Introduction
A recently uncovered infiltration campaign has been attributed to the North Korean threat group known as ‘Kimsuky.’ The group has been observed using the ‘TrollAgent’ malware to compromise users, and the activity was detected in security programs hosted on the website of a Korean construction association.
The Threat Unveiled
When users visit the website of the Korean construction association, they are prompted to install security programs. Investigation shows that one of these programs, labeled “NX_PRNMAN,” contains malicious code and poses a significant threat to users. Analysis indicates that the malware was repeatedly uploaded to the website, so individuals who downloaded the files during specific time frames were exposed to attack.
Malicious Tactics Unveiled
The installer for the ‘TrollAgent’ malware is packed with VMProtect, which helps it evade detection by traditional security products. In addition, the installer is signed with a valid certificate stolen from “D2Innovation,” a reputable Korean defense company. Because the signature chains to a legitimate certificate, a check that only confirms the signature is valid will not flag the file, which makes the threat harder to identify and mitigate.
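As an added example (not code from the original report), the following PowerShell check goes beyond asking whether an installer's signature is valid: it pins the signer subject to the publisher expected for that installer and rebuilds the certificate chain with online revocation checking. The expected subject is a placeholder and must be replaced with the legitimate publisher's actual subject.

```powershell
# Added example (not from the original report): verify an installer's Authenticode
# signature AND pin the signer to the publisher you expect for this software.
# A stolen-but-valid certificate passes the first check; the pin is what catches it.
param(
    [Parameter(Mandatory)] [string] $Path,
    # Assumption: the subject of the publisher you expect. Placeholder value.
    [string] $ExpectedSubject = 'CN=EXPECTED-PUBLISHER-PLACEHOLDER'
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# 1. Is the file signed, and does Windows consider the signature valid?
if ($sig.Status -ne 'Valid') {
    Write-Output "REJECT: signature status is $($sig.Status)"
    exit 1
}

$cert = $sig.SignerCertificate

# 2. Pin the signer. A valid signature from the wrong publisher (for example a
#    certificate stolen from an unrelated company) is rejected here.
if ($cert.Subject -ne $ExpectedSubject) {
    Write-Output "REJECT: signed by '$($cert.Subject)', expected '$ExpectedSubject'"
    exit 1
}

# 3. Rebuild the chain with online revocation checking, so a certificate the real
#    owner has since revoked is caught even though the signature still verifies.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Output "REJECT: chain build failed ($reasons)"
    exit 1
}

Write-Output "ACCEPT: $Path signed by '$($cert.Subject)' (thumbprint $($cert.Thumbprint))"
```

Revocation only helps once the legitimate owner has revoked the stolen certificate, which may not have happened while a campaign is active; the publisher pin is the check that does not depend on that.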
Conclusion
The ‘Kimsuky’ campaign delivering the ‘TrollAgent’ malware shows how the threat landscape keeps evolving. The infiltration of a trusted website and the use of packing and a stolen code-signing certificate underline the need for heightened vigilance and proactive security measures.
Recommendations
Given the severity of the threat posed by the ‘Kimsuky’ group and its use of the ‘TrollAgent’ malware, organizations and individuals should apply robust security controls: regular security updates, comprehensive malware detection, and user education to reduce the risk of falling victim to such attacks.
Together, these measures help safeguard against emerging threats and preserve the integrity of digital environments.
IOC Information:
Source: Blog Post
Source Reliability: Trustworthy
Information Reliability: Confirmed
Motivation: Cyber Crime
Source Category: Technical Intelligence
Severity: Low