Research Roundup: Kimsuky Phishing Operations Putting in Work

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account.

In this edition, we cover:

• Kimsuky
• Cobalt Strike
• Beacon shellcode loader
• Bazar
• Mustang Panda PlugX

Roundup Highlight: Kimsuky Phishing Operations Putting in Work

Our highlight in this Roundup is Incident 20200610B: Suspected Kimsuky Shared Hosted Phishing Related Domains. An international NGO that provides threat sharing and analysis support to frequently targeted communities reached out to ThreatConnect wanting to learn more about the origins of a targeted phishing attack they were researching. Researching both the attacker’s infrastructure and tooling, we believe the nexus of the attack to be DPRK’s Kimsuky group (aka Velvet Chollima). For an in-depth look at this research, read our blog.

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

• 20200930A: Domains Registered Through MonoVM Used with Various Malware On September 24 and 25 2020 Twitter user Bryce (@bryceabdo) identified a series of domains associated with Cobalt Strike, Beacon shellcode loader, and Bazar activity. The identified domains were registered through MonoVM in late September 2020 and hosted in one of a few CIDR blocks. ThreatConnect Research identified additional domains registered using the same email addresses and a third that most likely are related to the same actor based on its recent use of MonoVM to register domains hosted in some of the same CIDR blocks.
• 20200925A: File Matching YARA Rule Associated to Mustang Panda PlugX ThreatConnect Research identified a Mustang Panda PlugX binary and extracted Command and Control locations from the embedded configuration.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

• Targeted Attacks on Oil and Gas Supply Chain Industries in the Middle East (Source: https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east)
• Daily Emotet IoCs and Notes for 09/28/20 (Source: https://paste.cryptolaemus.com/emotet/2020/09/28/emotet-malware-IoCs_09-28-20.html)
• The Internet did my homework (Source: https://blog.talosintelligence.com/2020/09/the-internet-did-my-homework.html)
• Threat Roundup for September 18 to September 25 (Source: https://blog.talosintelligence.com/2020/09/threat-roundup-0918-0925.html)
• Emotet C2 Deltas from 2020/09/22 as of 13:30EDT or 17:30UTC (Source: https://paste.cryptolaemus.com/emotet/2020/09/22/emotet-C2-Deltas-1730-1330_09-22-20.html)
• Emotet C2 Deltas from 2020/09/23 as of 07:20EDT or 11:20UTC (Source: https://paste.cryptolaemus.com/emotet/2020/09/23/emotet-C2-Deltas-1120-0720_09-23-20.html)