
ThreatConnect Research Roundup: More Kimsuky “AutoUpdate” Malware

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account.

In this edition, we cover:

  • Kimsuky “AutoUpdate” Malware
  • Mustang Panda PlugX
  • Spoofed Google Support Domain
  • GreedyWonk
  • Emotet
  • WastedLocker
  • IndigoDrop

Roundup Highlight: More Kimsuky “AutoUpdate” Malware

Our highlight in this Roundup is Incident 20200618A: Suspected Kimsuky “AutoUpdate” Malware. ThreatConnect Research identified an additional malware sample likely associated with Kimsuky (a DPRK-based group) due to behaviors similar to a sample reported on the ESTsecurity ALYac Blog, which was also referenced in last week’s Research Roundup Blog.

This sample (1E14DED758C5DD7B41FE20297935EEEF) resembles the downloader (C315DE8AC15B51163A3BC075063A58AA) identified in the ALYac post in the same ways as last week’s file, including a string deobfuscation routine and specific URL parameters.

Of note, it was uploaded to VirusTotal with the filename bmail-security-check.scr, which shares the “bmail” and “security” strings with the embedded, obfuscated command and control server security-confirm.bmail-org[.]com. (The .scr extension denotes a Windows screensaver, which is an ordinary PE executable, so the file runs when opened.) This server was live as of Jun 18, 2020 16:54 UTC. For more details, see the Incident in the ThreatConnect Common Community.

MITRE ATT&CK® Techniques Observed:

  • T1027 – Obfuscated Files or Information

IOCs Identified:

  • 1E14DED758C5DD7B41FE20297935EEEF
  • security-confirm.bmail-org[.]com
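The IOCs above are published defanged (the domain with `[.]`) and as an uppercase MD5, so they have to be normalized before they are useful in a detection. The following is an added example, not code from the original post or from ThreatConnect: it refangs the domain, matches it and its subdomains against DNS query log lines, and matches the MD5 against a file-hash inventory. The log line format (`<timestamp> <client> query: <name>`) and the inventory format (`<path>,<md5>`) are assumptions for the example; the sample lines are constructed and should be replaced with your own sources.

```python
"""
Turn the roundup's IOCs (an MD5 and a defanged C2 domain) into a simple
offline check over DNS log lines and a file-hash inventory.
All sample log data below is constructed for this example.
"""
import hashlib
import re
from typing import Iterable, List, Tuple

# IOCs listed in the roundup.
IOC_MD5 = {"1E14DED758C5DD7B41FE20297935EEEF".lower()}
IOC_DOMAINS_DEFANGED = ["security-confirm.bmail-org[.]com"]


def refang(indicator: str) -> str:
    """Reverse common defanging so the indicator can be matched literally."""
    out = indicator.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":"),
                     ("hxxps://", "https://"), ("hxxp://", "http://")):
        out = out.replace(old, new)
    return out


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(host: str) -> bool:
    """Match the IOC domain itself or any subdomain of it, never a parent."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Assumed DNS log format: "<ts> <client_ip> query: <name>". Adjust to your source.
DNS_QUERY_RE = re.compile(r"query:\s+(?P<name>[A-Za-z0-9.\-]+)")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, matched_host) for each line that resolves an IOC domain."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if m and domain_matches(m.group("name")):
            hits.append((line, m.group("name").lower().rstrip(".")))
    return hits


def scan_hash_inventory(rows: Iterable[str]) -> List[str]:
    """Return paths whose recorded MD5 is on the IOC list (case-insensitive).

    Assumed inventory format: "<path>,<md5>"; the split is on the last comma so
    paths containing commas still work.
    """
    hits = []
    for row in rows:
        path, _, digest = row.rpartition(",")
        if digest.strip().lower() in IOC_MD5:
            hits.append(path)
    return hits


def md5_of_bytes(data: bytes) -> str:
    """MD5 of raw file contents, for hashing files you collect yourself."""
    return hashlib.md5(data).hexdigest()


# Constructed sample data (not from the original post).
SAMPLE_DNS_LOG = [
    "2020-06-18T16:54:00Z 10.0.0.5 query: www.example.com",
    "2020-06-18T16:54:03Z 10.0.0.5 query: security-confirm.bmail-org.com",
    "2020-06-18T16:54:09Z 10.0.0.7 query: cdn.Security-Confirm.BMAIL-ORG.com.",
    "2020-06-18T16:55:00Z 10.0.0.9 query: bmail-org.com",
]
SAMPLE_HASH_INVENTORY = [
    r"C:\Users\alice\Downloads\report.pdf,d41d8cd98f00b204e9800998ecf8427e",
    r"C:\Users\bob\Downloads\bmail-security-check.scr,1e14ded758c5dd7b41fe20297935eeef",
]

if __name__ == "__main__":
    for line, host in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit:", host, "<-", line)
    for path in scan_hash_inventory(SAMPLE_HASH_INVENTORY):
        print("Hash hit:", path)
```

Note that the parent domain bmail-org.com deliberately does not match: the roundup lists only the C2 host, and widening the match to the registered domain is a separate decision to make after checking what else is hosted there.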

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

  • 20200619B: File Matching YARA Rule Associated to Mustang Panda PlugX. ThreatConnect Research identified a file via a YARA rule associated to Mustang Panda PlugX malware.
  • 20200623A: Spoofed Google Support Domain Registered Using jackjacko@tutamail[.]com. ThreatConnect Research identified a suspicious Google Support-spoofing domain registered through THCservers on May 28, 2020.

Technical Blogs and Reports

Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

  • Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit (Source: http://www.fireeye.fr/blog/threat-research/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html)
  • Emotet C2 and RSA Key Update – 06/22/2020 13:40 (Source: https://paste.cryptolaemus.com/emotet/2020/06/22/emotet-c2-rsa-update-06-22-20-1.html)
  • WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group (Source: https://blog.fox-it.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/)
  • IndigoDrop spreads via military-themed lures to deliver Cobalt Strike (Source: https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html)
About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.