Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)

1. Overview

The Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014. Cases of attacks against countries other than South Korea have also been identified since 2017. [1] The group usually employs spear phishing attacks against the national defense sector, defense industries, the press, the diplomatic sector, national organizations, and academic fields to steal internal information and technology from organizations. [2] (This link is only available in Korean.)

Even until recently, the Kimsuky group was still mainly employing spear phishing attacks to gain initial access. What sets the recent attacks apart from earlier cases is that LNK shortcut files are increasingly used in place of malicious Hangul Word Processor (HWP) or MS Office documents. The threat actor led users to download a compressed file through attachments or download links in spear phishing emails; decompressing it yields a legitimate document file alongside a malicious LNK file.

ASEC is monitoring the Kimsuky group’s attacks using LNK-type malware and continuously posts identified cases on the ASEC Blog. After gaining initial access through these steps, the Kimsuky group installs remote control malware to control the infected system. The malware used by the group includes not only custom-made tools such as AppleSeed and PebbleDash [3], but also open-source or commercial malware such as XRat [4], HVNC [5], Amadey [6], and Metasploit Meterpreter [7]. After gaining control, the threat actor ultimately uses RDP or installs Google’s Chrome Remote Desktop [8] to exfiltrate information from the infected system.

Here we analyze Amadey and RftRAT, which were recently found being distributed. Both were used constantly throughout 2023 alongside XRat; the recent samples, however, were created with AutoIt. This post also covers the Infostealers that the Kimsuky group additionally installs through its remote control malware. While the remote control malware changes continuously, the malware installed through it has changed little across the 2023 attacks.

2. Initial Access

2.1. Spear Phishing Attack

In the year 2023, ASEC covered cases of LNK malware distribution in posts such as “Malicious LNK File Disguised as a Normal HWP Document” [9], “Malicious LNK File Being Distributed, Impersonating the National Tax Service” [10], and “Distribution of Malicious LNK File Disguised as Producing Corporate Promotional Materials” [11].

By attaching files or including download links in the emails, the threat actor prompted users to download the compressed file and execute the LNK shortcut file inside.

Figure 1. LNK malware included in compressed files

2.2. LNK Malware

The LNK file contains an encrypted compressed file, which in turn holds various malware in script format.

Figure 2. Malware in script format contained within LNK files

Executing the LNK file decompresses the file, and ultimately, the script malware is run. The BAT and VBS scripts inside can either be used for executing other scripts or contain an Infostealer responsible for collecting and exfiltrating information from the infected system. There is also a script for maintaining persistence as well as a downloader that downloads and executes additional payloads from an external source.

As such, the script-format malware that runs on the infected system installs additional malware from an external source, the main examples being the backdoors XRat, Amadey, and RftRAT. While all of these were packed with VMP when distributed, Amadey and RftRAT variants created with AutoIt have recently been used. After a remote control malware is installed, keyloggers and Infostealers are installed to steal internal information and technology from the organizations.

3. Remote Control Malware

3.1. XRat (QuasarRAT)

XRat is a RAT malware developed in .NET and was created based on QuasarRAT published on GitHub. It was confirmed that the Kimsuky group was using XRat from a much earlier point in time. Recently, instead of in independent executable or DLL file formats, this is being used in attacks as an encrypted payload. It consists of the file “ht.dll” which is the loader, the data file “htsetting.ini” holding the configuration data, and an encrypted payload. This method seems to be for the purpose of bypassing security products.

The loader reads the htsetting.ini file located in the same path and, following its settings, decrypts and injects the payload. All ht.dll loaders identified so far were packed with VMP, and the decrypted binary contained the following strings used by the threat actor.

Figure 3. Loader ht.dll packed with VMP

The configuration file contains the name of the actual encrypted malware, the RC4 decryption key, and information on the legitimate file to inject into. Ht.dll references this information to read and decrypt the encrypted file before injecting it into a legitimate process. The payload that is injected and run in the end can be another malware besides XRat, depending on the encrypted file.
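As an added analyst-side example (not code from ASEC or from the loader itself), the following Python reads a configuration of the kind described above and decrypts the payload with RC4, checking that the result is a PE image before handing it to further analysis. The INI section and key names, the placeholder target path and the sample values are assumptions constructed for this example; the report does not give the real htsetting.ini layout.

```python
"""Added example: decrypt an XRat-style RC4-encrypted payload for analysis.
Not ASEC's or the loader's code; INI key names and sample values are assumed."""
import configparser
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for htsetting.ini. The report says the file names the
# encrypted payload, holds the RC4 key and identifies the legitimate file to
# inject into; the section name, key names and values below are assumptions.
SAMPLE_INI = """[setting]
payload = ht.dat
key = s3cr3t
target = C:\\path\\to\\legitimate.exe
"""


def load_config(ini_text: str) -> dict:
    """Parse the loader configuration into payload name, RC4 key and target path."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["setting"]
    return {"payload": sec["payload"], "key": sec["key"].encode(), "target": sec["target"]}


def decrypt_payload(blob: bytes, key: bytes) -> bytes:
    """Decrypt and sanity-check: an injected payload should be a PE image ("MZ")."""
    plain = rc4(key, blob)
    if not plain.startswith(b"MZ"):
        raise ValueError("decrypted data is not a PE image: wrong key or different layout")
    return plain


def decrypt_from_config(ini_text: str, payload_dir: str) -> bytes:
    """Resolve the payload named in the INI next to it (same path as the loader)."""
    cfg = load_config(ini_text)
    with open(os.path.join(payload_dir, cfg["payload"]), "rb") as fh:
        return decrypt_payload(fh.read(), cfg["key"])


if __name__ == "__main__":
    # Constructed round trip: encrypt a fake PE stub, then recover it.
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    blob = rc4(b"s3cr3t", fake_pe)
    print(decrypt_payload(blob, b"s3cr3t")[:2])
```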

3.2. Amadey

The Kimsuky group also used Amadey Bot in its attacks. Amadey is malware that was originally sold on illegal forums. It is a downloader that installs additional malware from the C&C server. Besides its downloader features, it can also transmit basic information about the system or exfiltrate screenshots and the account credentials saved in web browsers and email clients, depending on its settings and on which plugins are installed.

The Kimsuky group uses a dropper to install Amadey. This dropper, in DLL format, creates a randomly named hidden folder in the %PUBLIC% path where it drops the files it holds. The compressed file containing the actual Amadey is among the created files, and examining the compression size shows this file to be large, exceeding 300 MB. This is also presumed to be an attempt to evade security products by intentionally increasing the size.

Figure 4. Amadey-related files created in the Public path

Afterward, it creates the path “%ALLUSERSPROFILE%\Startup” and registers it to the Startup folder. Here, a script named “svc.vbs” is created, which is responsible for maintaining persistence. Amadey, which is loaded and executed through the Rundll32.exe process, goes through svchost.exe before being injected into the iexplore.exe process and run.

Figure 5. The infected system’s information transmitted to the C&C server

Even in 2023, the threat actor installed Amadey in many of their attacks, and in most instances, it was installed by the same type of dropper. Said dropper also included RftRAT besides Amadey. RftRAT, like Amadey, also has a file size exceeding 300 MB.

The RftRAT instances identified in these attacks were all packed with VMP like Amadey and were found to contain the keyword “RFTServer” in the decrypted strings. RftRAT is a backdoor that can receive commands from the C&C server and execute them.

Figure 6. Decrypted strings in RftRAT

3.3. Latest Attack Cases

It was recently identified that the Kimsuky group has been using AutoIt to create malware. The group ported the Amadey it had been using to AutoIt and also used AutoIt for the purpose of injecting RftRAT.

In past attack cases, only the debug string RFTServer was found, but in recent attacks, a malware containing a PDB path was found. The string within the PDB path shows that the threat actor named this malware “rft” as a RAT type. Accordingly, said malware is categorized as “RftRAT” here.

Figure 7. RftRAT’s PDB information
  • PDB String: E:_WORK\My_Work\Exploit\Spyware_spy\RAT\RFT_Socket_V3.2\Release\rft.pdb

3.3.1. AUTOIT AMADEY

As covered above, Amadey is one of the malware that has been constantly used by the Kimsuky group. The version of Amadey used by the Kimsuky group is different from the type used by other threat actors: Kimsuky group’s Amadey uses Domain Generation Algorithms (DGA), and when it scans for antivirus software installed in the infected system, it also searches for product names from South Korean companies.

The recently identified Amadey is ported into the AutoIt language and has the same format as the types identified in the past attack cases. The threat actor installed both a legitimate AutoIt executable file and a compiled AutoIt script in the infected system. The compiled AutoIt script is 100 MB in size for the purpose of hindering analysis and contains dummy data as shown below.

Figure 8. The compiled AutoIt script file used in the attacks

Although written in a different language, the decrypted AutoIt script can be considered to be the Amadey malware. The HTTP request structure for sending the system information collected from the infected system to the C&C server is identical to that of the typical Amadey.

Figure 9. The structure of the HTTP packet that Amadey sends to the C&C server

Besides this, it also has a routine that checks for products from South Korean companies when retrieving the list of antivirus products installed on the infected system. Furthermore, it can download additional payloads not only in exe format, but also in dll, PowerShell, vbs, and js formats.

Figure 10. The script where Amadey’s routine is implemented

As mentioned above, the Amadey used by the Kimsuky group supports DGA. A Domain Generation Algorithm (DGA) generates the domain (C&C server address) dynamically instead of using a fixed one. The Kimsuky group derived a C&C server address from the date and used it as a subsidiary C&C server: when the connection to the primary C&C server was down, the subsidiary C&C server generated through the DGA was used for communication.

Figure 11. Amadey’s DGA

3.3.2. RFTRAT

The AutoIt scripts used in the attacks include Amadey and RftRAT. The AutoIt executable file and the malicious AutoIt script are also created through a dropper. The following ASD log shows the execution log of “d015700.dll”, which is the dropper that installs RftRAT, and the log showing RftRAT ultimately creating an Infostealer after being injected into svchost.exe. Additionally, AppleSeed, another malware used by the Kimsuky group, was additionally installed in the same system afterward.

Figure 12. Kimsuky group’s attack log

The RftRAT used in previous attacks is in DLL format and packed in VMP, so an exact comparison is difficult. However, it was categorized into the past version of RftRAT due to the fact that the same library file is used, that ICMLuaUtil is used to bypass UAC, and that the path names used for saving C&C communication and command results are almost the same.

Figure 13. Strings in a past version of RftRAT similar to the latest version

The compiled AutoIt script is similar to the Amadey in the case above, but it is actually an injector that executes svchost.exe and injects RftRAT into it. The ultimate payload RftRAT cannot be executed independently. Data must be read in from a mapped file named “A1CCA2EC-C09F-D33C-4317-7F71F0E2A976_0”. The injector AutoIt script writes the paths of the AutoIt executable file and script into this file.

Figure 14. The paths of AutoIt-related files transmitted through a file mapping process

The transmitted paths of the AutoIt executable file and script are used later on in the UAC bypassing stage. RftRAT uses the ICMLuaUtil interface of the CMSTPLUACOM component to bypass UAC and execute itself as administrator. After being run as administrator, RftRAT collects basic information about the infected system and sends it to the C&C server.

Offset   Data
0x0000   Signature (0x963DA7EF)
0x0004   Infected system’s ID
0x0044   IP address
0x014    Computer name
Table 1. Data delivered to the C&C server

Figure 15. The packet used for communication with the C&C server
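An added example (not ASEC's or the malware's code) that validates and decodes a check-in packet with the Table 1 layout, and derives the IDS content match for the signature. The signature value and the offsets 0x0000, 0x0004 and 0x0044 come from the table; the byte order of the signature, the NUL-padded fixed-width string encoding, and the computer-name offset (the table prints "0x014", taken here as 0x0144 so that it follows the IP field) are assumptions.

```python
"""Added example: validate and decode an RftRAT check-in packet as laid out in
Table 1. Not ASEC's or the malware's code; byte order, string encoding and the
computer-name offset are assumptions made here."""
import struct

SIGNATURE = 0x963DA7EF                   # from Table 1
OFF_ID, OFF_IP = 0x0004, 0x0044          # from Table 1
OFF_NAME = 0x0144                        # assumed (table prints "0x014")
NAME_LEN = 0x40                          # assumed width of the computer-name field


def signature_order(payload: bytes):
    """Return 'little' or 'big' if the first 4 bytes carry the magic, else None."""
    if len(payload) < 4:
        return None
    if payload[:4] == struct.pack("<I", SIGNATURE):
        return "little"
    if payload[:4] == struct.pack(">I", SIGNATURE):
        return "big"
    return None


def suricata_content(order: str) -> str:
    """Hex content keyword for an IDS rule matching the magic at offset 0."""
    fmt = "<I" if order == "little" else ">I"
    return "|" + " ".join(f"{b:02X}" for b in struct.pack(fmt, SIGNATURE)) + "|"


def _cstring(buf: bytes, start: int, end: int) -> str:
    """Decode a NUL-terminated string stored in a fixed-width field."""
    return buf[start:end].split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def parse_checkin(payload: bytes) -> dict:
    """Split a check-in into its Table 1 fields; raises if the magic is absent."""
    order = signature_order(payload)
    if order is None:
        raise ValueError("signature 0x963DA7EF not found at offset 0")
    if len(payload) < OFF_NAME + 1:
        raise ValueError("payload shorter than the assumed layout")
    return {
        "byte_order": order,
        "victim_id": _cstring(payload, OFF_ID, OFF_IP),
        "ip": _cstring(payload, OFF_IP, OFF_NAME),
        "computer_name": _cstring(payload, OFF_NAME, OFF_NAME + NAME_LEN),
    }


def build_sample(victim_id: str, ip: str, name: str, fmt: str = "<I") -> bytes:
    """Constructed packet for tests and lab replay; follows the assumed layout."""
    buf = bytearray(OFF_NAME + NAME_LEN)
    buf[0:4] = struct.pack(fmt, SIGNATURE)
    fields = ((OFF_ID, OFF_IP, victim_id), (OFF_IP, OFF_NAME, ip),
              (OFF_NAME, OFF_NAME + NAME_LEN, name))
    for off, limit, text in fields:
        data = text.encode()
        if len(data) >= limit - off:
            raise ValueError(f"field {text!r} does not fit")
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    pkt = build_sample("LAB-0001", "10.0.0.5", "WS-LAB")
    print(parse_checkin(pkt))
    print("content:" + suricata_content("little") + "; offset:0; depth:4;")
```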

Afterward, it receives commands from the C&C server. RftRAT writes the received commands to the path “%APPDATA%\asc\t1.pb” before decrypting them. Decryption yields the actual commands, which are written to the same file and reread to be executed. The command, the execution results, and the additionally downloaded file are created in the paths below.

Path                   Description
%APPDATA%\asc\t1.pb    Command downloaded from the C&C server
%APPDATA%\asc\t2.ax    Command execution results
%APPDATA%\asc\t3.br    File downloaded through the download command
Table 2. Files generated during the C&C communication and command processes

Command   Description
0x00      Download file
0x01      Upload file (zip compressed)
0x02      Look up driver information
0x04      Change file name
0x05      Create directory
0x06      Delete file
0x07      Execute file (with UAC Bypass)
0x08      Look up process information
0x09      Terminate process
0x0A      Reverse shell
0x0B      Terminate process and delete file
0x12      Terminate
0x14      Wait
Table 3. RftRAT’s commands

4. Post-infection

After taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware such as keyloggers and tools for extracting accounts and cookies from web browsers. The group also installs Mimikatz and RDP Wrapper, which have both been steadily used for many years.

4.1. Keylogger

The keylogger is usually installed in the path “%ALLUSERSPROFILE%\startup\NsiService.exe”. It persists in the system and monitors key input from the user, which is saved in the path “%ALLUSERSPROFILE%\semantec\av\C_1025.nls” or “%ALLUSERSPROFILE%\Ahn\av\C_1025.nls”. Additionally, “%ALLUSERSPROFILE%\semantec” is a folder where the keylogger is installed, along with various malware covered in this article.

4.2. Infostealer

Malware for collecting information from web browsers was created in the “%ALLUSERSPROFILE%\semantec\” path under the names “GBIA.exe”, “GBIC.exe”, “GBS.exe”, and “GPIA.dll”. While most of these target the account credentials and cookies saved in web browsers, some types collect the files in the “Local Extension Settings” path, which holds configuration data for Chrome extensions.

Figure 16. Stealing account credentials from a web browser

Besides these, the tool named “GPIA.exe” looks up all paths in the infected system and displays the files in each folder. Because the file containing the paths of all files is naturally large, it also allows this file to be split-compressed.

Figure 17. System path lookup tool

4.3. Other Types

A notable fact about the Kimsuky group is that it often abuses RDP for information theft. Accordingly, it either installs RDP Wrapper or uses a patcher malware to enable multiple sessions. Recently, a malware that monitors the user’s login records was discovered. This appears to be intended to find out when the user is logged in, so that RDP connections can be made during idle times.

The file “taskhosts.exe” installed in the path “%ALLUSERSPROFILE%\semantec\” is an injector that injects “ipcheck.dll” into the “explorer.exe” and “runtimebroker.exe” processes. “ipcheck.dll” monitors the user’s log-on/log-off activities by hooking the “WinStationQueryInformationW()” and “ExitWindowsEx()” functions and the log is saved in the path “%PUBLIC%\Log64.txt”.

Figure 18. Log-on and log-off records saved in the log file
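The following added example (not ASEC's code) turns the behaviours described in sections 3.2, 3.3.2 and 4 into host-side detection logic and replays it over constructed telemetry: the rundll32.exe → svchost.exe → iexplore.exe chain of the Amadey loader, svchost.exe spawned by the AutoIt injector, and file writes to the persistence, C&C work-file, keylogger, stealer and logon-monitor paths named in this report. The event format, the AutoIt3.exe process name, the usual expansions of %ALLUSERSPROFILE%, %APPDATA% and %PUBLIC%, and the sample events are assumptions.

```python
"""Added example: replay endpoint telemetry and flag the execution chains and
file artifacts this report attributes to Amadey, RftRAT and the post-infection
tools. Not ASEC's code; event format, AutoIt3.exe name and samples are assumed."""
import ntpath
import re

# Parent chains described in the report, innermost process first.
CHAIN_RULES = {
    # Amadey: loaded by rundll32.exe, passes through svchost.exe, ends up in iexplore.exe
    "amadey_rundll32_svchost_iexplore": ["iexplore.exe", "svchost.exe", "rundll32.exe"],
    # RftRAT: the compiled AutoIt injector starts svchost.exe and injects into it
    "rftrat_autoit_injector_svchost": ["svchost.exe", "autoit3.exe"],
}

# Paths named in the report, with the environment variables expanded to their
# usual locations (assumption): %ALLUSERSPROFILE% -> C:\ProgramData,
# %APPDATA% -> ...\AppData\Roaming, %PUBLIC% -> C:\Users\Public.
ARTIFACT_RULES = {
    "amadey_persistence_svc_vbs": re.compile(r"\\ProgramData\\Startup\\svc\.vbs$", re.I),
    "rftrat_c2_workfile": re.compile(r"\\AppData\\Roaming\\asc\\t[123]\.(pb|ax|br)$", re.I),
    "keylogger_binary": re.compile(r"\\ProgramData\\startup\\NsiService\.exe$", re.I),
    "keylogger_output": re.compile(r"\\ProgramData\\(semantec|Ahn)\\av\\C_1025\.nls$", re.I),
    "stealer_or_injector_drop": re.compile(
        r"\\ProgramData\\semantec\\(GBIA|GBIC|GBS|GPIA|taskhosts)\.(exe|dll)$", re.I),
    "logon_monitor_log": re.compile(r"\\Users\\Public\\Log64\.txt$", re.I),
}


def _basename(image: str) -> str:
    return ntpath.basename(image).lower()


def _ancestry(procs: dict, pid: int, depth: int = 5) -> list:
    """Image basenames of the process, its parent, grandparent, ... (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < depth:
        seen.add(pid)
        chain.append(_basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def scan(events: list) -> list:
    """Return (rule, pid) pairs for every event matching a report-derived rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for pid in procs:
        chain = _ancestry(procs, pid)
        for rule, pattern in CHAIN_RULES.items():
            if chain[:len(pattern)] == pattern:
                alerts.append((rule, pid))
        # Generic guard: svchost.exe is normally started by services.exe only.
        if chain[0] == "svchost.exe" and len(chain) > 1 and chain[1] != "services.exe":
            alerts.append(("svchost_unusual_parent", pid))
    for e in events:
        if e["type"] == "file":
            for rule, rx in ARTIFACT_RULES.items():
                if rx.search(e["path"]):
                    alerts.append((rule, e["pid"]))
    return alerts


# Constructed sample telemetry (simplified Sysmon-like shape, not a real capture).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\r4nd0m\dropper_placeholder.dll,Run"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe"},
    {"type": "process", "pid": 400, "ppid": 300,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmdline": "iexplore.exe"},
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Users\Public\r4nd0m\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\Public\r4nd0m\run.au3"},
    {"type": "process", "pid": 600, "ppid": 500, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe"},
    {"type": "file", "pid": 200, "path": r"C:\ProgramData\Startup\svc.vbs"},
    {"type": "file", "pid": 600, "path": r"C:\Users\user\AppData\Roaming\asc\t1.pb"},
    {"type": "file", "pid": 300, "path": r"C:\Users\user\AppData\Local\Temp\normal.tmp"},
]

if __name__ == "__main__":
    for rule, pid in scan(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid}")
```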

The threat actor also used proxy malware. Proxy tools in the past were run by receiving command line arguments, but the type used by Kimsuky reads and uses a configuration file named “setting.ini”. The port number 3389 configured in the default address indicates that it is likely to establish an RDP connection to a private network.

Figure 19. Proxy malware

5. Conclusion

The Kimsuky threat group is continuously launching spear phishing attacks against South Korean users. Recently, malicious LNK files have been distributed to South Korean users with various topics, so users are advised to practice particular caution.

The group usually employs the method of distributing malware through attachments or download links in emails. When a user executes them, the threat actor may be able to take control of the system that is currently in use. The Kimsuky group has been newly creating and using various malware to control infected systems and steal information. Recently, the group has been using AutoIt to create malware to bypass security products.

Users must carefully check the senders of emails and refrain from opening files from unknown sources. It is also recommended to apply the latest patch for OS and programs such as Internet browsers and update V3 to the latest version to prevent such malware infection in advance.

File Detection
– Downloader/Win.Amadey.R626032 (2023.11.30.00)
– Backdoor/Win.Agent.R626033 (2023.11.30.00)
– Downloader/Win.Amadey.C5462118 (2023.07.28.03)
– Trojan/AU3.Loader (2023.11.22.01)
– Dropper/Win.Agent.C5542993 (2023.11.17.02)
– Trojan/Win.Agent.C5430096 (2023.05.20.00)
– Infostealer/Win.Agent.R622445 (2023.11.17.02)
– Downloader/Win.Amadey.C5479015 (2023.08.31.01)
– Trojan/Win.Agent.C5485099 (2023.09.11.03)
– Trojan/Win.Agent.C5479017 (2023.08.31.01)
– Trojan/Win.Loader.C5479014 (2023.08.31.01)
– Trojan/Win.Agent.C5465186 (2023.11.30.00)
– Infostealer/Win.Agent.C5542999 (2023.11.17.02)
– Infostealer/Win.Agent.C5542997 (2023.11.17.02)
– Trojan/Win.Agent.C5451959 (2023.11.30.00)
– Trojan/Win.Agent.Prevention.C5446554 (2023.11.30.00)
– Trojan/Win.Agent.R589022 (2023.06.28.02)
– Trojan/Win.Loader.R588248 (2023.11.30.00)
– Trojan/Win.Agent.C5444839 (2023.11.30.00)
– Trojan/Win.Stealer.C5441397 (2023.11.30.00)
– Trojan/Win.KeyLogger.C5430090 (2023.05.20.00)
– Malware/Win.Generic.C5430065 (2023.11.30.00)
– Trojan/Win.Stealer.R579484 (2023.05.20.00)
– Trojan/Win.Loader.C5430091 (2023.05.20.00)
– Trojan/Win.KeyLogger.C5430092 (2023.05.20.00)
– Trojan/Win.Loader.C5430099 (2023.05.20.00)
– Trojan/Win.Proxy.C5430093 (2023.05.20.00)
– Trojan/Win.Agent.C5430095 (2023.05.20.00)

Behavior Detection
– Persistence/MDP.AutoIt.M4766
– Injection/MDP.Hollowing.M4767


Originally published by ASEC: Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)

Copyright notice: posted by admin on February 6, 2024, 1:09 PM.