Date: 09/24/2024
Severity: Medium
Summary
Kimsuky, also known as Black Banshee, is a North Korean advanced persistent threat (APT) group that primarily targets South Korea and other countries to gather intelligence. Active since at least 2012, Kimsuky employs various tactics, including phishing campaigns and malware, to compromise organizations, particularly those related to defense, politics, and nuclear issues. The group's activities are believed to be state-sponsored, reflecting North Korea's strategic interests in regional stability and information control.
Indicators of Compromise (IOC) List

URL/Domain:
https://mngrdp.site/simba/def.hta
https://onessearth.online/sch/d.php?na=battmp
https://mngrdp.site/simba/d.php?na=battmp
https://mngrdp.site/simba/r.php

Hash (MD5):
6b0df478e95155ebec3e67f9e9aad3d0
b23871c90af11e70e4efee4aa3bc2a43
499464979869b4f9e19f94295ae0a9e2

Hash (SHA1):
ce50d33839280f3fe8cf25916583db8d6d0a843c
cef16f624556d79a85ab05ddc261e2befe97f227
9109358da5adf41b91fec99cbea92aaa653ab291

Hash (SHA256):
6aa86e6c5ca97af149bf22c4deb7b0456727a4c5e67b508c9518e8c8e1b79795
24048a45edb373df83bcaee3fd2b0bc2b4bb858fe154919195f48fa0410b73b9
b01eef4bfd68fa46ae93ade813471e62e8939b6f3d53c94114ffd98c0d5f1fd3
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1 (URL/Domain indicators):
userdomainname like "https://mngrdp.site/simba/def.hta" or url like "https://mngrdp.site/simba/def.hta" or userdomainname like "https://onessearth.online/sch/d.php?na=battmp" or url like "https://onessearth.online/sch/d.php?na=battmp" or userdomainname like "https://mngrdp.site/simba/d.php?na=battmp" or url like "https://mngrdp.site/simba/d.php?na=battmp" or userdomainname like "https://mngrdp.site/simba/r.php" or url like "https://mngrdp.site/simba/r.php"

Detection Query 2 (MD5 indicators):
md5hash IN ("6b0df478e95155ebec3e67f9e9aad3d0","b23871c90af11e70e4efee4aa3bc2a43","499464979869b4f9e19f94295ae0a9e2")

Detection Query 3 (SHA1 indicators):
sha1hash IN ("ce50d33839280f3fe8cf25916583db8d6d0a843c","cef16f624556d79a85ab05ddc261e2befe97f227","9109358da5adf41b91fec99cbea92aaa653ab291")

Detection Query 4 (SHA256 indicators):
sha256hash IN ("6aa86e6c5ca97af149bf22c4deb7b0456727a4c5e67b508c9518e8c8e1b79795","24048a45edb373df83bcaee3fd2b0bc2b4bb858fe154919195f48fa0410b73b9","b01eef4bfd68fa46ae93ade813471e62e8939b6f3d53c94114ffd98c0d5f1fd3")
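The four queries above are written for the Gurucul TDIR platform. The following Python script is an added example, not part of the advisory or of Gurucul's product, showing the same matching logic applied to sample log records so the indicators can be checked against any JSON-formatted proxy or EDR export. The indicator values are copied from the IOC list above; the log lines are constructed for illustration. One assumption goes beyond the advisory's exact-URL queries: the script also flags any request whose host is one of the indicator domains (mngrdp.site, onessearth.online), since paths and query strings on attacker infrastructure vary. Hash comparison is case-insensitive, because some tools emit uppercase hex.

```python
"""Added example: apply the advisory's URL and hash indicators to JSON log
lines, mirroring Detection Queries 1-4. Not code from the advisory or from
Gurucul; sample log records below are constructed, not real telemetry."""
import json
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC list.
IOC_URLS = {
    "https://mngrdp.site/simba/def.hta",
    "https://onessearth.online/sch/d.php?na=battmp",
    "https://mngrdp.site/simba/d.php?na=battmp",
    "https://mngrdp.site/simba/r.php",
}
IOC_MD5 = {
    "6b0df478e95155ebec3e67f9e9aad3d0",
    "b23871c90af11e70e4efee4aa3bc2a43",
    "499464979869b4f9e19f94295ae0a9e2",
}
IOC_SHA1 = {
    "ce50d33839280f3fe8cf25916583db8d6d0a843c",
    "cef16f624556d79a85ab05ddc261e2befe97f227",
    "9109358da5adf41b91fec99cbea92aaa653ab291",
}
IOC_SHA256 = {
    "6aa86e6c5ca97af149bf22c4deb7b0456727a4c5e67b508c9518e8c8e1b79795",
    "24048a45edb373df83bcaee3fd2b0bc2b4bb858fe154919195f48fa0410b73b9",
    "b01eef4bfd68fa46ae93ade813471e62e8939b6f3d53c94114ffd98c0d5f1fd3",
}

# Assumption (extends the advisory's exact-URL queries): derive the indicator
# hosts so that any request to those domains is flagged, whatever the path.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}


def match_record(rec):
    """Return the names of the checks a single log record triggers ([] if clean)."""
    hits = []
    # Query 1 equivalent: the url and userdomainname fields against indicator URLs.
    for field in ("url", "userdomainname"):
        value = rec.get(field)
        if not value:
            continue
        if value in IOC_URLS:
            hits.append("query1:" + field)
        elif (urlsplit(value).hostname or "").lower() in IOC_HOSTS:
            hits.append("host:" + field)  # assumption: host-level match
    # Queries 2-4 equivalents: hash membership, normalised to lowercase hex.
    for field, ioc_set, name in (("md5hash", IOC_MD5, "query2"),
                                 ("sha1hash", IOC_SHA1, "query3"),
                                 ("sha256hash", IOC_SHA256, "query4")):
        value = rec.get(field)
        if value and value.strip().lower() in ioc_set:
            hits.append(name)
    return hits


def scan_log(lines):
    """Parse JSON log lines; return (line_number, hits) for every matching record."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        hits = match_record(rec)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log lines (proxy and endpoint events); not real data.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","url":"https://mngrdp.site/simba/def.hta"}',
    '{"src":"10.0.0.7","url":"https://example.com/index.html"}',
    '{"src":"10.0.0.9","userdomainname":"https://mngrdp.site/simba/other.php"}',
    '{"host":"ws12","sha256hash":"6AA86E6C5CA97AF149BF22C4DEB7B0456727A4C5E67B508C9518E8C8E1B79795"}',
    '{"host":"ws13","md5hash":"00000000000000000000000000000000"}',
    'not json at all',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (n, ", ".join(hits)))
```

Running the script against the constructed sample reports line 1 (exact URL match), line 3 (host-level match on mngrdp.site, which Query 1 as written would miss) and line 4 (SHA256 match despite uppercase hex); the unmatched and malformed lines are ignored.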
Reference:
https://www.rewterz.com/threat-advisory/north-korean-apt-kimsuky-aka-black-banshee-active-iocs-35