webman.w3school.cloudns.nz/")
- userdomainname IN ("onewithshare.blogspot.com") or url IN ("https://onewithshare.blogspot.com/2023/04/10.html")
- userdomainname IN ("raw.githubusercontent.com") or url IN ("https://raw.githubusercontent.com/HelperDav/Web/main/update.xml")
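To turn the domain and URL queries above into a reusable check outside the TDIR console, here is an added Python example (not Gurucul's code and not part of the original advisory) that normalizes each URL and applies the same userdomainname IN (...) OR url IN (...) logic to constructed proxy log lines; the log layout, field names and helper functions are assumptions.

```python
from urllib.parse import urlsplit

# Indicators copied from the Gurucul TDIR queries above.
IOC_DOMAINS = {"sdfa.liveblog365.com", "ney.r-e.kr",
               "webman.w3school.cloudns.nz", "onewithshare.blogspot.com"}
IOC_URLS = {
    "http://sdfa.liveblog365.com/ares/hades.txt",
    "http://sdfa.liveblog365.com/ares/babyhades.txt",
    "http://ney.r-e.kr/mar/tys.txt",
    "http://ney.r-e.kr/mar/tys.php",
    "https://webman.w3school.cloudns.nz/",
    "https://onewithshare.blogspot.com/2023/04/10.html",
    # Shared hosting: matched on the full URL only, never on the bare domain.
    "https://raw.githubusercontent.com/HelperDav/Web/main/update.xml",
}

def normalize_url(url: str) -> str:
    """Lowercase scheme and host, drop default ports and query/fragment."""
    p = urlsplit(url.strip())
    host = p.hostname or ""
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port and p.port != default:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"

def match_record(userdomainname: str, url: str) -> list:
    """Mirror of the TDIR query: userdomainname IN (...) OR url IN (...)."""
    hits = []
    dom = userdomainname.strip().lower().rstrip(".")
    if dom in IOC_DOMAINS:
        hits.append("domain:" + dom)
    if url and normalize_url(url) in IOC_URLS:
        hits.append("url:" + normalize_url(url))
    return hits

# Constructed proxy log lines (not real telemetry): ts src_ip domain url
SAMPLE_LOG = """\
2024-07-01T09:12:03Z 10.0.0.5 ney.r-e.kr http://ney.r-e.kr/mar/tys.txt
2024-07-01T09:12:09Z 10.0.0.5 raw.githubusercontent.com https://raw.githubusercontent.com/someorg/tool/main/README.md
2024-07-01T09:13:11Z 10.0.0.7 RAW.GITHUBUSERCONTENT.COM https://raw.githubusercontent.com/HelperDav/Web/main/update.xml?v=2
"""

def scan_log(text: str) -> list:
    """Return (timestamp, src_ip, hits) for every line that matches an IOC."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and (hits := match_record(parts[2], parts[3])):
            alerts.append((parts[0], parts[1], hits))
    return alerts
```

raw.githubusercontent.com is shared infrastructure, so a match on that domain alone would flag ordinary GitHub downloads; the example therefore keeps it as a full-URL indicator only, which is why the second sample line produces no alert while the third, with a query string appended, still does.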
Query for Hashes