鲨鱼的狂欢 — APT-C-55 Kimsuky组织近期BabyShark组件披露
Tags
Common Information
| Type | Value |
|---|---|
| UUID | b9b75d68-26de-46b6-85cd-daf0b1a68750 |
| Fingerprint | b3b808f26d9edb0f |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | March 12, 2022, midnight |
| Added to db | Jan. 30, 2023, 4:34 p.m. |
| Last updated | Nov. 15, 2024, 12:35 p.m. |
| Headline | 鲨鱼的狂欢 — APT-C-55 Kimsuky组织近期BabyShark组件披露 |
| Title | 鲨鱼的狂欢 — APT-C-55 Kimsuky组织近期BabyShark组件披露 |
| Detected Hints/Tags/Attributes | 8/0/32 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://mp.weixin.qq.com/s/ZV8AOTd7YGUgCTTTZtTktQ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | 1drv.com |
|
| Details | Domain | 4 | ielsems.com |
|
| Details | Domain | 6 | worldinfocontact.club |
|
| Details | Domain | 3 | api.onedrive.com |
|
| Details | Domain | 208 | mp.weixin.qq.com |
|
| Details | Domain | 19 | www.huntress.com |
|
| Details | File | 3 | macro.php |
|
| Details | File | 1 | 判断如果%appdata%目录下存在dsektop.tmp |
|
| Details | File | 1 | 最终删除文件dsektop.tmp |
|
| Details | File | 1 | club获取desktop.tmp |
|
| Details | File | 1 | 添加注入表键值appxr1bysyqf6kpaq1aje5sbadka8dgx3g4g写入请求dsektop.tmp |
|
| Details | File | 1 | sys.vbs |
|
| Details | File | 1 | 添加计划任务调用wscript.exe |
|
| Details | File | 1 | 执行sys.vbs |
|
| Details | File | 1 | 样本4bb1827e37223b674ab7270f7b7bbb4d与之前披露的babyshark组件的初始阶段载荷version_hwp.dll |
|
| Details | File | 89 | version.dll |
|
| Details | File | 1 | c:\users\用户名\appdata\roaming\microsoft\创建log.txt |
|
| Details | File | 1 | 样本4bb1827e37223b674ab7270f7b7bbb4d与之前披露的babyshark初始阶段的载荷version_hwp.dll |
|
| Details | File | 1 | 且从编译时间来看样本4bb1827e37223b674ab7270f7b7bbb4d为version_hwp.dll |
|
| Details | md5 | 1 | 3b11456f184a0d263b7f56cb92667b0e |
|
| Details | md5 | 1 | 7de6969f867aada10c175e9d4328942e |
|
| Details | md5 | 1 | 4bb1827e37223b674ab7270f7b7bbb4d |
|
| Details | Pdb | 1 | h:\hijacking\onedrive_hijacking\googledrive_rat_load_complete\googledrive_rat_load_complete\rat_load\release\rat_load.pdb |
|
| Details | Threat Actor Identifier - APT-C | 15 | APT-C-55 |
|
| Details | Url | 1 | https://api.onedrive.com/v1.0/drives/+path1+/items/+path2+select=id,@content.downloadurl+authkey获取后续请求地址hxxps://qizzhq.dm.files.1drv.com/y4mz739xhv5a59pon-9e5_f3u7qk1a-jzwn-c_k-ja3a72_w-5vxa9zax_ymjfirdu4,请求上述地址获取到加密数据,利用vbs脚本解密后执行,最后收集用户相关信息上传至apt组织服务器ielsems.com |
|
| Details | Url | 1 | https://api.onedrive.com/v1.0/drives/+path1+/items/+path2+select=id,@content.downloadurl |
|
| Details | Url | 1 | https://ielsems.com/cic/macro.php?na= |
|
| Details | Url | 1 | https://mp.weixin.qq.com/s/og8mfnqokzshlojdidkygq |
|
| Details | Url | 1 | https://mp.weixin.qq.com/s/pkck1ryxvgwfuohqk9rahg),且pdb路径h:\hijacking\onedrive_hijacking\googledrive_rat_load_complete\googledrive_rat_load_complete\rat_load\release\rat_load.pdb与近期披露的babyshark组件路径吻合 |
|
| Details | Url | 1 | https://qizzhq.dm.files.1drv.com/y4mz739xhv5a59pon-9e5_f3u7qk1a-jzwn-c_k-ja3a72_w-5vxa9zax_ymjfirdu4 |
|
| Details | Url | 2 | https://mp.weixin.qq.com/s/pkck1ryxvgwfuohqk9rahg |
|
| Details | Url | 2 | https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood |