# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: Black Banshee, Velvet Chollima

# Reference: https://otx.alienvault.com/pulse/5c93c4e48312d159728a9d78
# Reference: https://blog.alyac.co.kr/2209 (Korean)

maii-daum-net.atwebpages.com
nate-on.bug3.com
hanmail.membercp.net
korea.getenjoyment.net
mail.membercp.net
/itsme.daum

# Reference: https://twitter.com/blackorbird/status/1086970613552447489

safe-naver-mail.pe.hu

# Reference: https://twitter.com/blackorbird/status/1113318554563076096
# Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403
# Reference: https://blog.alyac.co.kr/2234 (Korean)

tcjst.com

# Reference: https://twitter.com/blackorbird/status/1118334122592591872
# Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf
# Reference: https://www.virustotal.com/gui/ip-address/192.186.142.74/relations
# Reference: https://otx.alienvault.com/pulse/5cb6e14b2fefc160d9e18b24

http://192.186.142.74
192.186.142.74:81
seoulhobi.biz

# Reference: https://twitter.com/RedDrip7/status/1133268937808859136

lovemoney.mypressonline.com

# Reference: https://blog.alyac.co.kr/2336 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d13373f428cfccd0fa506a6

hellojames.sportsontheweb.net

# Generic trails (also seen in https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)

/expres.php

# Reference: https://blog.alyac.co.kr/2347 (Korean)
# Reference: https://otx.alienvault.com/pulse/5cffce34469a83ecb23c93db

http://202.168.155.156
carolie-svr-v1.16mb.com
my-homework.890m.com
naver-security-mail.96.lt
oeks39402.890m.com
filer1.1apps.com
filer2.1apps.com
kuku675.site11.com
kuku79.herobo.com

