← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Kimsuky Malware Observed in Latest Campaign Updated With New Recon Component
WHITE Kimsuky eric.ford 2023-05-11 Modified: 2023-05-11
97
IOCs
HIGH VOLUME
On 04 May 2023, SentinelOne reported that they identified an ongoing campaign from Kimsuky, a North Korean state-sponsored APT group, that modified its reconnaissance component, called RECONSHARK by SentinelOne, of the BABYSHARK malware. Kimusky weaponized BABYSHARK with the updated reconnaissance component in a macro-enabled Word document hosted on OneDrive, delivering spear-phishing emails with the OneDrive link. RECONSHARK can deploy further payloads and sends the information collected to the command and control server via HTTP POST requests as string variables. A previous Palo Alto's Unit 42 analysis of BABYSHARK reported that the first stage used mshta.exe to load and execute an HTA file from the C2 server. BABYSHARK then registers two scripts as scheduled tasks and a registry key to maintain persistence. The scheduled task launches cmd.exe, and the registry key value runs mshta.exe to execute an HTA file hosted on a C2 server.
threatactor/kimsukydw-osint-cibmalware/babyshark
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
BabyShark ReconShark
Indicators of Compromise (15 / 97 total)
All FileHash-SHA1 domain hostname FileHash-MD5 FileHash-SHA256 URL
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 056b178bbeea109d705439aa4e203d09 MD5 of 8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6 2023-05-11
FileHash-MD5 093ecb712d438ab01b3f07718428dcc7 MD5 of 7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa 2023-05-11
FileHash-MD5 1a6f9190e7c53cd4e9ca4532547131af MD5 of 9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8 2023-05-11
FileHash-MD5 1f1f44a01d5784028302d6ad5e7133aa MD5 of 2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e 2023-05-11
FileHash-MD5 291089c6d8a6f33f4478397fb72992fe MD5 of b3e85c569e89b6d409841463acb311839356c950d9eb64b9687ddc6a71d1b01b 2023-05-11
FileHash-MD5 3abfe5fd78ffddebf23bd46edf4e4eb7 MD5 of 0c8f17b2130addebcb2ca75bd7a982e37ddcc49d49e79fe60e3fda767f2ec972 2023-05-11
FileHash-MD5 404ab5a93767a986b47c9fec33eb8be9 MD5 of 94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0 2023-05-11
FileHash-MD5 4c4e5d2b814522c41fe12ffb16b096b4 MD5 of c4547c917d8a9e027191d99239843d511328f9ec6278009d83b3b2b8349011a0 2023-05-11
FileHash-MD5 51d0fb0bbd2914e73599e3b8c434d802 MD5 of 1ad53f5ff0a782fec3bce952035bc856dd940899662f9326e01cb24af4de413d 2023-05-11
FileHash-MD5 6b116d471a787eb520869ed5c6965fa8 MD5 of dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a 2023-05-11
FileHash-MD5 711eb1d89764d45f4ff2622143f744c2 MD5 of 1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0 2023-05-11
FileHash-MD5 76e71cf45e99d03a92c8271998a1caee MD5 of 331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7 2023-05-11
FileHash-MD5 9cefeae7219d6d2a3188877ebc71a82d MD5 of 52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731 MD5 of 52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731 2023-05-11
FileHash-MD5 9f76d2f73020064374efe67dc28fa006 MD5 of 6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c 2023-05-11
FileHash-MD5 d40c20a77371309045f5123af76637b2 MD5 of 66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2 2023-05-11
References (2)
↗ https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/ ↗ https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/