Back to the Future: Inside the Kimsuky KGH Spyware Suite
Common Information

Field | Value
UUID | b631da57-00ad-4ff7-b844-dd1beecd433f
Fingerprint | ad2c1cfa05b387db
Analysis status | DONE
Considered CTI value | 2
Text language |
Published | Nov. 2, 2020, midnight
Added to db | Sept. 26, 2022, 9:30 a.m.
Last updated | Nov. 17, 2024, 10:40 p.m.
Headline | Back to the Future: Inside the Kimsuky KGH Spyware Suite
Title | Back to the Future: Inside the Kimsuky KGH Spyware Suite
Detected Hints/Tags/Attributes | 116/3/93
Attributes
Details Type #Events CTI Value