# Reference: https://blog.alyac.co.kr/2389 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d14b11389f0f0ece394fab8

atene.myartsonline.com
hellojames.sportsontheweb.net nid2-naver-com.medianewsonline.com smalldeal.mypressonline.com # Reference: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks # Reference: https://otx.alienvault.com/pulse/5d5d6f5c5f0e4d2b7f5f3208 # Reference: https://twitter.com/blackorbird/status/1164370375490228224 alone-service.work app-support.work check-up.work com-main.work doc-view.work login-confirm.work member-service.work minner.work short-line.work sub-state.work web-line.work # Reference: https://twitter.com/cyberwar_15/status/1166592637371060226 rnailr.com # Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf # Reference: https://otx.alienvault.com/pulse/5d6d754babe6ca295f94cb1b accounted.top acounts.work ahooc.com alive-user.work alone-service.work app-house.online app-main.site app-support.site app-support.work check-line.site check-operation.site check-up.work client-mobile.work confirm-main.work dounn.net dovvn-mail.com drog-service.com eposcard.co first-state.work gstaticstorage.com heehorse.com hotrnall.co imap-login.com inbox-mail.work inbox-yahoo.com lh-login.com lh-logs.com lh-yahoo.com local-link.work log-yahoo.com login-confirm.site login-confirm.work login-history.pw login-sec.com login-use.com login-yahoo.info logins-yahoo.com mail-down.com mail-inc.work mail-service.win mailseco.com main-line.work main-service.site main-support.work matmiho.com member-service.work message-inbox.work minner.work mobile-device.site mobile-phone.work myprivacy.work net-policies.work old-version.work online-support.work open-auth.work options.work page-view.work phlogin.com profile-setting.work protect-com.work protect-mail.work protect-main.site retry-confirm.com script-main.site sec-line.work sec-live.com set-login.com setting-main.work share-check.site short-line.work sign-in.work srnbc-card.com user-account.link user-accounts.net user-service.link user-service.work 
viewetherwallet.com wallet-vahoo.com weak-online.work web-info.work web-mind.work web-online.work web-rain.work web-state.work web-store.work yah00.work yrnall.com # Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901 # Reference: https://blog.alyac.co.kr/2538 (Korean) # Reference: https://otx.alienvault.com/pulse/5d8dd05bac456c1dade338df joelwisian.com reunionhomesok.com # Reference: https://twitter.com/blackorbird/status/1178497550938034177 eoplus.co.kr/board/pressed/ eoplus.co.kr/board/presset/ # Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf # Reference: https://otx.alienvault.com/pulse/5d9f541a43c2babf60994786 c-naver.com daum-center.net rrnaver.com udaum.net account-google.member-authorize.com user-manage-center.hol.es user-daum-center.pe.hu user-protect-center.pe.hu naiei-aldiel.16mb.com nid-protect-team.pe.hu nid-management-team.890m.com oeks39402.890m.com vkcxvkweo.96.lt # Reference: https://otx.alienvault.com/pulse/5dac36de0d5134df36b16666 clouds.scienceontheweb.net # Reference: https://twitter.com/spider_girl22/status/1191306963369353216 online---shop.atwebpages.com # Reference: https://blog.alyac.co.kr/2645 (Korean) # Reference: https://otx.alienvault.com/pulse/5de68f93fc4d8a6303a7598b member-view-center.esy.es primary-help.esy.es ago2.co.kr/bbs/data/dir/F.php antichrist.or.kr/data/cheditor/dir1/F.php gyjmc.com/board/data/cheditor/dir1/F.php # Reference: https://otx.alienvault.com/pulse/5e257c8c189e48e8e053e75b antichrist.or.kr/data/cheditor/dir1/lyric64 batgalim.org.il/facebook/Facebook/Entities/ppp/encoding.png jonashartley.com/hilaryolsen/wp-includes/images/crystal/1122/upload.php jonashartley.com/hilaryolsen/wp-admin/network/run.php jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/res.php jonashartley.com/hilaryolsen/wp-includes/random_compat/1122/expres.php jonashartley.com/hilaryolsen/wp-includes/customize/1111/res.php 
