the Kimsuky Group's use of AutoIt to create malware, specifically RftRAT and Amadey:
Malware Creation Using AutoIt: The Kimsuky group, known for its cyber espionage activities, has been using the AutoIt scripting language to create malware, including RftRAT and Amadey. The use of AutoIt is a notable development in Kimsuky's tooling and shows the group's adaptability and focus on evading detection.
Stealing Information and Technology: Researchers have identified that the Kimsuky group uses this malware to steal information and technology from South Korea and other countries. After gaining initial access, the group installs remote-control malware to take control of the infected systems.
Kimsuky Group's Malware Arsenal: In addition to custom-made malware such as AppleSeed and PebbleDash, the Kimsuky group also uses open-source or commercial malware such as XRat, HVNC, and Metasploit, along with the recently identified RftRAT and Amadey.
Kimsuky Group's Background: The Kimsuky threat group, believed to be supported by North Korea, has been active since 2013. It initially targeted North Korea-related research institutes in South Korea and subsequently expanded its operations to other countries.
Public Awareness and Reporting: The activities of the Kimsuky group, including their use of AutoIt to create malware, have been reported and documented by several cybersecurity sources, including the ASEC Blog and AlienVault's Open Threat Exchange.
These findings highlight the evolving nature of cyber threats and the importance of continuous monitoring and of keeping security controls up to date. For more detailed technical information, consult the reports directly on AlienVault's Open Threat Exchange or other cybersecurity news and analysis platforms.
IoC
DOMAIN
- topspace.org
- theservicellc.com
- techgolfs.com
- splitbusiness.com
- prohomepage.net
- ciso2ciso.com
- brhosting.net
URL
- https://topspace.org/index.php
- https://techgolfs.com/index.php
- https://splitbusiness.com/index.php
- https://prohomepage.net/index.php
- http://brhosting.net/index.php
IPv4
- 91.202.5.80
- 23.236.181.108
- 209.127.37.40
- 192.236.154.125
- 172.93.201.248
- 152.89.247.57
SHA256
- fa7d61c8ad81d81a45382c7d8ca230b178c99f78347d3bb82119fa1b815e3cfc
- ed9f048516ddc55d608dd0d8afb335362ecd64e429e1a5bebd2d990792b8fa73
REFERENCES
- https://meterpreter.org/kimsuky-threat-group-autoit-malware/#:~:text=According%20to%20a%20security%20researcher,and%20focus%20on%20evading%20detection
- https://www.securitricks.com/kimsuky-group-uses-autoit-to-create-malware-rftrat-amadey-wednesday-december-13-2023/#:~:text=Here%20is%20the%20latest%20malware,has%20been%20identified%20by%20researchers
- https://malware.news/t/kimsuky-group-uses-autoit-to-create-malware-rftrat-amadey/76472
- https://allinfosecnews.com/item/kimsuky-group-uses-autoit-to-create-malware-rftrat-amadey-2023-12-08/#:~:text=Kimsuky%20Group%20Uses%20AutoIt%20to,has%20been%20active%20since%202013
- https://otx.alienvault.com/pulse/6572f58b3e024e9714111883
- https://otx.alienvault.com/pulse/6579b3e780b08a7717b8e895
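As an added example (not part of the original post or of any vendor's tooling), the Python script below matches the domain, IP and SHA256 indicators listed above against a few constructed proxy, DNS, firewall and EDR log lines. The log format and the hostnames in the sample lines (for instance cdn.splitbusiness.com) are constructed for the example; only the indicator values come from the post. Subdomains of a listed domain count as hits, and hashes are compared case-insensitively because EDR products differ in how they print them.

```python
import re
from urllib.parse import urlsplit

# Indicators as listed in the post (domains, IPv4 addresses, SHA256 hashes).
IOC_DOMAINS = {
    "topspace.org", "theservicellc.com", "techgolfs.com", "splitbusiness.com",
    "prohomepage.net", "ciso2ciso.com", "brhosting.net",
}
IOC_IPS = {
    "91.202.5.80", "23.236.181.108", "209.127.37.40",
    "192.236.154.125", "172.93.201.248", "152.89.247.57",
}
IOC_SHA256 = {
    "fa7d61c8ad81d81a45382c7d8ca230b178c99f78347d3bb82119fa1b815e3cfc",
    "ed9f048516ddc55d608dd0d8afb335362ecd64e429e1a5bebd2d990792b8fa73",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
# Bare hostnames (e.g. from DNS logs): dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def domain_hits(hostname):
    """Return the IoC domain that hostname equals or is a subdomain of, else None."""
    h = hostname.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


def match_line(line):
    """Return a sorted list of (ioc_type, indicator) tuples found in one log line."""
    hits = set()
    hosts = set()
    # Hostnames from full URLs (proxy logs) and from bare names (DNS logs).
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host)
    hosts.update(HOST_RE.findall(line))
    for h in hosts:
        d = domain_hits(h)
        if d:
            hits.add(("domain", d))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.add(("sha256", digest.lower()))
    return sorted(hits)


def scan(lines):
    """Return {line_index: matches} for every line that contains at least one IoC."""
    report = {}
    for i, line in enumerate(lines):
        m = match_line(line)
        if m:
            report[i] = m
    return report


# Constructed sample log lines (not real telemetry); line 4 is a benign control.
SAMPLE_LOGS = [
    '2023-12-08T09:14:02Z proxy src=10.0.0.21 url="https://techgolfs.com/index.php" status=200',
    '2023-12-08T09:14:05Z dns client=10.0.0.21 query=cdn.splitbusiness.com type=A',
    '2023-12-08T09:15:11Z fw src=10.0.0.21 dst=152.89.247.57 dport=443 action=allow',
    '2023-12-08T09:20:44Z edr host=WS-21 file=C:\\Users\\Public\\update.exe '
    'sha256=FA7D61C8AD81D81A45382C7D8CA230B178C99F78347D3BB82119FA1B815E3CFC',
    '2023-12-08T09:21:00Z proxy src=10.0.0.22 url="https://www.example.com/" status=200',
]

if __name__ == "__main__":
    for i, m in scan(SAMPLE_LOGS).items():
        print(f"line {i}: {m}")
```

Indicator lists like this one are a point-in-time snapshot, so in practice the sets above would be loaded from the OTX pulses referenced here (or a local feed) rather than hard-coded, and a hit is a reason to pull the host's full timeline, not a verdict on its own.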
TAGS
rftrat, amadey, log4j exploits, autoit, keylogger, kimsuky, xrat, infostealer, appleseed, quasarrat, rdp wrapper, lazarus, korean, pebbledash, powershell, mimikatz, injector, konni, remote control