← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Kimsuky Malware Observed in Latest Campaign Updated With New Recon Component
On 04 May 2023, SentinelOne reported that they identified an ongoing campaign from Kimsuky, a North Korean state-sponsored APT group, that modified its reconnaissance component, called RECONSHARK by SentinelOne, of the BABYSHARK malware. Kimusky weaponized BABYSHARK with the updated reconnaissance component in a macro-enabled Word document hosted on OneDrive, delivering spear-phishing emails with the OneDrive link. RECONSHARK can deploy further payloads and sends the information collected to the command and control server via HTTP POST requests as string variables. A previous Palo Alto's Unit 42 analysis of BABYSHARK reported that the first stage used mshta.exe to load and execute an HTA file from the C2 server. BABYSHARK then registers two scripts as scheduled tasks and a registry key to maintain persistence. The scheduled task launches cmd.exe, and the registry key value runs mshta.exe to execute an HTA file hosted on a C2 server.
MITRE ATT&CK & Malware Families
Indicators of Compromise (97)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| FileHash-SHA1 | 86a025e282495584eabece67e4e2a43dca28e505 | — | 2023-05-11 | |
| FileHash-SHA1 | c8f54cb73c240a1904030eb36bb2baa7db6aeb01 | — | 2023-05-11 | |
| domain | com-change.info | — | 2023-05-11 | |
| domain | mainchksrh.com | — | 2023-05-11 | |
| domain | mitmail.tech | — | 2023-05-11 | |
| domain | newshare.online | — | 2023-05-11 | |
| domain | yonsei.lol | — | 2023-05-11 | |
| hostname | aaaaawwqwdqkidoemsk.lives.com-change.info | — | 2023-05-11 | |
| hostname | accounts.live.com-change.info | — | 2023-05-11 | |
| hostname | accounts.lives.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.hotmail.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.hotrnail.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.live.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.lives.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.microsoft.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.naver.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.navers.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.navor.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.outlock.com-change.info | — | 2023-05-11 | |
| hostname | cashsentinel.outlook.com-change.info | — | 2023-05-11 | |
| hostname | cloud.navor.com-change.info | — | 2023-05-11 | |
| hostname | downmail.navor.com-change.info | — | 2023-05-11 | |
| hostname | gmail.com-change.info | — | 2023-05-11 | |
| hostname | grnail.com-change.info | — | 2023-05-11 | |
| hostname | hotmail.com-change.info | — | 2023-05-11 | |
| hostname | hotrnail.com-change.info | — | 2023-05-11 | |
| hostname | live.com-change.info | — | 2023-05-11 | |
| hostname | lives.com-change.info | — | 2023-05-11 | |
| hostname | loges.lives.com-change.info | — | 2023-05-11 | |
| hostname | loginsaa.gmail.com-change.info | — | 2023-05-11 | |
| hostname | loginsaa.grnail.com-change.info | — | 2023-05-11 | |
| hostname | logmes.lives.com-change.info | — | 2023-05-11 | |
| hostname | logrns.lives.com-change.info | — | 2023-05-11 | |
| hostname | logws.lives.com-change.info | — | 2023-05-11 | |
| hostname | microsoft.com-change.info | — | 2023-05-11 | |
| hostname | microsoft.loginsaa.gmail.com-change.info | — | 2023-05-11 | |
| hostname | microsoft.loginsaa.grnail.com-change.info | — | 2023-05-11 | |
| hostname | naver.com-change.info | — | 2023-05-11 | |
| hostname | naver.loginsaa.gmail.com-change.info | — | 2023-05-11 | |
| hostname | navers.com-change.info | — | 2023-05-11 | |
| hostname | navor.com-change.info | — | 2023-05-11 | |
| hostname | nlds.navor.com-change.info | — | 2023-05-11 | |
| hostname | outlock.com-change.info | — | 2023-05-11 | |
| hostname | outlook.com-change.info | — | 2023-05-11 | |
| hostname | paypal.com-change.info | — | 2023-05-11 | |
| hostname | publiccloud.navor.com-change.info | — | 2023-05-11 | |
| hostname | skjflkjsjflejlkjieiieieiei.lives.com-change.info | — | 2023-05-11 | |
| FileHash-MD5 | 056b178bbeea109d705439aa4e203d09 | MD5 of 8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6 | 2023-05-11 | |
| FileHash-MD5 | 093ecb712d438ab01b3f07718428dcc7 | MD5 of 7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa | 2023-05-11 | |
| FileHash-MD5 | 1a6f9190e7c53cd4e9ca4532547131af | MD5 of 9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8 | 2023-05-11 | |
| FileHash-MD5 | 1f1f44a01d5784028302d6ad5e7133aa | MD5 of 2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e | 2023-05-11 | |
| FileHash-MD5 | 291089c6d8a6f33f4478397fb72992fe | MD5 of b3e85c569e89b6d409841463acb311839356c950d9eb64b9687ddc6a71d1b01b | 2023-05-11 | |
| FileHash-MD5 | 3abfe5fd78ffddebf23bd46edf4e4eb7 | MD5 of 0c8f17b2130addebcb2ca75bd7a982e37ddcc49d49e79fe60e3fda767f2ec972 | 2023-05-11 | |
| FileHash-MD5 | 404ab5a93767a986b47c9fec33eb8be9 | MD5 of 94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0 | 2023-05-11 | |
| FileHash-MD5 | 4c4e5d2b814522c41fe12ffb16b096b4 | MD5 of c4547c917d8a9e027191d99239843d511328f9ec6278009d83b3b2b8349011a0 | 2023-05-11 | |
