2022 Threat Trend Report on Kimsuky

In comparison to 2021, 2022 was a year filled with invisible activities, new attack types, Fully Qualified Domain Names (FQDN), and attack preparations. AhnLab identified a significantly higher number of these activities in comparison to 2021. One of these cases involved an incorrect configuration of C2 servers, causing the files within the said servers to be exposed and allowing AhnLab to procure samples, server information files, and variant samples that had never been known externally.  The threat actors are using…

Unique characteristics of Kimsuky group’s spear phishing emails

A unique difference with the past cases was discovered during the analysis of the Kimsuky group’s spear phishing URLs. Until now, the group used Fully Qualified Domain Names (FQDN) disguised as famous Korean web portals. An analysis of the URLs collected during the past two months revealed multiple new FQDNs including keywords related to certain Korean banks, instead of the past FQDNs disguised as web portals.   Unique characteristics of Kimsuky group’s spear phishing emails

Threat Trend Report on Region-Specific Ransomware

Background Currently, ransomware creators include individuals, cyber criminal gangs and state-supported groups. Out of these individuals and groups, cyber criminal gangs are the most proactive in ransomware development, while individuals and state-supported groups are less so. Privately developed ransomware is most often for research purposes with the intention of destroying data. Some state-sponsored threat groups also develop ransomware. The purpose of these cases is not for financial gain either but for data destruction, and Wipers, which do not allow recovery,…