Flag This

References:

• blogs.vmware.com - This blog post delves into the importance of identifying and mitigating vulnerable kernel drivers, providing insights into how attackers exploit these vulnerabilities. - 15d
• malware.news - Malware News reports on Check Point Research's findings on vulnerable drivers. - 15d
• research.checkpoint.com - This report provides an in-depth analysis of vulnerable Windows drivers, including the root causes, common characteristics, and practical examples of exploitation. It also investigates how security products attempt to mitigate these threats. - 15d
• Malware Analysis, News and Indicators - The North Korean APT group Kimsuky(a.k.a Emerald Sleet, APT43, Springtail) has been active since at least 2013, initially targeting government ministries in South Korea, but has since conducted attacks against targets engaged in media, research, politics, and diplomacy around the world. The group primarily uses spear phishing attacks to distribute malware and attempt to take over accounts to harvest data. The group has primarily targeted Windows environments, but there have been instances of attacks on Android. - 13d
• medium.com - In February 2024, S2W disclosed Kimsuky group’s attack campaign that exhibited a different pattern from previous ones. This campaign employed novel techniques, such as disguising malware as installation files for South Korea’s electronic document security programs to steal from the GPKI folder, used by government administrative and public institutions in South Korea, and exploiting the SOCKS5 protocol. Notably, Kimsuky group has recently begun developing malware using the Go language, indicating a rapid evolution in their malicious software. - 13d
• www.virusbulletin.com - Kimsuky group has recently begun developing malware using the Go language, indicating a rapid evolution in their malicious software. This change suggests a shift in their strategic objectives or that another member with access to the AppleSeed and AlphaSeed source code has developed malware like Troll Stealer. - 13d
• medium.com - Author : Jiho Kim | S2W TALON #VB024 — Executive Summary The North Korean APT group Kimsuky(a.k.a Emerald Sleet, APT43, Springtail) has been active since at least 2013, initially targeting government ministries in South Korea, but has since conducted attacks against targets engaged in media, research, politics, and diplomacy around the world. The group primarily uses spear phishing attacks to distribute malware and attempt to take over accounts to harvest data. The group has primarily targeted Windows environments, but there have been instances of attacks on Android. Reference: Talon, the threat research and intelligence center of S2W, has continuously tracked the activities of the Kimsuky group and discovered additional samples like the previously known AppleSeed. We named AlphaSeed, Troll Stealer and GoBear. In February 2024, S2W disclosed Kimsuky group’s attack campaign that exhibited a different pattern from previous ones. This campaign employed novel techniques, such as disguising malware as installation files for South Korea’s electronic document security programs to steal from the GPKI folder, used by government administrative and public institutions in South Korea, and exploiting the SOCKS5 protocol. Notably, Kimsuky group has recently begun developing malware using the Go language, indicating a rapid evolution in their malicious software. This change suggests a shift in their strategic objectives or that another member with access to the AppleSeed and AlphaSeed source code has developed malware like Troll Stealer. We have categorized Kimsuky group’s new malware based on their functionalities and types. In this report, we will examine the operational mechanisms of each malware type and share recent attack cases. During our analysis, we found that all the malware, except for BetaSeed, was written in Go. This aligns with the Kimsuky group’s recent trend of utilizing Go-based tools and malware. Accordingly, we will delve into the specifics of Kimsuky’s new Go strategy. Key Takeaways (Understanding Kimsuky’s Subgroup, SeedpuNK ) Explore the classification of Kimsuky into three subgroups based on their primary malware. Among them, understand the SeedpuNK, which is represented by the AppleSeed, and their attack techniques. (Insights into New Go-Based Malware) Review the behavior of three newly discovered Go-based malware and analyze their connections to the existing SeedpuNK’s malware. (Understanding SeedpuNK’s Recent Go Strategy ) Discuss SeedpuNK’s shift toward using the Go in their recent strategies, highlighting its benefits in terms of stability, usability, and scalability. For more details, please refer to the presentation at VB2024. Abstract: Presentation: (Attach later when public) was originally published in on Medium, where people are continuing the conversation by highlighting and responding to this story. Article Link: 1 post - 1 participant - 12d
• www.virusbulletin.com - Author : Jiho Kim | S2W TALON #VB024 — Executive Summary The North Korean APT group Kimsuky(a.k.a Emerald Sleet, APT43, Springtail) has been active since at least 2013, initially targeting government ministries in South Korea, but has since conducted attacks against targets engaged in media, research, politics, and diplomacy around the world. The group primarily uses spear phishing attacks to distribute malware and attempt to take over accounts to harvest data. The group has primarily targeted Windows environments, but there have been instances of attacks on Android. Reference: Talon, the threat research and intelligence center of S2W, has continuously tracked the activities of the Kimsuky group and discovered additional samples like the previously known AppleSeed. We named AlphaSeed, Troll Stealer and GoBear. In February 2024, S2W disclosed Kimsuky group’s attack campaign that exhibited a different pattern from previous ones. This campaign employed novel techniques, such as disguising malware as installation files for South Korea’s electronic document security programs to steal from the GPKI folder, used by government administrative and public institutions in South Korea, and exploiting the SOCKS5 protocol. Notably, Kimsuky group has recently begun developing malware using the Go language, indicating a rapid evolution in their malicious software. This change suggests a shift in their strategic objectives or that another member with access to the AppleSeed and AlphaSeed source code has developed malware like Troll Stealer. We have categorized Kimsuky group’s new malware based on their functionalities and types. In this report, we will examine the operational mechanisms of each malware type and share recent attack cases. During our analysis, we found that all the malware, except for BetaSeed, was written in Go. This aligns with the Kimsuky group’s recent trend of utilizing Go-based tools and malware. Accordingly, we will delve into the specifics of Kimsuky’s new Go strategy. Key Takeaways (Understanding Kimsuky’s Subgroup, SeedpuNK ) Explore the classification of Kimsuky into three subgroups based on their primary malware. Among them, understand the SeedpuNK, which is represented by the AppleSeed, and their attack techniques. (Insights into New Go-Based Malware) Review the behavior of three newly discovered Go-based malware and analyze their connections to the existing SeedpuNK’s malware. (Understanding SeedpuNK’s Recent Go Strategy ) Discuss SeedpuNK’s shift toward using the Go in their recent strategies, highlighting its benefits in terms of stability, usability, and scalability. For more details, please refer to the presentation at VB2024. Abstract: Presentation: (Attach later when public) was originally published in on Medium, where people are continuing the conversation by highlighting and responding to this story. Article Link: 1 post - 1 participant - 12d