Pulse: APT attack discovered using Facebook and MS management console (Attack signs detected targeting Korea and Japan)
TLP: WHITE | Adversary: Kimsuky | Author: AlienVault | Created: 2024-05-21 | Modified: 2024-06-20 | 53 IOCs (high volume)
A threat actor impersonated a North Korean human rights official on Facebook and approached targets. They shared malicious URLs disguised as documents. Microsoft OneDrive cloud service was used to host the malicious MSC file, which communicated with C2 servers and deployed Reconshark malware associated with the Kimsuky group. Signs of similar attacks targeting Japan were also observed.
MITRE ATT&CK techniques: none listed
Malware families: reconshark
Indicators of Compromise (53)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 7ca1a603a7440f1031c666afbe44afc8 2024-05-21
FileHash-SHA1 e12d0655cc09cddb4fb836c641f73179d4bc1121 SHA1 of 7ca1a603a7440f1031c666afbe44afc8 2024-05-21
FileHash-SHA256 9c6f6db86b5ccdda884369c9c52dd8568733e126e6fe9c2350707bb6d59744a1 SHA256 of 7ca1a603a7440f1031c666afbe44afc8 2024-05-21
FileHash-MD5 1dd007b44034bb3ce127b553873171e5 2024-05-21
FileHash-MD5 49bac05068a79314e00c28b163889263 2024-05-21
FileHash-MD5 56fa059cf7dc562ce0346b943e8f58bb 2024-05-21
FileHash-MD5 75ec9f68a5b62705c115db5119a78134 2024-05-21
FileHash-MD5 a12757387f178a0ec092fb5360e4f473 2024-05-21
FileHash-MD5 aa8bd550de4f4dee6ab0bfca82848d44 2024-05-21
FileHash-MD5 b5080c0d123ce430f1e28c370a0fa18b 2024-05-21
FileHash-MD5 e86a24d9f3a42bbb8edc0ca1f8b3715c 2024-05-21
FileHash-SHA1 a610f5d2460d58f5a7bd20977ccef19501c850fb SHA1 of 1dd007b44034bb3ce127b553873171e5 2024-05-21
FileHash-SHA1 d873ffa1c33c4e76fd7393d8be27425307e8fe91 SHA1 of 49bac05068a79314e00c28b163889263 2024-05-21
FileHash-SHA256 2209f27b08fc10118ef03ca983f1bbdff3ca2371a02382f9f34f64fdcae07ffe SHA256 of 49bac05068a79314e00c28b163889263 2024-05-21
FileHash-SHA256 2f7f3a86a868f6c5a85fb12fe028fd254cd9622075b179923187461c72d6aea0 SHA256 of 1dd007b44034bb3ce127b553873171e5 2024-05-21
URL http://beastmodser.club/sil/0304/VOA_Korea.docx 2024-05-21
URL http://beastmodser.club/sil/0304/d.php?na 2024-05-21
URL http://brandwizer.co.in/green_pad/wp- 2024-05-21
URL http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type- 2024-05-21
URL http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-maker/essay/d.php?na=battmp 2024-05-21
URL http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-maker/kohei/r.php 2024-05-21
URL http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-marker/ayaka 2024-05-21
URL http://dusieme.com/hwp/d.php?na=sched 2024-05-21
URL http://dusieme.com/js/cic0117/ca.php?na=dot_emsi.gif 2024-05-21
URL http://dusieme.com/panda/TBS 2024-05-21
URL http://dusieme.com/panda/d.php?na=vbtmp 2024-05-21
URL http://ielsems.com/panda 2024-05-21
URL http://ielsems.com/romeo/d.php?na=vbtmp 2024-05-21
URL http://joongang.site/pprb/sec/d.php 2024-05-21
URL http://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx 2024-05-21
URL http://mitmail.tech/gorgon/ca.php 2024-05-21
URL http://mitmail.tech/gorgon/ca.php?na=video.gif 2024-05-21
URL http://nuclearpolicy101.org/wp-admin/includes/0421/d.php?na=vbtmp 2024-05-21
URL http://nuclearpolicy101.org/wp-admin/includes/0603/d.php?na= 2024-05-21
URL http://nuclearpolicy101.org/wp-admin/includes/lee/leeplug/cow.php 2024-05-21
URL http://rapportdown.lol/rapport/com/ 2024-05-21
URL http://rapportdown.lol/rapport/com/ca.php?na=video.gif 2024-05-21
URL http://rfa.ink/bio/d.php?na=battmp 2024-05-21
URL http://rfa.ink/bio/d.php?na=vbtmp 2024-05-21
URL http://worldinfocontact.club/111/d.php 2024-05-21
URL http://worldinfocontact.club/111/kfrie/cow.php 2024-05-21
domain beastmodser.club 2024-05-21
domain brandwizer.co 2024-05-21
domain brandwizer.co.in 2024-05-21
domain dusieme.com 2024-05-21
domain ielsems.com 2024-05-21
domain joongang.site 2024-05-21
domain makeoversalon.net.in 2024-05-21
domain mitmail.tech 2024-05-21
domain nuclearpolicy101.org 2024-05-21
domain rapportdown.lol 2024-05-21
domain worldinfocontact.club 2024-05-21
domain yonsei.lol 2024-05-21