| FileHash-MD5 | 51d0fb0bbd2914e73599e3b8c434d802 | MD5 of 1ad53f5ff0a782fec3bce952035bc856dd940899662f9326e01cb24af4de413d | 2023-05-11 | |
| FileHash-MD5 | 6b116d471a787eb520869ed5c6965fa8 | MD5 of dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a | 2023-05-11 | |
| FileHash-MD5 | 711eb1d89764d45f4ff2622143f744c2 | MD5 of 1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0 | 2023-05-11 | |
| FileHash-MD5 | 76e71cf45e99d03a92c8271998a1caee | MD5 of 331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7 | 2023-05-11 | |
| FileHash-MD5 | 9cefeae7219d6d2a3188877ebc71a82d | MD5 of 52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731 MD5 of 52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731 | 2023-05-11 | |
| FileHash-MD5 | 9f76d2f73020064374efe67dc28fa006 | MD5 of 6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c | 2023-05-11 | |
| FileHash-MD5 | d40c20a77371309045f5123af76637b2 | MD5 of 66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2 | 2023-05-11 | |
| FileHash-SHA1 | 0a631b0072cee1e20854b187276a0ba560d6d4f8 | SHA1 of 94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0 | 2023-05-11 | |
| FileHash-SHA1 | 162a72a53e79602e4d0e2cc81dc5b3253498cb92 | SHA1 of 52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731 SHA1 of 52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731 | 2023-05-11 | |
| FileHash-SHA1 | 432e43053a65d8de9011198aaa8d9fbe679cfba6 | SHA1 of 0c8f17b2130addebcb2ca75bd7a982e37ddcc49d49e79fe60e3fda767f2ec972 | 2023-05-11 | |
| FileHash-SHA1 | 548b64c0f904733dd5433f6f3878487eeda54fa1 | SHA1 of 1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0 | 2023-05-11 | |
| FileHash-SHA1 | 5ae5ca0daccfa21706e157a19bdb67e48cbfe137 | SHA1 of 8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6 | 2023-05-11 | |
| FileHash-SHA1 | 7012195c8c6aca88e2d805d632f148f74f0b6e64 | SHA1 of 1ad53f5ff0a782fec3bce952035bc856dd940899662f9326e01cb24af4de413d | 2023-05-11 | |
| FileHash-SHA1 | 818bfc1fdb8126b58835e77f13afa9435e883919 | SHA1 of 331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7 | 2023-05-11 | |
| FileHash-SHA1 | 88708e9562a8c4ee4601b3990a664bc63b378753 | SHA1 of 9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8 | 2023-05-11 | |
| FileHash-SHA1 | 89b9b7f2c3eb275eabe78c04a30dc09281a201e6 | SHA1 of 7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa | 2023-05-11 | |
| FileHash-SHA1 | 89d599fe7a3025cd8d285dc044799c1054fb5f00 | SHA1 of b3e85c569e89b6d409841463acb311839356c950d9eb64b9687ddc6a71d1b01b | 2023-05-11 | |
| FileHash-SHA1 | 9b28ef5adf11016e4ccd3b3a422a0f48f43eed18 | SHA1 of c4547c917d8a9e027191d99239843d511328f9ec6278009d83b3b2b8349011a0 | 2023-05-11 | |
| FileHash-SHA1 | cb1125d5a57a529bf88bf590c0cb675f37261839 | SHA1 of 2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e | 2023-05-11 | |
| FileHash-SHA1 | d1207b7b846b80418b459e9d03e1b5afbd3e97a7 | SHA1 of 66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2 | 2023-05-11 | |
| FileHash-SHA1 | d96c04952ba0cb61b64bc7f08d7257913d8b7968 | SHA1 of 6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c | 2023-05-11 | |
| FileHash-SHA1 | ec4bd72fcb440f47912d06c75a9d56ad86953f70 | SHA1 of dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a | 2023-05-11 | |
| FileHash-SHA256 | 0c8f17b2130addebcb2ca75bd7a982e37ddcc49d49e79fe60e3fda767f2ec972 | — | 2023-05-11 | |
| FileHash-SHA256 | 1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0 | — | 2023-05-11 | |
| FileHash-SHA256 | 1ad53f5ff0a782fec3bce952035bc856dd940899662f9326e01cb24af4de413d | — | 2023-05-11 | |
| FileHash-SHA256 | 2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e | — | 2023-05-11 | |
| FileHash-SHA256 | 331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7 | — | 2023-05-11 | |
| FileHash-SHA256 | 52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731 | — | 2023-05-11 | |
| FileHash-SHA256 | 66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2 | — | 2023-05-11 | |
| FileHash-SHA256 | 6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c | — | 2023-05-11 | |
| FileHash-SHA256 | 7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa | — | 2023-05-11 | |
| FileHash-SHA256 | 8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6 | — | 2023-05-11 | |
| FileHash-SHA256 | 94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0 | — | 2023-05-11 | |
| FileHash-SHA256 | 9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8 | — | 2023-05-11 | |
| FileHash-SHA256 | b3e85c569e89b6d409841463acb311839356c950d9eb64b9687ddc6a71d1b01b | — | 2023-05-11 | |
| FileHash-SHA256 | c4547c917d8a9e027191d99239843d511328f9ec6278009d83b3b2b8349011a0 | — | 2023-05-11 | |
| FileHash-SHA256 | dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a | — | 2023-05-11 | |
| URL | https://tdalpacafarm.com/files/kr/contents/Usoro.hta | — | 2023-05-11 | |
| URL | https://tdalpacafarm.com/files/kr/contents/Vkggy0.hta | 0019dfc4b32d63c1392aa264aed2253c1e0c2fb09216f8e2cc269bbfb8bb49b5 | 2023-05-11 | |
| URL | https://tdalpacafarm.com/files/kr/contents/upload.php' | — | 2023-05-11 | |
| domain | tdalpacafarm.com | — | 2023-05-11 |