jonashartley.com/hilaryolsen/wp-includes/customize/1111/expres.php happy-new-year.esy.es safe-naver-mail.pe.hu # Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf # Reference: https://otx.alienvault.com/pulse/5e42fd9c9fa37be52610c5c5 accounting-microsofft.epizy.com csdaum-help.esy.es daum-account-login.esy.es daum-account-login.esy.esoeks39402.890m.com daum-account-signin.pe.hu daum-login-protect.hol.es daum-setting.hol.es daum-stting.hol.es daumlogin.esy.es gyjmc.com mail-customer-safety-center.hol.es mail-kinu.hol.es mail-naver-protect.hol.es mail.naver.comuf.com member-authorize.com member-daum-regist.hol.es member-view-center.esy.es memver-view-center.esy.es nager-relogin-security.96.lt naiei-ldel.16mb.com naver-password.esy.es naver-security-mail.96.lt naverhelp.esy.es naverkorea.esy.es naverlogin.esy.es nid-mail.pe.hu nid-management-team.890m.com nid-protect-team.pe.hu primary-help.esy.es protect-yahoo-teeam.000webhostapp.com security-mail-daum.000webhostapp.com snu-mail-ac-kr.esy.es suppcrt-seourity.esy.es uefa2018.000webhostapp.com user-daum-center.pe.hu user-management-center.hol.es user-protect-center.pe.hu vkcxvkweo.96.lt webrnail-kinu.hol.es # Reference: https://twitter.com/anyrun_app/status/1115513990711521280 # Reference: https://www.virustotal.com/gui/file/540336c5e61d589776e267eed14eac835720b4484312434ce4f27adfec8bf817/detection 185.224.137.164:21 # Reference: https://twitter.com/cyberwar_15/status/1227709181605613569 happy-boy.pe.hu # Reference: https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html # Reference: https://otx.alienvault.com/pulse/5e4c19894aad216887c8cb3d ago2.co.kr/bbs/data/tmp aiyac-updaite.hol.es daum-center.net embed-helper.esy.es er-manage-center.hol.es finale-jack.esy.es kakao-check.esy.es my-homework.890m.com naver-mail-com.hol.es nid-protect-team.pe.hu nid-yyanagemeniteam.890m.com nortice-centre.esy.es 
oeks39402.890m.com rrnaver.com simple-hick.esy.es suppcrt-seourity.esy.es udaum.net upgradesrv.890m.com user-daum-center.pe.hu user-manage-cenier.nol.es user-protect-center.pe.hu # Reference: https://twitter.com/cyberwar_15/status/1230093739554557953 pingball.mygamesonline.org # Reference: https://twitter.com/spider_girl22/status/1233198285747154944 # Reference: https://twitter.com/cyberwar_15/status/1241591674255446016 # Reference: https://app.any.run/tasks/f4172853-90e6-49ad-be7b-bf6efa771448/ nagoya.datastore.pe.hu suzuki.datastore.pe.hu toyota.datastore.pe.hu # Reference: https://blog.alyac.co.kr/2737 (Korean) mernberinfo.tech # Reference: https://twitter.com/cyberwar_15/status/1232989735011794945 # Reference: https://www.virustotal.com/gui/file/2cd5f1852ac6d3ed481394ea0abc49f16789c12fb81bcdf9988762730fb0aa8f/detection # Reference: https://twitter.com/spider_girl22/status/1234761655214493697 # Reference: https://twitter.com/cyberwar_15/status/1240677656451899394 # Reference: https://twitter.com/Timele9527/status/1240620534468997125 all200.mireene.com crphone.mireene.com jmable.mireene.com jmdesign.mireene.com nhpurumy.mireene.com orblog.mireene.com sgmedia.mireene.com vnext.mireene.com # Reference: https://twitter.com/Timele9527/status/1240123132419223554 mybobo.mygamesonline.org # Reference: https://twitter.com/DeadlyLynn/status/1245264426321600513 saemaeul.mireene.com # Reference: https://twitter.com/AnonySecAgency/status/1250605504520318977 rolls-royce-love.890m.com # Reference: https://twitter.com/VK_Intel/status/1257243399742251010 upload.bigfile.hol.es # Reference: https://twitter.com/AnonySecAgency/status/1263047043150299136 gotoclean.com.co ricefarm.kr/bbs/st/expres.php # Reference: https://twitter.com/cyberwar_15/status/1266553918454067201 # Reference: https://www.rfa.org/korean/in_focus/nkhacking-05292020160533.html (Korean) com-download.work # Reference: https://twitter.com/cyberwar_15/status/1268073043365990401 part.bigfile.pe.hu # Reference: 
https://blog.alyac.co.kr/3033 (Korean) # Reference: https://otx.alienvault.com/pulse/5ed7c80f673c40df00c52fa6 boaz.kr/skin/member/basic/css/cross.php boaz.kr/skin/member/basic/css/report.php boaz.kr/skin/member/log/cross.php boaz.kr/skin/member/log/pre.hta boaz.kr/skin/member/log/report.php boaz.kr/skin/member/log/suf.hta # Reference: https://twitter.com/XOR_Hex/status/1273023258535886848 dept-dp.lab.hol.es # Reference: https://twitter.com/cyberwar_15/status/1273435333430935552 gbxhd.org-help.com # Reference: https://twitter.com/ccxsaber/status/1273804166612135940 security-confirm.bmail-org.com # Reference: https://twitter.com/ShadowChasing1/status/1274724519803043852 finalist.org-help.com # Reference: https://twitter.com/cyberwar_15/status/1275368364819410950 foxhunter.getenjoyment.net korea.getenjoyment.net pootball.getenjoyment.net # Reference: https://twitter.com/DeadlyLynn/status/1275998401524424704 attachchosun.atwebpages.com # Reference: https://twitter.com/ccxsaber/status/1278941222166380545 lovelovelove.atwebpages.com # Reference: https://twitter.com/DeadlyLynn/status/1281840956170317824 bascetball.atwebpages.com # Reference: https://twitter.com/cyberoverdrive/status/1285955528770891776 # Reference: https://www.virustotal.com/gui/file/4fae9a942aafddc8ee21a753302cec3c5273d3f71e132f176cb799dd922e30ac/detection pingguo5.atwebpages.com # Reference: https://app.any.run/tasks/74d55d02-7bbd-444c-a01b-30ac52a7e576/ foxonline123.atwebpages.com # Reference: https://twitter.com/cyberwar_15/status/1296301860312084482 jongjin.000webhostapp.com # Reference: https://twitter.com/DeadlyLynn/status/1299970605043707905 # Reference: https://www.virustotal.com/gui/file/4ff2a67b094bcc56df1aec016191465be4e7de348360fd307d1929dc9cbab39f/detection portable.epizy.com # Reference: https://otx.alienvault.com/pulse/5f737caa710907613c4d2773 account-protect.work account-viewer.work com-active.work com-download.work com-option.work com-ssl.work com-sslnet.work com-vps.work default.tokyo 
desk-top.work doc-view.pw dorey.work dutaley.work exiweng.work idiolos.work intemet.work jp-sec.pw jp-ssl.work kinac.work net-sec.pw org-view.pw org-view.work org-vip.work org-vps.work poulsen.work robezo.work rtyuio.work sslport.work sslserver.work ssltop.work taplist.work tlsmain.work unrepong.work verdall.xyz vpstop.work webmain.work # Reference: https://twitter.com/cyberwar_15/status/1313175039307476993 daumcleaner.mywebcommunity.org naver.mywebcommunity.org workcrafter.mywebcommunity.org # Reference: https://twitter.com/DeadlyLynn/status/1314181830162083841 # Reference: https://www.virustotal.com/gui/file/363386c4caa5a995d3ca9345520c90942d5d3e1aaf8056831348f92eb73c15db/detection goldbin.myartsonline.com # Reference: https://twitter.com/vigilantbeluga/status/1315720089316941824 # Reference: https://twitter.com/vigilantbeluga/status/1315722308703543297 hdac-wallet.com kasse-v1.hdac-wallet.com update.hdac-tech.com wallet.hdac-tech.com # Reference: https://twitter.com/vigilantbeluga/status/1255002262256025600 # Reference: https://www.virustotal.com/gui/file/3110f00c1c48bbba24931042657a21c55e9a07d2ef315c2eae0a422234623194/detection general-second.org-help.com # Reference: https://us-cert.cisa.gov/ncas/alerts/aa20-301a # Reference: https://otx.alienvault.com/pulse/5f9856f8655cfd07338c8e83 account.daum.unikftc.kr account.daum.unikortv.com account.daurn.pe.hu amberalexander.ghtdev.com beyondparallel.sslport.work bigfile.pe.hu cdaum.pe.hu cloudmail.cloud cloudnaver.com coinone.co.in com-download.work com-option.work com-ssl.work com-sslnet.work com-vps.work comment.poulsen.work cooper.center csnaver.com daum.net.pl daum.unikortv.com daurn.org daurn.pe.hu demand.poulsen.work dept-dr.lab.hol.es downloadman06.com dubai-1.com eastsea.or.kr gloole.net help-navers.com help.unikoreas.kr helpnaver.com hogy.desk-top.work impression.poulsen.work intemet.work intranet.ohchr.account-protect.work jonga.ml jp-ssl.work kooo.gq loadmanager07.com login.bignaver.com login.daum.kcrct.ml 
login.daum.net-accounts.info login.daum.unikortv.com login.outlook.kcrct.ml mail.unifsc.com mailsnaver.com member-authorize.com member.daum.uniex.kr member.daum.unikortv.com member.navier.pe.hu msdatl3.inc msolui80.inc myaccount.nkaac.net myaccounts.gmail.kr-infos.com myetherwallet.co.in myetherwallet.com.mx naver.co.in naver.com.cm naver.com.de naver.com.ec naver.com.mx naver.com.pl naver.com.se naver.cx naver.hol.es naver.koreagov.com naver.onegov.com naver.pw naver.unibok.kr naverdns.co net.tm.ro nid.naver.com.se nid.naver.corper.be nid.naver.onektx.com nid.naver.unibok.kr nid.naver.unicrefia.com nidlogin.naver.corper.be nidnaver.email nidnaver.net ns.onekorea.me nytimes.onekma.com org-vip.work preview.manage.org-view.work pro-navor.com read-hanmail.net read-naver.com read.tongilmoney.com resetprofile.com resultview.com riaver.site sankei.sslport.work securetymail.com servicenidnaver.com smtper.cz smtper.org sslserver.work ssltop.work statement.poulsen.work sts.desk-top.work taplist.work tiosuaking.com top.naver.onekda.com usernaver.com view-hanmail.net view-naver.com vilene.desk-top.work vpstop.work webmain.work webuserinfo.com ww-naver.com # Reference: https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite # Reference: https://www.cyberscoop.com/north-korea-espionage-kimsuky-cybereason/ # Reference: https://otx.alienvault.com/pulse/5fa029ed2e8d9de384c74f26 csv.posadadesantiago.com/home/up.php?id= csv.posadadesantiago.com/home?act=news&id= csv.posadadesantiago.com/home?id= myaccounts.posadadesantiago.com/test/Update.php?wShell= wave.posadadesantiago.com/home/dwn.php?van= # Reference: https://blog.alyac.co.kr/3352 # Reference: https://otx.alienvault.com/pulse/5fa1bb282c5efd7327b229a6 xeoskin.co.kr/wp/wp-includes/SimplePie/Net/ # Reference: https://twitter.com/cyberwar_15/status/1327040440189607936 # Reference: https://twitter.com/cyberwar_15/status/1327045373781635072 # Reference: 
