#1263177: APT Campaign 'Konni' & 'Kimsuky' find commonality in organizations
- http://fighiting1013[.]org/2 -> uses the same C2 as the earlier case (https://blog.alyac.co.kr/2308)
- http://naoei3-tosma.96[.]lt/1 (1.dat)
- http://naoei3-tosma.96[.]lt/3 (Huobi Research Weekly (Vol.62) 2019.05.13-2019.05.19.docx)
The downloaded '1.dat' file is placed in a newly created 'ChromInst' folder under 'Roaming' and copied there as 'ChromSrch.dat'. It is executed through the host process 'Rundll32.exe', which loads it with the 'insrchmdl' export name as its argument.
- "C:\Users\[user account]\AppData\Roaming\ChromInst\ChromSrch.dat", insrchmdl
It then registers itself under the registry Run key so that it is executed again at each logon.
- Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Name: ChromSrch
- Data: C:\Windows\system32\rundll32.exe "C:\Users\[user account]\AppData\Roaming\ChromInst\ChromSrch.dat", insrchmdl
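The Run-key entry above is the persistence step a defender can hunt for. The following script is an added example, not code from the ESRC report: it parses Run values (a constructed sample mirroring the entry above, or the live HKCU key when run on Windows) and flags rundll32 launches whose module lacks a .dll extension or lives in a user-writable directory, reporting the entry point name so an analyst can see the 'insrchmdl' export. The user name 'victim', the filler entries and the directory list are assumptions.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of HKCU Run values as (name, data) pairs. The first mirrors
# the persistence entry described in the report; the others are benign fillers.
SAMPLE_RUN_VALUES = [
    ("ChromSrch",
     r'C:\Windows\system32\rundll32.exe "C:\Users\victim\AppData\Roaming\ChromInst\ChromSrch.dat", insrchmdl'),
    ("OneDrive",
     r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater",
     r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

# rundll32 <module>,<entry point>; the module path may be quoted.
RUNDLL32_RE = re.compile(
    r'(?:^|\\)rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)

# Directories an unprivileged user can write to (assumed list); a module
# persisted from here is a stronger signal than one under System32.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\users\\public\\", "\\programdata\\")


def parse_rundll32(data):
    """Return (module_path, entry_point) if the command launches rundll32, else None."""
    m = RUNDLL32_RE.search(data)
    return (m.group(1), m.group(2)) if m else None


def analyze_run_value(name, data):
    """Return a finding dict for a suspicious rundll32 Run value, else None."""
    parsed = parse_rundll32(data)
    if parsed is None:
        return None
    module, entry = parsed
    low = module.lower()
    reasons = []
    if not low.endswith(".dll"):
        reasons.append(f"module '{PureWindowsPath(module).name}' does not carry a .dll extension")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("module is stored in a user-writable directory")
    if not reasons:
        return None
    return {"name": name, "module": module, "entry": entry, "reasons": reasons}


def scan_run_values(values):
    """Run the analysis over (name, data) pairs and keep only the findings."""
    return [f for f in (analyze_run_value(n, d) for n, d in values) if f]


def load_hkcu_run_values():
    """Read the live HKCU Run key on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            index += 1
    return values


if __name__ == "__main__":
    # Fall back to the constructed sample when not running on Windows.
    for finding in scan_run_values(load_hkcu_run_values() or SAMPLE_RUN_VALUES):
        print(f"[!] {finding['name']}: {finding['module']} -> {finding['entry']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

The extension check is deliberately simple: rundll32 does not care what the module is called, which is exactly why a '.dat' module is worth a second look, while the directory check separates a dropper in Roaming from a legitimately installed component.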
In addition, it accesses the '3' path and downloads a benign decoy document named 'Huobi Research Weekly (Vol.62) 2019.05.13-2019.05.19.docx' into the temporary directory, so that the user is shown a normal document.
[Figure 4] Execution screen of normal document file to be downloaded additionally
The malicious 'ChromSrch.dat' file, disguised as a Chrome web browser module, is a 32-bit DLL compressed with the UPX packer.
The file was built at around 4 p.m. on May 22, 2019 (Korea Standard Time), and its export table carries the name 'EngineDropperDll.dll' with the exports DllRegisterServer and insrchmdl.
The file connects to an FTP-based C2 server and executes the attacker's commands from the 'Ftake' folder path.
- naiei-aldiel.16mb[.]com
ESRC has found that the Konni group has used FTP servers several times to send and receive commands, and that the attacker used the string 'Victorious! @ #' as the password.
We also noticed that another 'ChromSrch.dat' file with the same functionality was hidden in the 'UFlw' sub-path of the C2 server. Notably, the files were uploaded to the server in two different compression formats:
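Because the DLL runs inside rundll32.exe and talks to its C2 over FTP, the network side is a second place to detect this activity. The script below is an added example (not code from the ESRC report) that runs two rules over constructed Sysmon Event ID 3 records flattened to one line each: a match against the C2 hostnames named in this report, and an outbound FTP control connection initiated by a script or DLL host such as rundll32.exe. The record layout, the benign entries and the host-process list are assumptions.

```python
# Constructed Sysmon Event ID 3 (NetworkConnect) records, flattened to
# "Key: value|Key: value" lines. The C2 hostnames are the indicators named in
# the report; the other hosts and images are made up for the sample.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\rundll32.exe|DestinationHostname: naiei-aldiel.16mb.com|DestinationPort: 21|Initiated: true",
    "Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe|DestinationHostname: www.example.com|DestinationPort: 443|Initiated: true",
    "Image: C:\\Windows\\System32\\rundll32.exe|DestinationHostname: ctldl.windowsupdate.com|DestinationPort: 80|Initiated: true",
    "Image: C:\\Tools\\WinSCP\\WinSCP.exe|DestinationHostname: files.example.net|DestinationPort: 21|Initiated: true",
]

# Refanged C2 hostnames from the report, used as a simple blocklist.
C2_HOSTS = {"naiei-aldiel.16mb.com", "naoei3-tosma.96.lt", "fighiting1013.org"}

# Windows binaries that host foreign code and rarely need FTP (assumed list).
CODE_HOST_IMAGES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
FTP_CONTROL_PORT = 21


def parse_event(line):
    """Split one flattened record into a field dictionary."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return the list of rule names an event triggers (empty when benign)."""
    reasons = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    host = event.get("DestinationHostname", "").lower()
    port = int(event.get("DestinationPort", "0") or 0)
    initiated = event.get("Initiated", "").lower() == "true"
    if host in C2_HOSTS:
        reasons.append(f"destination matches known Konni C2 host {host}")
    if image in CODE_HOST_IMAGES and port == FTP_CONTROL_PORT and initiated:
        reasons.append(f"{image} initiated an outbound FTP control connection")
    return reasons


def scan_events(lines):
    """Parse and classify every record, returning one alert per flagged event."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"image": event["Image"],
                           "host": event["DestinationHostname"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[!] {alert['image']} -> {alert['host']}")
        for reason in alert["reasons"]:
            print("    -", reason)
```

The hostname rule catches this specific campaign; the behavioural rule is the one that survives a C2 change, since a DLL host opening an FTP control channel is unusual on most endpoints regardless of where it connects.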
[Fig. 5] Variant malicious code screen registered in C2 server
The two files hidden on the server were stored as password-protected compressed archives; since the password appears nowhere in the code, only the attacker knows it.
■ Kimsuky associations overlap with the TTPs of the Konni attack
ESRC observed a distinctive aspect of the latest Konni series, and believes the remaining mysteries can be solved one by one.
Specifically, the Konni group's TTPs (Tactics, Techniques and Procedures) and attribution are strongly connected to the intrusion vector of the Kimsuky group.
At that time, the threat group carried out its attacks with malicious code embedded in Windows script files (.wsf), such as the '2.wsf' file, and a similar 'Information Reporting.wsf' file has since been reported.
Information Reporting .wsf
The 'down.jpg' file, distributed in November 2018 in RC4-encrypted form, is decrypted by shellcode and then created and executed on the user's computer under the file name 'hupdate.ex'.
The 'hupdate.ex' file is a DLL library built with Korean-language resources. When loaded, it additionally registers the malicious 'viso.exe' file in the startup program path and creates a 'set.log' file.
The log file contains a TeamViewer ID (ID = 1030973646) that allows the attacker to remotely access the infected computer.
In addition, it performs a customized TeamViewer function using the string 'Gongstrong', the same string disclosed in the Konni series. The TeamViewer ID has been reported in various forms.
It has been confirmed that the final payload of the Konni campaign matches the encrypted-file functionality of Kimsuky exactly.
In addition, the name 'EGIS Co,' has been abused in connection with the 'viso.exe' file name generated by the Kimsuky series.
It should also not be overlooked that this series is connected to the report on the large-scale 'Operation Giant Baby' threat.
We have seen similar or identical domains and IP addresses among the C2 servers found in the indicators of compromise of the Konni and Kimsuky groups, and these facts are reasonable grounds for suspicion.
Of course, identifying a specific APT entity with limited information is not easy. It is one step in the endless process of approaching clearer answers through a large number of malicious file samples and various analysis indicators.
Digital evidence can never be perfect, but it can reveal similarities in various forms that are difficult to explain by simple coincidence or by sophisticated manipulation.
ESRC hopes that this report will be a useful reference for clarifying the background behind Konni, and the relevant IoC content will be provided separately through the Threat Inside service.
Date added: June 11, 2019, 10:46 p.m.