For this report, AhnLab collected information such as associated malware and C2 (Command & Control) servers through various routes and analyzed it against the attack methods already known to have been used by the Kimsuky Group. Based on this, the report describes the Kimsuky Group's malware distribution methods and attack characteristics in 2022.

Last year, it was discovered that the Kimsuky Group was actively using enhanced spear-phishing techniques to deceive targeted individuals and members of organizations. Spear phishing is an attack method that infects the target with malware or leads them to a phishing site by sending a carefully crafted email to a specific person or organization.
According to AhnLab's analysis of the various related malicious documents and files it collected, the attacker produced malicious documents disguised as discussion materials, consultation requests and research findings on topics closely related to the target organizations and individuals, and used them to distribute malware. Moreover, judging by the elaborately produced documents and emails that are difficult to distinguish from genuine ones, the attack group is presumed to have conducted a thorough preliminary investigation of its targets.
The Kimsuky Group has also expanded the types of malware it uses in attacks. Since around 2020, the group has been known to mainly use keylogging or backdoor malware.
However, AhnLab's analysis of the malicious URLs and associated File Transfer Protocol (FTP) servers it collected uncovered not only the keylogging malware “FlowerPower” and the backdoor malware “AppleSeed” but also an “InfoStealer” that exfiltrates various information stored in web browsers and a “RAT (Remote Administration Tool)” used for remote control. Judging from this, the attacker appears to be diversifying the malware used in attacks in order to cause greater damage.
Attack attempts exploiting vulnerabilities in well-known software have also been detected. AhnLab found malware exploiting the Microsoft Office vulnerability “Follina (CVE-2022-30190)” on an FTP server that the Kimsuky Group appears to have used. The “Follina” vulnerability was identified as a zero-day vulnerability in January 2022, and a patch was released in June.
However, organizations and individuals that have not applied the security patch may still be exposed to attacks using this vulnerability. In particular, when Follina is exploited, a user can be infected with malware simply by opening a malicious Word file, so organizations and individuals should apply the security patches for the software they use.
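As an added defender-side example (not from AhnLab or this article), a triage check for the lure format described above: a Word document that pulls an OLE object from an external URL, which is what lets Follina fire simply by opening the file. The checks, the sample relationship parts and the `example.invalid` URLs are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Protocol handlers abused by CVE-2022-30190-style lures; a document has no reason to reference them.
HANDLER_URI = re.compile(r"\b(ms-msdt|search-ms):", re.IGNORECASE)


def find_follina_indicators(docx_bytes: bytes) -> list:
    """Scan an OOXML (.docx) container and return human-readable findings.

    Two checks: (1) an OLE object relationship whose TargetMode is External,
    i.e. the object is fetched from a remote URL instead of an embedded part;
    (2) any part that mentions an ms-msdt:/search-ms: handler URI.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(data).iter(f"{{{REL_NS}}}Relationship"):
                    external = (rel.get("TargetMode") or "").lower() == "external"
                    if external and rel.get("Type") == OLE_TYPE:
                        findings.append(f"{name}: external OLE object -> {rel.get('Target')}")
            if HANDLER_URI.search(data.decode("utf-8", "ignore")):
                findings.append(f"{name}: references ms-msdt/search-ms handler")
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx used only to exercise the scanner offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: a normal document and a Follina-style lure.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""
LURE_RELS = f"""<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="{OLE_TYPE}" Target="http://example.invalid/lure.html!" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("lure", LURE_RELS)):
        print(label, find_follina_indicators(build_sample_docx(rels)) or "clean")
```

An embedded OLE object (no TargetMode) and an ordinary external hyperlink are left alone, so the check is usable as a mail-gateway or SOC triage filter rather than a blanket block on OLE content.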
To prevent damage, AhnLab explained that an organization's security officer needs to ▲ check the security status of PCs, operating systems, software and websites within the organization ▲ check operating systems/software for vulnerabilities and apply security patches ▲ use security solutions/services and conduct security training for internal employees ▲ secure up-to-date information on attack trends and vulnerabilities and establish policies accordingly.
Individuals should follow security rules such as ▲ refraining from running attachments and URLs in emails from unknown sources ▲ applying the latest security patches for software, operating systems and Internet browsers ▲ using two-factor authentication in addition to passwords when logging in ▲ keeping antivirus software up to date and running its real-time monitoring function.
An AhnLab official said, “The Kimsuky Group, a major hacking group, has been shown to set a clear target and conduct advanced attacks on that target,” adding that organizations and individuals need to keep abreast of cyber threat information and practice basic security in their daily lives.
“AhnLab TIP” is a next-generation threat intelligence platform that integrates AhnLab’s accumulated security threat response technology and know-how. It provides a comprehensive threat intelligence service including ▲ malware, vulnerability and forensic reports ▲ the latest security news and security advisories ▲ IoC (indicators of compromise) related to security content, such as threat types, malicious file information, IPs and URLs ▲ DDW (Deep & Dark Web) monitoring. It also features a “cloud sandbox” that provides results from multidimensional behavioral analysis of suspicious files/URLs uploaded by users, and an API that enables easy interoperability with various security management solutions beyond AhnLab’s own products.
editor@itworld.co.kr