Pulse Detail — Threat Intelligence

PULSE NAME

APT attack discovered using Facebook and MS management console (Attack signs detected targeting Korea and Japan)

WHITE Kimsuky AlienVault 2024-05-21 Modified: 2024-06-20

IOCs

HIGH VOLUME

A threat actor impersonated a North Korean human rights official on Facebook and approached targets. They shared malicious URLs disguised as documents. Microsoft OneDrive cloud service was used to host the malicious MSC file, which communicated with C2 servers and deployed Reconshark malware associated with the Kimsuky group. Signs of similar attacks targeting Japan were also observed.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1543 T1071 T1053 T1567 T1219 T1055 T1112 T1059 T1083 T1064 T1497 T1057 T1041

MALWARE FAMILIES

reconshark

Indicators of Compromise (9 / 53 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	7ca1a603a7440f1031c666afbe44afc8	—	2024-05-21
FileHash-MD5	1dd007b44034bb3ce127b553873171e5	—	2024-05-21
FileHash-MD5	49bac05068a79314e00c28b163889263	—	2024-05-21
FileHash-MD5	56fa059cf7dc562ce0346b943e8f58bb	—	2024-05-21
FileHash-MD5	75ec9f68a5b62705c115db5119a78134	—	2024-05-21
FileHash-MD5	a12757387f178a0ec092fb5360e4f473	—	2024-05-21
FileHash-MD5	aa8bd550de4f4dee6ab0bfca82848d44	—	2024-05-21
FileHash-MD5	b5080c0d123ce430f1e28c370a0fa18b	—	2024-05-21
FileHash-MD5	e86a24d9f3a42bbb8edc0ca1f8b3715c	—	2024-05-21

References (1)

↗ https://www.genians.co.kr/blog/threat_intelligence/facebook