https://twitter.com/cyberwar_15/status/1327403605825970176 # Reference: https://twitter.com/cyberwar_15/status/1327403626118094848 accountcheck.net app.veryton.ml appmedicine.whoint.cf astrozeneca.ml bidmc.accountcheck.net daumi.club daurn.ga dup.photo.oiiio.ga email-hanwha.pe.hu genexine.member-info.net jnj.accountcheck.net kaist.r-naver.com kari.gq kimm.r-naver.com krnvc.ga logins.daumi.club logins.daurn.ga love.krnvc.ga mail.astrozeneca.ml member-info.net oiiio.ga on.color.oiiio.ga r-naver.com shinpoong.accountcheck.net shinpoong.r-naver.com shkj.hol.es veryton.ml webmail.kari.gq whoint.cf # Reference: https://twitter.com/RedDrip7/status/1329628989699235840 # Reference: https://otx.alienvault.com/pulse/5fb804ac581df7fe4f35bfd6 # Reference: https://www.virustotal.com/gui/file/9365ce79a51768a398cc22ec701d5f256de827fbefed283c933dea4052d66027/detection pelebra.atwebpages.com # Reference: https://twitter.com/jfslowik/status/1330611004456067073 asia-studies.net itamaraty.net midsecurity.org netsecurityservice.com securitycounci1report.org # Reference: https://twitter.com/cyberwar_15/status/1332300116179312640 bidmc.accountcheck.net genexine.member-info.net jnj.accountcheck.net shinpoong.accountcheck.net shinpoong.r-naver.com # Reference: https://twitter.com/cyberwar_15/status/1333181928606814211 daumusercenter.web.app # Reference: https://twitter.com/cyberwar_15/status/1333767468473487363 autoway.huyndai.ml huyndai.ml # Reference: https://twitter.com/Timele9527/status/1333971180290592769 documentserver.site # Reference: https://twitter.com/h2jazi/status/1339226171272286209 # Reference: https://blog.alyac.co.kr/3458 (Korean) # Reference: https://otx.alienvault.com/pulse/5fdbc57a744937101f4f9adc hahae.co.kr/new3/ISAF/Libs/php/cross.php # Reference: https://twitter.com/RedDrip7/status/1336258913323216896 # Reference: https://www.virustotal.com/gui/file/1909010c264328edaf24cc2804d4f046aabd3c59de45e1d295d4155eb466d753/detection price365.co.kr/abbi/json/ps/aa.php # 
Reference: https://twitter.com/cyberwar_15/status/1343610577894088704 # Reference: https://www.virustotal.com/gui/ip-address/27.255.79.204/relations bkl-co.ml conm.ga covision.tk dongguk.ml edongwon.ml edongyang.ml ejnuac.ml ekecc.ml ekoreapetroleum.ml eland.ml enepa.cf esmec.ml gwdeuac.ml gwpancon.ml imperial.fit kangwon.ml kccworld.ml kyungnam.ml kyungnam.tk kyungshin.ml leeko.ml maeil.ml miraeasset.ml naver.srl nexaemc.ml nh-amundi.ml onestorecorp.ml s-food.ml samyang.ml sejonggroup.ml slworld.cf sogang.ml tlbu.ml webnaver.srl wonik.ml yncc.ml zdnet.ga email.dongwon.ml email.dongyang.ml email.jnuac.ml email.kecc.ml email.koreapetroleum.ml email.nepa.cf ext.imperial.fit gwmail.deuac.ml gwmail.pancon.ml mail.bkl-co.ml mail.conm.ga mail.covision.tk mail.dongguk.ml mail.eland.ml mail.esmec.ml mail.kangwon.ml mail.kccworld.ml mail.kyungnam.ml mail.kyungnam.tk mail.kyungshin.ml mail.leeko.ml mail.maeil.ml mail.miraeasset.ml mail.naver.srl mail.nh-amundi.ml mail.onestorecorp.ml mail.s-food.ml mail.samyang.ml mail.sejonggroup.ml mail.slworld.cf mail.sogang.ml mail.tlbu.ml mail.wonik.ml mail.yncc.ml mail.zdnet.ga nidlogin.naver.srl nmail.exaemc.ml webmail.naver.srl # Reference: https://twitter.com/cyberwar_15/status/1345704290069876736 karist.cf kaist-ac.xyz krfa.ml veryton.ml kaist.krfa.ml kaist-ac.xyz mail.kaist-ac.xyz vpn.karist.cf app.veryton.ml # Reference: https://twitter.com/h2jazi/status/1347225069890789376 # Reference: https://www.virustotal.com/gui/file/18ee06625f7bddadafa8c256d63a123f4e69d5488f88828052fd7803b3aa8b3b/detection cwda.co.kr/theme/basic/skin/new/basic/update/ # Reference: https://twitter.com/AnonySecAgency/status/1350988738973884418 # Reference: https://www.virustotal.com/gui/file/fd740b70649f06269bf8fe2d0d4fdd87d99606a7a666c4f6a2fc89bee70b6649/detection connectter.atwebpages.com # Reference: https://twitter.com/cyberwar_15/status/1352117474943135745 # Reference: https://twitter.com/cyberwar_15/status/1352117964527423490 # Reference: 
https://www.virustotal.com/gui/ip-address/121.78.88.85/relations attach.ddns.net bigfile-naver.servepics.com cafe-daum.ddns.net naver.serveblog.net naver.servehttp.com