In comparison to 2021, 2022 was a year marked by covert activities, new attack types, the use of Fully Qualified Domain Names (FQDNs), and attack preparations.
AhnLab identified a significantly higher number of these activities than in 2021. One of these cases involved a misconfigured C2 server, which exposed the files stored on it and allowed AhnLab to obtain samples, server information files, and variant samples that had never been known externally.
The threat actors are using the same attack methods and malware as before. At the same time, they have been gradually changing their attack methods, including the use of customized open-source tools and the exploitation of vulnerabilities.
FlowerPower was by far the most common in attacks of 2022, and many of its variant types were also identified.
The content of the bait documents used in the attacks includes Internet router installation files, application receipts, email plugins, cryptocurrency, symposium plans, MAC address lookup programs, order forms, consultation requests, and national defense research.
The targeted industries according to AhnLab Smart Defense (ASD), AhnLab’s malware threat analysis and cloud diagnosis system, were mainly universities, broadcasting systems, press, semiconductors, and think tanks.
2022 Threat Trend Report on Kimsuky