We currently can't confirm whether this is a stolen certificate, an impersonation or a shell/front corporation. The website for "d2innovation[.]jp" has been inactive/HTTP403 since early 2023 according to the Internet Archive.
So far we have found five samples signed with this certificate. The earliest compilation timestamps go back to the 13th of December 2023. One sample has a header timestamp set to 0 (1970-01-01). Using a cutoff date in the rule might limit hunting results.
Some samples are already available on @abuse_ch Malware Bazaar. We'll share the missing ones in a minute.
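The thread's caveat about a timestamp cutoff is worth seeing in code. The following is an added example, not code from the thread's author: it reads the COFF TimeDateStamp straight from the PE header, builds constructed (non-executable) PE stubs with chosen timestamps, and shows how a naive "compiled on or after 13 Dec 2023" filter silently drops a sample whose stamp is zeroed. Sample names and the stub builder are hypothetical.

```python
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC) of a PE image.

    Layout: the DOS header stores e_lfanew at 0x3C; the PE signature "PE\\0\\0"
    sits there, followed by the 20-byte COFF header whose TimeDateStamp field
    is at offset 4 (so e_lfanew + 4 + 4).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def build_pe_stub(timestamp: int) -> bytes:
    """Constructed, non-executable PE stub carrying the given TimeDateStamp.

    Only the fields the parser above reads are meaningful; this stands in for
    real samples so the example runs offline.
    """
    dos = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> PE header right after
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def select_for_hunt(samples, cutoff_unix: int, keep_unknown: bool = True):
    """Apply a compile-time cutoff to (name, pe_bytes) pairs.

    A zeroed TimeDateStamp decodes to 1970-01-01 and is really "unknown", not
    "old". With keep_unknown=True such samples survive the cutoff; with
    keep_unknown=False the cutoff silently drops them, which is the hunting
    gap the thread above warns about.
    """
    kept = []
    for name, data in samples:
        ts = pe_timestamp(data)
        if ts == 0:
            if keep_unknown:
                kept.append(name)
        elif ts >= cutoff_unix:
            kept.append(name)
    return kept


# Cutoff matching the earliest compile timestamp mentioned above (13 Dec 2023).
CUTOFF = int(datetime(2023, 12, 13, tzinfo=timezone.utc).timestamp())

# Constructed sample set (names are hypothetical, not the real samples).
SAMPLES = [
    ("sample_a.exe", build_pe_stub(CUTOFF)),                 # compiled on the cutoff day
    ("sample_b.exe", build_pe_stub(CUTOFF + 30 * 86400)),    # a month later
    ("sample_c.exe", build_pe_stub(0)),                      # zeroed timestamp (1970-01-01)
    ("old_file.exe", build_pe_stub(CUTOFF - 400 * 86400)),   # genuinely older, outside scope
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        ts = pe_timestamp(data)
        print(name, datetime.fromtimestamp(ts, timezone.utc).isoformat())
    print("naive cutoff:   ", select_for_hunt(SAMPLES, CUTOFF, keep_unknown=False))
    print("tolerant cutoff:", select_for_hunt(SAMPLES, CUTOFF))
```

The same reasoning applies to a YARA `pe.timestamp` condition or a retrohunt filter: a stamp of 0 (or, equally, a deliberately forged future stamp) should be treated as a separate "unknown" bucket rather than compared against the cutoff.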
This company is publishing pure snake oil, copying my independent research and the findings of people on Twitter.
Their latest blog talks of the "Cyberstanc Revelation", when in fact all these findings were uncovered by people on Twitter (myself, @fisxbbb & @unpacker).
I had then tweeted this out and updated our research blogs to mention these findings, stating that the primary difference was the reconnaissance module, a hallmark TTP of #Kimsuky malware. 🧵4/
The #APT known as #Kimsuky strikes again, this time targeting think tanks, academia, and media organizations with social engineering. The goal? Stealing Google and subscription credentials of a news and analysis service that focuses on North Korea. Enjoy and Happy Hunting!
Link in the comments!
This one is a little different. In this article, SentinelLabs mentioned ReconShark being used. Can you provide me with any TTPs that are associated with that #malware?
According to the #CIA and #FBI, the North Korean state-sponsored hacker group #Kimsuky (aka APT43) has impersonated journalists and academics in spear phishing campaigns to gather information from think tanks, research centres, academic institutions and various media organizations.
Germany's domestic intelligence apparatus (BfV), South Korea's National Intelligence Service (NIS) and the U.S. National Security Agency (NSA) warn about cyber attacks mounted by a threat actor tracked as Kimsuky, using #socialengineering and #malware to target think tanks, academia, and news media sectors.
"Kimsuky has been observed leveraging open source information (#OSINT) to identify potential targets of interest and subsequently craft their online personas to appear more legitimate by creating email addresses that resemble email addresses of real individuals they seek to impersonate.
The adoption of spoofed identities is a tactic embraced by other state-sponsored groups and is seen as a ploy to gain trust and build rapport with the victims. The adversary is also known to compromise the email accounts of the impersonated individuals to concoct convincing email messages.
#Kimsuky actors tailor their themes to their target's interests and will update their content to reflect current events discussed among the community of North Korea watchers.
Besides using multiple personas to communicate with a target, the electronic missives come bearing password-protected malicious documents, either attached directly or hosted on Google Drive or Microsoft OneDrive."
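The advisory's point about email addresses that resemble those of real individuals suggests a simple mail-gateway check. The following is an added example, not code from the advisory or from the poster: it parses an inbound From: header with the standard library, compares the sender against a constructed address book, and flags a known contact's display name reused on a different address, or an address or domain within a couple of edits of a trusted one. The contacts, domains and headers are hypothetical.

```python
from email.utils import parseaddr


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed address book: people the recipient legitimately corresponds with.
# Names and domains are hypothetical.
CONTACTS = {
    "jane.doe@nk-research.example": "Jane Doe",
    "park.minsoo@kpolicy.example": "Park Min-soo",
}


def assess_sender(from_header: str, contacts=CONTACTS, max_dist: int = 2):
    """Classify a From: header as "known", "lookalike", "unknown" or "invalid".

    Returns (verdict, reasons). A sender is a lookalike when it reuses a known
    contact's display name on a different address, or when its address or
    domain is within max_dist edits of a known one without being equal.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "invalid", []
    if addr in contacts:
        return "known", []
    domain = addr.split("@", 1)[1]
    reasons = []
    for known_addr, known_name in contacts.items():
        if name and name.lower() == known_name.lower():
            reasons.append(f"display name '{known_name}' reused on unknown address")
        addr_dist = levenshtein(addr, known_addr)
        known_domain = known_addr.split("@", 1)[1]
        if 0 < addr_dist <= max_dist:
            reasons.append(f"address within {addr_dist} edit(s) of {known_addr}")
        elif 0 < levenshtein(domain, known_domain) <= max_dist:
            reasons.append(f"domain resembles {known_domain}")
    return ("lookalike", reasons) if reasons else ("unknown", [])


# Constructed inbound From: headers (not real messages).
INBOUND = [
    '"Jane Doe" <jane.doe@nk-research.example>',     # genuine
    '"Jane Doe" <jane.doe@nk-researcn.example>',     # one-character domain swap
    '"Jane Doe" <janedoe.nkr@freemail.example>',     # real name, free-mail account
    "news@other.example",                            # unrelated sender
]

if __name__ == "__main__":
    for hdr in INBOUND:
        verdict, reasons = assess_sender(hdr)
        print(f"{verdict:9s} {hdr}" + (" :: " + "; ".join(reasons) if reasons else ""))
```

Display-name reuse on a free-mail account is the case the advisory describes most directly; the edit-distance checks catch the registered lookalike domains. Note that this does nothing against the other tactic quoted above, a genuinely compromised account of the impersonated person, which only sender-reputation or content-based controls can address.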
North Korean hackers #Kimsuky using new ReconShark reconnaissance tool to target individuals via spear-phishing emails, OneDrive links & malicious macros.